y2 = x3 + 486662×2 + x
Curve25519 was first released by Daniel J. Bernstein in 2005, but interest increased considerably after 2013 when it was discovered that the NSA had implemented a backdoor into Dual EC DRBG.
In cryptography, Curve25519 is an elliptic curve offering 128 bits of security and designed for use with the elliptic curve Diffie–Hellman (ECDH) key agreement scheme. It is one of the fastest ECC curves; it is not covered by any known patents, and it is less susceptible to weak random-number generators. The reference implementation is public domain software.
The curve used is y2 = x3 + 486662x2 + x, a Montgomery curve, over the prime field defined by the prime number 2255 − 19, and it uses the base point x = 9. The protocol uses compressed elliptic point (only X coordinates), so it allows for efficient use of the Montgomery ladder for ECDH, using only XZ coordinates.
Curve25519 is constructed such that it avoids many potential implementation pitfalls. By design, it avoids many side channel attacks and issues with poor-quality random-number-generators.
The curve is birationally equivalent to Ed25519, a Twisted Edwards curve.
Read more via: