Curve25519

Template:Short description In cryptography, Curve25519 is an elliptic curve used in elliptic-curve cryptography (ECC) offering 128 bits of security (256-bit key size) and designed for use with the Elliptic-curve Diffie–Hellman (ECDH) key agreement scheme. It is one of the fastest curves in ECC, and is not covered by any known patents.^[1] The reference implementation is public domain software.^[2][3]

The original Curve25519 paper defined it as a Diffie–Hellman (DH) function. Daniel J. Bernstein has since proposed that the name Curve25519 be used for the underlying curve, and the name X25519 for the DH function.^[4]

The curve used is ${\displaystyle y^2=x^3+486662x^2+x}$, a Montgomery curve, over the prime field defined by the prime number ${\displaystyle 2^{255}-19}$ (hence the numeric "Template:Val" in the name), and it uses the base point ${\displaystyle x=9}$. This point generates a cyclic subgroup whose order is the prime ${\displaystyle 2^{252}+27742317777372353535851937790883648493}$. This subgroup has a co-factor of Template:Val, meaning the number of elements in the subgroup is Template:Sfrac that of the elliptic curve group. Using a prime order subgroup prevents mounting a Pohlig–Hellman algorithm attack.^[5]

The protocol uses compressed elliptic point (only X coordinates), so it allows efficient use of the Montgomery ladder for ECDH, using only XZ coordinates.^[6]

Curve25519 is constructed such that it avoids many potential implementation pitfalls.^[7]

The curve is birationally equivalent to a twisted Edwards curve used in the Ed25519^[8][9] signature scheme.^[10]

In 2005, Curve25519 was first released by Daniel J. Bernstein.^[5]

In 2013, interest began to increase considerably when it was discovered that the NSA had potentially implemented a backdoor into the P-256 curve based Dual_EC_DRBG algorithm.^[11] While not directly related,^[12] suspicious aspects of the NIST's P curve constants^[13] led to concerns^[14] that the NSA had chosen values that gave them an advantage in breaking the encryption.^[15][16]

Template:Blockquote

Since 2013, Curve25519 has become the de facto alternative to P-256, being used in a wide variety of applications.^[17] Starting in 2014, OpenSSH^[18] defaults to Curve25519-based ECDH and GnuPG adds support for Ed25519 keys for signing and encryption.^[19] The use of the curve was eventually standardized for both key exchange and signature in 2020.^[20][21]

In 2017, NIST announced that Curve25519 and Curve448 would be added to Special Publication 800-186, which specifies approved elliptic curves for use by the US Federal Government.^[22] Both are described in RFC 7748.^[23] A 2019 draft of "FIPS 186-5" notes the intention to allow usage of Ed25519^[24] for digital signatures. The 2023 update of Special Publication 800-186 allows usage of Curve25519.^[25]

In February 2017, the DNSSEC specification for using Ed25519 and Ed448 was published as Template:IETF RFC, assigning algorithm numbers 15 and 16.^[26]

In 2018, DKIM specification was amended so as to allow signatures with this algorithm.^[27] Also in 2018, RFC 8446 was published as the new Transport Layer Security v1.3 standard. It recommends support for X25519, Ed25519, X448, and Ed448 algorithms.^[28]

Template:Div col

• Libgcrypt^[29]
• libssh^[18][30]
• libssh2 (since version 1.9.0)
• NaCl^[31]
• GnuTLS^[32]
• mbed TLS (formerly PolarSSL)^[33]
• wolfSSL^[34]
• Botan^[35]
• SchannelTemplate:Efn^[36]
• Libsodium^[37]
• OpenSSL since version 1.1.0^[38]
• LibreSSL^[39]
• NSS since version 3.28^[40]
• Crypto++
• curve25519-dalek^[41]
• Bouncy Castle^[42]

Template:Div col end

• OMEMO, a proposed extension for XMPP (Jabber)^[43]
• Secure Shell
• Signal Protocol
• Matrix (protocol)
• Tox
• Zcash
• Transport Layer Security
• WireGuard

Template:Div col

• Conversations Android applicationTemplate:Efn
• Cryptocat^[44]Template:Efn
• DNSCrypt^[45]
• DNSCurve

• DNSSEC
• Dropbear^[30][46]
• Facebook Messenger Template:EfnTemplate:Efn
• Gajim via plugin^[47]Template:Efn
• GNUnet^[48]
• GnuPG
• Google AlloTemplate:EfnTemplate:Efn
• I2P^[49]
• IPFS^[50]
• iOS^[51]
• Monero^[52]
• OpenBSD and signifyTemplate:Efn
• OpenSSH^[30]Template:Efn
• Peerio^[53]
• Proton Mail^[54]
• PuTTY^[55]
• SignalTemplate:Efn
• Silent Phone
• SmartFTP^[30]
• SSHJ^[30]
• SQRL^[56]
• Threema Instant Messenger^[57]
• TinySSH^[30]
• TinyTERM^[30]
• Tor^[58]
• Viber^[59]
• WhatsAppTemplate:Efn^[60]
• Wire
• WireGuard

Template:End div col

Template:Notelist

Template:Reflist

• Template:Official website

Template:Cryptography public-key