[go: up one dir, main page]

Paper 2015/625

Ed448-Goldilocks, a new elliptic curve

Mike Hamburg

Abstract

Many papers have proposed elliptic curves which are faster and easier to implement than the NIST prime-order curves. Most of these curves have had fields of size around $2^256$, and thus security estimates of around 128 bits. Recently there has been interest in a stronger curve, prompting designs such as Curve41417 and Microsoft’s pseudo-Mersenne-prime curves. Here I report on the design of another strong curve, called Ed448-Goldilocks. Implementations of this curve can perform very well for its security level on many architectures. As of this writing, this curve is favored by IRTF CFRG for inclusion in future versions of TLS along with Curve25519.

Note: Fixed an error. I originally gave a base point which had order 2q. This revision rotates the base point by 180˚ so that it has prime order q.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Published elsewhere. NIST ECC Workshop 2015
Keywords
Elliptic curvesEdwards curvesimplementations
Contact author(s)
mike @ shiftleft org
History
2015-06-30: revised
2015-06-30: received
See all versions
Short URL
https://ia.cr/2015/625
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2015/625,
      author = {Mike Hamburg},
      title = {Ed448-Goldilocks, a new elliptic curve},
      howpublished = {Cryptology {ePrint} Archive, Paper 2015/625},
      year = {2015},
      url = {https://eprint.iacr.org/2015/625}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.