Next generation cipher suite

Remco Bloemen

http://ed448goldilocks.sourceforge.net/

For our 256-bit security level we should have 384–512 bit ECC

Curve        Complexity  Security  Performance  Key size
Curve25519   310 loc     252 bit   161648       32 bytes
Ed25519      1571 loc    252 bit   -            -
M-383        -           380 bit   -            -
NIST P-384   -           384 bit   -            -
Curve41417   -           411 bit   -            -
Ed448        -           446 bit   532056       56 bytes
M-511        -           508 bit   -            -
E-521        -           519 bit   -            -
NTRU         -           -         -            -

Cortex NEON: 578976 curve25519, 769225 ed448goldilocks

The NIST curve is widely available but has downsides:

http://cr.yp.to/ecdh/curve41417-20140706.pdf

http://safecurves.cr.yp.to/

2013.08: Silent Circle requests non-NIST curve at higher security level. Bernstein–Lange: Curve41417. Now Silent Circle’s default. Bernstein–Lange, independently Hamburg, independently Aranha–Barreto–Pereira–Ricardini: E-521.

https://eprint.iacr.org/2013/647.pdf

https://github.com/NWilson/ed448-goldilocks