Selecting Elliptic Curves for Cryptography: An E ciency and Security Analysis

We select a set of elliptic curves for cryptography and analyze our selection from a performance and security perspective. This analysis complements recent curve proposals that suggest (twisted) Edwards curves by also considering the Weierstrass model. Working with both Montgomery-friendly and pseudo-Mersenne primes allows us to consider more possibilities which improves the overall e ciency of base eld arithmetic. Our Weierstrass curves are backwards compatible with current implementations of prime order NIST curves, while providing improved e ciency and stronger security properties. We choose algorithms and explicit formulas to demonstrate that our curves support constant-time, exception-free scalar multiplications, thereby o ering high practical security in cryptographic applications. Our implementation shows that variable-base scalar multiplication on the new Weierstrass curves at the 128-bit security level is about 1.4 times faster than the recent implementation record on the corresponding NIST curve. For practitioners who are willing to use a di erent curve model and sacri ce a few bits of security, we present a collection of twisted Edwards curves with particularly e cient arithmetic that are up to 1.43, 1.26 and 1.24 times faster than the new Weierstrass curves at the 128-, 192and 256-bit security levels, respectively. Finally, we discuss how these curves behave in a real world protocol by considering di erent scalar multiplication scenarios in the transport layer security (TLS) protocol.