Cryptography
ECC in Practice
OpenSSH has shipped Ed25519 host and user keys since 2014, Signal's key agreement runs on Curve25519 with Ed25519-style signatures over the same keys, and WireGuard uses Curve25519 (X25519) for its handshake. Moving signatures from ECDSA to Ed25519 removes an entire category of catastrophic failures: private-key recovery from a repeated or biased nonce.
- **OpenSSH**: Ed25519 host and user keys since 6.5 (2014). Deterministic signatures require no CSPRNG entropy during signing.
- **Signal**: X25519 (Curve25519) for the X3DH key agreement, and XEdDSA, an Ed25519-compatible signature over the same Curve25519 identity key, for signed prekeys. The Signal Protocol, also deployed in WhatsApp, protects billions of users end-to-end.
- **PlayStation 3 (2010)**: Sony's code signing used ECDSA with the same k for every signature; fail0verflow recovered the private key (presented at 27C3), after which anyone could sign arbitrary code and the console would treat it as official.
- **Solana blockchain**: Ed25519 for every transaction signature; account addresses are Ed25519 public keys. Deterministic signing means wallets and validators need no RNG at signing time, so a weak RNG on a signing device cannot leak the key.
ECDH: Key Exchange on Curves
ECDH uses scalar multiplication for key exchange: Alice sends aG, Bob sends bG, where G is the public generator and a, b are the private scalars. Shared secret = a(bG) = b(aG) = abG. An eavesdropper sees G, aG, bG but cannot compute abG; the only known way is to recover a or b, i.e. solve the ECDLP.
X25519 (ECDH over Curve25519) is the default key exchange in TLS 1.3, SSH, Signal, and WireGuard. The raw shared secret is the x-coordinate of a curve point, not a uniformly random string (its encoding never even sets the top bit), so it must be fed through a KDF (HKDF in TLS 1.3 and WireGuard) together with transcript or context data to derive the actual encryption keys. Implementations must also reject an all-zero output, which is what a low-order peer public key produces.
Why must the raw ECDH output be processed through HKDF before use?
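The exchange above, carried through end to end as an added example (this is not the page's or any project's code): a pure-Python X25519 Montgomery ladder following RFC 7748, the low-order (all-zero) check, and an HKDF-SHA256 step that binds the raw x-coordinate to both public keys. The `"X25519 demo"` label and the zero salt are constructed for the example; the RFC 7748 section 6.1 test vector is used as a self-check. Python big integers are not constant time, so this shows the algorithm, not a deployable implementation.

```python
import hashlib
import hmac
import os

# Curve25519 field prime and ladder constant (486662 - 2) / 4, from RFC 7748
P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def _decode_scalar(k: bytes) -> int:
    """Clamp per RFC 7748: clear the low 3 bits (cofactor 8) and bit 255, set bit 254."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _decode_u(u: bytes) -> int:
    u = bytearray(u)
    u[31] &= 127  # the top bit of the encoding is ignored
    return int.from_bytes(u, "little") % P


def _cswap(swap: int, a: int, b: int):
    """Arithmetic conditional swap: swap is 0 or 1, mask is 0 or all-ones."""
    mask = -swap
    d = mask & (a ^ b)
    return a ^ d, b ^ d


def x25519(k_bytes: bytes, u_bytes: bytes) -> bytes:
    """Montgomery ladder using x-coordinates only; returns k*u as 32 little-endian bytes."""
    k = _decode_scalar(k_bytes)
    x1 = _decode_u(u_bytes)
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair(seed=None):
    priv = seed or os.urandom(32)
    return priv, x25519(priv, BASEPOINT)


def shared_secret(priv: bytes, peer_pub: bytes) -> bytes:
    ss = x25519(priv, peer_pub)
    if ss == bytes(32):  # low-order peer point (RFC 7748 sec. 6.1): refuse to proceed
        raise ValueError("low-order public key")
    return ss


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 extract-then-expand; info carries the context the key is bound to."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, i = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm += block
        i += 1
    return okm[:length]


def ecdh_session(alice_seed=None, bob_seed=None) -> dict:
    """Both sides of the exchange; returns raw secrets and the derived keys."""
    a_priv, a_pub = keypair(alice_seed)
    b_priv, b_pub = keypair(bob_seed)
    ss_a = shared_secret(a_priv, b_pub)
    ss_b = shared_secret(b_priv, a_pub)
    context = b"X25519 demo" + a_pub + b_pub  # constructed label plus both public keys
    return {
        "shared_a": ss_a, "shared_b": ss_b,
        "key_a": hkdf_sha256(ss_a, bytes(32), context),
        "key_b": hkdf_sha256(ss_b, bytes(32), context),
        "top_bit_clear": ss_a[31] >> 7 == 0,  # raw output is never uniform: bit 255 is always 0
    }


def rfc7748_vector_ok() -> bool:
    a = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    b = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
    want = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")
    s = ecdh_session(a, b)
    return s["shared_a"] == want == s["shared_b"]


if __name__ == "__main__":
    print(rfc7748_vector_ok(), ecdh_session()["key_a"].hex())
```

Feeding `bytes(32)` as the peer public key (the order-2 point u=0) makes `shared_secret` raise, which is the check TLS and Signal implementations perform before using the output.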
ECDSA: Signatures on Elliptic Curves
ECDSA creates signatures using a fresh random nonce k per signature. Reusing k for two different messages allows private key recovery via simple algebra, and even a biased or partially leaked k allows recovery with lattice techniques. Sony's PlayStation 3 code signing was broken this way in 2010 because k was the same constant for every signature.
ECDSA nonce reuse is catastrophic: given (r, s1) and (r, s2) on messages with hashes m1, m2, made with the same k, the signing equations s1 = k^-1 (m1 + r d) and s2 = k^-1 (m2 + r d) give k = (m1 - m2) / (s1 - s2), and hence the private key d = (s1*m2 - s2*m1) / (r*(s2 - s1)) mod n. Because Sony's signer used one fixed k, every pair of PS3 signatures shared r, and any two of them sufficed.
What is the consequence of reusing the ECDSA nonce k for two signatures?
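The recovery algebra above, run as an added example (not code from the page or from any of the projects it names): a minimal affine ECDSA over secp256k1 in pure Python, two signatures made with one reused nonce, recovery of both k and d, and a forged signature that verifies under the victim's public key. The curve is a choice for the example (the attack is identical on any curve); the messages and the reused nonce are constructed, and the arithmetic is not constant time.

```python
import hashlib
import secrets

# secp256k1 domain parameters: y^2 = x^3 + 7 over GF(P), generator G of prime order N
P = 2**256 - 2**32 - 977
N = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
G = (0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798,
     0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8)


def _add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k, p):
    """Double-and-add scalar multiplication (demo only: not constant time)."""
    r = None
    while k:
        if k & 1:
            r = _add(r, p)
        p = _add(p, p)
        k >>= 1
    return r


def _hash_int(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign_with_nonce(d: int, msg: bytes, k: int):
    """ECDSA where the caller supplies k. A correct signer draws a fresh random k each time."""
    r = _mul(k, G)[0] % N
    s = pow(k, N - 2, N) * (_hash_int(msg) + r * d) % N
    return r, s


def verify(pub, msg: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, N - 2, N)
    pt = _add(_mul(_hash_int(msg) * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def recover_private_key(msg1, sig1, msg2, sig2):
    """Two signatures with the same r (same k) on different messages leak k and then d."""
    r, s1 = sig1
    r2, s2 = sig2
    if r != r2:
        raise ValueError("signatures do not share a nonce")
    m1, m2 = _hash_int(msg1), _hash_int(msg2)
    # s1 = k^-1 (m1 + r d) and s2 = k^-1 (m2 + r d)
    # subtract: s1 - s2 = k^-1 (m1 - m2)  =>  k = (m1 - m2) / (s1 - s2)
    k = (m1 - m2) * pow(s1 - s2, N - 2, N) % N
    # then d = (s1 k - m1) / r, equivalent to (s1 m2 - s2 m1) / (r (s2 - s1))
    d = (s1 * k - m1) * pow(r, N - 2, N) % N
    return d, k


def demo() -> dict:
    d = secrets.randbelow(N - 1) + 1
    pub = _mul(d, G)
    k = secrets.randbelow(N - 1) + 1  # generated once ...
    msg1, msg2 = b"firmware build 1 (constructed)", b"firmware build 2 (constructed)"
    sig1 = sign_with_nonce(d, msg1, k)  # ... and reused: the PS3 mistake
    sig2 = sign_with_nonce(d, msg2, k)
    recovered_d, recovered_k = recover_private_key(msg1, sig1, msg2, sig2)
    forged_msg = b"homebrew build (constructed)"
    forged = sign_with_nonce(recovered_d, forged_msg, secrets.randbelow(N - 1) + 1)
    return {"d": d, "recovered_d": recovered_d, "recovered_k": recovered_k, "k": k,
            "same_r": sig1[0] == sig2[0], "forgery_valid": verify(pub, forged_msg, forged)}


if __name__ == "__main__":
    out = demo()
    print("recovered:", out["recovered_d"] == out["d"], "forgery verifies:", out["forgery_valid"])
```

The value of the reused k is irrelevant: a large random k used twice is exactly as fatal as k = 1, which is why the fix is to never reuse (RFC 6979 deterministic k, or EdDSA) rather than to choose k more carefully.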
EdDSA and Ed25519: Deterministic Signatures
EdDSA replaces ECDSA's random nonce with one derived deterministically from a secret prefix (half of the SHA-512 of the private seed) and the message, so the same message always yields the same signature and no CSPRNG failure can repeat or bias a nonce. Ed25519 uses the twisted Edwards curve edwards25519, which is birationally equivalent to Curve25519 over the same field GF(2^255-19).
Ed25519 is used in OpenSSH (since 6.5), Signal (as XEdDSA), Tor (v3 onion services), Solana, and by age for ssh-ed25519 recipient keys. NIST approved EdDSA in FIPS 186-5 (2023). Go's standard library added crypto/ed25519 in 1.13.
What fundamental security improvement does EdDSA provide over ECDSA?
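The deterministic nonce described above, as an added example that is not the page's or any library's code: a compact pure-Python Ed25519 following RFC 8032 (key expansion, the SHA-512 nonce derivation from prefix and message, signing, and verification), checked against the first RFC 8032 test vector. The sample messages are constructed, and the big-integer arithmetic is not constant time, so this is for understanding the construction rather than for deployment.

```python
import hashlib
import os

# edwards25519 parameters from RFC 8032
P = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493
D = (-121665 * pow(121666, P - 2, P)) % P
SQRT_M1 = pow(2, (P - 1) // 4, P)


def _recover_x(y, sign):
    """Solve x^2 = (y^2 - 1) / (d y^2 + 1); None if y is not on the curve."""
    x2 = (y * y - 1) * pow(D * y * y + 1, P - 2, P) % P
    if x2 == 0:
        return None if sign else 0
    x = pow(x2, (P + 3) // 8, P)
    if (x * x - x2) % P:
        x = x * SQRT_M1 % P
    if (x * x - x2) % P:
        return None
    return P - x if (x & 1) != sign else x


BY = 4 * pow(5, P - 2, P) % P
BX = _recover_x(BY, 0)
B = (BX, BY, 1, BX * BY % P)  # extended coordinates (X, Y, Z, T)
IDENTITY = (0, 1, 1, 0)


def _add(p, q):
    """Complete twisted-Edwards addition (RFC 8032 5.1.4); doubling uses the same formula."""
    x1, y1, z1, t1 = p
    x2, y2, z2, t2 = q
    a = (y1 - x1) * (y2 - x2) % P
    b = (y1 + x1) * (y2 + x2) % P
    c = 2 * D * t1 * t2 % P
    d = 2 * z1 * z2 % P
    e, f, g, h = b - a, d - c, d + c, b + a
    return (e * f % P, g * h % P, f * g % P, e * h % P)


def _mul(s, p):
    r = IDENTITY
    while s:
        if s & 1:
            r = _add(r, p)
        p = _add(p, p)
        s >>= 1
    return r


def _encode(p):
    x, y, z, _ = p
    zi = pow(z, P - 2, P)
    x, y = x * zi % P, y * zi % P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def _decode(b):
    y = int.from_bytes(b, "little")
    sign, y = y >> 255, y & ((1 << 255) - 1)
    if y >= P:
        return None
    x = _recover_x(y, sign)
    return None if x is None else (x, y, 1, x * y % P)


def _expand(seed: bytes):
    """SHA-512(seed): first half is clamped into the scalar a, second half is the nonce prefix."""
    h = hashlib.sha512(seed).digest()
    a = int.from_bytes(h[:32], "little") & ((1 << 254) - 8) | (1 << 254)
    return a, h[32:]


def public_key(seed: bytes) -> bytes:
    return _encode(_mul(_expand(seed)[0], B))


def sign(seed: bytes, msg: bytes) -> bytes:
    a, prefix = _expand(seed)
    pub = _encode(_mul(a, B))
    r = int.from_bytes(hashlib.sha512(prefix + msg).digest(), "little") % L  # deterministic nonce
    R = _encode(_mul(r, B))
    h = int.from_bytes(hashlib.sha512(R + pub + msg).digest(), "little") % L
    return R + ((r + h * a) % L).to_bytes(32, "little")


def verify(pub: bytes, msg: bytes, sig: bytes) -> bool:
    if len(sig) != 64:
        return False
    A, R = _decode(pub), _decode(sig[:32])
    s = int.from_bytes(sig[32:], "little")
    if A is None or R is None or s >= L:  # reject malformed points and non-canonical s
        return False
    h = int.from_bytes(hashlib.sha512(sig[:32] + pub + msg).digest(), "little") % L
    lhs, rhs = _mul(s, B), _add(R, _mul(h, A))  # check [s]B == R + [h]A projectively
    return (lhs[0] * rhs[2] - rhs[0] * lhs[2]) % P == 0 and (lhs[1] * rhs[2] - rhs[1] * lhs[2]) % P == 0


def rfc8032_vector_ok() -> bool:
    seed = bytes.fromhex("9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60")
    pub = bytes.fromhex("d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a")
    sig = bytes.fromhex("e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b")
    return public_key(seed) == pub and sign(seed, b"") == sig and verify(pub, b"", sig)


def demo() -> dict:
    seed = os.urandom(32)
    pub = public_key(seed)
    msg = b"constructed sample message"
    s1, s2 = sign(seed, msg), sign(seed, msg)
    return {"deterministic": s1 == s2, "valid": verify(pub, msg, s1),
            "tampered_rejected": not verify(pub, msg + b"!", s1),
            "nonce_changes_with_message": s1[:32] != sign(seed, b"another message")[:32]}
```

Signing the same message twice returns byte-identical signatures, while a different message changes R; there is no code path in `sign` that reads a random source, which is the property the paragraph above describes.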
Curve25519: Designed for Security
Curve25519 (Bernstein, 2006) was designed with explicit, published justifications for every parameter: prime 2^255-19 for fast arithmetic, Montgomery form enabling constant-time x-coordinate-only ECDH, cofactor 8, and nothing-up-my-sleeve constants.
NIST P-256 derives parameters from a SHA-1 hash of an undisclosed seed. Curve25519 parameters are fully transparent, making backdoor claims falsifiable by anyone.
Is Curve25519 more secure than P-256 because its prime 2^255-19 is larger?
No. Both curves provide roughly 128-bit security; Curve25519's advantage is implementation safety (constant-time Montgomery ladder, no special-case point additions, transparent parameters), not a larger security margin.
Security level depends on the difficulty of the ECDLP in the prime-order subgroup, not on the prime size alone. Against classical adversaries the two curves are equivalent.
Why is Curve25519 Montgomery form advantageous for ECDH?
Summary
- **ECDH**: shared = abG. The raw x-coordinate must pass through a KDF (HKDF in TLS 1.3) and an all-zero result must be rejected. X25519 (Curve25519) is the most common TLS 1.3 key-exchange group.
- **ECDSA**: (r, s) signature with a fresh random nonce k. Nonce reuse or bias reveals the private key. Used in Bitcoin (secp256k1) and in TLS certificates (P-256).
- **EdDSA/Ed25519**: deterministic nonce r = H(prefix || msg), with prefix derived from the private key. No CSPRNG dependency at signing time. Generally faster than P-256 ECDSA in portable code and far easier to implement in constant time.
- **Curve25519**: nothing-up-my-sleeve design, constant-time Montgomery ladder, x-coordinate-only ECDH.
Related Topics
ECC in practice powers all modern secure channels:
- ECC Mathematics — Scalar multiplication and ECDLP underlying ECDH and ECDSA.
- Digital Signatures — DSA, Schnorr, and multi-signatures as alternatives to ECDSA.
- TLS 1.3 — X25519 is the most widely used TLS 1.3 key-exchange group and P-256 ECDSA the most common certificate signature; Ed25519 is also a defined TLS 1.3 signature scheme.
Questions for Reflection
- PS3 used a constant k in ECDSA. Write out the algebra showing how to recover d from two signatures.
- Why does Signal use Curve25519 for key exchange and Ed25519 for signatures? Could one key serve both roles?
- ECDH with Curve25519 uses only x-coordinates. Why is x-only arithmetic natural for a Montgomery curve but far less efficient on a short Weierstrass curve such as P-256?