Skip to main content
Version: CORE v. go-2.1

ED448

Introduction

Since Edwards’ discovery of a new elliptic curve form in 2007, implementors have produced a steady stream of implementations of this form. Edwards curves tend to be easier to implement securely than the previously used curve shapes because they support complete addition formulas. These formulas do not have exceptional cases that would lead to a division by zero. Edwards curves are also faster, and have marginally simpler formulas as well. However, curves in Edwards or twisted Edwards form always have a co-factor divisible by 4, so prime-order curves such as the NIST curves cannot be used in this formula.

Here I detail the design of an Edwards curve with a 448-bit field. I hope that this curve will provide enough security to satisfy conservative users, but still be fast enough for those who are performance-conscious. It would therefore be useful as a more conservative supplement to Curve25519 and Ed25519.

Security rationale

Before going on, it is important to consider why a stronger elliptic curve would be desirable. In particular, why would anyone need a curve stronger than the existing 256-bit-field curves? These curves are said to require about as much work to break as AES-128 (e.g. Curve25519 has work factor W12logq126W \coloneqq \frac 1 2 \log q \approx 126), but in strong attack models they may require more work than AES. Depending on the mode, symmetric encryption may be susceptible to multiple-target attacks, which could allow an attacker to recover the first key of n targets in time approximately 2128/(n+1)2^{128} / (n+1). For elliptic curves, batch attacks do not speed up the recovery of the first key, only the subsequent ones.

What sorts of attacks might break an elliptic curve with a conjectured security level near 128 bits? Here are several possibilities:

  • An attacker could use brute force. This is unlikely to be feasible for several decades at least, but designers might be concerned about it for long-term security.
  • An attacker might build a quantum computer capable of running Shor’s algorithm. This would break every elliptic curve cryptosystem that could fit in that computer’s memory, so a larger curve would not be helpful.
  • A mathematical breakthrough might render all elliptic curve cryptography weak, or at least much weaker than expected. Depending on the breakthrough, a larger curve might resist attack due to its size, or it might fall victim to several smaller ones.
  • A breakthrough might break only curves with special properties, such as complex multiplication or a certain field shape. Or it might break all curves which do not have those properties.
  • A protocol might have a loose security bound, and might allow an attacker to break it with only a tiny fraction of the work of solving the discrete log problem. This might enable an attack on curves that were previously out of reach, but only in that protocol.
  • Security bugs or side channels might compromise an implementation. The defense against this is simplicity, not field size.
  • Security architects might want to over-engineer a system, for marketing or just for extra confidence. Or having already done this, they might want to migrate from the NIST or Brainpool elliptic curves to an Edwards curve, without weak-ening their design.

Some of these issues can be mitigated by using a curve that is slightly bigger, such as Scott’s curve modulo 233632^{336}-3. Others favor a curve that is significantly larger, but it is difficult to evaluate exactly how large. If a significantly larger curve is chosen, the usual work factor estimate means almost nothing, since any attempt to attack such a curve would require a significant breakthrough to render that estimate obsolete.

I decided to design a curve of a “significantly larger” or so-to-say “overkill” level. The currently popular curves in this field include the NIST and Brainpool curves at 384, 512 and 521 bits, so I aimed for something in this range. Since it is always possible to use a larger curve at the cost of worse performance, I aimed to find the best trade-off between performance and field size.

Field choice

Having settled the curve shape and generation method, the remaining major choice is the field. Following Safecurves, I used a prime-order field. That leaves at least six families of desirable primes:

  • Random primes
  • Mersenne primes
  • Crandall primes (2kc)(2^k-c)
  • Special Montgomery primes (2kc1)(2^kc-1)
  • Granger-Moss primes (Φn(k))(\Phi_n(k))
  • Solinas primes (2k2l±±1)(2^k-2^l \pm \dotsm \pm 1)

The Goldilocks prime

2448222412^{448} - 2^{224} - 1

I chose the Solinas trinomial prime p244822241p \coloneqq 2^{448} - 2^{224} - 1. I call this the “Goldilocks” prime because its form defines the golden ratio ϕ2224\phi \equiv 2^{224}. Because 224=327=288=564224 = 32 \cdot 7 = 28 \cdot 8 = 56 \cdot 4 , this prime supports fast arithmetic in radix 2282^{28} or 2322^{32} (on 32-bit machines) or 2562^{56} (on 64- bit machines). With 16, 28-bit limbs it works well on vector units such as NEON. Furthermore, radix264radix-2^{64} implementations are possible with greater efficiency than most of the NIST primes.

Karatsuba The main advantage of a golden-ratio prime is fast Karatsuba multiplication. Let ϕ=2224\phi = 2^{224} as above. Then:

(a+bϕ)(c+dϕ)(a+b \phi) \cdot (c+d \phi)

=ac+(ad+bc)ϕ+bdϕ2= ac + (ad + bc) \phi + bd \phi^2

(ac+bd)+(ad+bc+bd)ϕ   (mod p)\equiv (ac + bd) + (ad + bc + bd) \phi \space \space \space (\bmod \space p)

=(ac+bd)+((a+b)(c+d)ac)ϕ= (ac + bd) + ((a+b)(c+d)-ac) \phi

Curve coefficients

I chose an untwisted Edwards curve, i.e. one of the form

Ed:y2+x2=1+dx2y2E_d: y^2+x^2=1+dx^2y^2

To demonstrate that there is nothing up my sleeve, I chose the lower root of dd possible in the absolute value so that the EdE_d and its twist both have 4prime4 \cdot prime order, and so that the order of the curve is less than pp . This last restriction was for ease of implementation, but it doesn’t matter because the lower root of dd already gives a curve of order less than pp.

The Goldilocks dd is 39081−39081. The resulting curve satisfies the other Safecurves criteria, as shown on safecurves.cr.yp.to. In particular, because dd is not square in Z/pZZ / pZ , the strongly unified Edwards point addition formulas apply.

Implementation

Key generation

The key generation algorithm uses the signed all-bits-set combs algorithm. On 64-bit platforms it uses 15kiB of tables (5 comb tables, 5 teeth per comb, 3 coordinates per point, expanded to 32 bytes per coordinate). On 32-bit platforms it instead uses 12kiB of tables (8 combs, 4 teeth per comb).

Signing

The signature algorithm produces Schnorr signatures. It uses the same combset as the key generation algorithm.

Verification

The verification algorithm runs in variable time, using wNAF and a 6kiB precomputed table with multiples of the generator. Verification can in principle be batched, but I haven’t tested this.

ECDH

ECDH uses the Montgomery ladder, which is marginally faster than an Edwards scalar multiplication because it doesn’t need to decompress the input point. The Montgomery ladder is enhanced to preserve sign information and to reject points on the twist, even though it is believed to be safe to allow them. It is therefore a drop-in replacement for an Edwards scalar multiplication.

by Mike Hamburg (Ed448-Goldilocks)