Curve25519

In cryptography, Curve25519 is an elliptic curve offering 128 bits of security and designed for use with the elliptic curve Diffie–Hellman (ECDH) key agreement scheme. It is one of the fastest ECC curves and is not covered by any known patents. The reference implementation is public domain software.I no longer trust the constants. I believe the NSA has manipulated them through their relationships with industry. In cryptography, Curve25519 is an elliptic curve offering 128 bits of security and designed for use with the elliptic curve Diffie–Hellman (ECDH) key agreement scheme. It is one of the fastest ECC curves and is not covered by any known patents. The reference implementation is public domain software. The original Curve25519 paper defined it as a Diffie–Hellman (DH) function. Daniel J. Bernstein has since proposed that the name Curve25519 be used for the underlying curve, and the name X25519 for the DH function. The curve used is y 2 = x 3 + 486662 x 2 + x {displaystyle y^{2}=x^{3}+486662x^{2}+x} , a Montgomery curve, over the prime field defined by the prime number 2 255 − 19 {displaystyle 2^{255}-19} , and it uses the base point x = 9 {displaystyle x=9} . This point generates a cyclic subgroup whose order is the prime 2 252 + 27742317777372353535851937790883648493 {displaystyle 2^{252}+27742317777372353535851937790883648493} and is of index 8 {displaystyle 8} . Using a prime order subgroup prevents mounting a Pohlig–Hellman algorithm attack. The protocol uses compressed elliptic point (only X coordinates), so it allows efficient use of the Montgomery ladder for ECDH, using only XZ coordinates. Curve25519 is constructed such that it avoids many potential implementation pitfalls. By design, it is immune to timing attacks and it accepts any 32-byte string as a valid public key and does not require validating that a given point belongs to the curve, or is generated by the base point. The curve is birationally equivalent to a twisted Edwards curve used in Ed25519 signature scheme. Curve25519 was first released by Daniel J. Bernstein in 2005, but interest increased considerably after 2013 when it was discovered that the NSA had potentially implemented a backdoor into Dual_EC_DRBG. While not directly related, suspicious aspects of the NIST's P curve constants led to concerns that the NSA had chosen values that gave them an advantage in factoring public keys. Since then, Curve25519 has become the de facto alternative to P-256, and is used in a wide variety of applications. Starting in 2014, OpenSSH defaults to Curve25519-based ECDH. Behavior for general SSH protocol is still being standardized as of 2018. In 2017, NIST announced that Curve25519 and Curve448 would be added to Special Publication 800-186, which specifies approved elliptic curves for use by the US Federal Government. Both are described in RFC 7748.