A Family of Lightweight Twisted Edwards Curves for the Internet of Things

摘要

We introduce a set of four twisted Edwards curves that satisfy common security requirements and allow for fast implementations of scalar multiplication on 8, 16, and 32-bit processors. Our curves are defined by an equation of the form -x~2 + y~2 = 1 + dx~2y~2 over a prime field F_p, where d is a small non-square modulo p. The underlying prime fields are based on "pseudo-Mersenne" primes given by p = 2~k - c and have in common that p ≡ 5 mod 8, k is a multiple of 32 minus 1, and c is at most eight bits long. Due to these common features, our primes facilitate a parameterized implementation of the low-level arithmetic so that one and the same arithmetic function is able to process operands of different length. Each of the twisted Edwards curves we introduce in this paper is birationally equivalent to a Montgomery curve of the form -(A + 2)y~2 = x~3 + Ax~2 + x where 4/(A + 2) is small. Even though this contrasts with the usual practice of choosing A such that (A + 2)/4 is small, we show that the Montgomery form of our curves allows for an equally efficient implementation of point doubling as Curve25519. The four curves we put forward roughly match the common security levels of 80, 96, 112 and 128 bits. In addition, their Weierstrass representations are isomorphic to curves of the form y~2 = x~3 - 3x + b so as to facilitate inter-operability with TinyECC and other legacy software.