This One Goes to 414

In my previous post about cipher suites, I said that we were going to get a new elliptic curve for Silent Circle systems to use. Dan and Tanja have completed their work on our new curve and published details on their SafeCurves website. They call the curve Curve3617 and all the parameters are on the SafeCurves site.

It is a 414-bit curve, in a field that is modulo the prime number 2414 – 17.

It has a beautifully simple equation in the above field, x2 + y2 = 1 + 3617x2 y2

Dan’s notes to me say:

• This is a complete Edwards curve, so the Edwards addition formulas work for all inputs; this is our recommended way to handle double-scalar multiplication. For single-scalar multiplication we recommend the Montgomery formulas on the equivalent Montgomery curves; these also work for all inputs.

• The curve has 8*prime order, so small-subgroup attacks reveal at most the scalar mod 8. We recommend choosing 414-bit scalars whose bottom 3 bits are 0. (Replacing 3617 with a 6-digit number would allow 8 to be replaced by 4, but this is a negligible security benefit, while on some platforms 3617 is noticeably faster.)

• The twist curve also has 8*prime order, so twist attacks reveal at most the scalar mod 8. There’s no need to validate curve points.

• The rho method costs 2205.3 to break ECDLP on this curve.

• The embedding degree of the curve is maximum possible, l – 1. (Embedding degrees above 100 are already overkill.)

• The CM field discriminant of the curve has prime factors 3607, 26662209338045324627822402579758961857427012457827101, and 254723693668765069288156859027433499782242697184918145687475956144269. (Discriminants above 250 are already overkill.)

• Compared to NIST P–384, this is 13 32-bit words instead of 12, which
should give a slowdown between 10% and 25% depending on the platform —
but this will be outweighed by the extra efficiency of the prime (as in
Adam Langley’s notes) and the extra efficiency of the curve shape. It also provides a Spinal Tap level of security.

I’m pleased that while some people boast “military grade” security, we can boast “Spinal Tap grade” security, as vouched for by Dan Bernstein.

We’re working on an implementation that we’ll make completely open, and would love to work with anyone who wants to do an independent implementation for testing and verification. Drop me an email if you’re interested in helping.