Article Type

Research Article

Publication Title

IET Information Security

Abstract

In this study, the authors introduce new Montgomery and Edwards form elliptic curves targeted at the 256-bit security level. To this end, they work with three primes, namely p1:= 2506 − 45, p2:= 2510 − 75 and p3:= 2521 − 1. While p3 has been considered earlier in the literature, p1 and p2 are new. They define a pair of birationally equivalent Montgomery and Edwards form curves over all the three primes. Efficient 64-bit assembly implementations targeted at Skylake and later generation Intel processors have been made for the shared secret computation phase of the Diffie-Hellman key agreement protocol for the new Montgomery curves. Curve448 of the Transport Layer Security, Version 1.3 is a Montgomery curve which provides security at the 224-bit security level. Compared to the best publicly available 64-bit implementation of Curve448, the new Montgomery curve over p1 leads to a 3-4% slowdown and the new Montgomery curve over p2 leads to a 4.5-5% slowdown; on the other hand, 29 and 30.5 extra bits of security, respectively, are gained. For designers aiming for the 256-bit security level, the new curves over p1 and p2 provide an acceptable trade-off between security and efficiency.

First Page

633

Last Page

640

DOI

10.1049/iet-ifs.2019.0620

Publication Date

11-1-2020

Comments

Open Access, Bronze

Share

COinS