Curve25519
What is Curve25519?
Curve25519: A Montgomery elliptic curve designed by Daniel J. Bernstein, used in the X25519 Diffie-Hellman function specified in RFC 7748 with ~128-bit security.
Curve25519 is the Montgomery curve y^2 = x^3 + 486662 x^2 + x over the prime field of order 2^255 - 19, published by Daniel J. Bernstein in 2005. X25519, defined in RFC 7748, is the Elliptic Curve Diffie-Hellman key agreement function that operates on Curve25519 using only the x-coordinate, computed with the Montgomery ladder. It produces a 32-byte shared secret from 32-byte public and private keys with roughly 128 bits of security, and it lends itself to complete, constant-time, side-channel-resistant implementations. X25519 is the default key exchange in TLS 1.3, SSH, WireGuard, Signal, Noise Protocol, Tor v3 onion services, and modern hybrid post-quantum exchanges. The closely related Ed25519 signature scheme uses the birationally equivalent twisted Edwards curve edwards25519.
● Examples
- 01: TLS 1.3 named group `x25519` is the default ECDH curve.
- 02: WireGuard performs an X25519 handshake to derive its session keys.
● Frequently asked questions
What is Curve25519?
A Montgomery elliptic curve designed by Daniel J. Bernstein, used in the X25519 Diffie-Hellman function specified in RFC 7748 with ~128-bit security. It belongs to the Cryptography category of cybersecurity.
What does Curve25519 mean?
A Montgomery elliptic curve designed by Daniel J. Bernstein, used in the X25519 Diffie-Hellman function specified in RFC 7748 with ~128-bit security.
How does Curve25519 work?
Curve25519 is the Montgomery curve y^2 = x^3 + 486662 x^2 + x over the prime field of order 2^255 - 19, published by Daniel J. Bernstein in 2005. X25519, defined in RFC 7748, is the Elliptic Curve Diffie-Hellman key agreement function that operates on Curve25519 using only the x-coordinate, computed with the Montgomery ladder. It produces a 32-byte shared secret from 32-byte public and private keys with roughly 128 bits of security, and it lends itself to complete, constant-time, side-channel-resistant implementations. X25519 is the default key exchange in TLS 1.3, SSH, WireGuard, Signal, Noise Protocol, Tor v3 onion services, and modern hybrid post-quantum exchanges. The closely related Ed25519 signature scheme uses the birationally equivalent twisted Edwards curve edwards25519.
How do you defend against Curve25519?
Defences for Curve25519 typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Curve25519?
Common alternative names include: X25519, curve25519-donna.
● Related terms
- cryptography, № 370
Ed25519
An EdDSA signature scheme over the twisted Edwards curve edwards25519, offering ~128-bit security with deterministic, fast, side-channel-resistant signing as defined in RFC 8032.
- cryptography, № 374
Elliptic Curve Cryptography (ECC)
A family of public-key algorithms based on the algebraic structure of elliptic curves over finite fields, offering equivalent security to RSA with much smaller keys.
- network-security, № 1159
TLS (Transport Layer Security)
The IETF-standardized cryptographic protocol that provides confidentiality, integrity, and authentication for traffic between two networked applications.
- network-security, № 1244
WireGuard
A modern, minimal VPN protocol that uses a fixed set of state-of-the-art cryptographic primitives and runs as part of the Linux kernel.
- cryptography, № 846
Post-Quantum Cryptography
Classical cryptographic algorithms designed to remain secure against attacks by both classical and large-scale quantum computers.
● See also
- № 161 ChaCha20-Poly1305