Contents

Curve25519

The original Curve25519 paper defined it as a Diffie–Hellman (DH) function. Daniel J. Bernstein has since proposed that the name Curve25519 be used for the underlying curve, and the name X25519 for the DH function.^[4]

The curve used is ${\displaystyle y^{2}=x^{3}+486662x^{2}+x}$, a Montgomery curve, over the prime field defined by the prime number ${\displaystyle 2^{255}-19}$ (hence the numeric "25519" in the name), and it uses the base point ${\displaystyle x=9}$. This point generates a cyclic subgroup whose order is the prime ${\displaystyle 2^{252}+27742317777372353535851937790883648493}$. This subgroup has a co-factor of ${\displaystyle 8}$, meaning the number of elements in the subgroup is ${\displaystyle 1/8}$ that of the elliptic curve group. Using a prime order subgroup prevents mounting a Pohlig–Hellman algorithm attack.^[5]

The protocol uses compressed elliptic point (only X coordinates), so it allows efficient use of the Montgomery ladder for ECDH, using only XZ coordinates.^[6]

Curve25519 is constructed such that it avoids many potential implementation pitfalls.^[7]

By design, Curve25519 is immune to timing attacks, and it accepts any 32-byte string as a valid public key and does not require validating that a given point belongs to the curve, or is generated by the base point.^{[citation needed]}

The curve is birationally equivalent to a twisted Edwards curve used in the Ed25519^[8][9] signature scheme.^[10]

In 2005, Curve25519 was first released by Daniel J. Bernstein.^[5]

In 2013, interest began to increase considerably when it was discovered that the NSA had potentially implemented a backdoor into the P-256 curve based Dual_EC_DRBG algorithm.^[11] While not directly related,^[12] suspicious aspects of the NIST's P curve constants^[13] led to concerns^[14] that the NSA had chosen values that gave them an advantage in breaking the encryption.^[15][16]

"I no longer trust the constants. I believe the NSA has manipulated them through their relationships with industry."

— Bruce Schneier, The NSA Is Breaking Most Encryption on the Internet (2013)

Since 2013, Curve25519 has become the de facto alternative to P-256, being used in a wide variety of applications.^[17] Starting in 2014, OpenSSH^[18] defaults to Curve25519-based ECDH and GnuPG adds support for Ed25519 keys for signing and encryption.^[19] The use of the curve was eventually standardized for both key exchange and signature in 2020.^[20][21]

In 2017, NIST announced that Curve25519 and Curve448 would be added to Special Publication 800-186, which specifies approved elliptic curves for use by the US Federal Government.^[22] Both are described in RFC 7748.^[23] A 2019 draft of "FIPS 186-5" notes the intention to allow usage of Ed25519^[24] for digital signatures. The 2023 update of Special Publication 800-186 allows usage of Curve25519.^[25]

In 2018, DKIM specification was amended so as to allow signatures with this algorithm.^[26]

Also in 2018, RFC 8446 was published as the new Transport Layer Security v1.3 standard. It recommends support for X25519, Ed25519, X448, and Ed448 algorithms.^[27]

• OMEMO, a proposed extension for XMPP (Jabber)^[42]
• Secure Shell
• Signal Protocol
• Matrix (protocol)
• Tox
• Zcash
• Transport Layer Security
• WireGuard

• Official website