# Next generation cipher suite

http://ed448goldilocks.sourceforge.net/

For our 256 bit security level we should have 384—512 bit ECC

Curve | Complexity | Security | Performance | Key size |
---|---|---|---|---|

Curve25519 | 310 loc | 252 bit | 161648 | 32 bytes |

Ed25519 | 1571 loc | 252 bit | ||

M-383 | 380 bit | |||

NIST P-384 | 384 bit | |||

Curve41417 | 411 bit | |||

Ed448 | 446 bit | 532056 | 56 bytes | |

M-511 | 508 bit | |||

E-521 | 519 bit | |||

NTRU |

Cortext NEON: 578976 curve25519 769225 ed448goldilocks

The NIST curve is widely available but has downsides:

- Coefficients generated by hashing the unexplained seed a335926a a319a27a 1d00896a 6773a482 7acdac73. This theoretically allows a backdoor to be installed.
- Requires short-Weierstrass scalar-multiplication instead of Montgomery ladder. Weierstrass multiplication is usually not constant-time and vulnerable to side-channel attacks.
- The addition law is incomplete. If exceptional cases are not handled security can be compromised.
- Public keys are distinguishable from uniform random bit-strings. This makes censored protocols difficult.

http://cr.yp.to/ecdh/curve41417-20140706.pdf

http://safecurves.cr.yp.to/

15 2013.08: Silent Circle requests non-NIST curve at higher security level. Bernstein{Lange: Curve41417. Now Silent Circle’s default. Bernstein{Lange, independently Hamburg, independently Aranha{ Barreto{Pereira{Ricardini: E-521.

https://eprint.iacr.org/2013/647.pdf

https://github.com/NWilson/ed448-goldilocks