Best Crypto – Things that use Curve25519
Updated: January 13, 2017
Here’s a list of protocols and software that use or support the superfast, super secure Curve25519 ECDH function from Dan Bernstein. Note that Curve25519 ECDH should be referred to as X25519.
This page is divided by Protocols, Networks, Operating Systems, Hardware, Software, TLS Libraries, Libraries, Miscellaneous, Timeline notes, and Support coming soon.
You may also be interested in this list of Ed25519 deployment.
Background info:
It has become increasingly common for "Curve25519" to refer to an elliptic curve, while the original paper defined "Curve25519" as an X-coordinate DH system using that curve. "Ed25519" unambiguously refers to an Edwards-coordinate signature system using that curve. Kenny and others in Toronto recommended changing terminology to clearly separate these three items. Let me suggest the following terminology:
* "X25519" is the recommended Montgomery-X-coordinate DH function.
* "Ed25519" is the recommended Edwards-coordinate signature system.
* "Curve25519" is the underlying elliptic curve.
Protocols
- DNS
- Transport
- CurveCP — a secure transport protocol
- QUIC — a secure transport protocol
- Noise — a framework for crypto protocols based on Diffie-Hellman key agreement
- Nitro — a very fast, flexible, high-level network communication library
- lodp — Lightweight Obfuscated Datagram Protocol
- CUSP — a reliable and secure general purpose transport designed with peer-to-peer (P2P) networking in mind
- Dust — A Polymorphic Engine for Filtering-Resistant Transport Protocols
- RAET — (Reliable Asynchronous Event Transport) Protocol
- Evernym — a high-speed, privacy-enhancing, distributed public ledger engineered for self-sovereign identity
- SSH, thanks to the curve25519-sha256@libssh.org key exchange from the libssh team, adopted by OpenSSH and Tinyssh
- Other
- TLS
- IPsec
- OpenIKED — IKEv2 daemon which supports non-standard Curve25519
- ZRTP
- ZRTPCPP — GNU ZRTP C++
- Other
- Signal Protocol — encrypted messaging protocol derivative of OTR Messaging
- Pond — forward secure, asynchronous messaging for the discerning project in stasis
- ZeroTier — Create flat virtual Ethernet networks of almost unlimited size
- telehash — encrypted mesh protocol
- Olm — A Cryptographic Ratchet
- bubblestorm — P2P group organization protocol
- Apple AirPlay — stream content to HDTV/speakers
Networks
- Tor — The Onion Router anonymity network
- GNUnet — a framework for secure peer-to-peer networking that does not use any centralized or otherwise trusted services
- URC — an IRC style, private, security aware, open source project
- Serval — Mesh telecommunications
- SAFE — A new Secure way to access a world of existing apps where the security of your data is put above all else
- Stellar (Payment Network) — low-cost, real-time transactions on a distributed ledger
- cjdns — encrypted ipv6 mesh networking
- Plus the Enigmabox — a Hardware cjdns router
Operating Systems
- OpenBSD — used in OpenSSH, OpenIKED, and in CVS over SSH
- Apple iOS — the operating system used in the iPhone, iPad, and iPod Touch
- Android — ships with Chrome, which supports X25519 for TLS and QUIC
- All operating systems that ship with OpenSSH 6.5+ from the OpenBSD Project
Hardware
- SC4 HSM — a fully-open USB2 HSM (hardware-secure module)
Software
- DNS
- CurveDNS — a DNSCurve Forwarding Authoritative Name Server also on github
- djbdns dnscurve patch — adds DNSCurve support to dnscache
- dqcache — Recursive DNS/DNSCurve server also on github
- dq — a command-line tool to debug DNS/DNScurve
- pymdscurve & dnspythoncurve — python authoritative server & recursive resolver
- dnscrypt-proxy — securing communications between a client and a DNS resolver
- SimpleDnsCrypt — A simple management tool for dnscrypt-proxy
- dnscrypt-win-client — DNSCrypt for Windows (OpenDNS front-end to dnscrypt-proxy)
- dnscrypt-win-client — DNSCrypt for Windows (Noxwizard front-end to dnscrypt-proxy)
- dnscrypt-osxclient — Mac OSX application to control the DNSCrypt Proxy
- dnscrypt-proxy-cydia — DNSCrypt for jailbroken iOS/Apple devices via Cydia
- dnscrypt-proxy-gui — Qt/KF5 GUI wrapped over dnscrypt-proxy
- dnscrypt-wrapper — add dnscrypt support to any name resolver
- Pcap_DNSProxy — A local DNS server based on WinPcap and LibPcap
- dnsdist — a highly DNS-, DoS- and abuse-aware loadbalancer (supports DNSCrypt)
- Web browsers & clients
- Google Chrome — for TLS and QUIC
- Iridium — a browser securing your privacy (supports X25519 for TLS and QUIC)
- Opera
- VapidSSL — a TLS 1.2 client derived from BoringSSL
- Web Servers
- Caddy — Caddy 0.9+ supports QUIC
- All webservers built with OpenSSL 1.1.0+
- CurveCP related
- CurveProtect — securing major protocols with CurveCP. Also supports DNSCurve.
- qremote — an experimental drop-in replacement for qmail’s qmail-remote with CurveCP support
- curvevpn — based on CurveCP
- curvetun — a lightweight curve25519-based IP tunnel
- spiral-swarm — easy local file transfer with curvecp [ author recommends another project ]
- QuickTun — “probably the simplest VPN tunnel software ever”
- jeremywohl-curvecp — “A Go CurveCP implementation I was sandboxing; non-functional.”
- curvecp — CurveCP programs, linked with TweetNaCl and built statically with Musl libc
- curvecp.go — Go implementation of the CurveCP protocol
- curvecp — Automatically exported from code.google.com/p/curvecp
- urcd — the most private, secure, open source, “Internet Relay Chat” style chat network
Introducing python-ed25519
Ed25519 is an implementation of Schnorr Signatures in a particular elliptic curve (Curve25519) that enables very high speed operations. It also has a few nice features to make the algorithm safer and easier to use.
I’ve published some MIT-licensed Python bindings to djb++’s portable C implementation of this signature scheme. They’re available here:
https://github.com/warner/python-ed25519
or easy_install ed25519
Some Highlights:
- signing keys and verifying keys are both just 32 bytes
- signatures are 64 bytes
- key generation and signing each take about 2ms on my 2010 MacBookPro
- signature verification takes about 6ms
- 128-bit security level, comparable to AES-128, SHA256, and 3072-bit RSA
- No entropy needed during signing (signatures are deterministic)
There are amd64-specific assembly versions that run even faster, in just a few hundred microseconds, and for bulk operations you can do batch verification faster than one-at-a-time verification. So you can perform thousands of operations per second with this algorithm (and hundreds with this particular implementation).
It’s very exciting to finally have short+fast signatures (and also, through Curve25519, key-agreement and encryption): it opens up a lot of new possibilities. When public-key encryption was first invented, keys took so long to generate that folks assumed that each human would have just one: all sorts of mental baggage was built up around this restriction (ideas like never sharing signing keys, keys representing people, and the need to distribute keys separately from fingerprints). When you can easily generate a new key for each message or object or operation, we can let go of some of those psychological fetters and build something new.
(Note that “Curve25519” uses the same basic curve equation, but only provides Diffie-Hellman key agreement [and, by extension, public-key encryption]. It can’t be used to create signatures that can be verified by third parties: for that you need Ed25519. A portable Curve25519 implementation can be found in curve25519-donna, and includes a Python binding that I wrote too).
Reference:
https://ianix.com/pub/curve25519-deployment.html
https://blog.mozilla.org/warner/2011/11/21/introducing-python-ed25519/