Hello,
Folks interested in a legacy-level high-efficiency curve targeting the
~94 bit security level might like to have a look at Curve19119 and it's
associated DH protocol X19119. Curve19119 and X19119 originally have
been developed for use with our variant of the PAKE protocol PACE. We
developed Curve19119 in order to get better responsiveness in our PAKE
protocol implementation in an explosion protected setting with severe
power constraints. Originally we did fear that Curve25519 might be too
slow. A preprint of our CHES2017 paper giving the curve parameters and
the derivation process (as a side-aspect of the optimization for PACE)
is available at
"*Making Password Authenticated Key Exchange Suitable For
Resource-Constrained Industrial Control Devices"*
https://eprint.iacr.org/2017/562
We observe a speedup factor of roughly 1.9 in comparison to our X25519
implementation on a Cortex M0+ microcontroller.
Yours,
Björn
_______________________________________________
Curves mailing list
Curves@moderncrypto.org
https://moderncrypto.org/mailman/listinfo/curves
