Efficient elliptic curve Diffie-Hellman computation at the 256-bit security level

Authors

Kaushik Nath, Indian Statistical Institute, Kolkata
Palash Sarkar, Indian Statistical Institute, Kolkata

Article Type

Research Article

Publication Title

IET Information Security

Abstract

In this study, the authors introduce new Montgomery and Edwards form elliptic curves targeted at the 256-bit security level. To this end, they work with three primes, namely p1:= 2506 − 45, p2:= 2510 − 75 and p3:= 2521 − 1. While p3 has been considered earlier in the literature, p1 and p2 are new. They define a pair of birationally equivalent Montgomery and Edwards form curves over all the three primes. Efficient 64-bit assembly implementations targeted at Skylake and later generation Intel processors have been made for the shared secret computation phase of the Diffie-Hellman key agreement protocol for the new Montgomery curves. Curve448 of the Transport Layer Security, Version 1.3 is a Montgomery curve which provides security at the 224-bit security level. Compared to the best publicly available 64-bit implementation of Curve448, the new Montgomery curve over p1 leads to a 3-4% slowdown and the new Montgomery curve over p2 leads to a 4.5-5% slowdown; on the other hand, 29 and 30.5 extra bits of security, respectively, are gained. For designers aiming for the 256-bit security level, the new curves over p1 and p2 provide an acceptable trade-off between security and efficiency.

First Page

633

Last Page

640

DOI

10.1049/iet-ifs.2019.0620

Publication Date

11-1-2020

Comments

Open Access, Bronze

Recommended Citation

Nath, Kaushik and Sarkar, Palash, "Efficient elliptic curve Diffie-Hellman computation at the 256-bit security level" (2020). Journal Articles. 74.
https://digitalcommons.isical.ac.in/journal-articles/74