Curve25519
In
The original Curve25519 paper defined it as a
Mathematical properties
The curve used is , a
The protocol uses compressed elliptic points (only X coordinates), so it allows efficient use of the
Curve25519 is constructed such that it avoids many potential implementation pitfalls.[7]
By design, Curve25519 is immune to timing attacks, and it accepts any 32-byte string as a valid public key: it does not require validating that a given point belongs to the curve or is generated by the base point.
The curve is
History
In 2005, Curve25519 was first released by Daniel J. Bernstein.[5]
In 2013, interest began to increase considerably when it was discovered that the
"I no longer trust the constants. I believe the NSA has manipulated them through their relationships with industry."
— Bruce Schneier, The NSA Is Breaking Most Encryption on the Internet (2013)
Since 2013, Curve25519 has become the
In 2017, NIST announced that Curve25519 and
In 2018,
Also in 2018, RFC 8446 was published as the new
Libraries
Protocols
- OMEMO, a proposed extension for XMPP (Jabber)[42]
- Secure Shell
- Signal Protocol
- Matrix (protocol)
- Tox
- Zcash
- Transport Layer Security
- WireGuard
Applications
- Conversations Android application[b]
- Cryptocat[43][b]
- DNSCrypt[44]
- DNSCurve
- Dropbear[29][45]
- Gajim via plugin[46][b]
- GNUnet[47]
- GnuPG
- Google Allo[e][d]
- I2P[48]
- IPFS[49]
- iOS[50]
- Monero[51]
- OpenBSD[f]
- OpenSSH[29][g]
- Peerio[56]
- Proton Mail[57]
- PuTTY[58]
- Signal[d]
- Silent Phone
- SmartFTP[29]
- SSHJ[29]
- SQRL[59]
- Threema Instant Messenger[60]
- TinySSH[29]
- TinyTERM[29]
- Tor[61]
- Viber[62]
- WhatsApp[d][63]
- Wire
- WireGuard
Notes
- ^ Starting with Windows 10 (1607), Windows Server 2016
- ^ a b c Via the OMEMO protocol
- ^ Only in "secret conversations"
- ^ a b c d Via the Signal Protocol
- ^ Only in "incognito mode"
- ^ Used to sign releases and packages[52][53]
- ^ Exclusive key exchange in OpenSSH 6.7 when compiled without OpenSSL.[54][55]
References
- ^ Bernstein. "Irrelevant patents on elliptic-curve cryptography". cr.yp.to. Retrieved 2016-02-08.
- ^ Bernstein, Daniel J. "A state-of-the-art Diffie-Hellman function". "My curve25519 library computes the Curve25519 function at very high speed. The library is in the public domain."
- ^ "X25519". Crypto++. 5 March 2019. Archived from the original on 29 August 2020. Retrieved 3 February 2023.
- ^ "[Cfrg] 25519 naming". Retrieved 2016-02-25.
- ^ MR 2423191.
- ^ Lange, Tanja. "EFD / Genus-1 large-characteristic / XZ coordinates for Montgomery curves". EFD / Explicit-Formulas Database. Retrieved 2016-02-08.
- ^ Bernstein, Daniel J.; Lange, Tanja (2017-01-22). "SafeCurves: Introduction". SafeCurves: choosing safe curves for elliptic-curve cryptography. Retrieved 2016-02-08.
- ^ Bernstein, Daniel J.; Duif, Niels; Lange, Tanja; Schwabe, Peter; Yang, Bo-Yin (2017-01-22). "Ed25519: high-speed high-security signatures". Retrieved 2019-11-09.
- ^ Bernstein, Daniel J.; Duif, Niels; Lange, Tanja; Schwabe, Peter; Yang, Bo-Yin (2011-09-26). "High-speed high-security signatures" (PDF). Retrieved 2019-11-09.
- MR 2565722.
- ^ Kelsey, John (May 2014). "Dual EC in X9.82 and SP 800-90" (PDF). National Institute of Standards in Technology. Retrieved 2018-12-02.
- ^ Green, Matthew (2015-01-14). "A Few Thoughts on Cryptographic Engineering: The Many Flaws of Dual_EC_DRBG". blog.cryptographyengineering.com. Retrieved 2015-05-20.
- ^ "SafeCurves: Introduction".
- ^ Maxwell, Gregory (2013-09-08). "[tor-talk] NIST approved crypto in Tor?". Retrieved 2015-05-20.
- ^ "SafeCurves: Rigidity". safecurves.cr.yp.to. Retrieved 2015-05-20.
- ^ "The NSA Is Breaking Most Encryption on the Internet - Schneier on Security". www.schneier.com. Retrieved 2015-05-20.
- ^ "Things that use Curve25519". Retrieved 2015-12-23.
- ^ a b Adamantiadis, Aris (2013-11-03). "OpenSSH introduces curve25519-sha256@libssh.org key exchange !". libssh.org. Retrieved 2014-12-27.
- ^ "GnuPG - What's new in 2.1". August 2021.
- ^ "Transition Plans for Key Establishment Schemes". National Institute of Standards and Technology. 2017-10-31. Archived from the original on 2018-03-11. Retrieved 2019-09-04.
- ^ RFC 7748. Retrieved from rfc:7748.
- S2CID 241055751.
- ^ "Recommendations for Discrete Logarithm-Based Cryptography" (PDF).
- ^ Werner Koch (15 April 2016). "Libgcrypt 1.7.0 release announcement". Retrieved 22 April 2016.
- ^ a b c d e f g SSH implementation comparison. "Comparison of key exchange methods". Retrieved 2016-02-25.
- ^ "Introduction". yp.to. Retrieved 11 December 2014.
- ^ "nettle: curve25519.h File Reference". Fossies (doxygen documentation). Archived from the original on 2015-05-20. Retrieved 2015-05-19.
- ^ ARM Limited. "PolarSSL 1.3.3 released - Tech Updates - mbed TLS (Previously PolarSSL)". tls.mbed.org. Retrieved 2015-05-19.
- ^ "wolfSSL Embedded SSL/TLS Library | Products – wolfSSL".
- ^ "Botan: src/lib/pubkey/curve25519/curve25519.cpp Source File". botan.randombit.net.
- ^ Justinha. "TLS (Schannel SSP)". docs.microsoft.com. Retrieved 2017-09-15.
- ^ Denis, Frank. "Introduction · libsodium". libsodium.org.
- ^ "OpenSSL 1.1.0 Series Release Notes". OpenSSL Foundation. Archived from the original on 2018-03-17. Retrieved 2016-06-24.
- ^ "Add support for ECDHE with X25519. · openbsd/src@0ad90c3". GitHub.
- ^ "NSS 3.28 release notes". Archived from the original on 9 December 2017. Retrieved 25 July 2017.
- ^ "A pure-Rust implementation of group operations on ristretto255 and Curve25519". GitHub. Retrieved 14 April 2021.
- ^ "Ed25519.java". GitHub. 13 October 2021.
- ^ Straub, Andreas (25 October 2015). "OMEMO Encryption". conversations.im.
- ^ "Cryptocat - Security". crypto.cat. Archived from the original on 2016-04-07. Retrieved 2016-05-24.
- ^ Frank Denis. "DNSCrypt version 2 protocol specification". GitHub. Archived from the original on 2015-08-13. Retrieved 2016-03-03.
- ^ Matt Johnston. "Dropbear SSH - Changes". Retrieved 2016-02-25.
- ^ Bahtiar Gadimov; et al. "Gajim plugin for OMEMO Multi-End Message and Object Encryption". GitHub. Retrieved 2016-10-01.
- ^ "GNUnet 0.10.0". gnunet.org. Archived from the original on 9 December 2017. Retrieved 11 December 2014.
- ^ zzz (2014-09-20). "0.9.15 Release - Blog". Retrieved 20 December 2014.
- ^ "go-ipfs_keystore.go at master". Github.com. 30 March 2022.
- ^ "Apple Platform Security". Apple Support.
- ^ "MRL-0003 - Monero is Not That Mysterious" (PDF). getmonero.com. Archived from the original (PDF) on 2019-05-01. Retrieved 2018-06-05.
- ^ Murenin, Constantine A. (2014-01-19). Soulskill (ed.). "OpenBSD Moving Towards Signed Packages — Based On D. J. Bernstein Crypto". Slashdot. Retrieved 2014-12-27.
- ^ Murenin, Constantine A. (2014-05-01). timothy (ed.). "OpenBSD 5.5 Released". Slashdot. Retrieved 2014-12-27.
- ^ Friedl, Markus (2014-04-29). "ssh/kex.c#kexalgs". BSD Cross Reference, OpenBSD src/usr.bin/. Retrieved 2014-12-27.
- ^ Murenin, Constantine A. (2014-04-30). Soulskill (ed.). "OpenSSH No Longer Has To Depend On OpenSSL". Slashdot. Retrieved 2014-12-26.
- ^ "How does Peerio implement end-to-end encryption?". Peerio. Archived from the original on 2017-12-09. Retrieved 2015-11-04.
- ^ "Proton Mail now offers elliptic curve cryptography for advanced security and faster speeds". 25 April 2019.
- ^ "PuTTY Change Log". www.chiark.greenend.org.uk.
- ^ Steve Gibson (December 2019). "SQRL Cryptography whitepaper" (PDF).
- ^ "Threema Cryptography Whitepaper" (PDF).
- ^ Roger Dingledine & Nick Mathewson. "Tor's Protocol Specifications - Blog". Retrieved 20 December 2014.
- ^ "Viber Encryption Overview". Viber. 3 May 2016. Retrieved 24 September 2016.
- arXiv:1701.06817 [cs.CR].