Menu
Home
People
Places
Arts
History
Plants & Animals
Science
Life & Culture
Technology
Reference.org
Curve25519
open-in-new
<h2 id="mathematical-properties">Mathematical properties</h2> <p>The curve used is y 2 = x 3 + 486662 x 2 + x {\displaystyle y^{2}=x^{3}+486662x^{2}+x} , a <a href="/facts/Montgomery_curve/YQWgbzVp">Montgomery curve</a>, over the <a href="/facts/Prime_field/D2VzcQaG">prime field</a> defined by the <a href="/facts/Prime_number/L20FLkgn">prime number</a> 2 255 − 19 {\displaystyle 2^{255}-19} (hence the numeric "25519" in the name), and it uses the base point x = 9 {\displaystyle x=9} . This point generates a cyclic subgroup whose <a href="/facts/Order_(group_theory)/Cl3tKGFg">order</a> is the prime 2 252 + 27742317777372353535851937790883648493 {\displaystyle 2^{252}+27742317777372353535851937790883648493} . This subgroup has a co-factor of 8, meaning the number of elements in the subgroup is 1/8 that of the elliptic curve group. Using a prime order subgroup prevents mounting a <a href="/facts/Pohlig%E2%80%93Hellman_algorithm/f6jBHbbS">Pohlig–Hellman algorithm</a> attack.<a class="footnote-ref" id="fnref:5" href="#fn:5"><sup>5</sup></a> </p><p>The protocol uses compressed elliptic point (only <i>X</i> coordinates), so it allows efficient use of the <a href="/facts/Montgomery_ladder/W2CdAypD">Montgomery ladder</a> for <a href="/facts/Elliptic_curve_Diffie%E2%80%93Hellman/zy3IJCeK">ECDH</a>, using only <i>XZ</i> coordinates.<a class="footnote-ref" id="fnref:6" href="#fn:6"><sup>6</sup></a> </p><p>Curve25519 is constructed such that it avoids many potential implementation pitfalls.<a class="footnote-ref" id="fnref:7" href="#fn:7"><sup>7</sup></a> </p><p>The curve is <a href="/facts/Birational_geometry/hsWqRhJ1">birationally equivalent</a> to a <a href="/facts/Twisted_Edwards_curve/mz1EMMNL">twisted Edwards curve</a> used in the <a href="/facts/Ed25519/IbTRBhK3">Ed25519</a><a class="footnote-ref" id="fnref:8" href="#fn:8"><sup>8</sup></a><a class="footnote-ref" id="fnref:9" href="#fn:9"><sup>9</sup></a> signature scheme.<a class="footnote-ref" id="fnref:10" href="#fn:10"><sup>10</sup></a> </p> <h2 id="history">History</h2> <p>In 2005, Curve25519 was first released by <a href="/facts/Daniel_J._Bernstein/KQLuMRTx">Daniel J. Bernstein</a>.<a class="footnote-ref" id="fnref:11" href="#fn:11"><sup>11</sup></a> </p><p>In 2013, interest began to increase considerably when it was discovered that the <a href="/facts/NSA/Sg6MGV1o">NSA</a> had potentially implemented a <a href="/facts/Backdoor_(computing)/4Vry8CKE">backdoor</a> into the P-256 curve based <a href="/facts/Dual_EC_DRBG/k6XxwA0S">Dual_EC_DRBG</a> algorithm.<a class="footnote-ref" id="fnref:12" href="#fn:12"><sup>12</sup></a> While not directly related,<a class="footnote-ref" id="fnref:13" href="#fn:13"><sup>13</sup></a> suspicious aspects of the NIST's P curve constants<a class="footnote-ref" id="fnref:14" href="#fn:14"><sup>14</sup></a> led to concerns<a class="footnote-ref" id="fnref:15" href="#fn:15"><sup>15</sup></a> that the NSA had chosen values that gave them an advantage in breaking the encryption.<a class="footnote-ref" id="fnref:16" href="#fn:16"><sup>16</sup></a><a class="footnote-ref" id="fnref:17" href="#fn:17"><sup>17</sup></a> </p> <blockquote><p>"I no longer trust the constants. I believe the NSA has manipulated them through their relationships with industry." </p>— <a href="/facts/Bruce_Schneier/kWxPFPmQ">Bruce Schneier</a>, The NSA Is Breaking Most Encryption on the Internet (2013)</blockquote> <p>Since 2013, Curve25519 has become the <i><a href="/facts/De_facto/3Du6WQKh">de facto</a></i> alternative to P-256, being used in a wide variety of applications.<a class="footnote-ref" id="fnref:18" href="#fn:18"><sup>18</sup></a> Starting in 2014, <a href="/facts/OpenSSH/2qxJ3Fe7">OpenSSH</a><a class="footnote-ref" id="fnref:19" href="#fn:19"><sup>19</sup></a> defaults to Curve25519-based <a href="/facts/ECDH/zy3IJCeK">ECDH</a> and <a href="/facts/GnuPG/EqmGmx7V">GnuPG</a> adds support for <a href="/facts/Ed25519/IbTRBhK3">Ed25519</a> keys for signing and encryption.<a class="footnote-ref" id="fnref:20" href="#fn:20"><sup>20</sup></a> The use of the curve was eventually standardized for both key exchange and signature in 2020.<a class="footnote-ref" id="fnref:21" href="#fn:21"><sup>21</sup></a><a class="footnote-ref" id="fnref:22" href="#fn:22"><sup>22</sup></a> </p><p>In 2017, NIST announced that Curve25519 and <a href="/facts/Curve448/gsN24bb9">Curve448</a> would be added to Special Publication 800-186, which specifies approved elliptic curves for use by the US Federal Government.<a class="footnote-ref" id="fnref:23" href="#fn:23"><sup>23</sup></a> Both are described in RFC 7748.<a class="footnote-ref" id="fnref:24" href="#fn:24"><sup>24</sup></a> A 2019 draft of "FIPS 186-5" notes the intention to allow usage of <a href="/facts/Ed25519/IbTRBhK3">Ed25519</a><a class="footnote-ref" id="fnref:25" href="#fn:25"><sup>25</sup></a> for digital signatures. The 2023 update of Special Publication 800-186 allows usage of Curve25519.<a class="footnote-ref" id="fnref:26" href="#fn:26"><sup>26</sup></a> </p><p>In February 2017, the <a href="/facts/DNSSEC/cL9zwhjj">DNSSEC</a> specification for using Ed25519 and Ed448 was published as <a href="/facts/RFC_(identifier)/esftTvE7">RFC</a> <a href="https://datatracker.ietf.org/doc/html/rfc8080">8080</a>, assigning algorithm numbers 15 and 16.<a class="footnote-ref" id="fnref:27" href="#fn:27"><sup>27</sup></a> </p><p>In 2018, <a href="/facts/DKIM/STA0jA68">DKIM</a> specification was amended so as to allow signatures with this algorithm.<a class="footnote-ref" id="fnref:28" href="#fn:28"><sup>28</sup></a> Also in 2018, RFC 8446 was published as the new <a href="/facts/Transport_Layer_Security/pGy16TnA">Transport Layer Security v1.3</a> standard. It recommends support for <a href="/facts/X25519/wLr6FMkV">X25519</a>, <a href="/facts/EdDSA/IbTRBhK3">Ed25519</a>, <a href="/facts/X448/gsN24bb9">X448</a>, and <a href="/facts/Ed448/IbTRBhK3">Ed448</a> algorithms.<a class="footnote-ref" id="fnref:29" href="#fn:29"><sup>29</sup></a> </p> <h2 id="libraries">Libraries</h2> <ul><li><a href="/facts/Libgcrypt/Fsj9wNw3">Libgcrypt</a><a class="footnote-ref" id="fnref:30" href="#fn:30"><sup>30</sup></a></li> <li>libssh<a class="footnote-ref" id="fnref:31" href="#fn:31"><sup>31</sup></a><a class="footnote-ref" id="fnref:32" href="#fn:32"><sup>32</sup></a></li> <li>libssh2 (since version 1.9.0)</li> <li><a href="/facts/NaCl_(software)/0J9zoeHH">NaCl</a><a class="footnote-ref" id="fnref:33" href="#fn:33"><sup>33</sup></a></li> <li><a href="/facts/GnuTLS/y3fYe3RI">GnuTLS</a><a class="footnote-ref" id="fnref:34" href="#fn:34"><sup>34</sup></a></li> <li><a href="/facts/Mbed_TLS/33AV5voW">mbed TLS</a> (formerly PolarSSL)<a class="footnote-ref" id="fnref:35" href="#fn:35"><sup>35</sup></a></li> <li><a href="/facts/WolfSSL/26UD7dQE">wolfSSL</a><a class="footnote-ref" id="fnref:36" href="#fn:36"><sup>36</sup></a></li> <li><a href="/facts/Botan_(programming_library)/IehRkvcn">Botan</a><a class="footnote-ref" id="fnref:37" href="#fn:37"><sup>37</sup></a></li> <li><a href="/facts/Schannel/lIeS9tug">Schannel</a><a class="footnote-ref" id="fnref:38" href="#fn:38"><sup>38</sup></a><a class="footnote-ref" id="fnref:39" href="#fn:39"><sup>39</sup></a></li> <li><a href="/facts/Libsodium/0J9zoeHH">Libsodium</a><a class="footnote-ref" id="fnref:40" href="#fn:40"><sup>40</sup></a></li> <li><a href="/facts/OpenSSL/aXvs5fo2">OpenSSL</a> since version 1.1.0<a class="footnote-ref" id="fnref:41" href="#fn:41"><sup>41</sup></a></li> <li><a href="/facts/LibreSSL/9UnXD0lm">LibreSSL</a><a class="footnote-ref" id="fnref:42" href="#fn:42"><sup>42</sup></a></li> <li><a href="/facts/Network_Security_Services/y7bq3SV2">NSS</a> since version 3.28<a class="footnote-ref" id="fnref:43" href="#fn:43"><sup>43</sup></a></li> <li><a href="/facts/Crypto%2B%2B/cCWAwUmX">Crypto++</a></li> <li>curve25519-dalek<a class="footnote-ref" id="fnref:44" href="#fn:44"><sup>44</sup></a></li> <li><a href="/facts/Bouncy_Castle_(cryptography)/uwEYp9tT">Bouncy Castle</a><a class="footnote-ref" id="fnref:45" href="#fn:45"><sup>45</sup></a></li></ul> <h2 id="protocols">Protocols</h2> <ul><li><a href="/facts/OMEMO/9zmrwPdQ">OMEMO</a>, a proposed extension for <a href="/facts/XMPP/hgulEuRA">XMPP</a> (Jabber)<a class="footnote-ref" id="fnref:46" href="#fn:46"><sup>46</sup></a></li> <li><a href="/facts/Secure_Shell/wjVRw5zv">Secure Shell</a></li> <li><a href="/facts/Signal_Protocol/63QE16cf">Signal Protocol</a></li> <li><a href="/facts/Matrix_(protocol)/nV0oNTsr">Matrix (protocol)</a></li> <li><a href="/facts/Tox_(protocol)/2l3uuyE8">Tox</a></li> <li><a href="/facts/Zcash/t36Edlhr">Zcash</a></li> <li><a href="/facts/Transport_Layer_Security/pGy16TnA">Transport Layer Security</a></li> <li><a href="/facts/WireGuard/zSJv87LA">WireGuard</a></li></ul> <h2 id="applications">Applications</h2> <ul><li><a href="/facts/Conversations_(software)/4IcEqj1C">Conversations Android application</a><a class="footnote-ref" id="fnref:47" href="#fn:47"><sup>47</sup></a></li> <li><a href="/facts/Cryptocat/kXrcJNDX">Cryptocat</a><a class="footnote-ref" id="fnref:48" href="#fn:48"><sup>48</sup></a><a class="footnote-ref" id="fnref:49" href="#fn:49"><sup>49</sup></a></li> <li><a href="/facts/DNSCrypt/MjUrkr3M">DNSCrypt</a><a class="footnote-ref" id="fnref:50" href="#fn:50"><sup>50</sup></a></li> <li><a href="/facts/DNSCurve/Y0TAbU7J">DNSCurve</a></li></ul> <ul><li><a href="/facts/DNSSEC/cL9zwhjj">DNSSEC</a></li> <li><a href="/facts/Dropbear_(software)/Y8GdfWhh">Dropbear</a><a class="footnote-ref" id="fnref:51" href="#fn:51"><sup>51</sup></a><a class="footnote-ref" id="fnref:52" href="#fn:52"><sup>52</sup></a></li> <li><a href="/facts/Facebook_Messenger/NUz3VX8d">Facebook Messenger</a> <a class="footnote-ref" id="fnref:53" href="#fn:53"><sup>53</sup></a><a class="footnote-ref" id="fnref:54" href="#fn:54"><sup>54</sup></a></li> <li><a href="/facts/Gajim/HhQtAdeT">Gajim</a> via plugin<a class="footnote-ref" id="fnref:55" href="#fn:55"><sup>55</sup></a><a class="footnote-ref" id="fnref:56" href="#fn:56"><sup>56</sup></a></li> <li><a href="/facts/GNUnet/8dc2wLPa">GNUnet</a><a class="footnote-ref" id="fnref:57" href="#fn:57"><sup>57</sup></a></li> <li><a href="/facts/GnuPG/EqmGmx7V">GnuPG</a></li> <li><a href="/facts/Google_Allo/oJ6TaVhs">Google Allo</a><a class="footnote-ref" id="fnref:58" href="#fn:58"><sup>58</sup></a><a class="footnote-ref" id="fnref:59" href="#fn:59"><sup>59</sup></a></li> <li><a href="/facts/I2P/Yt6Deh4q">I2P</a><a class="footnote-ref" id="fnref:60" href="#fn:60"><sup>60</sup></a></li> <li><a href="/facts/IPFS/VUhdLRdm">IPFS</a><a class="footnote-ref" id="fnref:61" href="#fn:61"><sup>61</sup></a></li> <li><a href="/facts/IOS/mK5cggH5">iOS</a><a class="footnote-ref" id="fnref:62" href="#fn:62"><sup>62</sup></a></li> <li><a href="/facts/Monero_(cryptocurrency)/yQvg9Dcc">Monero</a><a class="footnote-ref" id="fnref:63" href="#fn:63"><sup>63</sup></a></li> <li><a href="/facts/OpenBSD/xmPS9tek">OpenBSD</a> and <a href="/facts/Signify_(OpenBSD)/pzh5KSFl">signify</a><a class="footnote-ref" id="fnref:64" href="#fn:64"><sup>64</sup></a></li> <li><a href="/facts/OpenSSH/2qxJ3Fe7">OpenSSH</a><a class="footnote-ref" id="fnref:65" href="#fn:65"><sup>65</sup></a><a class="footnote-ref" id="fnref:66" href="#fn:66"><sup>66</sup></a></li> <li><a href="/facts/Peerio/lSSRLvpb">Peerio</a><a class="footnote-ref" id="fnref:67" href="#fn:67"><sup>67</sup></a></li> <li><a href="/facts/Proton_Mail/DvGLlWlk">Proton Mail</a><a class="footnote-ref" id="fnref:68" href="#fn:68"><sup>68</sup></a></li> <li><a href="/facts/PuTTY/xH3DPbA5">PuTTY</a><a class="footnote-ref" id="fnref:69" href="#fn:69"><sup>69</sup></a></li> <li><a href="/facts/Signal_(messaging_app)/1d9mpcMH">Signal</a><a class="footnote-ref" id="fnref:70" href="#fn:70"><sup>70</sup></a></li> <li><a href="/facts/Silent_Circle_(software)/BKJdpxW0">Silent Phone</a></li> <li><a href="/facts/SmartFTP/QCoUnj51">SmartFTP</a><a class="footnote-ref" id="fnref:71" href="#fn:71"><sup>71</sup></a></li> <li>SSHJ<a class="footnote-ref" id="fnref:72" href="#fn:72"><sup>72</sup></a></li> <li><a href="/facts/SQRL/X88cRGQs">SQRL</a><a class="footnote-ref" id="fnref:73" href="#fn:73"><sup>73</sup></a></li> <li><a href="/facts/Threema/HcxX31Rf">Threema Instant Messenger</a><a class="footnote-ref" id="fnref:74" href="#fn:74"><sup>74</sup></a></li> <li>TinySSH<a class="footnote-ref" id="fnref:75" href="#fn:75"><sup>75</sup></a></li> <li>TinyTERM<a class="footnote-ref" id="fnref:76" href="#fn:76"><sup>76</sup></a></li> <li><a href="/facts/Tor_(anonymity_network)/Wj6jjkx1">Tor</a><a class="footnote-ref" id="fnref:77" href="#fn:77"><sup>77</sup></a></li> <li><a href="/facts/Viber/1zUXunk2">Viber</a><a class="footnote-ref" id="fnref:78" href="#fn:78"><sup>78</sup></a></li> <li><a href="/facts/WhatsApp/VMlSeFb6">WhatsApp</a><a class="footnote-ref" id="fnref:79" href="#fn:79"><sup>79</sup></a><a class="footnote-ref" id="fnref:80" href="#fn:80"><sup>80</sup></a></li> <li><a href="/facts/Wire_(software)/ISUS4Yfd">Wire</a></li> <li><a href="/facts/WireGuard/zSJv87LA">WireGuard</a></li></ul> <h2 id="notes">Notes</h2> <h2 id="external-links">External links</h2> <ul><li><a href="https://cr.yp.to/ecdh.html">Official website</a></li></ul> <h2 id="references">References</h2> <ol> <li id="fn:1"><p>Bernstein. "Irrelevant patents on elliptic-curve cryptography". cr.yp.to. Retrieved 2016-02-08. <a href="https://cr.yp.to/ecdh/patents.html" target="_blank">https://cr.yp.to/ecdh/patents.html</a> <a href="#fnref:1" class="footnote-back-ref">↩</a></p></li> <li id="fn:2"><p>A state-of-the-art Diffie-Hellman function by Daniel J. Bernstein"My curve25519 library computes the Curve25519 function at very high speed. The library is in the public domain." <a href="https://cr.yp.to/ecdh.html" target="_blank">https://cr.yp.to/ecdh.html</a> <a href="#fnref:2" class="footnote-back-ref">↩</a></p></li> <li id="fn:3"><p>"X25519". Crypto++. 5 March 2019. Archived from the original on 29 August 2020. Retrieved 3 February 2023. <a href="https://www.cryptopp.com/wiki/X25519" target="_blank">https://www.cryptopp.com/wiki/X25519</a> <a href="#fnref:3" class="footnote-back-ref">↩</a></p></li> <li id="fn:4"><p>"[Cfrg] 25519 naming". Retrieved 2016-02-25. <a href="https://mailarchive.ietf.org/arch/msg/cfrg/-9LEdnzVrE5RORux3Oo_oDDRksU/" target="_blank">https://mailarchive.ietf.org/arch/msg/cfrg/-9LEdnzVrE5RORux3Oo_oDDRksU/</a> <a href="#fnref:4" class="footnote-back-ref">↩</a></p></li> <li id="fn:5"><p>Bernstein, Daniel J. (2006). "Curve25519: New Diffie-Hellman Speed Records" (PDF). In Yung, Moti; Dodis, Yevgeniy; Kiayias, Aggelos; et al. (eds.). Public Key Cryptography - PKC 2006. Public Key Cryptography. Lecture Notes in Computer Science. Vol. 3958. New York: Springer. pp. 207–228. doi:10.1007/11745853_14. ISBN 978-3-540-33851-2. MR 2423191. <a href="978-3-540-33851-2" target="_blank">978-3-540-33851-2</a> <a href="#fnref:5" class="footnote-back-ref">↩</a></p></li> <li id="fn:6"><p>Lange, Tanja. "EFD / Genus-1 large-characteristic / XZ coordinates for Montgomery curves". EFD / Explicit-Formulas Database. Retrieved 2016-02-08. <a href="/wiki/Tanja_Lange" target="_blank">/wiki/Tanja_Lange</a> <a href="#fnref:6" class="footnote-back-ref">↩</a></p></li> <li id="fn:7"><p>Bernstein, Daniel J.; Lange, Tanja (2017-01-22). "SafeCurves: Introduction". SafeCurves: choosing safe curves for elliptic-curve cryptography. Retrieved 2016-02-08. <a href="https://safecurves.cr.yp.to" target="_blank">https://safecurves.cr.yp.to</a> <a href="#fnref:7" class="footnote-back-ref">↩</a></p></li> <li id="fn:8"><p>Bernstein, Daniel J.; Duif, Niels; Lange, Tanja; Schwabe, Peter; Yang, Bo-Yin (2017-01-22). "Ed25519: high-speed high-security signatures". Retrieved 2019-11-09. <a href="http://ed25519.cr.yp.to/" target="_blank">http://ed25519.cr.yp.to/</a> <a href="#fnref:8" class="footnote-back-ref">↩</a></p></li> <li id="fn:9"><p>Bernstein, Daniel J.; Duif, Niels; Lange, Tanja; Schwabe, Peter; Yang, Bo-Yin (2011-09-26). "High-speed high-security signatures" (PDF). Retrieved 2019-11-09. <a href="http://ed25519.cr.yp.to/ed25519-20110926.pdf" target="_blank">http://ed25519.cr.yp.to/ed25519-20110926.pdf</a> <a href="#fnref:9" class="footnote-back-ref">↩</a></p></li> <li id="fn:10"><p>Bernstein, Daniel J.; Lange, Tanja (2007). "Faster addition and doubling on elliptic curves". In Kurosawa, Kaoru (ed.). Advances in Cryptology – ASIACRYPT 2007. Advances in cryptology—ASIACRYPT. Lecture Notes in Computer Science. Vol. 4833. Berlin: Springer. pp. 29–50. doi:10.1007/978-3-540-76900-2_3. ISBN 978-3-540-76899-9. MR 2565722. <a href="978-3-540-76899-9" target="_blank">978-3-540-76899-9</a> <a href="#fnref:10" class="footnote-back-ref">↩</a></p></li> <li id="fn:11"><p>Bernstein, Daniel J. (2006). "Curve25519: New Diffie-Hellman Speed Records" (PDF). In Yung, Moti; Dodis, Yevgeniy; Kiayias, Aggelos; et al. (eds.). Public Key Cryptography - PKC 2006. Public Key Cryptography. Lecture Notes in Computer Science. Vol. 3958. New York: Springer. pp. 207–228. doi:10.1007/11745853_14. ISBN 978-3-540-33851-2. MR 2423191. <a href="978-3-540-33851-2" target="_blank">978-3-540-33851-2</a> <a href="#fnref:11" class="footnote-back-ref">↩</a></p></li> <li id="fn:12"><p>Kelsey, John (May 2014). "Dual EC in X9.82 and SP 800-90" (PDF). National Institute of Standards in Technology. Retrieved 2018-12-02. <a href="https://csrc.nist.gov/csrc/media/projects/crypto-standards-development-process/documents/dualec_in_x982_and_sp800-90.pdf" target="_blank">https://csrc.nist.gov/csrc/media/projects/crypto-standards-development-process/documents/dualec_in_x982_and_sp800-90.pdf</a> <a href="#fnref:12" class="footnote-back-ref">↩</a></p></li> <li id="fn:13"><p>Green, Matthew (2015-01-14). "A Few Thoughts on Cryptographic Engineering: The Many Flaws of Dual_EC_DRBG". blog.cryptographyengineering.com. Retrieved 2015-05-20. <a href="http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html" target="_blank">http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html</a> <a href="#fnref:13" class="footnote-back-ref">↩</a></p></li> <li id="fn:14"><p>"SafeCurves: Introduction". <a href="https://safecurves.cr.yp.to/" target="_blank">https://safecurves.cr.yp.to/</a> <a href="#fnref:14" class="footnote-back-ref">↩</a></p></li> <li id="fn:15"><p>Maxwell, Gregory (2013-09-08). "[tor-talk] NIST approved crypto in Tor?". Retrieved 2015-05-20. <a href="https://lists.torproject.org/pipermail/tor-talk/2013-September/029956.html" target="_blank">https://lists.torproject.org/pipermail/tor-talk/2013-September/029956.html</a> <a href="#fnref:15" class="footnote-back-ref">↩</a></p></li> <li id="fn:16"><p>"SafeCurves: Rigidity". safecurves.cr.yp.to. Retrieved 2015-05-20. <a href="https://safecurves.cr.yp.to/rigid.html" target="_blank">https://safecurves.cr.yp.to/rigid.html</a> <a href="#fnref:16" class="footnote-back-ref">↩</a></p></li> <li id="fn:17"><p>"The NSA Is Breaking Most Encryption on the Internet - Schneier on Security". www.schneier.com. Retrieved 2015-05-20. <a href="https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html#c1675929" target="_blank">https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html#c1675929</a> <a href="#fnref:17" class="footnote-back-ref">↩</a></p></li> <li id="fn:18"><p>"Things that use Curve25519". Retrieved 2015-12-23. <a href="https://ianix.com/pub/curve25519-deployment.html" target="_blank">https://ianix.com/pub/curve25519-deployment.html</a> <a href="#fnref:18" class="footnote-back-ref">↩</a></p></li> <li id="fn:19"><p>Adamantiadis, Aris (2013-11-03). "OpenSSH introduces curve25519-sha256@libssh.org key exchange !". libssh.org. Retrieved 2014-12-27. <a href="https://www.libssh.org/2013/11/03/openssh-introduces-curve25519-sha256libssh-org-key-exchange/" target="_blank">https://www.libssh.org/2013/11/03/openssh-introduces-curve25519-sha256libssh-org-key-exchange/</a> <a href="#fnref:19" class="footnote-back-ref">↩</a></p></li> <li id="fn:20"><p>"GnuPG - What's new in 2.1". August 2021. <a href="https://gnupg.org/faq/whats-new-in-2.1.html" target="_blank">https://gnupg.org/faq/whats-new-in-2.1.html</a> <a href="#fnref:20" class="footnote-back-ref">↩</a></p></li> <li id="fn:21"><p>A. Adamantiadis; libssh; S. Josefsson; SJD AB; M. Baushke; Juniper Networks, Inc. (February 2020). Secure Shell (SSH) Key Exchange Method Using Curve25519 and Curve448. doi:10.17487/RFC8731. RFC 8731. <a href="https://datatracker.ietf.org/doc/html/rfc8731" target="_blank">https://datatracker.ietf.org/doc/html/rfc8731</a> <a href="#fnref:21" class="footnote-back-ref">↩</a></p></li> <li id="fn:22"><p>B. Harris; L. Velvindron (February 2020). Ed25519 and Ed448 Public Key Algorithms for the Secure Shell (SSH) Protocol. doi:10.17487/RFC8709. RFC 8709. <a href="https://datatracker.ietf.org/doc/html/rfc8709" target="_blank">https://datatracker.ietf.org/doc/html/rfc8709</a> <a href="#fnref:22" class="footnote-back-ref">↩</a></p></li> <li id="fn:23"><p>"Transition Plans for Key Establishment Schemes". National Institute of Standards and Technology. 2017-10-31. Archived from the original on 2018-03-11. Retrieved 2019-09-04. <a href="https://web.archive.org/web/20180311141933/https://csrc.nist.gov/News/2017/Transition-Plans-for-Key-Establishment-Schemes" target="_blank">https://web.archive.org/web/20180311141933/https://csrc.nist.gov/News/2017/Transition-Plans-for-Key-Establishment-Schemes</a> <a href="#fnref:23" class="footnote-back-ref">↩</a></p></li> <li id="fn:24"><p>RFC 7748. Retrieved from rfc:7748. <a href="#fnref:24" class="footnote-back-ref">↩</a></p></li> <li id="fn:25"><p>Regenscheid, Andrew (31 October 2019). "FIPS PUB 186-5". National Institute of Standards and Technology (Withdrawn Draft). doi:10.6028/NIST.FIPS.186-5-draft. S2CID 241055751. <a href="https://csrc.nist.gov/publications/detail/fips/186/5/draft" target="_blank">https://csrc.nist.gov/publications/detail/fips/186/5/draft</a> <a href="#fnref:25" class="footnote-back-ref">↩</a></p></li> <li id="fn:26"><p>"Recommendations for Discrete Logarithm-Based Cryptography" (PDF). <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-186.pdf" target="_blank">https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-186.pdf</a> <a href="#fnref:26" class="footnote-back-ref">↩</a></p></li> <li id="fn:27"><p>"Domain Name System Security (DNSSEC) Algorithm Numbers". Internet Assigned Numbers Authority. 2024-12-05. Retrieved 2024-12-27. <a href="https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml" target="_blank">https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml</a> <a href="#fnref:27" class="footnote-back-ref">↩</a></p></li> <li id="fn:28"><p>John Levine (September 2018). A New Cryptographic Signature Method for DomainKeys Identified Mail (DKIM). IETF. doi:10.17487/RFC8463. RFC 8463. <a href="https://datatracker.ietf.org/doc/html/rfc8463" target="_blank">https://datatracker.ietf.org/doc/html/rfc8463</a> <a href="#fnref:28" class="footnote-back-ref">↩</a></p></li> <li id="fn:29"><p>E Rescorla (September 2018). The Transport Layer Security (TLS) Protocol Version 1.3. IETF. doi:10.17487/RFC8446. RFC 8446. <a href="https://datatracker.ietf.org/doc/html/rfc8446" target="_blank">https://datatracker.ietf.org/doc/html/rfc8446</a> <a href="#fnref:29" class="footnote-back-ref">↩</a></p></li> <li id="fn:30"><p>Werner Koch (15 April 2016). "Libgcrypt 1.7.0 release announcement". Retrieved 22 April 2016. <a href="/wiki/Werner_Koch" target="_blank">/wiki/Werner_Koch</a> <a href="#fnref:30" class="footnote-back-ref">↩</a></p></li> <li id="fn:31"><p>Adamantiadis, Aris (2013-11-03). "OpenSSH introduces curve25519-sha256@libssh.org key exchange !". libssh.org. Retrieved 2014-12-27. <a href="https://www.libssh.org/2013/11/03/openssh-introduces-curve25519-sha256libssh-org-key-exchange/" target="_blank">https://www.libssh.org/2013/11/03/openssh-introduces-curve25519-sha256libssh-org-key-exchange/</a> <a href="#fnref:31" class="footnote-back-ref">↩</a></p></li> <li id="fn:32"><p>SSH implementation comparison. "Comparison of key exchange methods". Retrieved 2016-02-25. <a href="http://ssh-comparison.quendi.de/comparison/kex.html" target="_blank">http://ssh-comparison.quendi.de/comparison/kex.html</a> <a href="#fnref:32" class="footnote-back-ref">↩</a></p></li> <li id="fn:33"><p>"Introduction". yp.to. Retrieved 11 December 2014. <a href="https://nacl.cr.yp.to/" target="_blank">https://nacl.cr.yp.to/</a> <a href="#fnref:33" class="footnote-back-ref">↩</a></p></li> <li id="fn:34"><p>"nettle: curve25519.h File Reference". Fossies (doxygen documentation). Archived from the original on 2015-05-20. Retrieved 2015-05-19. <a href="https://web.archive.org/web/20150520171756/http://fossies.org/dox/nettle-3.1.1/curve25519_8h.html" target="_blank">https://web.archive.org/web/20150520171756/http://fossies.org/dox/nettle-3.1.1/curve25519_8h.html</a> <a href="#fnref:34" class="footnote-back-ref">↩</a></p></li> <li id="fn:35"><p>Limited, ARM. "PolarSSL 1.3.3 released - Tech Updates - mbed TLS (Previously PolarSSL)". tls.mbed.org. Retrieved 2015-05-19. {{cite web}}: |last= has generic name (help) <a href="https://tls.mbed.org/tech-updates/releases/polarssl-1.3.3-released" target="_blank">https://tls.mbed.org/tech-updates/releases/polarssl-1.3.3-released</a> <a href="#fnref:35" class="footnote-back-ref">↩</a></p></li> <li id="fn:36"><p>"wolfSSL Embedded SSL/TLS Library | Products – wolfSSL". <a href="https://www.wolfssl.com/products/wolfssl/" target="_blank">https://www.wolfssl.com/products/wolfssl/</a> <a href="#fnref:36" class="footnote-back-ref">↩</a></p></li> <li id="fn:37"><p>"Botan: src/lib/pubkey/curve25519/curve25519.cpp Source File". botan.randombit.net. <a href="http://botan.randombit.net/doxygen/curve25519_8cpp_source.html" target="_blank">http://botan.randombit.net/doxygen/curve25519_8cpp_source.html</a> <a href="#fnref:37" class="footnote-back-ref">↩</a></p></li> <li id="fn:38"><p>Starting with Windows 10 (1607), Windows Server 2016 <a href="#fnref:38" class="footnote-back-ref">↩</a></p></li> <li id="fn:39"><p>Justinha. "TLS (Schannel SSP)". docs.microsoft.com. Retrieved 2017-09-15. <a href="https://docs.microsoft.com/en-us/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server" target="_blank">https://docs.microsoft.com/en-us/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server</a> <a href="#fnref:39" class="footnote-back-ref">↩</a></p></li> <li id="fn:40"><p>Denis, Frank. "Introduction · libsodium". libsodium.org. <a href="https://libsodium.org" target="_blank">https://libsodium.org</a> <a href="#fnref:40" class="footnote-back-ref">↩</a></p></li> <li id="fn:41"><p>"OpenSSL 1.1.0 Series Release Notes". OpenSSL Foundation. Archived from the original on 2018-03-17. Retrieved 2016-06-24. <a href="https://web.archive.org/web/20180317162208/https://www.openssl.org/news/openssl-1.1.0-notes.html" target="_blank">https://web.archive.org/web/20180317162208/https://www.openssl.org/news/openssl-1.1.0-notes.html</a> <a href="#fnref:41" class="footnote-back-ref">↩</a></p></li> <li id="fn:42"><p>"Add support for ECDHE with X25519. · openbsd/src@0ad90c3". GitHub. <a href="https://github.com/openbsd/src/commit/0ad90c3e6b15b9b6b8463a8a0f87d70c83a07ef4" target="_blank">https://github.com/openbsd/src/commit/0ad90c3e6b15b9b6b8463a8a0f87d70c83a07ef4</a> <a href="#fnref:42" class="footnote-back-ref">↩</a></p></li> <li id="fn:43"><p>"NSS 3.28 release notes". Archived from the original on 9 December 2017. Retrieved 25 July 2017. <a href="https://web.archive.org/web/20171209152048/https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.28_release_notes" target="_blank">https://web.archive.org/web/20171209152048/https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.28_release_notes</a> <a href="#fnref:43" class="footnote-back-ref">↩</a></p></li> <li id="fn:44"><p>"A pure-Rust implementation of group operations on ristretto255 and Curve25519". GitHub. Retrieved 14 April 2021. <a href="https://github.com/dalek-cryptography/curve25519-dalek/" target="_blank">https://github.com/dalek-cryptography/curve25519-dalek/</a> <a href="#fnref:44" class="footnote-back-ref">↩</a></p></li> <li id="fn:45"><p>"Ed25519.java". GitHub. 13 October 2021. <a href="https://github.com/bcgit/bc-java/blob/bc3b92f1f0e78b82e2584c5fb4b226a13e7f8b3b/core/src/main/java/org/bouncycastle/math/ec/rfc8032/Ed25519.java" target="_blank">https://github.com/bcgit/bc-java/blob/bc3b92f1f0e78b82e2584c5fb4b226a13e7f8b3b/core/src/main/java/org/bouncycastle/math/ec/rfc8032/Ed25519.java</a> <a href="#fnref:45" class="footnote-back-ref">↩</a></p></li> <li id="fn:46"><p>Straub, Andreas (25 October 2015). "OMEMO Encryption". conversations.im. <a href="https://conversations.im/xeps/multi-end.html#usecases-setup" target="_blank">https://conversations.im/xeps/multi-end.html#usecases-setup</a> <a href="#fnref:46" class="footnote-back-ref">↩</a></p></li> <li id="fn:47"><p>Via the OMEMO protocol <a href="/wiki/OMEMO" target="_blank">/wiki/OMEMO</a> <a href="#fnref:47" class="footnote-back-ref">↩</a></p></li> <li id="fn:48"><p>"Cryptocat - Security". crypto.cat. Archived from the original on 2016-04-07. Retrieved 2016-05-24. <a href="https://web.archive.org/web/20160407125207/https://crypto.cat/security.html#encryption" target="_blank">https://web.archive.org/web/20160407125207/https://crypto.cat/security.html#encryption</a> <a href="#fnref:48" class="footnote-back-ref">↩</a></p></li> <li id="fn:49"><p>Via the OMEMO protocol <a href="/wiki/OMEMO" target="_blank">/wiki/OMEMO</a> <a href="#fnref:49" class="footnote-back-ref">↩</a></p></li> <li id="fn:50"><p>Frank Denis. "DNSCrypt version 2 protocol specification". GitHub. Archived from the original on 2015-08-13. Retrieved 2016-03-03. <a href="https://web.archive.org/web/20150813075450/https://github.com/jedisct1/dnscrypt-proxy/blob/master/DNSCRYPT-V2-PROTOCOL.txt" target="_blank">https://web.archive.org/web/20150813075450/https://github.com/jedisct1/dnscrypt-proxy/blob/master/DNSCRYPT-V2-PROTOCOL.txt</a> <a href="#fnref:50" class="footnote-back-ref">↩</a></p></li> <li id="fn:51"><p>SSH implementation comparison. "Comparison of key exchange methods". Retrieved 2016-02-25. <a href="http://ssh-comparison.quendi.de/comparison/kex.html" target="_blank">http://ssh-comparison.quendi.de/comparison/kex.html</a> <a href="#fnref:51" class="footnote-back-ref">↩</a></p></li> <li id="fn:52"><p>Matt Johnston. "Dropbear SSH - Changes". Retrieved 2016-02-25. <a href="https://matt.ucc.asn.au/dropbear/CHANGES" target="_blank">https://matt.ucc.asn.au/dropbear/CHANGES</a> <a href="#fnref:52" class="footnote-back-ref">↩</a></p></li> <li id="fn:53"><p>Only in "secret conversations" <a href="#fnref:53" class="footnote-back-ref">↩</a></p></li> <li id="fn:54"><p>Via the Signal Protocol <a href="/wiki/Signal_Protocol" target="_blank">/wiki/Signal_Protocol</a> <a href="#fnref:54" class="footnote-back-ref">↩</a></p></li> <li id="fn:55"><p>Bahtiar Gadimov; et al. "Gajim plugin for OMEMO Multi-End Message and Object Encryption". GitHub. Retrieved 2016-10-01. <a href="https://github.com/omemo/gajim-omemo" target="_blank">https://github.com/omemo/gajim-omemo</a> <a href="#fnref:55" class="footnote-back-ref">↩</a></p></li> <li id="fn:56"><p>Via the OMEMO protocol <a href="/wiki/OMEMO" target="_blank">/wiki/OMEMO</a> <a href="#fnref:56" class="footnote-back-ref">↩</a></p></li> <li id="fn:57"><p>"GNUnet 0.10.0". gnunet.org. Archived from the original on 9 December 2017. Retrieved 11 December 2014. <a href="https://web.archive.org/web/20171209100204/https://gnunet.org/gnunet0-10-0" target="_blank">https://web.archive.org/web/20171209100204/https://gnunet.org/gnunet0-10-0</a> <a href="#fnref:57" class="footnote-back-ref">↩</a></p></li> <li id="fn:58"><p>Only in "incognito mode" <a href="#fnref:58" class="footnote-back-ref">↩</a></p></li> <li id="fn:59"><p>Via the Signal Protocol <a href="/wiki/Signal_Protocol" target="_blank">/wiki/Signal_Protocol</a> <a href="#fnref:59" class="footnote-back-ref">↩</a></p></li> <li id="fn:60"><p>zzz (2014-09-20). "0.9.15 Release - Blog". Retrieved 20 December 2014. <a href="https://geti2p.net/en/blog/post/2014/09/20/0.9.15-Release" target="_blank">https://geti2p.net/en/blog/post/2014/09/20/0.9.15-Release</a> <a href="#fnref:60" class="footnote-back-ref">↩</a></p></li> <li id="fn:61"><p>"go-ipfs_keystore.go at master". Github.com. 30 March 2022. <a href="https://github.com/ipfs/go-ipfs/blob/master/core/commands/keystore.go#L68" target="_blank">https://github.com/ipfs/go-ipfs/blob/master/core/commands/keystore.go#L68</a> <a href="#fnref:61" class="footnote-back-ref">↩</a></p></li> <li id="fn:62"><p>"Apple Platform Security". Apple Support. <a href="https://support.apple.com/guide/security/welcome/web" target="_blank">https://support.apple.com/guide/security/welcome/web</a> <a href="#fnref:62" class="footnote-back-ref">↩</a></p></li> <li id="fn:63"><p>"MRL-0003 - Monero is Not That Mysterious" (PDF). getmonero.com. Archived from the original (PDF) on 2019-05-01. Retrieved 2018-06-05. <a href="https://web.archive.org/web/20190501100100/https://lab.getmonero.org/pubs/MRL-0003.pdf" target="_blank">https://web.archive.org/web/20190501100100/https://lab.getmonero.org/pubs/MRL-0003.pdf</a> <a href="#fnref:63" class="footnote-back-ref">↩</a></p></li> <li id="fn:64"><p>Used to sign releases and packages[53][54] <a href="#fnref:64" class="footnote-back-ref">↩</a></p></li> <li id="fn:65"><p>SSH implementation comparison. "Comparison of key exchange methods". Retrieved 2016-02-25. <a href="http://ssh-comparison.quendi.de/comparison/kex.html" target="_blank">http://ssh-comparison.quendi.de/comparison/kex.html</a> <a href="#fnref:65" class="footnote-back-ref">↩</a></p></li> <li id="fn:66"><p>Exclusive key exchange in OpenSSH 6.7 when compiled without OpenSSL.[55][56] <a href="/wiki/OpenSSL" target="_blank">/wiki/OpenSSL</a> <a href="#fnref:66" class="footnote-back-ref">↩</a></p></li> <li id="fn:67"><p>"How does Peerio implement end-to-end encryption?". Peerio. Archived from the original on 2017-12-09. Retrieved 2015-11-04. <a href="https://web.archive.org/web/20171209100137/https://peerio.zendesk.com/hc/en-us/articles/204155895-How-does-Peerio-implement-end-to-end-encryption" target="_blank">https://web.archive.org/web/20171209100137/https://peerio.zendesk.com/hc/en-us/articles/204155895-How-does-Peerio-implement-end-to-end-encryption</a> <a href="#fnref:67" class="footnote-back-ref">↩</a></p></li> <li id="fn:68"><p>"Proton Mail now offers elliptic curve cryptography for advanced security and faster speeds". 25 April 2019. <a href="https://proton.me/blog/elliptic-curve-cryptography" target="_blank">https://proton.me/blog/elliptic-curve-cryptography</a> <a href="#fnref:68" class="footnote-back-ref">↩</a></p></li> <li id="fn:69"><p>"PuTTY Change Log". www.chiark.greenend.org.uk. <a href="http://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html" target="_blank">http://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html</a> <a href="#fnref:69" class="footnote-back-ref">↩</a></p></li> <li id="fn:70"><p>Via the Signal Protocol <a href="/wiki/Signal_Protocol" target="_blank">/wiki/Signal_Protocol</a> <a href="#fnref:70" class="footnote-back-ref">↩</a></p></li> <li id="fn:71"><p>SSH implementation comparison. "Comparison of key exchange methods". Retrieved 2016-02-25. <a href="http://ssh-comparison.quendi.de/comparison/kex.html" target="_blank">http://ssh-comparison.quendi.de/comparison/kex.html</a> <a href="#fnref:71" class="footnote-back-ref">↩</a></p></li> <li id="fn:72"><p>SSH implementation comparison. "Comparison of key exchange methods". Retrieved 2016-02-25. <a href="http://ssh-comparison.quendi.de/comparison/kex.html" target="_blank">http://ssh-comparison.quendi.de/comparison/kex.html</a> <a href="#fnref:72" class="footnote-back-ref">↩</a></p></li> <li id="fn:73"><p>Steve Gibson (December 2019). "SQRL Cryptography whitepaper" (PDF). <a href="https://www.grc.com/sqrl/SQRL_Cryptography.pdf" target="_blank">https://www.grc.com/sqrl/SQRL_Cryptography.pdf</a> <a href="#fnref:73" class="footnote-back-ref">↩</a></p></li> <li id="fn:74"><p>"Threema Cryptography Whitepaper" (PDF). <a href="https://threema.ch/press-files/cryptography_whitepaper.pdf" target="_blank">https://threema.ch/press-files/cryptography_whitepaper.pdf</a> <a href="#fnref:74" class="footnote-back-ref">↩</a></p></li> <li id="fn:75"><p>SSH implementation comparison. "Comparison of key exchange methods". Retrieved 2016-02-25. <a href="http://ssh-comparison.quendi.de/comparison/kex.html" target="_blank">http://ssh-comparison.quendi.de/comparison/kex.html</a> <a href="#fnref:75" class="footnote-back-ref">↩</a></p></li> <li id="fn:76"><p>SSH implementation comparison. "Comparison of key exchange methods". Retrieved 2016-02-25. <a href="http://ssh-comparison.quendi.de/comparison/kex.html" target="_blank">http://ssh-comparison.quendi.de/comparison/kex.html</a> <a href="#fnref:76" class="footnote-back-ref">↩</a></p></li> <li id="fn:77"><p>Roger Dingledine & Nick Mathewson. "Tor's Protocol Specifications - Blog". Retrieved 20 December 2014. <a href="https://gitweb.torproject.org/torspec.git/tree/tor-spec.txt?id=b5b771b19df9fc052b424228045409467a7b6414#n81" target="_blank">https://gitweb.torproject.org/torspec.git/tree/tor-spec.txt?id=b5b771b19df9fc052b424228045409467a7b6414#n81</a> <a href="#fnref:77" class="footnote-back-ref">↩</a></p></li> <li id="fn:78"><p>"Viber Encryption Overview". Viber. 3 May 2016. Retrieved 24 September 2016. <a href="https://www.viber.com/en/security-overview" target="_blank">https://www.viber.com/en/security-overview</a> <a href="#fnref:78" class="footnote-back-ref">↩</a></p></li> <li id="fn:79"><p>Via the Signal Protocol <a href="/wiki/Signal_Protocol" target="_blank">/wiki/Signal_Protocol</a> <a href="#fnref:79" class="footnote-back-ref">↩</a></p></li> <li id="fn:80"><p>Nidhi Rastogi; James Hendler (2017-01-24). "WhatsApp security and role of metadata in preserving privacy". arXiv:1701.06817 [cs.CR]. <a href="/wiki/ArXiv_(identifier)" target="_blank">/wiki/ArXiv_(identifier)</a> <a href="#fnref:80" class="footnote-back-ref">↩</a></p></li> </ol>