Efficient elliptic curve Diffie‐Hellman computation at the 256‐bit security level

Abstract

In this study, the authors introduce new Montgomery and Edwards form elliptic curves targeted at the 256-bit security level. To this end, they work with three primes, namely $p_1:= 2^{506} - 45$p 1 :=2506-45, $p_2:= 2^{510} - 75$p 2 :=2510-75 and $p_3:= 2^{521} - 1$p 3 :=2521-1. While $p_3$p 3 has been considered earlier in the literature, $p_1$p 1 and $p_2$p 2 are new. They define a pair of birationally equivalent Montgomery and Edwards form curves over all the three primes. Efficient 64-bit assembly implementations targeted at Skylake and later generation Intel processors have been made for the shared secret computation phase of the Diffie-Hellman key agreement protocol for the new Montgomery curves. Curve448 of the Transport Layer Security, Version 1.3 is a Montgomery curve which provides security at the 224-bit security level. Compared to the best publicly available 64-bit implementation of Curve448, the new Montgomery curve over $p_1$p 1 leads to a 3-4% slowdown and the new Montgomery curve over $p_2$p 2 leads to a 4.5-5% slowdown; on the other hand, 29 and 30.5 extra bits of security, respectively, are gained. For designers aiming for the 256-bit security level, the new curves over $p_1$p 1 and $p_2$p 2 provide an acceptable trade-off between security and efficiency.