Cryptography

Curve25519

2018-12-24 03:12:30     Category: Elliptic-curve cryptography

In cryptography, Curve25519 is an elliptic curve designed for use in the elliptic-curve Diffie-Hellman (ECDH) key-agreement scheme, where it offers 128 bits of security. It is one of the fastest ECC curves and is not covered by any known patents.[1] Its reference implementation is public-domain software.[2]

The original Curve25519 paper defined it as a Diffie-Hellman (DH) function. Daniel J. Bernstein has since proposed that Curve25519 be used as the name of the underlying curve and X25519 as the name of its DH function.[3]

Contents

  • 1 Mathematical properties
  • 2 Popularity
    • 2.1 Libraries
    • 2.2 Protocols
    • 2.3 Applications
  • 3 Notes
  • 4 See also
  • 5 References
  • 6 External links

Mathematical properties

The curve used is y² = x³ + 486662x² + x, a Montgomery curve, over the quadratic extension of the prime field defined by the prime 2²⁵⁵ − 19, and it uses the base point x = 9. This base point has order [4].

The protocol uses compressed elliptic-curve points (only the X coordinate), so it allows efficient use of the Montgomery ladder for ECDH, using only XZ coordinates.[5]

Curve25519 is constructed so that it avoids many potential implementation pitfalls.[6] By design, it is immune to timing attacks, and it accepts any 32-byte string as a valid public key and does not require validation.
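The X-only Montgomery ladder and the "any 32-byte string is a key" property described above, as an added example that is not code from this page or from any library it lists: a plain-Python X25519 following the ladder in RFC 7748, with the scalar clamping that makes the three properties fit together (the function and constant names are this example's own). The conditional swap here branches on secret bits, so unlike the designs the page describes it is not constant-time; it is for study, not deployment.

```python
# Added example (not from the page): X25519 over Curve25519 with the X-only
# Montgomery ladder of RFC 7748. Educational, not constant-time.

P = 2**255 - 19          # prime of the base field
A24 = (486662 - 2) // 4  # (A - 2) / 4 for the Montgomery curve y^2 = x^3 + 486662x^2 + x
BASE_U = 9               # x-coordinate of the base point

def decode_scalar(k: bytes) -> int:
    """Clamp a 32-byte private key as X25519 requires (RFC 7748 section 5)."""
    k = bytearray(k)
    k[0] &= 248          # clear the 3 low bits: scalar becomes a multiple of the cofactor 8
    k[31] &= 127         # clear bit 255
    k[31] |= 64          # set bit 254 so every scalar drives the ladder the same way
    return int.from_bytes(k, "little")

def decode_u(u: bytes) -> int:
    """Any 32-byte string is a usable u-coordinate; bit 255 is simply ignored."""
    return int.from_bytes(u, "little") & ((1 << 255) - 1)

def x25519(k: bytes, u: bytes) -> bytes:
    """Return the u-coordinate of k * (u, .), computed with projective (X : Z) only."""
    s, x1 = decode_scalar(k), decode_u(u)
    x2, z2, x3, z3 = 1, 0, x1, 1          # R0 = point at infinity, R1 = (x1 : 1)
    swap = 0
    for t in range(254, -1, -1):          # 255 ladder steps, one per scalar bit
        k_t = (s >> t) & 1
        swap ^= k_t
        if swap:                          # secret-dependent branch: not constant-time
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = k_t
        # One ladder step: differential add into (x3, z3), double into (x2, z2)
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    # Affine x = x2 / z2; a low-order input leaves z2 == 0 and the result is all zeros
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def public_key(k: bytes) -> bytes:
    """Public key = k * base point, i.e. X25519(k, 9)."""
    return x25519(k, BASE_U.to_bytes(32, "little"))
```

Because the same function computes both public keys and shared secrets, the two parties' results agree exactly when k_A * (k_B * G) equals k_B * (k_A * G), which is what the commutativity check below verifies; the all-zero output for a low-order input is why protocols built on X25519 typically reject it.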

The curve is birationally equivalent to the twisted Edwards curve used in the Ed25519 signature scheme.[7]

Popularity

Libraries

  • Libgcrypt[8]
  • libssh[9]
  • NaCl[10]
  • GnuTLS[11]
  • mbed TLS (formerly PolarSSL)[12]
  • wolfSSL[13]
  • Botan[14]
  • SChannel[a][15]
  • Libsodium[16]
  • OpenSSL since version 1.1.0[17]
  • LibreSSL[18]
  • NaCl for Tcl, a port to the Tcl language[19]
  • NSS since version 3.28[20]
  • Monocypher[21]
  • Crypto++

Protocols

  • OMEMO, a proposed extension to XMPP (Jabber)[22]
  • Secure Shell
  • Signal Protocol
  • Tox
  • Zcash
  • TLS

Applications

  • Conversations Android application[b]
  • Cryptocat[23][b]
  • DNSCrypt[24]
  • DNSCurve
  • Dropbear[9][25]
  • Facebook Messenger [c][d]
  • Gajim via plugin[26][b]
  • GNUnet[27]
  • GnuPG
  • Google Allo[e][d]
  • I2P[28]
  • IPFS[29]
  • iOS[30]
  • Monero[31]
  • OpenBSD[f]
  • OpenSSH[9][g]
  • Peerio[36]
  • PuTTY[37]
  • Signal[d]
  • Silent Phone
  • SmartFTP[9]
  • SSHJ[9]
  • Threema Instant Messenger[38]
  • TinySSH[9]
  • TinyTERM[9]
  • Tor[39]
  • Viber[40]
  • WhatsApp[d]
  • Wire

Notes

  a. Starting with Windows 10 (1607) and Windows Server 2016.
  b. Via the OMEMO protocol
  c. Only in "secret conversations"
  d. Via the Signal Protocol
  e. Only in "incognito mode"
  f. Used to sign releases and packages[32][33]
  g. Exclusive key exchange in OpenSSH 6.7 when compiled without OpenSSL.[34][35]

See also

  • EdDSA § Ed25519

References

  1. Bernstein. Irrelevant patents on elliptic-curve cryptography. cr.yp.to. Retrieved 2016-02-08.
  2. A state-of-the-art Diffie-Hellman function, by Daniel J. Bernstein: "My curve25519 library computes the Curve25519 function at very high speed. The library is in the public domain."
  3. [Cfrg] 25519 naming. Retrieved 2016-02-25.
  4. Cite error: the reference named ":2" has no content on this page.
  5. Lange, Tanja. EFD / Genus-1 large-characteristic / XZ coordinates for Montgomery curves. EFD / Explicit-Formulas Database. Retrieved 8 February 2016.
  6. SafeCurves: Introduction. safecurves.cr.yp.to. Retrieved 2016-02-08.
  7. Bernstein, Daniel J.; Lange, Tanja. Faster addition and doubling on elliptic curves. In Kurosawa, Kaoru (ed.), Advances in cryptology—ASIACRYPT. Lecture Notes in Computer Science. Berlin: Springer, 2007, pp. 29–50. ISBN 978-3-540-76899-9. MR 2565722. doi:10.1007/978-3-540-76900-2_3.
  8. Werner Koch. Libgcrypt 1.7.0 release announcement. 15 April 2016. Retrieved 22 April 2016.
  9. SSH implementation comparison: Comparison of key exchange methods. Retrieved 2016-02-25.
  10. Introduction. yp.to. Retrieved 11 December 2014.
  11. nettle: curve25519.h File Reference - doxygen documentation | Fossies Dox. fossies.org. Retrieved 2015-05-19. Archived from the original on 2015-05-20.
  12. ARM Limited. PolarSSL 1.3.3 released - Tech Updates - mbed TLS (Previously PolarSSL). tls.mbed.org. Retrieved 2015-05-19.
  13. wolfSSL Embedded SSL/TLS Library - wolfSSL Products.
  14. Botan: src/lib/pubkey/curve25519/curve25519.cpp Source File. botan.randombit.net.
  15. Justinha. TLS (Schannel SSP). docs.microsoft.com. Retrieved 2017-09-15.
  16. Denis, Frank. Introduction · libsodium. libsodium.org.
  17. OpenSSL Foundation, Inc. OpenSSL. www.openssl.org. Retrieved 2016-06-24.
  18. Add support for ECDHE with X25519. openbsd/src@0ad90c3. GitHub.
  19. Tclers Wiki - NaCl for Tcl.
  20. NSS 3.28 release notes. Retrieved 25 July 2017.
  21. Monocypher Manual. Retrieved 2017-08-03.
  22. Straub, Andreas. OMEMO Encryption. conversations.im. 25 October 2015.
  23. Cryptocat - Security. crypto.cat. Retrieved 2016-05-24.
  24. Frank Denis. DNSCrypt version 2 protocol specification. Retrieved 2016-03-03. Archived from the original on 2015-08-13.
  25. Matt Johnston. Dropbear SSH - Changes. Retrieved 2016-02-25.
  26. Bahtiar Gadimov et al. Gajim plugin for OMEMO Multi-End Message and Object Encryption. Retrieved 2016-10-01.
  27. GNUnet 0.10.0. gnunet.org. Retrieved 11 December 2014.
  28. zzz. 0.9.15 Release - Blog. 2014-09-20. Retrieved 20 December 2014.
  29. https://github.com/ipfs/go-ipfs/blob/master/core/commands/keystore.go#L68
  30. iOS Security Guide (PDF).
  31. MRL-0003 - Monero is Not That Mysterious (PDF). getmonero.com.
  32. Murenin, Constantine A.; Soulskill (ed.). OpenBSD Moving Towards Signed Packages — Based On D. J. Bernstein Crypto. Slashdot. 2014-01-19. Retrieved 2014-12-27.
  33. Murenin, Constantine A.; timothy (ed.). OpenBSD 5.5 Released. Slashdot. 2014-05-01. Retrieved 2014-12-27.
  34. Friedl, Markus. ssh/kex.c#kexalgs. BSD Cross Reference, OpenBSD src/usr.bin/. 2014-04-29. Retrieved 2014-12-27.
  35. Murenin, Constantine A.; Soulskill (ed.). OpenSSH No Longer Has To Depend On OpenSSL. Slashdot. 2014-04-30. Retrieved 2014-12-26.
  36. How does Peerio implement end-to-end encryption?. Peerio.
  37. PuTTY Change Log. www.chiark.greenend.org.uk.
  38. Threema Cryptography Whitepaper (PDF).
  39. Roger Dingledine & Nick Mathewson. Tor's Protocol Specifications - Blog. Retrieved 20 December 2014.
  40. Viber Encryption Overview. Viber. 3 May 2016. Retrieved 24 September 2016.

External links

  • Official website
