Journal of Cryptographic Engineering

, Volume 6, Issue 4, pp 259–286

Selecting elliptic curves for cryptography: an efficiency and security analysis

  • Joppe W. Bos
  • Craig Costello
  • Patrick Longa
  • Michael Naehrig
Regular Paper

DOI: 10.1007/s13389-015-0097-y

Cite this article as:
Bos, J.W., Costello, C., Longa, P. et al. J Cryptogr Eng (2016) 6: 259. doi:10.1007/s13389-015-0097-y

Abstract

We select a set of elliptic curves for cryptography and analyze our selection from a performance and security perspective. This analysis complements recent curve proposals that suggest (twisted) Edwards curves by also considering the Weierstrass model. Working with both Montgomery-friendly and pseudo-Mersenne primes allows us to consider more possibilities which help to improve the overall efficiency of base field arithmetic. Our Weierstrass curves are backwards compatible with current implementations of prime order NIST curves, while providing improved efficiency and stronger security properties. We choose algorithms and explicit formulas to demonstrate that our curves support constant-time, exception-free scalar multiplications, thereby offering high practical security in cryptographic applications. Our implementation shows that variable-base scalar multiplication on the new Weierstrass curves at the 128-bit security level is about 1.4 times faster than the recent implementation record on the corresponding NIST curve. For practitioners who are willing to use a different curve model and sacrifice a few bits of security, we present a collection of twisted Edwards curves with particularly efficient arithmetic that are up to 1.42, 1.26 and 1.24 times faster than the new Weierstrass curves at the 128-, 192- and 256-bit security levels, respectively. Finally, we discuss how these curves behave in a real-world protocol by considering different scalar multiplication scenarios in the transport layer security protocol. The proposed curves and the results of the analysis are intended to contribute to the recent efforts towards recommending new elliptic curves for Internet standards.

Keywords

Elliptic curves Weierstrass form Twisted Edwards form Secure scalar multiplication Constant-time execution  Transport layer security (TLS) protocol 

Copyright information

© Springer-Verlag Berlin Heidelberg 2015

Authors and Affiliations

  • Joppe W. Bos
    • 1
  • Craig Costello
    • 2
  • Patrick Longa
    • 2
  • Michael Naehrig
    • 2
  1. 1.NXP SemiconductorsLeuvenBelgium
  2. 2.Microsoft ResearchRedmondUSA

Personalised recommendations