In cryptography, Curve25519 is an elliptic curve used in elliptic-curve cryptography (ECC) offering 128 bits of security (256-bit key size) and designed for use with the Elliptic-curve Diffie–Hellman (ECDH) key agreement scheme. It is one of the fastest curves in ECC, and is not covered by any known patents.[1] The reference implementation is public domain software.[2][3]
The original Curve25519 paper defined it as a Diffie–Hellman (DH) function. Daniel J. Bernstein has since proposed that the name Curve25519 be used for the underlying curve, and the name X25519 for the DH function.[4]
Mathematical properties
The curve used is , a Montgomery curve, over the prime field defined by the prime number (hence the numeric "25519" in the name), and it uses the base point . This point generates a cyclic subgroup whose order is the prime . This subgroup has a cofactor of , meaning the number of elements in the subgroup is that of the full elliptic curve group. Using a prime-order subgroup prevents a Pohlig–Hellman attack on the discrete logarithm.[5]
The protocol uses a compressed point representation (only the x-coordinate is transmitted), which allows efficient use of the Montgomery ladder for ECDH using only XZ projective coordinates.[6]
Curve25519 is constructed such that it avoids many potential implementation pitfalls.[7]
By design, Curve25519 lets a straightforward implementation (a fixed-length Montgomery ladder with no secret-dependent branches or table lookups) resist timing attacks. It accepts any 32-byte string as a public key: because the curve's quadratic twist is also of secure order, an implementation does not need to check that a received point lies on the curve or was generated by the base point.[citation needed] One caveat remains: a small number of low-order points exist, and a peer who sends one forces the shared secret to the all-zero value, so RFC 7748 allows implementations to reject an all-zero output where contributory behaviour matters.
The curve is birationally equivalent to a twisted Edwards curve used in the Ed25519[8][9] signature scheme.[10]
History
In 2005, Curve25519 was first released by Daniel J. Bernstein.[5]
In 2013, interest increased considerably when it was discovered that the NSA had potentially placed a backdoor in the Dual_EC_DRBG algorithm, which is based on the P-256 curve.[11] While not directly related,[12] suspicious aspects of the constants in the NIST P curves[13] led to concerns[14] that the NSA had chosen values that gave it an advantage in breaking the encryption.[15][16]
"I no longer trust the constants. I believe the NSA has manipulated them through their relationships with industry."
— Bruce Schneier, The NSA Is Breaking Most Encryption on the Internet (2013)
Since 2013, Curve25519 has become the de facto alternative to P-256 and is used in a wide variety of applications.[17] Starting in 2014, OpenSSH[18] has defaulted to Curve25519-based ECDH, and GnuPG added support for Ed25519 keys for signing and encryption.[19] The use of the curve was eventually standardized for both key exchange and signatures in 2020.[20][21]
In 2017, NIST announced that Curve25519 and Curve448 would be added to Special Publication 800-186, which specifies approved elliptic curves for use by the US Federal Government.[22] Both are described in RFC 7748.[23] A 2019 draft of "FIPS 186-5" notes the intention to allow usage of Ed25519[24] for digital signatures. The 2023 update of Special Publication 800-186 allows usage of Curve25519.[25]
In 2018, the DKIM specification was amended to allow signatures with this algorithm.[26]
Also in 2018, RFC 8446 was published as the new Transport Layer Security v1.3 standard. It recommends support for X25519, Ed25519, X448, and Ed448 algorithms.[27]
Libraries
Protocols
- OMEMO, a proposed extension for XMPP (Jabber)[42]
- Secure Shell
- Signal Protocol
- Matrix (protocol)
- Tox
- Zcash
- Transport Layer Security
- WireGuard
Applications
- Conversations Android application[b]
- Cryptocat[43][b]
- DNSCrypt[44]
- DNSCurve
- Dropbear[29][45]
- Facebook Messenger[c][d]
- Gajim via plugin[46][b]
- GNUnet[47]
- GnuPG
- Google Allo[e][d]
- I2P[48]
- IPFS[49]
- iOS[50]
- Monero[51]
- OpenBSD[f]
- OpenSSH[29][g]
- Peerio[56]
- Proton Mail[57]
- PuTTY[58]
- Signal[d]
- Silent Phone
- SmartFTP[29]
- SSHJ[29]
- SQRL[59]
- Threema Instant Messenger[60]
- TinySSH[29]
- TinyTERM[29]
- Tor[61]
- Viber[62]
- WhatsApp[d][63]
- Wire
- WireGuard