In this study, the authors introduce new Montgomery and Edwards form elliptic curves targeted at the 256-bit security level. To this end, they work with three primes, namely , and . While has been considered earlier in the literature, and are new. They define a pair of birationally equivalent Montgomery and Edwards form curves over all the three primes. Efficient 64-bit assembly implementations targeted at Skylake and later generation Intel processors have been made for the shared secret computation phase of the Diffie-Hellman key agreement protocol for the new Montgomery curves. Curve448 of the Transport Layer Security, Version 1.3 is a Montgomery curve which provides security at the 224-bit security level. Compared to the best publicly available 64-bit implementation of Curve448, the new Montgomery curve over leads to a 3–4% slowdown and the new Montgomery curve over leads to a 4.5–5% slowdown; on the other hand, 29 and 30.5 extra bits of security, respectively, are gained. For designers aiming for the 256-bit security level, the new curves over and provide an acceptable trade-off between security and efficiency.

中文翻译：

---

256位安全级别的有效椭圆曲线Diffie-Hellman计算

在这项研究中，作者介绍了针对256位安全级别的新蒙哥马利和爱德华兹形式的椭圆曲线。为此，他们使用三个素数，即 ， 和 。而 在文献中已经被考虑过了 和 是新的。他们在所有三个素数上定义了一对双等价的蒙哥马利和爱德华兹形式曲线。针对新蒙哥马利曲线的Diffie-Hellman密钥协商协议的共享秘密计算阶段，已经针对Skylake和下一代Intel处理器进行了有效的64位汇编实现。1.3版“传输层安全性”的Curve448是蒙哥马利曲线，可在224位安全级别提供安全性。与Curve448最好的公开可用64位实现相比，新的Montgomery曲线 导致速度降低3-4％，新的蒙哥马利曲线 导致速度降低4.5–5％；另一方面，分别获得了29和30.5个额外的安全位。对于以256位安全级别为目标的设计人员，新曲线 和 在安全性和效率之间提供可接受的权衡。