Curve25519 for ephemeral key exchange in Transport Layer Security (TLS)

The information below is for an old version of the document
Document Type Active Internet-Draft (tls WG)
Last updated 2015-06-12
Replaces draft-josefsson-tls-curve25519
Stream IETF
Intended RFC status (None)
Stream WG state WG Document
Document shepherd Joseph Salowey
IESG IESG state I-D Exists
Consensus Boilerplate Unknown
Responsible AD (None)
Send notices to "Joseph A. Salowey" <>
Network Working Group                                       S. Josefsson
Internet-Draft                                                    SJD AB
Updates: 4492, 5246 (if approved)                    M. Pegourie-Gonnard
Intended status: Informational                    Independent / PolarSSL
Expires: December 11, 2015                                  June 9, 2015

Curve25519 for ephemeral key exchange in Transport Layer Security (TLS)


   This document specifies the use of Curve25519 for ephemeral key
   exchange in the Transport Layer Security (TLS) protocol, as well as
   its DTLS variant.  It updates RFC 5246 (TLS 1.2) and RFC 4492
   (Elliptic Curve Cryptography for TLS).

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 11, 2015.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   ( in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Josefsson & Pegourie-Gonnard  Expires December 11, 2015         [Page 1]
Internet-Draft             Curve25519 for TLS                  June 2015

1.  Introduction

   In [Curve25519] [I-D.irtf-cfrg-curves], a new elliptic curve function
   for use in cryptographic applications was specified.  Curve25519 is a
   Diffie-Hellman function designed with performance and security in

   [RFC4492] defines the usage of elliptic curves for authentication and
   key agreement in TLS 1.0 and TLS 1.1, and these mechanisms are also
   applicable to TLS 1.2 [RFC5246].  The use of ECC curves for key
   exchange requires the definition and assignment of additional
   NamedCurve IDs.  This document specifies that value for Curve25519, as
   well as the minor changes in key selection and representation that
   are required to accommodate for Curve25519's slightly different

   This document only describes usage of Curve25519 for ephemeral key
   exchange (ECDHE).  It does not define its use for signature, since
   the primitive considered here is a Diffie-Hellman function; the
   related signature scheme, Ed25519, is outside the scope of this
   document.  The use of Curve25519 with long-term keys embedded in
   X.509 certificates is also out of scope here.

1.1.  Requirements Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   document are to be interpreted as described in [RFC2119].

2.  Data Structures and Computations

2.1.  Cryptographic computations

   All cryptographic computations are done using the Curve25519 function
   defined in [Curve25519] [I-D.irtf-cfrg-curves].  In this memo, this
   function is considered as a black box that takes as input a (secret
   key, public key) pair and outputs a public key.  Public keys are
   defined as strings of 32 bytes.  Secret keys are defined as 255-bit
   numbers such that the high-order bit (bit 254) is set, and the three
   lowest-order bits are unset.  In addition, a common public key,
   denoted by G, is shared by all users.

   An ECDHE key exchange using Curve25519 goes as follows.  Each party
   picks a secret key d uniformly at random and computes the
   corresponding public key x = Curve25519(d, G).  Parties exchange
   their public keys (see Section 2.3) and compute a shared secret as
   x_S = Curve25519(d, x_peer).  This shared secret is used directly as
   the premaster secret, which is always exactly 32 bytes when ECDHE
   with Curve25519 is used.

   A complete description of the Curve25519 function, as well as a few
   implementation notes, are provided in Appendix A.
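
   The exchange of Section 2.1 carried through on both sides, as an added
   example that is not part of this draft or of any TLS library.  The
   names clamp, curve25519 and ecdhe_demo are hypothetical, and the
   ladder is the standard Montgomery ladder written for readability; it
   is not constant-time.

```python
import os

P = 2**255 - 19                  # field prime
A24 = 121665                     # (486662 - 2) / 4, curve constant for the ladder
G = (9).to_bytes(32, "little")   # common public key G (base point, u = 9)
MASK255 = (1 << 255) - 1

def clamp(secret: bytes) -> int:
    """32 random bytes -> secret key d: 255-bit number, bit 254 set, low 3 bits clear."""
    d = int.from_bytes(secret, "little") & MASK255
    return (d & ~7) | (1 << 254)

def curve25519(secret: bytes, public: bytes) -> bytes:
    """The black box of Section 2.1: (secret key, public key) -> public key.
    Illustration only: Python big-int arithmetic and branches are not constant-time."""
    if len(secret) != 32 or len(public) != 32:
        raise ValueError("keys must be exactly 32 bytes")
    d = clamp(secret)
    x1 = int.from_bytes(public, "little") & MASK255
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):           # bits 254 down to 0
        bit = (d >> t) & 1
        if swap ^ bit:                       # conditional swap of the two ladder points
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, e = (x3 + z3) % P, (x3 - z3) % P
        aa, bb = a * a % P, b * b % P
        da, cb = e * a % P, c * b % P
        x3 = (da + cb) ** 2 % P              # differential addition
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P                     # doubling
        ee = (aa - bb) % P
        z2 = ee * (aa + A24 * ee) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def ecdhe_demo(d_client: bytes, d_server: bytes):
    """Run both sides; returns (x_client, x_server, premaster secret)."""
    x_client = curve25519(d_client, G)           # x = Curve25519(d, G)
    x_server = curve25519(d_server, G)
    pm_client = curve25519(d_client, x_server)   # x_S = Curve25519(d, x_peer)
    pm_server = curve25519(d_server, x_client)
    if pm_client != pm_server:
        raise RuntimeError("shared secrets differ")
    return x_client, x_server, pm_client         # premaster is always 32 bytes

if __name__ == "__main__":
    xc, xs, pm = ecdhe_demo(os.urandom(32), os.urandom(32))
    print(xc.hex(), xs.hex(), pm.hex(), sep="\n")
```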