Incryptography,Curve448 orCurve448-Goldilocks is anelliptic curve potentially offering 224 bits of security and designed for use with theelliptic-curve Diffie–Hellman (ECDH) key agreement scheme.

Developed by Mike Hamburg ofRambus Cryptography Research, Curve448 allows fast performance compared with other proposed curves with comparable security.^[1] Thereference implementation is available under anMIT license.^[2] The curve was favored by theInternet Research Task Force Crypto Forum Research Group (IRTF CFRG) for inclusion inTransport Layer Security (TLS) standards along withCurve25519.

In 2017, NIST announced that Curve25519 and Curve448 would be added to "Special Publication 800-186", which specifies approvedelliptic curves for use by theUS Federal Government,^[3] and in 2023 it was approved for use in FIPS 186-5.^[4] Both are described inRFC 7748. The nameX448 is used for the DH function. X448 support was added toOpenSSL in version 1.1.1 (released on 11 September 2018).^[5]

Hamburg chose theSolinas trinomial prime basep = 2⁴⁴⁸ − 2²²⁴ − 1, calling it a "Goldilocks" prime "because its form defines the golden ratioφ ≡ 2²²⁴". The main advantage of agolden-ratio prime is fastKaratsuba multiplication.^[6]

The curve Hamburg used is an untwistedEdwards curveE_d:y² +x² = 1 − 39081x²y². The constantd = −39081 was chosen as the smallest absolute value that had the required mathematical properties, thus anothing-up-my-sleeve number.

Curve448 is constructed such that it avoids many potentialimplementation pitfalls.^[7]

• Poly1305

• Elliptic curves

• Articles with short description
• Short description matches Wikidata