Curve25519
From Wikipedia, the free encyclopedia
The original Curve25519 paper defined it as a Diffie–Hellman (DH) function. Daniel J. Bernstein has since proposed that the name Curve25519 be used for the underlying curve, and the name X25519 for the DH function.[4]
Mathematical properties
The curve used is $y^{2}=x^{3}+486662x^{2}+x$, a Montgomery curve, over the prime field defined by the prime number $2^{255}-19$ (hence the numeric "25519" in the name), and it uses the base point $x=9$. This point generates a cyclic subgroup whose order is the prime $2^{252}+27742317777372353535851937790883648493$. This subgroup has a co-factor of $8$, meaning the number of elements in the subgroup is $1/8$ that of the elliptic curve group. Using a prime order subgroup prevents mounting a Pohlig–Hellman algorithm attack.[5]
The protocol uses compressed elliptic curve points (only the X coordinate), so it allows efficient use of the Montgomery ladder for ECDH, using only XZ coordinates.[6]
Curve25519 is constructed such that it avoids many potential implementation pitfalls.[7]
By design, Curve25519 is immune to timing attacks, and it accepts any 32-byte string as a valid public key and does not require validating that a given point belongs to the curve, or is generated by the base point.[citation needed]
The curve is birationally equivalent to a twisted Edwards curve used in the Ed25519[8][9] signature scheme.[10]
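The following is an added reference implementation of the X25519 function as specified in RFC 7748 (not code from the article or from Bernstein's own library); it exercises exactly the parameters described above: the field $2^{255}-19$, the Montgomery constant 486662 (via $a_{24} = (486662-2)/4 = 121665$), the base point $u = 9$, the cofactor-clearing scalar clamping, and the XZ-only Montgomery ladder. Python big-integer arithmetic is not constant-time, so this demonstrates the algorithm rather than the timing-safe implementation the text refers to; it also includes the all-zero-output check that RFC 7748 allows for rejecting small-order inputs.

```python
P = 2**255 - 19                      # field prime, hence the "25519" in the name
A24 = 121665                         # (A - 2) / 4 for the Montgomery constant A = 486662
BASE_POINT = b"\x09" + b"\x00" * 31  # u = 9 as a 32-byte little-endian string

def decode_scalar(k: bytes) -> int:
    """Clamp a 32-byte secret as RFC 7748 does: clear the 3 low bits (the cofactor 8
    is multiplied away), clear bit 255 and set bit 254 so the ladder length is fixed."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")

def decode_u(u: bytes) -> int:
    """Any 32-byte string is accepted: the top bit is masked off, nothing else is validated."""
    return int.from_bytes(u, "little") & ((1 << 255) - 1)

def x25519(k: bytes, u: bytes) -> bytes:
    """Scalar multiplication with the Montgomery ladder in (X, Z) coordinates only."""
    k_int, x1 = decode_scalar(k), decode_u(u)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0   # (x2:z2) = infinity, (x3:z3) = the input point
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        swap ^= kt
        if swap:  # conditional swap; a real implementation does this without branching
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P    # differential addition
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P            # doubling
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    # Convert back to affine: x2 / z2 via Fermat inversion; z2 == 0 yields all zeros.
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def x25519_public_key(secret: bytes) -> bytes:
    return x25519(secret, BASE_POINT)

def shared_secret(my_secret: bytes, their_public: bytes) -> bytes:
    """Diffie-Hellman step; rejects the all-zero result that small-order inputs produce."""
    out = x25519(my_secret, their_public)
    if out == bytes(32):
        raise ValueError("peer public key has small order; shared secret is all zero")
    return out
```

Running the block against the Alice/Bob key pairs from RFC 7748 section 6.1 reproduces the published shared secret in both directions, while the point $u = 0$ (order 2) is mapped to the all-zero output and rejected by shared_secret.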
History
In 2005, Curve25519 was first released by Daniel J. Bernstein.[5]
In 2013, interest increased considerably when it was discovered that the NSA had potentially implemented a backdoor into the P-256-based Dual_EC_DRBG algorithm.[11] While not directly related,[12] suspicious aspects of the NIST P-curve constants[13] led to concerns[14] that the NSA had chosen values that gave it an advantage in breaking the encryption.[15][16]
"I no longer trust the constants. I believe the NSA has manipulated them through their relationships with industry." — Bruce Schneier, The NSA Is Breaking Most Encryption on the Internet (2013)
Since 2013, Curve25519 has become the de facto alternative to P-256, being used in a wide variety of applications.[17] Starting in 2014, OpenSSH[18] defaults to Curve25519-based ECDH, and GnuPG adds support for Ed25519 keys for signing and encryption.[19] The use of the curve was eventually standardized for both key exchange and signatures in 2020.[20][21]
In 2017, NIST announced that Curve25519 and Curve448 would be added to Special Publication 800-186, which specifies approved elliptic curves for use by the US Federal Government.[22] Both are described in RFC 7748.[23] A 2019 draft of "FIPS 186-5" notes the intention to allow usage of Ed25519[24] for digital signatures. The 2023 update of Special Publication 800-186 allows usage of Curve25519.[25]
In 2018, the DKIM specification was amended so as to allow signatures with this algorithm.[26]
Also in 2018, RFC 8446 was published as the new Transport Layer Security v1.3 standard. It recommends support for the X25519, Ed25519, X448, and Ed448 algorithms.[27]
Libraries
libssh[18] [29]
libssh2 (since version 1.9.0)
NaCl [30]
GnuTLS [31]
mbed TLS (formerly PolarSSL)[32]
wolfSSL [33]
Botan [34]
Schannel [a] [35]
Libsodium [36]
OpenSSL since version 1.1.0[37]
LibreSSL [38]
NSS since version 3.28[39]
Crypto++
curve25519-dalek [40]
Bouncy Castle [41]
Protocols
Applications
Cryptocat [43] [b]
DNSCrypt [44]
DNSCurve
Dropbear [29] [45]
Facebook Messenger [c] [d]
Gajim via plugin[46] [b]
GNUnet [47]
GnuPG
Google Allo [e] [d]
I2P [48]
IPFS [49]
iOS [50]
Monero [51]
OpenBSD [f]
OpenSSH [29] [g]
Peerio [56]
Proton Mail [57]
PuTTY [58]
Signal [d]
Silent Phone
SmartFTP [29]
SSHJ[29]
SQRL [59]
Threema Instant Messenger [60]
TinySSH[29]
TinyTERM[29]
Tor [61]
Viber [62]
WhatsApp [d] [63]
Wire
WireGuard
Notes
a. Starting with Windows 10 (1607), Windows Server 2016
b. Via the OMEMO protocol
c. Only in "secret conversations"
d. Via the Signal Protocol
e. Only in "incognito mode"
f. Used to sign releases and packages[52][53]
g. Exclusive key exchange in OpenSSH 6.7 when compiled without OpenSSL.[54][55]
References
2. Bernstein, Daniel J. "A state-of-the-art Diffie-Hellman function". "My curve25519 library computes the Curve25519 function at very high speed. The library is in the public domain."
3. "X25519". Crypto++. 5 March 2019. Archived from the original on 29 August 2020. Retrieved 3 February 2023.
4. "[Cfrg] 25519 naming". Retrieved 2016-02-25.
5. Bernstein, Daniel J. (2006). "Curve25519: New Diffie-Hellman Speed Records" (PDF). In Yung, Moti; Dodis, Yevgeniy; Kiayias, Aggelos; et al. (eds.). Public Key Cryptography - PKC 2006. Lecture Notes in Computer Science. Vol. 3958. New York: Springer. pp. 207–228. doi:10.1007/11745853_14. ISBN 978-3-540-33851-2. MR 2423191.
6. Lange, Tanja. "EFD / Genus-1 large-characteristic / XZ coordinates for Montgomery curves". EFD / Explicit-Formulas Database. Retrieved 2016-02-08.
7. Bernstein, Daniel J.; Lange, Tanja (2017-01-22). "SafeCurves: Introduction". SafeCurves: choosing safe curves for elliptic-curve cryptography. Retrieved 2016-02-08.
8. Bernstein, Daniel J.; Duif, Niels; Lange, Tanja; Schwabe, Peter; Yang, Bo-Yin (2017-01-22). "Ed25519: high-speed high-security signatures". Retrieved 2019-11-09.
9. Bernstein, Daniel J.; Duif, Niels; Lange, Tanja; Schwabe, Peter; Yang, Bo-Yin (2011-09-26). "High-speed high-security signatures" (PDF). Retrieved 2019-11-09.
10. Bernstein, Daniel J.; Lange, Tanja (2007). "Faster addition and doubling on elliptic curves". In Kurosawa, Kaoru (ed.). Advances in Cryptology – ASIACRYPT 2007. Lecture Notes in Computer Science. Vol. 4833. Berlin: Springer. pp. 29–50. doi:10.1007/978-3-540-76900-2_3. ISBN 978-3-540-76899-9. MR 2565722.
11. Kelsey, John (May 2014). "Dual EC in X9.82 and SP 800-90" (PDF). National Institute of Standards and Technology. Retrieved 2018-12-02.
12. Green, Matthew (2015-01-14). "A Few Thoughts on Cryptographic Engineering: The Many Flaws of Dual_EC_DRBG". blog.cryptographyengineering.com. Retrieved 2015-05-20.
13. "SafeCurves: Introduction".
14. Maxwell, Gregory (2013-09-08). "[tor-talk] NIST approved crypto in Tor?". Retrieved 2015-05-20.
15. "SafeCurves: Rigidity". safecurves.cr.yp.to. Retrieved 2015-05-20.
16. "The NSA Is Breaking Most Encryption on the Internet - Schneier on Security". www.schneier.com. Retrieved 2015-05-20.
17. "Things that use Curve25519". Retrieved 2015-12-23.
18. Adamantiadis, Aris (2013-11-03). "OpenSSH introduces curve25519-sha256@libssh.org key exchange!". libssh.org. Retrieved 2014-12-27.
19. "GnuPG - What's new in 2.1". August 2021.
20. A. Adamantiadis (libssh); S. Josefsson (SJD AB); M. Baushke (Juniper Networks, Inc.) (February 2020). Secure Shell (SSH) Key Exchange Method Using Curve25519 and Curve448. doi:10.17487/RFC8731. RFC 8731.
21. B. Harris; L. Velvindron (February 2020). Ed25519 and Ed448 Public Key Algorithms for the Secure Shell (SSH) Protocol. doi:10.17487/RFC8709. RFC 8709.
22. "Transition Plans for Key Establishment Schemes". National Institute of Standards and Technology. 2017-10-31. Archived from the original on 2018-03-11. Retrieved 2019-09-04.
23. RFC 7748. Retrieved from rfc:7748.
24. Regenscheid, Andrew (31 October 2019). "FIPS PUB 186-5". National Institute of Standards and Technology (Withdrawn Draft). doi:10.6028/NIST.FIPS.186-5-draft. S2CID 241055751.
25. "Recommendations for Discrete Logarithm-Based Cryptography" (PDF).
26. Levine, John (September 2018). A New Cryptographic Signature Method for DomainKeys Identified Mail (DKIM). IETF. doi:10.17487/RFC8463. RFC 8463.
27. Rescorla, E. (September 2018). The Transport Layer Security (TLS) Protocol Version 1.3. IETF. doi:10.17487/RFC8446. RFC 8446.
28. Koch, Werner (15 April 2016). "Libgcrypt 1.7.0 release announcement". Retrieved 22 April 2016.
29. SSH implementation comparison. "Comparison of key exchange methods". Retrieved 2016-02-25.
30. "Introduction". yp.to. Retrieved 11 December 2014.
31. "nettle: curve25519.h File Reference". Fossies (doxygen documentation). Archived from the original on 2015-05-20. Retrieved 2015-05-19.
32. ARM Limited. "PolarSSL 1.3.3 released - Tech Updates - mbed TLS (Previously PolarSSL)". tls.mbed.org. Retrieved 2015-05-19.
33. "wolfSSL Embedded SSL/TLS Library | Products – wolfSSL".
34. "Botan: src/lib/pubkey/curve25519/curve25519.cpp Source File". botan.randombit.net.
35. Justinha. "TLS (Schannel SSP)". docs.microsoft.com. Retrieved 2017-09-15.
36. Denis, Frank. "Introduction · libsodium". libsodium.org.
37. "OpenSSL 1.1.0 Series Release Notes". OpenSSL Foundation. Archived from the original on 2018-03-17. Retrieved 2016-06-24.
38. "Add support for ECDHE with X25519. · openbsd/src@0ad90c3". GitHub.
39. "NSS 3.28 release notes". Archived from the original on 9 December 2017. Retrieved 25 July 2017.
40. "A pure-Rust implementation of group operations on ristretto255 and Curve25519". GitHub. Retrieved 14 April 2021.
41. "Ed25519.java". GitHub. 13 October 2021.
42. Straub, Andreas (25 October 2015). "OMEMO Encryption". conversations.im.
43. "Cryptocat - Security". crypto.cat. Archived from the original on 2016-04-07. Retrieved 2016-05-24.
44. Denis, Frank. "DNSCrypt version 2 protocol specification". GitHub. Archived from the original on 2015-08-13. Retrieved 2016-03-03.
45. Johnston, Matt. "Dropbear SSH - Changes". Retrieved 2016-02-25.
46. Gadimov, Bahtiar; et al. "Gajim plugin for OMEMO Multi-End Message and Object Encryption". GitHub. Retrieved 2016-10-01.
47. "GNUnet 0.10.0". gnunet.org. Archived from the original on 9 December 2017. Retrieved 11 December 2014.
48. zzz (2014-09-20). "0.9.15 Release - Blog". Retrieved 20 December 2014.
49. "go-ipfs_keystore.go at master". Github.com. 30 March 2022.
50. "Apple Platform Security". Apple Support.
51. "MRL-0003 - Monero is Not That Mysterious" (PDF). getmonero.com. Archived from the original (PDF) on 2019-05-01. Retrieved 2018-06-05.
52. Murenin, Constantine A. (2014-01-19). Soulskill (ed.). "OpenBSD Moving Towards Signed Packages — Based On D. J. Bernstein Crypto". Slashdot. Retrieved 2014-12-27.
53. Murenin, Constantine A. (2014-05-01). timothy (ed.). "OpenBSD 5.5 Released". Slashdot. Retrieved 2014-12-27.
54. Friedl, Markus (2014-04-29). "ssh/kex.c#kexalgs". BSD Cross Reference, OpenBSD src/usr.bin/. Retrieved 2014-12-27.
55. Murenin, Constantine A. (2014-04-30). Soulskill (ed.). "OpenSSH No Longer Has To Depend On OpenSSL". Slashdot. Retrieved 2014-12-26.
56. "How does Peerio implement end-to-end encryption?". Peerio. Archived from the original on 2017-12-09. Retrieved 2015-11-04.
57. "Proton Mail now offers elliptic curve cryptography for advanced security and faster speeds". 25 April 2019.
58. "PuTTY Change Log". www.chiark.greenend.org.uk.
59. Gibson, Steve (December 2019). "SQRL Cryptography whitepaper" (PDF).
60. "Threema Cryptography Whitepaper" (PDF).
61. Dingledine, Roger; Mathewson, Nick. "Tor's Protocol Specifications - Blog". Retrieved 20 December 2014.
62. "Viber Encryption Overview". Viber. 3 May 2016. Retrieved 24 September 2016.
63. Rastogi, Nidhi; Hendler, James (2017-01-24). "WhatsApp security and role of metadata in preserving privacy". arXiv:1701.06817 [cs.CR].
Retrieved from "https://en.wikipedia.org/w/index.php?title=Curve25519&oldid=1215355953"
This page was last edited on 24 March 2024, at 17:10 (UTC).