In cryptography, Curve25519 is an elliptic curve used in elliptic-curve cryptography (ECC) offering 128 bits of security (256-bit key size) and designed for use with the Elliptic-curve Diffie–Hellman (ECDH) key agreement scheme.
Daniel J. Bernstein has since proposed that the name Curve25519 be used for the underlying curve, and the name X25519 for the DH function.
Using a prime order subgroup prevents mounting a Pohlig–Hellman algorithm attack.
[5] In 2013, interest began to increase considerably when it was discovered that the NSA had potentially implemented a backdoor into the P-256 curve based Dual_EC_DRBG algorithm.
[11] While not directly related,[12] suspicious aspects of the NIST's P curve constants[13] led to concerns[14] that the NSA had chosen values that gave them an advantage in breaking the encryption.
[17] Starting in 2014, OpenSSH[18] defaults to Curve25519-based ECDH and GnuPG adds support for Ed25519 keys for signing and encryption.
[19] The use of the curve was eventually standardized for both key exchange and signature in 2020.
[20][21] In 2017, NIST announced that Curve25519 and Curve448 would be added to Special Publication 800-186, which specifies approved elliptic curves for use by the US Federal Government.
[23] A 2019 draft of "FIPS 186-5" notes the intention to allow usage of Ed25519[24] for digital signatures.
[25] In February 2017, the DNSSEC specification for using Ed25519 and Ed448 was published as RFC 8080, assigning algorithm numbers 15 and 16.