Jump to content

Curve25519

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Shaddim (talk | contribs) at 09:42, 15 February 2016 (+ref for PD). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Curve25519 is an elliptic curve offering 128 bits of security and designed for use with the elliptic curve Diffie–Hellman (ECDH) key agreement scheme. It is one of the fastest ECC curves, it is not covered by any known patents,[1] and it is less susceptible to weak random-number-generators. The reference implementation is public domain software.[2]

Mathematical Properties

The curve used is y2 = x3 + 486662x2 + x, a Montgomery curve, over the prime field defined by the prime number 2255 − 19, and it uses the base point x = 9. Protocol uses compressed elliptic point (only X coordinates), so it allows for efficient use of the Montgomery ladder for ECDH, using only XZ coordinates.[3]

Curve25519 is constructed such that it avoids many potential implementation pitfalls.[4] By design, it avoids many side channel attacks and issues with poor-quality random-number-generators.

The curve is birationally equivalent to Ed25519, a Twisted Edwards curve.[5]

Popularity

Curve25519 was first released by Daniel J. Bernstein in 2005,[6] but interest increased considerably after 2013 when it was discovered that the NSA had implemented a backdoor into Dual EC DRBG. While not directly related,[7] suspicious aspects of the NIST's P curve constants led to concerns[8] that the NSA had chosen values that gave them an advantage in factoring[9] public keys,

I no longer trust the constants. I believe the NSA has manipulated them through their relationships with industry.[10]Bruce Schneier, prominent security researcher

Since then, Curve25519 has become the de-facto alternative to P-256, and is used in a wide variety of applications.[11] In 2014 OpenSSH[12] defaults to Curve25519-based ECDH.

Libraries

Applications

See also

References

  1. ^ Bernstein. "Irrelevant patents on elliptic-curve cryptography". cr.yp.to. Retrieved 2016-02-08.
  2. ^ A state-of-the-art Diffie-Hellman function by Daniel J. Bernstein"My curve25519 library computes the Curve25519 function at very high speed. The library is in the public domain. "
  3. ^ Lange, Tanja. "EFD / Genus-1 large-characteristic / XZ coordinates for Montgomery curves". EFD / Explicit-Formulas Database. Retrieved 8 February 2016.
  4. ^ "SafeCurves: Introduction". safecurves.cr.yp.to. Retrieved 2016-02-08.
  5. ^ Bernstein, Daniel J.; Lange, Tanja (2007). Kurosawa, Kaoru (ed.). Faster addition and doubling on elliptic curves. Advances in cryptology—ASIACRYPT. Lecture Notes in Computer Science. Vol. 4833. Berlin: Springer. pp. 29–50. doi:10.1007/978-3-540-76900-2_3. ISBN 978-3-540-76899-9. MR 2565722.
  6. ^ Bernstein, Daniel J. (2006). Yung, Moti; Dodis, Yevgeniy; Kiayias, Aggelos; et al. (eds.). Curve25519: New Diffie-Hellman Speed Records (PDF). Public Key Cryptography. Lecture Notes in Computer Science. Vol. 3958. New York: Springer. pp. 207–228. doi:10.1007/11745853_14. ISBN 978-3-540-33851-2. MR 2423191.
  7. ^ Green, Matthew (January 14, 2015). "A Few Thoughts on Cryptographic Engineering: The Many Flaws of Dual_EC_DRBG". blog.cryptographyengineering.com. Retrieved 2015-05-20.
  8. ^ Maxwell, Gregory (Sun Sep 8 13:44:57 UTC 2013). "[tor-talk] NIST approved crypto in Tor?". Retrieved 2015-05-20. {{cite web}}: Check date values in: |date= (help)
  9. ^ "SafeCurves: Rigidity". safecurves.cr.yp.to. Retrieved 2015-05-20.
  10. ^ "The NSA Is Breaking Most Encryption on the Internet - Schneier on Security". www.schneier.com. Retrieved 2015-05-20.
  11. ^ "Things that use Curve25519". Retrieved 2015-12-23.
  12. ^ a b Adamantiadis, Aris (2013-11-03). "OpenSSH introduces curve25519-sha256@libssh.org key exchange !". libssh.org. Retrieved 2014-12-27.
  13. ^ "Introduction". yp.to. Retrieved 11 December 2014.
  14. ^ "nettle: curve25519.h File Reference - doxygen documentation | Fossies Dox". fossies.org. Retrieved 2015-05-19.
  15. ^ Limited, ARM. "PolarSSL 1.3.3 released - Tech Updates - mbed TLS (Previously PolarSSL)". tls.mbed.org. Retrieved 2015-05-19. {{cite web}}: |last= has generic name (help)
  16. ^ https://www.wolfssl.com/wolfSSL/Products-wolfssl.html
  17. ^ http://botan.randombit.net/doxygen/curve25519_8cpp_source.html
  18. ^ Friedl, Markus (2014-04-29). "ssh/kex.c#kexalgs". BSD Cross Reference, OpenBSD src/usr.bin/. Retrieved 2014-12-27.
  19. ^ Murenin, Constantine A. (2014-04-30). Soulskill (ed.). "OpenSSH No Longer Has To Depend On OpenSSL". Slashdot. Retrieved 2014-12-26.
  20. ^ Murenin, Constantine A. (2014-01-19). Soulskill (ed.). "OpenBSD Moving Towards Signed Packages — Based On D. J. Bernstein Crypto". Slashdot. Retrieved 2014-12-27.
  21. ^ Murenin, Constantine A. (2014-05-01). timothy (ed.). "OpenBSD 5.5 Released". Slashdot. Retrieved 2014-12-27.
  22. ^ Roger Dingledine & Nick Mathewson. "Tor's Protocol Specifications - Blog". Retrieved 20 December 2014.
  23. ^ zzz (2014-09-20). "0.9.15 Release - Blog". Retrieved 20 December 2014.
  24. ^ "GNUnet 0.10.0". gnunet.org. Retrieved 11 December 2014.
  25. ^ iOS Security Guide
  26. ^ How does Peerio implement end-to-end encryption
  27. ^ miniLock File Encryption
Retrieved from "https://en.wikipedia.org/w/index.php?title=Curve25519&oldid=705072260"