Ed448-Goldilocks, a new elliptic curve

Many papers have proposed elliptic curves which are faster and easier to implement than the NIST prime-order curves. Most of these curves have had fields of size around 2, and thus security estimates of around 128 bits. Recently there has been interest in a stronger curve, prompting designs such as Curve41417 and Microsoft’s pseudo-Mersenne-prime curves. Here I report on the design of another strong curve, called Ed448-Goldilocks. Implementations of this curve can perform very well for its security level on many architectures. As of this writing, this curve is favored by IRTF CFRG for inclusion in future versions of TLS along with Curve25519.

[1]  Shay Gueron,et al.  Fast prime field elliptic-curve cryptography with 256-bit primes , 2014, Journal of Cryptographic Engineering.

[2]  H. Hisil Elliptic curves, group law, and efficient computation , 2010 .

[3]  Peter Schwabe,et al.  NEON Crypto , 2012, CHES.

[4]  Paulo S. L. M. Barreto,et al.  A note on high-security general-purpose elliptic curves , 2013, IACR Cryptol. ePrint Arch..

[5]  Tanja Lange,et al.  High-speed high-security signatures , 2011, Journal of Cryptographic Engineering.

[6]  Michael Scott,et al.  Endomorphisms for Faster Elliptic Curve Cryptography on a Large Class of Curves , 2009, Journal of Cryptology.

[7]  Robert Granger,et al.  Generalised Mersenne numbers revisited , 2011, Math. Comput..

[8]  H. Edwards A normal form for elliptic curves , 2007 .

[9]  Tanja Lange,et al.  Faster Addition and Doubling on Elliptic Curves , 2007, ASIACRYPT.

[10]  Johannes Merkle,et al.  Elliptic Curve Cryptography (ecc) Brainpool Standard Curves and Curve Generation , 2010 .

[11]  Tanja Lange,et al.  Curve41417: Karatsuba revisited , 2014, IACR Cryptol. ePrint Arch..

[12]  Daniel J. Bernstein,et al.  Elligator: elliptic-curve points indistinguishable from uniform random strings , 2013, IACR Cryptol. ePrint Arch..

[13]  Michael Hamburg,et al.  Decaf: Eliminating Cofactors Through Point Compression , 2015, CRYPTO.

[14]  Ed Dawson,et al.  Twisted Edwards Curves Revisited , 2008, IACR Cryptol. ePrint Arch..

[15]  Michael Hamburg,et al.  Fast and compact elliptic-curve cryptography , 2012, IACR Cryptol. ePrint Arch..

[16]  Craig Costello,et al.  Selecting elliptic curves for cryptography: an efficiency and security analysis , 2016, Journal of Cryptographic Engineering.

[17]  Tanja Lange,et al.  Twisted Edwards Curves , 2008, AFRICACRYPT.