Curve25519

In cryptography, Curve25519 is an elliptic curve used in elliptic-curve cryptography (ECC) offering 128 bits of security (256-bit key size) and designed for use with the Elliptic-curve Diffie–Hellman (ECDH) key agreement scheme. It is one of the fastest curves in ECC, and is not covered by any known patents.^[1] The reference implementation is public domain software.^[2][3]

The original Curve25519 paper defined it as a Diffie–Hellman (DH) function. Daniel J. Bernstein has since proposed that the name Curve25519 be used for the underlying curve, and the name X25519 for the DH function.^[4]

Mathematical properties

The curve used is ${\displaystyle y^{2}=x^{3}+486662x^{2}+x}$, a Montgomery curve, over the prime field defined by the pseudo-Mersenne prime number^[5] ${\displaystyle 2^{255}-19}$ (hence the numeric "25519" in the name), and it uses the base point ${\displaystyle x=9}$. This point generates a cyclic subgroup whose order is the prime ${\displaystyle 2^{252}+27742317777372353535851937790883648493}$. This subgroup has a co-factor of 8, meaning the number of elements in the subgroup is ⁠1/8⁠ that of the elliptic curve group. Using a prime order subgroup prevents mounting a Pohlig–Hellman algorithm attack.^[6]

The protocol uses compressed elliptic point (only X coordinates), so it allows efficient use of the Montgomery ladder for ECDH, using only XZ coordinates.^[7]

Curve25519 is constructed such that it avoids many potential implementation pitfalls.^[8]

The curve is birationally equivalent to a twisted Edwards curve used in the Ed25519^[9][10] signature scheme.^[11]

History

In 2005, Curve25519 was first released by Daniel J. Bernstein.^[6]

In 2013, interest began to increase considerably when it was discovered that the NSA had potentially implemented a backdoor into the P-256 curve based Dual_EC_DRBG algorithm.^[12] While not directly related,^[13] suspicious aspects of the NIST's P curve constants^[14] led to concerns^[15] that the NSA had chosen values that gave them an advantage in breaking the encryption.^[16][17]

"I no longer trust the constants. I believe the NSA has manipulated them through their relationships with industry."

— Bruce Schneier, The NSA Is Breaking Most Encryption on the Internet (2013)

Since 2013, Curve25519 has become the de facto alternative to P-256, being used in a wide variety of applications.^[18] Starting in 2014, OpenSSH^[19] defaults to Curve25519-based ECDH and GnuPG adds support for Ed25519 keys for signing and encryption.^[20] The use of the curve was eventually standardized for both key exchange and signature in 2020.^[21][22]

In 2017, NIST announced that Curve25519 and Curve448 would be added to Special Publication 800-186, which specifies approved elliptic curves for use by the US Federal Government.^[23] Both are described in RFC 7748.^[24] A 2019 draft of "FIPS 186-5" notes the intention to allow usage of Ed25519^[25] for digital signatures. The 2023 update of Special Publication 800-186 allows usage of Curve25519.^[26]

In February 2017, the DNSSEC specification for using Ed25519 and Ed448 was published as RFC 8080, assigning algorithm numbers 15 and 16.^[27]

In 2018, DKIM specification was amended so as to allow signatures with this algorithm.^[28] Also in 2018, RFC 8446 was published as the new Transport Layer Security v1.3 standard. It recommends support for X25519, Ed25519, X448, and Ed448 algorithms.^[29]

Libraries

• Libgcrypt^[30]
• libssh^[19][31]
• libssh2 (since version 1.9.0)
• NaCl^[32]
• GnuTLS^[33]
• mbed TLS (formerly PolarSSL)^[34]
• wolfSSL^[35]
• Botan^[36]
• Schannel^[a][37]
• Libsodium^[38]
• OpenSSL since version 1.1.0^[39]
• LibreSSL^[40]
• NSS since version 3.28^[41]
• Crypto++
• curve25519-dalek^[42]
• Bouncy Castle^[43]

Protocols

• OMEMO, a proposed extension for XMPP (Jabber)^[44]
• Secure Shell
• Signal Protocol
• Matrix (protocol)
• Tox
• Zcash
• Transport Layer Security
• WireGuard

Applications

• Conversations Android application^[b]
• Cryptocat^[45][b]
• DNSCrypt^[46]
• DNSCurve

• DNSSEC
• Dropbear^[31][47]
• Facebook Messenger ^[c][d]
• Gajim via plugin^[48][b]
• GNUnet^[49]
• GnuPG
• Google Allo^[e][d]
• I2P^[50]
• IPFS^[51]
• iOS^[52]
• Monero^[53]
• OpenBSD and signify^[f]
• OpenSSH^[31][g]
• Peerio^[58]
• Proton Mail^[59]
• PuTTY^[60]
• Signal^[d]
• Silent Phone
• SmartFTP^[31]
• SSHJ^[31]
• SQRL^[61]
• Threema Instant Messenger^[62]
• TinySSH^[31]
• TinyTERM^[31]
• Tor^[63]
• Viber^[64]
• WhatsApp^[d][65]
• Wire
• WireGuard

Notes

1. Starting with Windows 10 (1607), Windows Server 2016
2. Via the OMEMO protocol
3. Only in "secret conversations"
4. Via the Signal Protocol
5. Only in "incognito mode"
6. Used to sign releases and packages^[54][55]
7. Exclusive key exchange in OpenSSH 6.7 when compiled without OpenSSL.^[56][57]