]>
Elliptic Curve Diffie-Hellman Key Agreement using Curve25519 for
Transport Layer Security (TLS)
SJD ABsimon@josefsson.orgTLS, Elliptic Curve Cryptography, Curve25519,
Diffie-HellmanThis document specifies the use of Curve25519 for key
exchange in the Transport Layer Security (TLS) protocol.In , a new elliptic curve
function for use in cryptographic applications was specified.
Curve25519 is a Diffie-Hellman function
designed with performance and security in mind. defines the usage of elliptic
curves for authentication and key agreement in TLS 1.0 and TLS
1.1, and these mechanisms are also applicable to TLS 1.2 . The use of ECC curves for key exchange
requires the definition and assignment of additional NamedCurve
IDs. This document specify that value for Curve25519, as well as the
minor changes in key selection and representation that are required to
accomodate for Curve25519's slightly different nature.This document only describes usage of Curve25519 for ephemeral key
exchange (ECDHE), not for use with long-term keys embedded in PKIX
certificates (ECDH_ECDSA and ECDH_ECDSA).Curve25519 is not directly suitable for authentication, and
thus not applicable for signing of e.g. PKIX certificates. See
draft-josefsson-eddsa-ed25519 for a parallel effort. and related standards define an elliptic curve over GF(p) as the
set of solutions of the equation y^2 = x^3 + a x + b (commonly
referred to as a short Weierstrass equation) with both x and y
in GF(p), plus the point at infinity. For each curve, a point
G is fixed, generating a subgroup of large (prime) order N.The Diffie-Hellman key exchange is then defined as follows:
each party generates a random number 1 <= d < N (the private
key), computes Q = d G (the public key). The parties exchange
their public keys and compute the shared secret as Z = d
Q_peer. defines formats for representing
public keys during the exchange, and extensions for negotiating
the format used by each party and the underlying curve used by
both parties.While retaining the same overall structure for the
Diffie-Hellman key exchange, Curve25519 makes some changes to
the way the curve equation is presented, private keys are
selected and public keys exchanged, in order to ease secure and
efficient implementations.The following subsections describe the differences between
using Curve25519 and the curves defined by RFC 4492 for key
exchange in TLS.Curve negotiation is the same for Curve25519 as for other
curves, but is restricted to using the named_curve type in
the ServerKeyEchange message: the explicit_prime type is
only suited to curves in short Weierstrass form. This
document adds a new NamedCurve value for Curve25519 as
follows.The curve is suitable for use with DTLS .Since Curve25519 is not designed to be used in signatures,
clients who offer ECDHE_ECDSA ciphersuites and advertise
support Curve25519 in the elliptic_curves ClientHello
extension SHOULD also advertise support for at least one
other curve, suitable for ECDSA. Servers MUST NOT select an
ECDHE_ECDSA ciphersuite if the only common curve is
Curve25519.Private keys MUST be selected as specified in . That is, private keys are
255-bits numbers with the following properties: the most
significant bit (bit 254) is set, and the three least
significants bits are cleared; the remaining bits (3 to 253
included) are chosen uniformly at random.For ECDHE, public keys need to be transmitted in the
ServerKeyExchange and ClientKeyExchange messages, both of
which encode it as follows.For short Weierstrass curves, the contents of ECPoint.point
are defined by X9.62. For Curve25519, the ECpoint structure
is the same, but the contents of ECPoint.point are encoded
and interpreted as follows: each peer's public key is a
number between 0 and 2^255 - 20 included, and ECPoint.point
contains the 32 bytes string representing this number in big
endian convention. (The receiving party can accept any 32
bytes string, interpreted as a 256 bits number, as public
key: by design, no validation is needed.)Note that ECPoint.point differs from the definition of
public keys in in two ways: (1) the
byte-ordering is big-endian, wich is more uniform with how
big integers are represented in TLS, and (2) there is an
additional length byte (so ECpoint.point is actually 33
bytes), again for uniformity (and extensibility).Since only one point format can be used with Curve25519,
which is distinct from the formats used by short Weierstrass
curves, the contents of the "Supported Point Formats"
extension is irrelevant for this curve. Peers do not need to
advertise support for the above point format in any way (nor
check that the orther party supports it) when planning to
use Curve25519 for key agreement: support for Curve25519
implies support for the above point format, which is tied to
it.As in the standard Elliptic Curve Diffie-Hellman protocol
, each party computes the shared
secret by multiplying the peer's public value (seen as a
point on the curve) by its own private value, except that in
the case of Curve25519, only the x coordinate is computed.
This is merely an internal detail since specifies that only the x coordinate
is used as the premaster secret anyway.Again, in line with and as a
departure from the convention chosen in , the x coordinate is converted to
a bytes string using big endian order. As in , leading zeros are preserved, so the
premaster secret is always a 32 bytes string with
Curve25519.IANA is requested to assign numbers for Curve25519 listed in
to the Transport Layer Security (TLS)
Parameters registry EC Named Curve as
follows. ValueDescriptionDTLS-OKReferenceTBD1curve25519YThis docThe security considerations of and
most of the security considerations of apply accordingly.Curve25519 was specifically designed so that secure, fast
implementations are easier to produce. In particular, no
validation of public keys is required, and point multiplication
(using only the x coordinate) can be efficiently computed with a Montgomery ladder using a
constant number of operations (since the actual bit length of
the private key is fixed), which avoids a number of
side-channel attacks. However, in the fight against
side-channel leaks, implementors should also pay attention to
the following points:
In the Montgomery ladder, avoid branches depending on
secret data (the individual bits of the secret key);In the same place, avoid memory access patterns dependant
on secret data;Either avoid data-dependant branches and memory access
patterns in the underlying field arithmetic (that is, the
bignum arithmetic, including the mod 2^255-19 operation)
or randomize projective (that is, x/z) coordinates by
multiplying both x and z with the same 256-bit value,
chosen at random.Some of the curves defined in , namely
all whose name ends with r1 or r2, have been advertised as
pseudo-randomly chosen, but the lack of verifiability of the
seeds has raised concerns that the those curves might be weaker
than expected aginst some attackers. The Koblitz curves (those
whose name end with k1) of do not
suffer from this problem, but are char2 curves and there seems
to be a consensus that curves over prime fields are a safer bet
against future progress in discrete log computation. The
Brainpool curves are prime curves
generated in a fully verifiable pseudo-random way to avoid
manipulation concerns, but do not perform as well due to the
use of pseudo-random primes. Curve22519 is also chosen in a
fully verifiable way, but offers better performances (better
than the curves form ) while
facilitating secure implementations as mentioned above. See
also .
Curve25519: new Diffie-Hellman speed records
&rfc4492;
&rfc5246;
&rfc6347;
Transport Layer Security (TLS) ParametersInternet Assigned Numbers AuthoritySafeCurves: choosing safe curves for elliptic-curve
cryptography.Explicit-Formulas Database: XZ coordinates for
Montgomery curves
&rfc7027;
Standards for Efficient Cryptography (SEC) 1This section provides some test vectors for example
Diffie-Hellman key exchanges using Curve25519. The following
notations are used:
the secret key of party Athe public key of party Athe secret key of party Bthe public key of party Bthe shared secret that results from
completion of the Diffie-Hellman computation, i.e., the
hex representation of the pre-master secret.The field elements x_A, x_B, and x_S are represented as
hexadecimal values using the FieldElement-to-OctetString
conversion method specified in .