Curve25519
{{Short description|Elliptic curve used in Internet cryptography}}
In cryptography, Curve25519 is an elliptic curve used in elliptic-curve cryptography (ECC) offering 128 bits of security (256-bit key size) and designed for use with the Elliptic-curve Diffie–Hellman (ECDH) key agreement scheme, first described and implemented by Daniel J. Bernstein. It is one of the fastest curves in ECC, and is not covered by any known patents.{{Cite web|title = Irrelevant patents on elliptic-curve cryptography|url = https://cr.yp.to/ecdh/patents.html|website = cr.yp.to|access-date = 2016-02-08|last = Bernstein}} The reference implementation is public domain software.[https://cr.yp.to/ecdh.html A state-of-the-art Diffie-Hellman function] by Daniel J. Bernstein: "My curve25519 library computes the Curve25519 function at very high speed. The library is in the public domain."{{cite web |date=5 March 2019 |title=X25519 |url=https://www.cryptopp.com/wiki/X25519 |url-status=live |archive-url=https://archive.today/20200829210454/https://cryptopp.com/w/index.php?title=X25519&oldid=26377 |archive-date=29 August 2020 |access-date=3 February 2023 |website=Crypto++}}
The original Curve25519 paper defined it as a Diffie–Hellman (DH) function. Bernstein has since proposed that the name Curve25519 be used for the underlying curve, and the name X25519 for the DH function.{{cite web|url=https://mailarchive.ietf.org/arch/msg/cfrg/-9LEdnzVrE5RORux3Oo_oDDRksU/|title=[Cfrg] 25519 naming|accessdate=2016-02-25}}
Mathematical properties
The curve used is , a Montgomery curve, over the prime field defined by the pseudo-Mersenne prime number{{Citation |last=Nath |first=Kaushik |title=Efficient Arithmetic In (Pseudo-)Mersenne Prime Order Fields |date=2018 |url=https://eprint.iacr.org/2018/985 |access-date=2025-05-10 |id=2018/985 |last2=Sarkar |first2=Palash}} (hence the numeric "{{val|25519|fmt=none}}" in the name), and it uses the base point . This point generates a cyclic subgroup whose order is the prime . This subgroup has a co-factor of {{val|8}}, meaning the number of elements in the subgroup is {{sfrac|1|8}} that of the elliptic curve group. Using a prime order subgroup prevents mounting a Pohlig–Hellman algorithm attack.
The protocol uses compressed elliptic-curve points (only the X coordinate is transmitted), which allows efficient use of the Montgomery ladder for ECDH, working in projective XZ coordinates throughout.{{cite web |title=EFD / Genus-1 large-characteristic / XZ coordinates for Montgomery curves |last1=Lange |first1=Tanja |author1-link=Tanja Lange |url=https://www.hyperelliptic.org/EFD/g1p/auto-montgom-xz.html|website=EFD / Explicit-Formulas Database |access-date=2016-02-08 }}
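The two paragraphs above describe the curve's structure (a pseudo-Mersenne prime field, a prime-order subgroup with cofactor 8) and the XZ-only Montgomery ladder. The following is an added example, not code from the article or from Bernstein's reference library: a compact X25519 written from the RFC 7748 description. The constants it uses (p = 2^255 − 19, Montgomery coefficient A = 486662, base point u = 9) are the standard Curve25519 values and are not spelled out on this page; the test vectors are the ones published in RFC 7748, sections 5.2 and 6.1. It also shows why the cofactor matters operationally: scalar clamping makes every secret a multiple of 8, so a small-order peer point collapses to the all-zero output that RFC 7748 says implementations may reject.

```python
# Added example (not from the article or from Bernstein's library): X25519
# per RFC 7748 using the Montgomery ladder on projective (X:Z) coordinates,
# with a Diffie-Hellman exchange on top.  Constants are the well-known
# Curve25519 values; test vectors come from RFC 7748.

P = 2**255 - 19          # field prime p (the "25519" in the name)
A = 486662               # Montgomery coefficient in v^2 = u^3 + A*u^2 + u
A24 = (A - 2) // 4       # 121665, the constant each ladder step needs
BASE_U = 9               # u-coordinate of the prime-order subgroup generator


def decode_scalar(k: bytes) -> int:
    """Clamp a 32-byte secret as RFC 7748 requires.

    Clearing the low three bits makes the scalar a multiple of the cofactor 8,
    so any small-order component of the peer's point is annihilated; setting
    bit 254 fixes the bit length so the ladder always walks the same path.
    """
    if len(k) != 32:
        raise ValueError("scalar must be 32 bytes")
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def decode_u(u: bytes) -> int:
    """Decode a little-endian u-coordinate: mask the unused top bit and reduce
    non-canonical encodings modulo p, as the RFC demands."""
    if len(u) != 32:
        raise ValueError("u-coordinate must be 32 bytes")
    u = bytearray(u)
    u[31] &= 127
    return int.from_bytes(u, "little") % P


def encode_u(u: int) -> bytes:
    return (u % P).to_bytes(32, "little")


def cswap(swap: int, a: int, b: int):
    """Branch-free conditional swap (swap is 0 or 1).  Python integers are not
    constant time; this only mirrors the structure real code uses to avoid
    secret-dependent branches."""
    d = (-swap) & (a ^ b)      # -swap is 0 or an all-ones mask
    return a ^ d, b ^ d


def ladder(k: int, u: int) -> int:
    """Montgomery ladder: u-coordinate of k*(u, v) using X:Z coordinates only."""
    x1 = u
    x2, z2 = 1, 0              # R0 = point at infinity
    x3, z3 = u, 1              # R1 = the input point
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
        swap = kt
        # One combined differential addition (R0+R1) and doubling (2*R0).
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = cswap(swap, x2, x3)
    z2, z3 = cswap(swap, z2, z3)
    return x2 * pow(z2, P - 2, P) % P   # z2 == 0 (infinity) maps to 0


def x25519(k: bytes, u: bytes) -> bytes:
    return encode_u(ladder(decode_scalar(k), decode_u(u)))


def x25519_base(k: bytes) -> bytes:
    """Public key for secret k: k times the base point."""
    return x25519(k, encode_u(BASE_U))


def is_small_order(u: bytes) -> bool:
    """True if the point is killed by the cofactor, i.e. 8*point is infinity."""
    return ladder(8, decode_u(u)) == 0


def shared_secret(k: bytes, peer_public: bytes) -> bytes:
    """ECDH with the all-zero check RFC 7748 recommends against small-order peers."""
    s = x25519(k, peer_public)
    if s == bytes(32):
        raise ValueError("peer public key is a small-order point")
    return s


# RFC 7748 test vectors (sections 5.2 and 6.1).
RFC_SCALAR = bytes.fromhex("a546e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449ac4")
RFC_U = bytes.fromhex("e6db6867583030db3594c1a424b15f7c726624ec26b3353b10a903a6d0ab1c4c")
RFC_OUT = "c3da55379de9c6908e94ea4df28d084f32eccf03491c71f754b4075577a28552"
ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ALICE_PUB = "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
BOB_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
BOB_PUB = "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f"
SHARED = "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742"

if __name__ == "__main__":
    print("5.2 vector ok:", x25519(RFC_SCALAR, RFC_U).hex() == RFC_OUT)
    print("Alice pub ok:", x25519_base(ALICE_PRIV).hex() == ALICE_PUB)
    print("shared ok:", shared_secret(ALICE_PRIV, bytes.fromhex(BOB_PUB)).hex() == SHARED)
    print("u=0 small order:", is_small_order(bytes(32)))
```

The ladder processes all 255 bits regardless of the scalar's value, and the conditional swap replaces the data-dependent branch a naive double-and-add would have; those two properties are what make the XZ Montgomery ladder the natural fit for a constant-time ECDH. The `is_small_order` check and the all-zero test in `shared_secret` are the practical consequence of the cofactor-8 structure described above: clamping guarantees the small-order part of any peer point is multiplied away, and the resulting zero output is the signal to abort.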
Curve25519 is constructed such that it avoids many potential implementation pitfalls.{{Cite web |title = SafeCurves: Introduction |url = https://safecurves.cr.yp.to |date=2017-01-22 |access-date = 2016-02-08 |first1=Daniel J. |last1=Bernstein |first2=Tanja |last2=Lange |work=SafeCurves: choosing safe curves for elliptic-curve cryptography }}
The curve is birationally equivalent to a twisted Edwards curve used in the Ed25519{{Cite web|url=http://ed25519.cr.yp.to/|title=Ed25519: high-speed high-security signatures |first1=Daniel J. |last1=Bernstein |first2=Niels |last2=Duif |first3=Tanja |last3=Lange |first4=Peter |last4=Schwabe |first5=Bo-Yin |last5=Yang |date=2017-01-22 |access-date=2019-11-09 }}{{Cite web |url=http://ed25519.cr.yp.to/ed25519-20110926.pdf |title=High-speed high-security signatures |first1=Daniel J. |last1=Bernstein |first2=Niels |last2=Duif |first3=Tanja |last3=Lange |first4=Peter |last4=Schwabe |first5=Bo-Yin |last5=Yang |date=2011-09-26 |access-date=2019-11-09 }} signature scheme.{{cite conference |last1=Bernstein|first1=Daniel J.|author-link1=Daniel J. Bernstein|last2=Lange|first2=Tanja|title=Advances in Cryptology – ASIACRYPT 2007 |chapter=Faster addition and doubling on elliptic curves|pages=29–50|chapter-url=https://eprint.iacr.org/2007/286 | doi=10.1007/978-3-540-76900-2_3 | series=Lecture Notes in Computer Science | publisher=Springer | location=Berlin | conference=Advances in cryptology—ASIACRYPT | year=2007 | isbn=978-3-540-76899-9 | mr=2565722 | volume=4833 | editor1-first=Kaoru | editor1-last=Kurosawa| doi-access=free }}
History
In 2005, Curve25519 was first released by Daniel J. Bernstein.{{cite conference |last=Bernstein |first=Daniel J. |title=Public Key Cryptography - PKC 2006 |author-link=Daniel J. Bernstein | chapter=Curve25519: New Diffie-Hellman Speed Records |year=2006 | chapter-url=https://cr.yp.to/ecdh/curve25519-20060209.pdf |conference=Public Key Cryptography |series=Lecture Notes in Computer Science |volume=3958 |pages=207–228 |location=New York |publisher=Springer |isbn=978-3-540-33851-2 |doi=10.1007/11745853_14 | mr=2423191 | editor1-first=Moti | editor1-last=Yung | editor2-first=Yevgeniy | editor2-last=Dodis | editor3-first=Aggelos | editor3-last=Kiayias | editor4-first=Tal |display-editors = 3 | editor4-last=Malkin|doi-access=free }}
In 2013, interest began to increase considerably when it was discovered that the NSA had potentially implemented a backdoor into the P-256 curve-based Dual_EC_DRBG algorithm.{{Cite web|url=https://csrc.nist.gov/csrc/media/projects/crypto-standards-development-process/documents/dualec_in_x982_and_sp800-90.pdf|title=Dual EC in X9.82 and SP 800-90|last=Kelsey|first=John|date=May 2014|website=National Institute of Standards in Technology|access-date=2018-12-02}} While not directly related,{{Cite web|title = A Few Thoughts on Cryptographic Engineering: The Many Flaws of Dual_EC_DRBG|url = http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html|website = blog.cryptographyengineering.com|access-date = 2015-05-20|last = Green|first = Matthew|date = 2015-01-14 }} suspicious aspects of NIST's P-curve constants{{Cite web|url=https://safecurves.cr.yp.to/|title=SafeCurves: Introduction}} led to concerns{{Cite web|url = https://lists.torproject.org/pipermail/tor-talk/2013-September/029956.html|title = [tor-talk] NIST approved crypto in Tor?|date = 2013-09-08|access-date = 2015-05-20|first = Gregory|last = Maxwell}} that the NSA had chosen values that gave them an advantage in breaking the encryption.{{Cite web|title = SafeCurves: Rigidity|url = https://safecurves.cr.yp.to/rigid.html|website = safecurves.cr.yp.to|access-date = 2015-05-20}}{{Cite web|title = The NSA Is Breaking Most Encryption on the Internet - Schneier on Security|url = https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html#c1675929|website = www.schneier.com|access-date = 2015-05-20}}
{{Blockquote|"I no longer trust the constants. I believe the NSA has manipulated them through their relationships with industry."
|author=Bruce Schneier |title=The NSA Is Breaking Most Encryption on the Internet (2013)}}
Since 2013, Curve25519 has become the de facto alternative to P-256, being used in a wide variety of applications.{{cite web|url=https://ianix.com/pub/curve25519-deployment.html|title=Things that use Curve25519|access-date=2015-12-23}} Starting in 2014, OpenSSH{{cite web|url=https://www.libssh.org/2013/11/03/openssh-introduces-curve25519-sha256libssh-org-key-exchange/|title=OpenSSH introduces curve25519-sha256@libssh.org key exchange ! |first=Aris |last=Adamantiadis |date=2013-11-03 |work=libssh.org |access-date=2014-12-27}} has defaulted to Curve25519-based ECDH, and GnuPG added support for Ed25519 keys for signing and encryption.{{Cite web|url=https://gnupg.org/faq/whats-new-in-2.1.html|title = GnuPG - What's new in 2.1|date = August 2021}} The use of the curve was eventually standardized for both key exchange and signature in 2020.{{cite ietf |rfc=8731 |title=Secure Shell (SSH) Key Exchange Method Using Curve25519 and Curve448 |author1=A. Adamantiadis |author2=libssh |author3=S. Josefsson |author4=SJD AB |author5=M. Baushke |author6=Juniper Networks, Inc. |date=February 2020}}{{cite ietf |rfc=8709 |title=Ed25519 and Ed448 Public Key Algorithms for the Secure Shell (SSH) Protocol |author1=B. Harris |author2=L. Velvindron | date=February 2020}}
In 2017, NIST announced that Curve25519 and Curve448 would be added to Special Publication 800-186, which specifies approved elliptic curves for use by the US Federal Government.{{Cite web|url=https://csrc.nist.gov/News/2017/Transition-Plans-for-Key-Establishment-Schemes|title=Transition Plans for Key Establishment Schemes|date=2017-10-31|website=National Institute of Standards and Technology|language=EN-US|access-date=2019-09-04|archive-date=2018-03-11|archive-url=https://web.archive.org/web/20180311141933/https://csrc.nist.gov/News/2017/Transition-Plans-for-Key-Establishment-Schemes|url-status=dead}} Both are described in RFC 7748.{{cite ietf |rfc=7748 |title=Elliptic Curves for Security |author1=A. Langley |author2=M. Hamburg |author3=S. Turner |date=January 2016}} A 2019 draft of "FIPS 186-5" notes the intention to allow usage of Ed25519{{cite journal |title=FIPS PUB 186-5 |website=National Institute of Standards and Technology |type=Withdrawn Draft |doi=10.6028/NIST.FIPS.186-5-draft |url=https://csrc.nist.gov/publications/detail/fips/186/5/draft|last1=Regenscheid|first1=Andrew|date=31 October 2019|s2cid=241055751}} for digital signatures. The 2023 update of Special Publication 800-186 allows usage of Curve25519.{{Cite web|url=https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-186.pdf|title=Recommendations for Discrete Logarithm-Based Cryptography}}
In February 2017, the DNSSEC specification for using Ed25519 and Ed448 was published as {{IETF RFC|8080}}, assigning algorithm numbers 15 and 16.{{cite web|title=Domain Name System Security (DNSSEC) Algorithm Numbers|publisher=Internet Assigned Numbers Authority|date=2024-12-05|access-date=2024-12-27|url=https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml}}
In 2018, the DKIM specification was amended to allow signatures with this algorithm.{{cite IETF |title=A New Cryptographic Signature Method for DomainKeys Identified Mail (DKIM) |rfc=8463 |author=John Levine |date=September 2018 |publisher=IETF}}
Also in 2018, RFC 8446 was published as the new Transport Layer Security v1.3 standard. It recommends support for X25519, Ed25519, X448, and Ed448 algorithms.{{cite IETF |title=The Transport Layer Security (TLS) Protocol Version 1.3 |rfc=8446 |author=E Rescorla|date=September 2018 |publisher=IETF}}
Libraries
{{div col}}
- Libgcrypt{{cite web |url=https://lists.gnupg.org/pipermail/gnupg-announce/2016q2/000386.html |title=Libgcrypt 1.7.0 release announcement |author=Werner Koch |date=15 April 2016 |access-date=22 April 2016|author-link=Werner Koch }}
- libssh{{cite web|url=http://ssh-comparison.quendi.de/comparison/kex.html|title=Comparison of key exchange methods|author=SSH implementation comparison|access-date=2016-02-25}}
- libssh2 (since version 1.9.0)
- NaCl{{cite web|url=https://nacl.cr.yp.to/|title=Introduction|work=yp.to|access-date=11 December 2014}}
- GnuTLS{{Cite web|title = nettle: curve25519.h File Reference |type=doxygen documentation |website=Fossies |url = http://fossies.org/dox/nettle-3.1.1/curve25519_8h.html |access-date = 2015-05-19|archive-url = https://web.archive.org/web/20150520171756/http://fossies.org/dox/nettle-3.1.1/curve25519_8h.html|archive-date = 2015-05-20}}
- mbed TLS (formerly PolarSSL){{Cite web|title = PolarSSL 1.3.3 released - Tech Updates - mbed TLS (Previously PolarSSL)|url = https://tls.mbed.org/tech-updates/releases/polarssl-1.3.3-released|website = tls.mbed.org|access-date = 2015-05-19|first = ARM|last = Limited}}
- wolfSSL{{Cite web|url=https://www.wolfssl.com/products/wolfssl/|title=wolfSSL Embedded SSL/TLS Library | Products – wolfSSL}}
- Botan{{cite web|url=http://botan.randombit.net/doxygen/curve25519_8cpp_source.html|title=Botan: src/lib/pubkey/curve25519/curve25519.cpp Source File|website=botan.randombit.net}}
- Schannel{{efn|Starting with Windows 10 (1607), Windows Server 2016|name=|group=}}{{Cite web|url=https://docs.microsoft.com/en-us/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server|title=TLS (Schannel SSP)|last=Justinha|website=docs.microsoft.com|language=en-us|access-date=2017-09-15}}
- Libsodium{{cite web|url=https://libsodium.org|title=Introduction · libsodium|first=Frank|last=Denis|website=libsodium.org}}
- OpenSSL since version 1.1.0{{Cite web|url=https://www.openssl.org/news/openssl-1.1.0-notes.html|title=OpenSSL 1.1.0 Series Release Notes |website=OpenSSL Foundation |access-date=2016-06-24|archive-date=2018-03-17|archive-url=https://web.archive.org/web/20180317162208/https://www.openssl.org/news/openssl-1.1.0-notes.html}}
- LibreSSL{{cite web|url=https://github.com/openbsd/src/commit/0ad90c3e6b15b9b6b8463a8a0f87d70c83a07ef4|title=Add support for ECDHE with X25519. · openbsd/src@0ad90c3|website=GitHub}}
- NSS since version 3.28{{Cite web|url=https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.28_release_notes|title=NSS 3.28 release notes|access-date=25 July 2017|archive-date=9 December 2017|archive-url=https://web.archive.org/web/20171209152048/https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.28_release_notes|url-status=dead}}
- Crypto++
- curve25519-dalek{{Cite web|url=https://github.com/dalek-cryptography/curve25519-dalek/|title=A pure-Rust implementation of group operations on ristretto255 and Curve25519|website=GitHub |access-date=14 April 2021}}
- Bouncy Castle{{cite web|url=https://github.com/bcgit/bc-java/blob/bc3b92f1f0e78b82e2584c5fb4b226a13e7f8b3b/core/src/main/java/org/bouncycastle/math/ec/rfc8032/Ed25519.java|title=Ed25519.java|website=GitHub|date=13 October 2021}}
{{div col end}}
Protocols
- OMEMO, a proposed extension for XMPP (Jabber){{cite web|url=https://conversations.im/xeps/multi-end.html#usecases-setup|title=OMEMO Encryption|first=Andreas|last=Straub|date=25 October 2015|website=conversations.im}}
- Secure Shell
- Signal Protocol
- Matrix (protocol)
- Tox
- Zcash
- Transport Layer Security
- WireGuard
Applications
{{div col|colwidth=16em}}
- Conversations Android application{{efn|name=OMEMO|Via the OMEMO protocol}}
- Cryptocat{{Cite web|url=https://crypto.cat/security.html#encryption|title=Cryptocat - Security|website=crypto.cat|access-date=2016-05-24|archive-url=https://web.archive.org/web/20160407125207/https://crypto.cat/security.html#encryption|archive-date=2016-04-07}}{{efn|name=OMEMO}}
- DNSCrypt{{cite web|url=https://github.com/jedisct1/dnscrypt-proxy/blob/master/DNSCRYPT-V2-PROTOCOL.txt/|title=DNSCrypt version 2 protocol specification|author=Frank Denis|website=GitHub|access-date=2016-03-03|archive-url=https://web.archive.org/web/20150813075450/https://github.com/jedisct1/dnscrypt-proxy/blob/master/DNSCRYPT-V2-PROTOCOL.txt|archive-date=2015-08-13}}
- DNSCurve
- DNSSEC
- Dropbear{{cite web|url=https://matt.ucc.asn.au/dropbear/CHANGES|title=Dropbear SSH - Changes|author=Matt Johnston|access-date=2016-02-25}}
- Facebook Messenger {{efn|Only in "secret conversations"}}{{efn|name=SIGNAL|Via the Signal Protocol}}
- Gajim via plugin{{cite web|url= https://github.com/omemo/gajim-omemo|title= Gajim plugin for OMEMO Multi-End Message and Object Encryption|author= Bahtiar Gadimov|website= GitHub|display-authors=etal|access-date= 2016-10-01}}{{efn|name=OMEMO}}
- GNUnet{{cite web|url=https://gnunet.org/gnunet0-10-0|title=GNUnet 0.10.0|work=gnunet.org|access-date=11 December 2014|archive-date=9 December 2017|archive-url=https://web.archive.org/web/20171209100204/https://gnunet.org/gnunet0-10-0}}
- GnuPG
- Google Allo{{efn|Only in "incognito mode"}}{{efn|name=SIGNAL}}
- I2P{{cite web|url=https://geti2p.net/en/blog/post/2014/09/20/0.9.15-Release|title=0.9.15 Release - Blog|author=zzz|date=2014-09-20|access-date=20 December 2014}}
- IPFS{{cite web |title=go-ipfs_keystore.go at master |date=30 March 2022 |url=https://github.com/ipfs/go-ipfs/blob/master/core/commands/keystore.go#L68 |publisher=Github.com}}
- iOS{{Cite web|url=https://support.apple.com/guide/security/welcome/web|title=Apple Platform Security|website=Apple Support}}
- Monero{{cite web|url=https://lab.getmonero.org/pubs/MRL-0003.pdf|title=MRL-0003 - Monero is Not That Mysterious|website=getmonero.com|access-date=2018-06-05|archive-url=https://web.archive.org/web/20190501100100/https://lab.getmonero.org/pubs/MRL-0003.pdf|archive-date=2019-05-01}}
- OpenBSD and signify{{efn|Used to sign releases and packages{{cite web |url=http://bsd.slashdot.org/story/14/01/19/0124202/openbsd-moving-towards-signed-packages-based-on-d-j-bernstein-crypto |title= OpenBSD Moving Towards Signed Packages — Based On D. J. Bernstein Crypto |first=Constantine A. |last=Murenin |editor=Soulskill |date=2014-01-19 |access-date=2014-12-27 |publisher=Slashdot}}{{cite web |url=http://bsd.slashdot.org/story/14/05/01/1656209/openbsd-55-released |title= OpenBSD 5.5 Released |first=Constantine A. |last=Murenin |editor=timothy |date=2014-05-01 |access-date=2014-12-27 |publisher=Slashdot}}}}
- OpenSSH{{efn|Exclusive key exchange in OpenSSH 6.7 when compiled without OpenSSL.{{cite web |url=http://bxr.su/OpenBSD/usr.bin/ssh/kex.c#kexalgs |title=ssh/kex.c#kexalgs |first=Markus |last=Friedl |website=BSD Cross Reference, OpenBSD src/usr.bin/ |date=2014-04-29 |access-date=2014-12-27 }}{{cite web |url=http://it.slashdot.org/story/14/04/30/1822209/openssh-no-longer-has-to-depend-on-openssl |title= OpenSSH No Longer Has To Depend On OpenSSL |first=Constantine A. |last=Murenin |editor=Soulskill |date=2014-04-30 |access-date=2014-12-26 |publisher=Slashdot}}}}
- Peerio{{cite web|url=https://peerio.zendesk.com/hc/en-us/articles/204155895-How-does-Peerio-implement-end-to-end-encryption|title=How does Peerio implement end-to-end encryption?|website=Peerio|access-date=2015-11-04|archive-date=2017-12-09|archive-url=https://web.archive.org/web/20171209100137/https://peerio.zendesk.com/hc/en-us/articles/204155895-How-does-Peerio-implement-end-to-end-encryption}}
- Proton Mail{{cite web|url=https://proton.me/blog/elliptic-curve-cryptography|title=Proton Mail now offers elliptic curve cryptography for advanced security and faster speeds|date=25 April 2019}}
- PuTTY{{cite web|url=http://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html|title=PuTTY Change Log|website=www.chiark.greenend.org.uk}}
- Signal{{efn|name=SIGNAL}}
- Silent Phone
- SmartFTP
- SSHJ
- SQRL{{cite web|url=https://www.grc.com/sqrl/SQRL_Cryptography.pdf|title=SQRL Cryptography whitepaper|author=Steve Gibson|date=December 2019}}
- Threema Instant Messenger{{Cite web|url=https://threema.ch/press-files/cryptography_whitepaper.pdf|title=Threema Cryptography Whitepaper}}
- TinySSH
- TinyTERM
- Tor{{cite web|url=https://gitweb.torproject.org/torspec.git/tree/tor-spec.txt?id=b5b771b19df9fc052b424228045409467a7b6414#n81|title=Tor's Protocol Specifications - Blog|author=Roger Dingledine & Nick Mathewson|access-date=20 December 2014}}
- Viber{{cite web|title=Viber Encryption Overview|url=https://www.viber.com/en/security-overview|publisher=Viber|access-date=24 September 2016|date=3 May 2016}}
- WhatsApp{{efn|name=SIGNAL}}{{Cite arXiv |title=WhatsApp security and role of metadata in preserving privacy |author=Nidhi Rastogi |author2=James Hendler| date=2017-01-24|class=cs.CR |eprint = 1701.06817}}
- Wire
- WireGuard
{{div col end}}
Notes
{{notelist}}
References
{{reflist|30em}}
External links
- {{official website|https://cr.yp.to/ecdh.html}}
{{Cryptography public-key}}