Selecting Elliptic Curves for Cryptography: an Efficiency And

Selecting Elliptic Curves for Cryptography: an Efficiency And

Noname manuscript No. (will be inserted by the editor) and 1:24 times faster than the new Weierstrass curves at the 128-, 192- and 256-bit security levels, respectively. Finally, we discuss how these curves behave in a real- world protocol by considering different scalar multipli- cation scenarios in the transport layer security (TLS) Selecting Elliptic Curves for protocol. The proposed curves and the results of the Cryptography: An Efficiency analysis are intended to contribute to the recent efforts towards recommending new elliptic curves for Internet and Security Analysis standards. Joppe W. Bos · Craig Keywords Elliptic curves, Weierstrass form, twisted Costello · Patrick Edwards form, secure scalar multiplication, constant- Longa · Michael time execution, transport layer security (TLS) protocol. Naehrig Received: date / Accepted: date 1 Introduction The first release of a cryptographic standard specify- Abstract We select a set of elliptic curves for cryp- ing elliptic curves for use in practice dates back to tography and analyze our selection from a performance 2000 [21]. Nowadays, roughly one out of ten systems and security perspective. This analysis complements re- on the publicly observable Internet offers cipher suites cent curve proposals that suggest (twisted) Edwards in the Secure Shell (SSH) and Transport Layer Security curves by also considering the Weierstrass model. Work- (TLS) protocols that contain elliptic-curve-based cryp- ing with both Montgomery-friendly and pseudo-Merse- tographic algorithms [16]. Most elliptic curve standards nne primes allows us to consider more possibilities which recommend curves for different perceived security lev- help to improve the overall efficiency of base field arith- els that are either defined over prime fields or binary metic. Our Weierstrass curves are backwards compati- extension fields; on the Internet, however, the deployed ble with current implementations of prime order NIST curves are mostly defined over prime fields [16]. This curves, while providing improved efficiency and stronger can be partially explained by the increasing skepticism security properties. We choose algorithms and explicit towards the security of elliptic curves defined over bi- formulas to demonstrate that our curves support cons- nary extension fields (justified by recent progress on tant-time, exception-free scalar multiplications, thereby solving the discrete logarithm problem on such curves offering high practical security in cryptographic appli- [26]). Therefore, in this work, we only consider elliptic cations. Our implementation shows that variable-base curves defined over prime fields. scalar multiplication on the new Weierstrass curves at Recently, part of the cryptographic community has the 128-bit security level is about 1:4 times faster than been looking for alternatives to the currently deployed the recent implementation record on the corresponding elliptic curves that may offer better performance and NIST curve. For practitioners who are willing to use a provide stronger overall security (see for example an different curve model and sacrifice a few bits of security, evaluation of recent curve candidates in [12]). Most no- we present a collection of twisted Edwards curves with tably, the TLS working group has issued a formal re- particularly efficient arithmetic that are up to 1:42, 1:26 quest to the Crypto Forum Research Group (CFRG) asking for recommendations for new elliptic curves. The Joppe W. Bos urge to change curves has been fueled by the recently NXP Semiconductors, Leuven, Belgium leaked NSA documents, which suggest the existence of E-mail: [email protected] a back door in the Dual Elliptic Curve Deterministic Craig Costello · Patrick Longa · Michael Naehrig Random Bit Generator [56]. Although cryptographers Microsoft Research, Redmond, USA have suspected this at least as early as in 2007 [53], Craig Costello these recent revelations have accelerated a controversy E-mail: [email protected] on whether the widely deployed NIST curves [58] should Patrick Longa be replaced by curves with a verifiably deterministic E-mail: [email protected] generation. Besides such security concerns, there has Michael Naehrig been significant progress related to both efficiency and E-mail: [email protected] security since the initial standardization of elliptic curve 2 Joppe W. Bos et al. cryptography. Notable examples are algorithms protected posal projects (either because they are overlooked or do against certain side-channel attacks, different “special” not fit the requirements set by the project). Our goal prime shapes which allow faster modular arithmetic, is to rigorously analyze all of these different aspects and a larger set of curve models from which to choose. from both a security and efficiency perspective, in hope For example, in 2007, Edwards [25] discovered an in- that this paper helps practitioners better understand teresting normal form for elliptic curves, now called (and correctly implement) the choices that lie in front the Edwards model, which was introduced to crypto- of them. Abandoning a set of standard curves demands graphic applications by Bernstein and Lange [11]. A a judicious selection of new curves, since this cannot be generalization of this curve model, known as the twisted done too frequently if widespread adoption is desired. Edwards model [7], facilitates the most efficient curve In that light, it is our opinion that one should consider arithmetic [35]. Such (twisted) Edwards curves also have all of the options available. For example, in contrast other attractive properties: they may be selected to sup- to [12,3], our selection includes prime order Weierstrass port a complete addition law and are compatible with curves. Just as the almost-prime order twisted Edwards the Montgomery model, which supports efficient Mont- curves have their practical advantages, we argue that gomery ladder computations [47]. However, twisted Ed- there are also benefits to choosing prime order Weier- wards curves cannot have a prime number of rational strass curves: the absence of small torsion simplifies the points over the base field, and they are therefore incom- point/input validation process, and (over a prime field patible with the prime-order Weierstrass curves used in of fixed length) does not sacrifice any bits of security all of the current cryptographic standards [21,48,58]. with respect to attacks on the underlying elliptic curve discrete logarithm problem (ECDLP). In addition, such Related Work. The NIST curves [58] have been in- curves are backwards compatible with current imple- cluded in numerous standards (e.g. [21,48]) and are mentations supporting NIST curves over prime fields deployed in many security protocols. The most recent (i.e., no changes are required in protocols), and could speed record on the NIST curve which aims to provide be integrated into existing implementations by simply 128-bit security is due to Gueron and Krasnov [31]. changing the curve constant and (in some cases) field Alternatives to the NIST curves have been suggested arithmetic1. by the German working group Brainpool [24]; their We investigate the selection of prime moduli that curve choices followed additional security requirements, allow efficient modular arithmetic. As in [5,35,42,15, one of which demands verifiably pseudo-random curve 12,3], we study pseudo-Mersenne primes of the form generation. Another alternative curve has been pro- 2α − γ, but also primes of the form 2α(2β − γ) − 1 that posed by Bernstein [5]; this is a Montgomery curve, can be used to accelerate Montgomery arithmetic [46] called Curve25519, which allows efficient computation as used in [32,15]. Following the deterministic selec- of ECDH using the Montgomery ladder at the 128-bit tion requirement from [12], we pick two primes of each security level. It was later shown by Bernstein et al. [9] shape for a given targeted security level: one prime is that a twisted Edwards curve, birationally equivalent to selected to be slightly smaller than the other, which Curve25519, can be used for efficient elliptic curve sig- sacrifices a small amount of ECDLP security in favor of nature generation and verification. Recently, Bernstein enhanced performance. Note that, as explained in Sec- and Lange started a project to select and analyze se- tion 2, for practical considerations we require all primes cure elliptic curves for use in cryptography: see [12] for to be congruent to 3 modulo 4. These primes are used to a list of the security assessments the project performs construct cryptographically suitable curves focusing on and the requirements it imposes. A range of curves, tar- (arguably) the two most relevant curve models: short geting different security levels, is also presented in [12]. Weierstrass curves with the curve parameter a set to Following this, several new curves satisfying the require- −3 and twisted Edwards curves with the curve param- ments from [12], which facilitate both the twisted Ed- eter a set to −1. The prime order Weierstrass curves wards and Montgomery form, were proposed by Aranha give full ECDLP security over prime fields of a fixed et al. [3]. bitlength, while offering good practical performance. On the other hand, the twisted Edwards curves sacrifice Motivation and Rationale. The new curves presented a small amount of ECDLP security but facilitate the in [12,3] are all efficient and secure elliptic curves ready fastest realization of curve arithmetic [35]. Both types to be used in cryptography. This prompts the question of curves are selected in a deterministic fashion (see Sec- as to why we should perform an efficiency and secu- rity analysis for a set of new curves. It is our opinion 1 Cryptographic libraries with support for generic-prime that not all options for prime fields and elliptic curve field arithmetic (e.g., using Montgomery arithmetic) are fully models have been considered in the recent curve pro- compatible with the proposed curves. Selecting Elliptic Curves for Cryptography: An Efficiency and Security Analysis 3 tion 3 for the full details) and offer twist-security [5], a friendly primes whose bitlengths match those of the property which is useful in certain scenarios.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    29 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us