Mike Hamburg

Ed448-Goldilocks

This project page is here to host an implementation of cryptography using the Ed448-Goldilocks elliptic curve. This curve is part of the SafeCurves project. The library also supports Ed25519.

The curve

Ed448-Goldilocks is the elliptic curve:

$x^2 + y^2 \equiv 1 - 39081\,x^2 y^2 \pmod{2^{448} - 2^{224} - 1}$

This is a 448-bit Edwards curve with a 223-bit conjectured security level. It is designed for Spinal Tap grade security. For practical security concerns, you should use the faster and more mature Curve25519 / Ed25519 software, or similar. Curve25519's 126-bit security level is strong enough that it will take a huge mathematical breakthrough or a quantum computer to crack it. A quantum computer would break every elliptic curve, and who knows what a mathematical breakthrough would do?

Goldilocks is a good choice for systems which are intentionally over-engineered. That said, it is also designed to be as fast as possible for its security level: it is much faster than currently-deployed implementations of the weaker NIST P-256 curve, and slower than Curve25519 / Ed25519 by a factor of about 3.5x.

The encoding

Libdecaf supports the Ristretto encoding internally. The main goal of this encoding is to remove the cofactor from the elliptic curve group: the Edwards group on Goldilocks has order 4q (8q for Ed25519) with q prime, and the small-order part is the cofactor. Cofactors are fine if you treat them with caution, but if you aren't careful they can cause security problems. Ristretto removes the cofactor, so it takes away one of the sharp edges of cryptography using Edwards curves.

Ristretto is an evolution of the Decaf encoding.

The most common uses of Ed25519 and Ed448-Goldilocks are X25519/X448 key exchange and EdDSA signatures, which use different encodings for elliptic curve points. Libdecaf supports those encodings as well, and contains fast implementations of X25519, X448 and EdDSA.
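To make the cofactor "sharp edge" concrete, here is an added example (not code from libdecaf or from this project) that does affine arithmetic on the Goldilocks curve itself, using only the curve equation and field prime given above. It builds a public key, adds a point of order 4 to it, and shows that a scalar which is a multiple of the cofactor (what X448-style clamping guarantees) derives the same shared secret from both points even though they are different points and would encode differently, while a scalar that is not cofactor-cleared does not. The `same_coset` check is the equality relation that Decaf/Ristretto realize (points differing by a small-order element are the same group element); it is not their actual encoding. The starting point, the scalar, and all function names are constructed for the demo, and the double-and-add is variable-time, so none of this is for real keys.

```python
# Added example, not code from the Goldilocks/libdecaf library.  Affine arithmetic on
# Ed448-Goldilocks, x^2 + y^2 = 1 - 39081 x^2 y^2 over GF(2^448 - 2^224 - 1), written to
# show the cofactor "sharp edge" that Decaf/Ristretto remove.  Variable-time: demo only.

P = 2**448 - 2**224 - 1          # field prime from the curve equation
D = (-39081) % P                 # Edwards d coefficient; a non-square, so addition is complete
COFACTOR = 4                     # the Goldilocks group has order 4*q with q prime

IDENTITY = (0, 1)                # neutral element of the Edwards group
T2 = (0, P - 1)                  # the unique point of order 2
T4 = (1, 0)                      # a point of order 4 (2*T4 == T2, 4*T4 == IDENTITY)


def add(p1, p2):
    """Edwards addition law: (x1, y1) + (x2, y2)."""
    x1, y1 = p1
    x2, y2 = p2
    dxy = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + y1 * x2) * pow(1 + dxy, -1, P) % P
    y3 = (y1 * y2 - x1 * x2) * pow(1 - dxy, -1, P) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """Left-to-right double-and-add (not constant-time)."""
    acc = IDENTITY
    for bit in bin(k)[2:]:
        acc = add(acc, acc)
        if bit == "1":
            acc = add(acc, pt)
    return acc


def on_curve(pt):
    x, y = pt
    return (x * x + y * y - 1 - D * x * x * y * y) % P == 0


def point_from_y(y):
    """Solve x^2 = (1 - y^2)/(1 - d y^2); p = 3 mod 4, so sqrt(a) = a^((p+1)/4) if a is a square."""
    x2 = (1 - y * y) * pow(1 - D * y * y, -1, P) % P
    x = pow(x2, (P + 1) // 4, P)
    return (x, y) if x * x % P == x2 else None


def same_coset(p1, p2):
    """True when p1 - p2 has small order: the equality Decaf/Ristretto encode, not their encoding."""
    return scalar_mult(COFACTOR, p1) == scalar_mult(COFACTOR, p2)


def cofactor_demo():
    """Constructed scenario: pub and pub + T4 are different points (and would encode differently),
    yet a cofactor-cleared scalar k (a multiple of 4, as X448 clamping produces) derives the same
    shared secret from both, because k*T4 is the identity.  An uncleared scalar does not."""
    y = 2                                   # constructed: first small y that lifts to a curve point
    while (pub := point_from_y(y)) is None:
        y += 1
    assert on_curve(pub)
    pub_twisted = add(pub, T4)              # pub plus a torsion (small-order) component
    k = 0x9D7A4C13B2E8F650 * COFACTOR       # constructed secret scalar, already a multiple of 4
    k_uncleared = k + 1                     # a scalar that has NOT been cleared of the cofactor
    return {
        "points_differ": pub != pub_twisted,
        "cleared_secret_same": scalar_mult(k, pub) == scalar_mult(k, pub_twisted),
        "uncleared_secret_same": scalar_mult(k_uncleared, pub) == scalar_mult(k_uncleared, pub_twisted),
        "ristretto_style_equal": same_coset(pub, pub_twisted),
    }


if __name__ == "__main__":
    print(cofactor_demo())
```

The practical lesson is the one the paragraph above hints at: a protocol that accepts raw Edwards points has to decide, for every comparison and every multiplication, whether a torsion component matters, and a missed case becomes a key-equivalence or signature-malleability bug. An encoding with no cofactor removes that decision from the protocol designer.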

This is cryptographic code which originated in the United States, and so is subject to export control.

I work for Cryptography Research, a division of Rambus. Opinions stated here are my own, and do not necessarily reflect CRI or Rambus policy.

This code is released under MIT license. Its copyright is owned by Cryptography Research, Inc, except for crandom, which is owned by Stanford University. There is no warranty, so use this code at your own risk. Or better yet, don't use it yet, because it's not done yet, and the API and output formats will probably change.

I am not aware of any patents which apply to this work, though the point compression patent is close enough that you might want to read it carefully. Likewise, I do not believe that the fixed-base comb patents apply to my comb, but I'm not a lawyer so don't take my word for it. I'm not planning to file patents on any of the novel components of this work, but I am contractually obligated to help Rambus do so if they want to. That said, most of the novel components are in my paper from 2012, so they are safe.

Thanks

Special thanks to:

  • Robert Ransom, for pointing out the efficient Montgomery ladder on the isomorphic curve.
  • Paulo Barreto, Dan Bernstein, Watson Ladd, Tanja Lange, Mark Marson and Trevor Perrin for their helpful feedback and encouragement.
  • Isis Lovecruft, Henry de Valence, and Tony Arcieri for their collaboration on Ristretto.
  • Ben Jun and Dan Boneh, who approved the code for release.
  • Judy Shie, Jae Kim, Michael Moore and Anne Seymour, who dealt with the legal aspects.
