Reduction Modulo 2^{448}-2^{224}-1


Goldilocks prime
modulo reduction
elliptic curve cryptography
Diffie-Hellman key agreement

How to Cite

Nath, K., & Sarkar, P. (2021). Reduction Modulo 2^{448}-2^{224}-1. Mathematical Cryptology, (1), 8–21. Retrieved from


An elliptic curve known as Curve448 defined over the finite field $\mathbb{F}_p$, where $p=2^{448}-2^{224}-1$, has been proposed as part of
the Transport Layer Security (TLS) protocol, version 1.3. Elements of $\mathbb{F}_p$ can be represented using 7 limbs where each limb is a 64-bit
quantity. This paper describes efficient algorithms for reduction modulo $p$ that are required for performing field arithmetic in $\mathbb{F}_p$
using 7-limb representation. A key feature of our work is that we provide the relevant proofs of correctness of the algorithms.
We also report efficient 64-bit assembly implementations for key generation and shared secret computation of the Diffie-Hellman key agreement
protocol on Curve448. Timings results on the Haswell and Skylake processors demonstrate that the new 64-bit implementations for computing the
shared secret are faster than the previously best known 64-bit implementations.


It is the authors' responsibility that all submitted material, including supplementary files, can be made publicly accessible.