Efficient elliptic curve Diffie‐Hellman computation at the 256‐bit security level

In this study, the authors introduce new Montgomery and Edwards form elliptic curves targeted at the 256‐bit security level. To this end, they work with three primes, namely p 1 := 2 506 − 45 , p 2 := 2 510 − 75 and p 3 := 2 521 − 1 . While p 3 has been considered earlier in the literature, p 1 and p 2 are new. They define a pair of birationally equivalent Montgomery and Edwards form curves over all the three primes. Efficient 64‐bit assembly implementations targeted at Skylake and later generation Intel processors have been made for the shared secret computation phase of the Diffie‐Hellman key agreement protocol for the new Montgomery curves. Curve448 of the Transport Layer Security, Version 1.3 is a Montgomery curve which provides security at the 224‐bit security level. Compared to the best publicly available 64‐bit implementation of Curve448, the new Montgomery curve over p 1 leads to a 3–4% slowdown and the new Montgomery curve over p 2 leads to a 4.5–5% slowdown; on the other hand, 29 and 30.5 extra bits of security, respectively, are gained. For designers aiming for the 256‐bit security level, the new curves over p 1 and p 2 provide an acceptable trade‐off between security and efficiency.