X25519
Registry Context
X25519 identifies an OKP key subtype used for ECDH-ES key agreement. It is not a signing key subtype.
Technical Summary
An X25519 JWK uses kty="OKP", crv="X25519", and a base64url-encoded public key in x. Private keys additionally contain d. RFC 8037 prohibits using X25519 for signing.
When Used
When representing X25519 keys as JWKs or performing ECDH-ES key agreement with X25519.
Normative Requirements
Unspecified actor
RFC 8037 - Section 2
Include the "d" parameter..
Condition: When representing a public X25519 key as a JWK.
This parameter MUST NOT be present for public keys.
RFC 8037 - Section 3.2
Use the X25519 key subtype for signing..
These subtypes MUST NOT be used for signing.
RFC 8037 - Section 2
Set the "kty" parameter to "OKP"..
Condition: When representing an X25519 key as a JWK.
The parameter "kty" MUST be "OKP".
RFC 8037 - Section 2
Include the "crv" parameter containing the key subtype..
Condition: When representing an X25519 key as a JWK.
The parameter "crv" MUST be present and contain the subtype of the key.
RFC 8037 - Section 2
Include the "x" parameter containing the base64url-encoded public key..
Condition: When representing an X25519 key as a JWK.
The parameter "x" MUST be present and contain the public key encoded using the base64url encoding.
RFC 8037 - Section 2
Include the "d" parameter containing the base64url-encoded private key..
Condition: When representing a private X25519 key as a JWK.
The parameter "d" MUST be present for private keys and contain the private key encoded using the base64url encoding.
RFC 8037 - Section 4
Use a well-seeded cryptographic random number generator..
Condition: When generating X25519 keys.
If key generation or batch signature verification is performed, a well-seeded cryptographic random number generator is REQUIRED.
Validation Guidance
Reject an X25519 JWK unless kty is "OKP", crv is "X25519", and x is present and base64url encoded.
Reject a private X25519 JWK that omits d, and reject a public X25519 JWK that contains d.
Reject use of an X25519 key for signing.
For ECDH-ES, derive epk.x from the ephemeral private key and standard base point, and derive Z from the ephemeral private key and receiver public key, as described in RFC 8037 Section 3.2.1.
Ensure X25519 key generation uses a well-seeded cryptographic random number generator.
Security Notes
RFC 8037 - Section 4
Keep key material associated with its key subtype and verify that each algorithm is compatible with that subtype to prevent algorithm-mix-up attacks.
RFC 8037 - Section 4
The security considerations of RFC 7748 apply to X25519 use under RFC 8037.
RFC 8037 - Section 4
The JWA ECDH-ES KDF does not mix keys into the final shared secret; malicious key selection by either party can eliminate security.
Reference
Details
- Entry Id
X25519- Curve Name
X25519- Curve Description
X25519 function key pairs- Jose Implementation Requirements
Optional- Change Controller
IESG- Reference
RFC8037 - Section 3.2