Curve25519

Curve25519 is an elliptic curve offering 128 bits of security and designed for use with the elliptic curve Diffie–Hellman (ECDH) key agreement scheme. It is one of the fastest ECC curves, it is not covered by any known patents,^[1] and it is less susceptible to weak random-number-generators.

Mathematical Properties

The curve used is y² = x³ + 486662x² + x, a Montgomery curve, over the prime field defined by the prime number 2²⁵⁵ − 19, and it uses the base point x = 9. Protocol uses compressed elliptic point (only X coordinates), so it allows for efficient use of the Montgomery ladder for ECDH, using only XZ coordinates.^[2]

Curve25519 is constructed such that it avoids many potential implementation pitfalls.^[3] By design, it avoids many side channel attacks and issues with poor-quality random-number-generators.

The curve is birationally equivalent to Ed25519, a Twisted Edwards curve.^[4]

Popularity

Curve25519 was first released by Daniel J. Bernstein in 2005,^[5] but interest increased considerably after 2013 when it was discovered that the NSA had backdoored Dual EC DRBG. While not directly related,^[6] suspicious aspects of the NIST's P curve constants led to concerns^[7] that the NSA had chosen values that gave them an advantage in factoring^[8] public keys,

I no longer trust the constants. I believe the NSA has manipulated them through their relationships with industry.^[9] – Bruce Schneier, prominent security researcher

Since then, Curve25519 has become the de-facto alternative to P-256, and is used in a wide variety of applications.^[10] In 2014 OpenSSH^[11] defaults to Curve25519-based ECDH.

Libraries

• libssh^[11]
• NaCl^[12]
• GnuTLS^[13]
• mbed TLS (formerly PolarSSL)^[14]
• wolfSSL^[15]
• Botan^[16]

Applications

• OpenSSH
  • Exclusive key exchange in OpenSSH 6.7 when compiled without OpenSSL.^[17][18]
• OpenBSD (used to sign releases and packages^[19][20])
• Tor^[21]
• I2P^[22]
• DNSCurve
• TextSecure
• GNUnet^[23]
• iOS^[24]
• Peerio^[25]
• minilock^[26]

See also

• Ed25519

References

1. ↑ Lua error in package.lua at line 80: module 'strict' not found.
2. ↑ Lua error in package.lua at line 80: module 'strict' not found.
3. ↑ Lua error in package.lua at line 80: module 'strict' not found.
4. ↑ Lua error in package.lua at line 80: module 'strict' not found.
5. ↑ Lua error in package.lua at line 80: module 'strict' not found.
6. ↑ Lua error in package.lua at line 80: module 'strict' not found.
7. ↑ Lua error in package.lua at line 80: module 'strict' not found.
8. ↑ Lua error in package.lua at line 80: module 'strict' not found.
9. ↑ Lua error in package.lua at line 80: module 'strict' not found.
10. ↑ Lua error in package.lua at line 80: module 'strict' not found.
11. ↑ ^{11.0 11.1} Lua error in package.lua at line 80: module 'strict' not found.
12. ↑ Lua error in package.lua at line 80: module 'strict' not found.
13. ↑ Lua error in package.lua at line 80: module 'strict' not found.
14. ↑ Lua error in package.lua at line 80: module 'strict' not found.
15. ↑ http://www.wolfssl.com/wolfSSL/Products-wolfssl.html
16. ↑ http://botan.randombit.net/doxygen/curve25519_8cpp_source.html
17. ↑ Lua error in package.lua at line 80: module 'strict' not found.
18. ↑ Lua error in package.lua at line 80: module 'strict' not found.
19. ↑ Lua error in package.lua at line 80: module 'strict' not found.
20. ↑ Lua error in package.lua at line 80: module 'strict' not found.
21. ↑ Lua error in package.lua at line 80: module 'strict' not found.
22. ↑ Lua error in package.lua at line 80: module 'strict' not found.
23. ↑ Lua error in package.lua at line 80: module 'strict' not found.
24. ↑ iOS Security Guide
25. ↑ How does Peerio implement end-to-end encryption
26. ↑ miniLock File Encryption

External links

• Official website