Curve25519
Elliptic curve used in Internet cryptography

In cryptography, Curve25519 is an elliptic curve used in elliptic-curve cryptography (ECC) offering 128 bits of security (256-bit key size) and designed for use with the Elliptic-curve Diffie–Hellman (ECDH) key agreement scheme. It is one of the fastest curves in ECC, and is not covered by any known patents. The reference implementation is public domain software.

The original Curve25519 paper defined it as a Diffie–Hellman (DH) function. Daniel J. Bernstein has since proposed that the name Curve25519 be used for the underlying curve, and the name X25519 for the DH function.


Mathematical properties

The curve used is $y^2 = x^3 + 486662x^2 + x$, a Montgomery curve, over the prime field defined by the prime number $2^{255} - 19$ (hence the numeric "25519" in the name), and it uses the base point $x = 9$. This point generates a cyclic subgroup whose order is the prime $2^{252} + 27742317777372353535851937790883648493$. This subgroup has a co-factor of 8, meaning the number of elements in the subgroup is 1/8 that of the elliptic curve group. Using a prime order subgroup prevents mounting a Pohlig–Hellman algorithm attack.[5]

The protocol uses compressed elliptic-curve points (only the x coordinate), which allows efficient use of the Montgomery ladder for ECDH, using only XZ coordinates.[6]

Curve25519 is constructed such that it avoids many potential implementation pitfalls.[7]

The curve is birationally equivalent to a twisted Edwards curve used in the Ed25519[8][9] signature scheme.[10]
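The X25519 function built on the properties above, as an added educational example (not the reference implementation): scalar clamping, which makes the scalar a multiple of the cofactor 8 so low-order components vanish; the Montgomery ladder on XZ coordinates with the a24 constant derived from 486662; and the all-zero-output check that RFC 7748 lets implementations apply to reject low-order peer points. Assumed: Python 3 standard library only, and the Alice/Bob keys are the RFC 7748 section 6.1 test vector; Python integers are not constant-time, so this is for study, not production.

```python
P = 2**255 - 19       # the prime field of Curve25519
A24 = 121665          # (486662 - 2) / 4, derived from the curve coefficient A
BASE_U = (9).to_bytes(32, "little")   # base point u = 9, little-endian

def clamp(k: bytes) -> int:
    # clear 3 low bits (multiple of cofactor 8: low-order parts vanish), set bit 254
    a = bytearray(k)
    a[0] &= 248
    a[31] = (a[31] & 127) | 64
    return int.from_bytes(a, "little")

def cswap(swap: int, a: int, b: int):
    d = (0 - swap) & (a ^ b)   # branch-free conditional swap, as in RFC 7748
    return a ^ d, b ^ d

def ladder(k: int, u: int) -> int:
    # Montgomery ladder on XZ coordinates: track kP and (k+1)P, never y
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb, c, d = a * a % P, b * b % P, (x3 + z3) % P, (x3 - z3) % P
        e, da, cb = (aa - bb) % P, d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    x2, x3 = cswap(swap, x2, x3)
    z2, z3 = cswap(swap, z2, z3)
    return x2 * pow(z2, P - 2, P) % P   # Z = 0 (infinity) encodes as 0

def x25519(scalar: bytes, u: bytes) -> bytes:
    # u is little-endian; RFC 7748 masks the unused top bit before use
    u_int = (int.from_bytes(u, "little") & ((1 << 255) - 1)) % P
    return ladder(clamp(scalar), u_int).to_bytes(32, "little")

def shared_secret(sk: bytes, peer_pk: bytes) -> bytes:
    # RFC 7748 lets callers reject the all-zero result a low-order peer point gives
    k = x25519(sk, peer_pk)
    if k == bytes(32):
        raise ValueError("low-order peer point")
    return k

def dh_demo() -> dict:
    # RFC 7748 section 6.1 test keys for Alice (a) and Bob (b)
    a = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    b = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
    pa, pb = x25519(a, BASE_U), x25519(b, BASE_U)
    return {"alice_pk": pa, "bob_pk": pb, "k_alice": shared_secret(a, pb), "k_bob": shared_secret(b, pa)}
```

Feeding a u coordinate of zero into x25519 returns all zeros, which is why shared_secret treats that output as a rejected low-order point rather than a key.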

History

In 2005, Curve25519 was first released by Daniel J. Bernstein.[11]

In 2013, interest began to increase considerably when it was discovered that the NSA had potentially implemented a backdoor into the P-256-based Dual_EC_DRBG algorithm.[12] While not directly related,[13] suspicious aspects of NIST's P-curve constants[14] led to concerns[15] that the NSA had chosen values that gave it an advantage in breaking the encryption.[16][17]

"I no longer trust the constants. I believe the NSA has manipulated them through their relationships with industry."

— Bruce Schneier, The NSA Is Breaking Most Encryption on the Internet (2013)

Since 2013, Curve25519 has become the de facto alternative to P-256 and is used in a wide variety of applications.[18] Since 2014, OpenSSH[19] has defaulted to Curve25519-based ECDH, and GnuPG has added support for Ed25519 keys for signing and encryption.[20] The use of the curve was eventually standardized for both key exchange and signatures in 2020.[21][22]

In 2017, NIST announced that Curve25519 and Curve448 would be added to Special Publication 800-186, which specifies approved elliptic curves for use by the US Federal Government.[23] Both are described in RFC 7748.[24] A 2019 draft of "FIPS 186-5" notes the intention to allow usage of Ed25519[25] for digital signatures. The 2023 update of Special Publication 800-186 allows usage of Curve25519.[26]

In February 2017, the DNSSEC specification for using Ed25519 and Ed448 was published as RFC 8080, assigning algorithm numbers 15 and 16.[27]

In 2018, the DKIM specification was amended to allow signatures with this algorithm.[28] Also in 2018, RFC 8446 was published as the new Transport Layer Security v1.3 standard; it recommends support for the X25519, Ed25519, X448 and Ed448 algorithms.[29]

Libraries

Protocols

Applications

Notes

References

  1. Bernstein. "Irrelevant patents on elliptic-curve cryptography". cr.yp.to. Retrieved 2016-02-08. https://cr.yp.to/ecdh/patents.html

  2. A state-of-the-art Diffie-Hellman function by Daniel J. Bernstein"My curve25519 library computes the Curve25519 function at very high speed. The library is in the public domain." https://cr.yp.to/ecdh.html

  3. "X25519". Crypto++. 5 March 2019. Archived from the original on 29 August 2020. Retrieved 3 February 2023. https://www.cryptopp.com/wiki/X25519

  4. "[Cfrg] 25519 naming". Retrieved 2016-02-25. https://mailarchive.ietf.org/arch/msg/cfrg/-9LEdnzVrE5RORux3Oo_oDDRksU/

  5. Bernstein, Daniel J. (2006). "Curve25519: New Diffie-Hellman Speed Records" (PDF). In Yung, Moti; Dodis, Yevgeniy; Kiayias, Aggelos; et al. (eds.). Public Key Cryptography - PKC 2006. Lecture Notes in Computer Science. Vol. 3958. New York: Springer. pp. 207–228. doi:10.1007/11745853_14. ISBN 978-3-540-33851-2. MR 2423191.

  6. Lange, Tanja. "EFD / Genus-1 large-characteristic / XZ coordinates for Montgomery curves". EFD / Explicit-Formulas Database. Retrieved 2016-02-08.

  7. Bernstein, Daniel J.; Lange, Tanja (2017-01-22). "SafeCurves: Introduction". SafeCurves: choosing safe curves for elliptic-curve cryptography. Retrieved 2016-02-08. https://safecurves.cr.yp.to

  8. Bernstein, Daniel J.; Duif, Niels; Lange, Tanja; Schwabe, Peter; Yang, Bo-Yin (2017-01-22). "Ed25519: high-speed high-security signatures". Retrieved 2019-11-09. http://ed25519.cr.yp.to/

  9. Bernstein, Daniel J.; Duif, Niels; Lange, Tanja; Schwabe, Peter; Yang, Bo-Yin (2011-09-26). "High-speed high-security signatures" (PDF). Retrieved 2019-11-09. http://ed25519.cr.yp.to/ed25519-20110926.pdf

  10. Bernstein, Daniel J.; Lange, Tanja (2007). "Faster addition and doubling on elliptic curves". In Kurosawa, Kaoru (ed.). Advances in Cryptology – ASIACRYPT 2007. Lecture Notes in Computer Science. Vol. 4833. Berlin: Springer. pp. 29–50. doi:10.1007/978-3-540-76900-2_3. ISBN 978-3-540-76899-9. MR 2565722.

  11. Bernstein, Daniel J. (2006). "Curve25519: New Diffie-Hellman Speed Records" (PDF). In Yung, Moti; Dodis, Yevgeniy; Kiayias, Aggelos; et al. (eds.). Public Key Cryptography - PKC 2006. Lecture Notes in Computer Science. Vol. 3958. New York: Springer. pp. 207–228. doi:10.1007/11745853_14. ISBN 978-3-540-33851-2. MR 2423191.

  12. Kelsey, John (May 2014). "Dual EC in X9.82 and SP 800-90" (PDF). National Institute of Standards in Technology. Retrieved 2018-12-02. https://csrc.nist.gov/csrc/media/projects/crypto-standards-development-process/documents/dualec_in_x982_and_sp800-90.pdf

  13. Green, Matthew (2015-01-14). "A Few Thoughts on Cryptographic Engineering: The Many Flaws of Dual_EC_DRBG". blog.cryptographyengineering.com. Retrieved 2015-05-20. http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html

  14. "SafeCurves: Introduction". https://safecurves.cr.yp.to/

  15. Maxwell, Gregory (2013-09-08). "[tor-talk] NIST approved crypto in Tor?". Retrieved 2015-05-20. https://lists.torproject.org/pipermail/tor-talk/2013-September/029956.html

  16. "SafeCurves: Rigidity". safecurves.cr.yp.to. Retrieved 2015-05-20. https://safecurves.cr.yp.to/rigid.html

  17. "The NSA Is Breaking Most Encryption on the Internet - Schneier on Security". www.schneier.com. Retrieved 2015-05-20. https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html#c1675929

  18. "Things that use Curve25519". Retrieved 2015-12-23. https://ianix.com/pub/curve25519-deployment.html

  19. Adamantiadis, Aris (2013-11-03). "OpenSSH introduces [email protected] key exchange !". libssh.org. Retrieved 2014-12-27. https://www.libssh.org/2013/11/03/openssh-introduces-curve25519-sha256libssh-org-key-exchange/

  20. "GnuPG - What's new in 2.1". August 2021. https://gnupg.org/faq/whats-new-in-2.1.html

  21. A. Adamantiadis; libssh; S. Josefsson; SJD AB; M. Baushke; Juniper Networks, Inc. (February 2020). Secure Shell (SSH) Key Exchange Method Using Curve25519 and Curve448. doi:10.17487/RFC8731. RFC 8731. https://datatracker.ietf.org/doc/html/rfc8731

  22. B. Harris; L. Velvindron (February 2020). Ed25519 and Ed448 Public Key Algorithms for the Secure Shell (SSH) Protocol. doi:10.17487/RFC8709. RFC 8709. https://datatracker.ietf.org/doc/html/rfc8709

  23. "Transition Plans for Key Establishment Schemes". National Institute of Standards and Technology. 2017-10-31. Archived from the original on 2018-03-11. Retrieved 2019-09-04. https://web.archive.org/web/20180311141933/https://csrc.nist.gov/News/2017/Transition-Plans-for-Key-Establishment-Schemes

  24. RFC 7748. https://datatracker.ietf.org/doc/html/rfc7748

  25. Regenscheid, Andrew (31 October 2019). "FIPS PUB 186-5". National Institute of Standards and Technology (Withdrawn Draft). doi:10.6028/NIST.FIPS.186-5-draft. S2CID 241055751. https://csrc.nist.gov/publications/detail/fips/186/5/draft

  26. "Recommendations for Discrete Logarithm-Based Cryptography" (PDF). https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-186.pdf

  27. "Domain Name System Security (DNSSEC) Algorithm Numbers". Internet Assigned Numbers Authority. 2024-12-05. Retrieved 2024-12-27. https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml

  28. John Levine (September 2018). A New Cryptographic Signature Method for DomainKeys Identified Mail (DKIM). IETF. doi:10.17487/RFC8463. RFC 8463. https://datatracker.ietf.org/doc/html/rfc8463

  29. E Rescorla (September 2018). The Transport Layer Security (TLS) Protocol Version 1.3. IETF. doi:10.17487/RFC8446. RFC 8446. https://datatracker.ietf.org/doc/html/rfc8446

  30. Werner Koch (15 April 2016). "Libgcrypt 1.7.0 release announcement". Retrieved 22 April 2016.

  31. Adamantiadis, Aris (2013-11-03). "OpenSSH introduces [email protected] key exchange !". libssh.org. Retrieved 2014-12-27. https://www.libssh.org/2013/11/03/openssh-introduces-curve25519-sha256libssh-org-key-exchange/

  32. SSH implementation comparison. "Comparison of key exchange methods". Retrieved 2016-02-25. http://ssh-comparison.quendi.de/comparison/kex.html

  33. "Introduction". yp.to. Retrieved 11 December 2014. https://nacl.cr.yp.to/

  34. "nettle: curve25519.h File Reference". Fossies (doxygen documentation). Archived from the original on 2015-05-20. Retrieved 2015-05-19. https://web.archive.org/web/20150520171756/http://fossies.org/dox/nettle-3.1.1/curve25519_8h.html

  35. ARM Limited. "PolarSSL 1.3.3 released - Tech Updates - mbed TLS (Previously PolarSSL)". tls.mbed.org. Retrieved 2015-05-19. https://tls.mbed.org/tech-updates/releases/polarssl-1.3.3-released

  36. "wolfSSL Embedded SSL/TLS Library | Products – wolfSSL". https://www.wolfssl.com/products/wolfssl/

  37. "Botan: src/lib/pubkey/curve25519/curve25519.cpp Source File". botan.randombit.net. http://botan.randombit.net/doxygen/curve25519_8cpp_source.html

  38. Starting with Windows 10 (1607), Windows Server 2016

  39. Justinha. "TLS (Schannel SSP)". docs.microsoft.com. Retrieved 2017-09-15. https://docs.microsoft.com/en-us/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server

  40. Denis, Frank. "Introduction · libsodium". libsodium.org. https://libsodium.org

  41. "OpenSSL 1.1.0 Series Release Notes". OpenSSL Foundation. Archived from the original on 2018-03-17. Retrieved 2016-06-24. https://web.archive.org/web/20180317162208/https://www.openssl.org/news/openssl-1.1.0-notes.html

  42. "Add support for ECDHE with X25519. · openbsd/src@0ad90c3". GitHub. https://github.com/openbsd/src/commit/0ad90c3e6b15b9b6b8463a8a0f87d70c83a07ef4

  43. "NSS 3.28 release notes". Archived from the original on 9 December 2017. Retrieved 25 July 2017. https://web.archive.org/web/20171209152048/https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.28_release_notes

  44. "A pure-Rust implementation of group operations on ristretto255 and Curve25519". GitHub. Retrieved 14 April 2021. https://github.com/dalek-cryptography/curve25519-dalek/

  45. "Ed25519.java". GitHub. 13 October 2021. https://github.com/bcgit/bc-java/blob/bc3b92f1f0e78b82e2584c5fb4b226a13e7f8b3b/core/src/main/java/org/bouncycastle/math/ec/rfc8032/Ed25519.java

  46. Straub, Andreas (25 October 2015). "OMEMO Encryption". conversations.im. https://conversations.im/xeps/multi-end.html#usecases-setup

  47. Via the OMEMO protocol.

  48. "Cryptocat - Security". crypto.cat. Archived from the original on 2016-04-07. Retrieved 2016-05-24. https://web.archive.org/web/20160407125207/https://crypto.cat/security.html#encryption

  49. Via the OMEMO protocol.

  50. Frank Denis. "DNSCrypt version 2 protocol specification". GitHub. Archived from the original on 2015-08-13. Retrieved 2016-03-03. https://web.archive.org/web/20150813075450/https://github.com/jedisct1/dnscrypt-proxy/blob/master/DNSCRYPT-V2-PROTOCOL.txt

  51. SSH implementation comparison. "Comparison of key exchange methods". Retrieved 2016-02-25. http://ssh-comparison.quendi.de/comparison/kex.html

  52. Matt Johnston. "Dropbear SSH - Changes". Retrieved 2016-02-25. https://matt.ucc.asn.au/dropbear/CHANGES

  53. Only in "secret conversations"

  54. Via the Signal Protocol.

  55. Bahtiar Gadimov; et al. "Gajim plugin for OMEMO Multi-End Message and Object Encryption". GitHub. Retrieved 2016-10-01. https://github.com/omemo/gajim-omemo

  56. Via the OMEMO protocol.

  57. "GNUnet 0.10.0". gnunet.org. Archived from the original on 9 December 2017. Retrieved 11 December 2014. https://web.archive.org/web/20171209100204/https://gnunet.org/gnunet0-10-0

  58. Only in "incognito mode"

  59. Via the Signal Protocol.

  60. zzz (2014-09-20). "0.9.15 Release - Blog". Retrieved 20 December 2014. https://geti2p.net/en/blog/post/2014/09/20/0.9.15-Release

  61. "go-ipfs_keystore.go at master". Github.com. 30 March 2022. https://github.com/ipfs/go-ipfs/blob/master/core/commands/keystore.go#L68

  62. "Apple Platform Security". Apple Support. https://support.apple.com/guide/security/welcome/web

  63. "MRL-0003 - Monero is Not That Mysterious" (PDF). getmonero.com. Archived from the original (PDF) on 2019-05-01. Retrieved 2018-06-05. https://web.archive.org/web/20190501100100/https://lab.getmonero.org/pubs/MRL-0003.pdf

  64. Used to sign releases and packages[53][54]

  65. SSH implementation comparison. "Comparison of key exchange methods". Retrieved 2016-02-25. http://ssh-comparison.quendi.de/comparison/kex.html

  66. Exclusive key exchange in OpenSSH 6.7 when compiled without OpenSSL.[55][56]

  67. "How does Peerio implement end-to-end encryption?". Peerio. Archived from the original on 2017-12-09. Retrieved 2015-11-04. https://web.archive.org/web/20171209100137/https://peerio.zendesk.com/hc/en-us/articles/204155895-How-does-Peerio-implement-end-to-end-encryption

  68. "Proton Mail now offers elliptic curve cryptography for advanced security and faster speeds". 25 April 2019. https://proton.me/blog/elliptic-curve-cryptography

  69. "PuTTY Change Log". www.chiark.greenend.org.uk. http://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html

  70. Via the Signal Protocol.

  71. SSH implementation comparison. "Comparison of key exchange methods". Retrieved 2016-02-25. http://ssh-comparison.quendi.de/comparison/kex.html

  72. SSH implementation comparison. "Comparison of key exchange methods". Retrieved 2016-02-25. http://ssh-comparison.quendi.de/comparison/kex.html

  73. Steve Gibson (December 2019). "SQRL Cryptography whitepaper" (PDF). https://www.grc.com/sqrl/SQRL_Cryptography.pdf

  74. "Threema Cryptography Whitepaper" (PDF). https://threema.ch/press-files/cryptography_whitepaper.pdf

  75. SSH implementation comparison. "Comparison of key exchange methods". Retrieved 2016-02-25. http://ssh-comparison.quendi.de/comparison/kex.html

  76. SSH implementation comparison. "Comparison of key exchange methods". Retrieved 2016-02-25. http://ssh-comparison.quendi.de/comparison/kex.html

  77. Roger Dingledine & Nick Mathewson. "Tor's Protocol Specifications - Blog". Retrieved 20 December 2014. https://gitweb.torproject.org/torspec.git/tree/tor-spec.txt?id=b5b771b19df9fc052b424228045409467a7b6414#n81

  78. "Viber Encryption Overview". Viber. 3 May 2016. Retrieved 24 September 2016. https://www.viber.com/en/security-overview

  79. Via the Signal Protocol.

  80. Nidhi Rastogi; James Hendler (2017-01-24). "WhatsApp security and role of metadata in preserving privacy". arXiv:1701.06817 [cs.CR].