oauth2.dev

X25519

IESG

Registry Context

X25519 identifies an OKP key subtype used for ECDH-ES key agreement. It is not a signing key subtype.

Technical Summary

An X25519 JWK uses kty="OKP", crv="X25519", and a base64url-encoded public key in x. Private keys additionally contain d. RFC 8037 prohibits using X25519 for signing.

When Used

When representing X25519 keys as JWKs or performing ECDH-ES key agreement with X25519.

Normative Requirements

Unspecified actor

MUST NOT
2
  1. RFC 8037 - Section 2

    Include the "d" parameter..

    Condition: When representing a public X25519 key as a JWK.

    This parameter MUST NOT be present for public keys.

  2. RFC 8037 - Section 3.2

    Use the X25519 key subtype for signing..

    These subtypes MUST NOT be used for signing.

MUST
4
  1. RFC 8037 - Section 2

    Set the "kty" parameter to "OKP"..

    Condition: When representing an X25519 key as a JWK.

    The parameter "kty" MUST be "OKP".

  2. RFC 8037 - Section 2

    Include the "crv" parameter containing the key subtype..

    Condition: When representing an X25519 key as a JWK.

    The parameter "crv" MUST be present and contain the subtype of the key.

  3. RFC 8037 - Section 2

    Include the "x" parameter containing the base64url-encoded public key..

    Condition: When representing an X25519 key as a JWK.

    The parameter "x" MUST be present and contain the public key encoded using the base64url encoding.

  4. RFC 8037 - Section 2

    Include the "d" parameter containing the base64url-encoded private key..

    Condition: When representing a private X25519 key as a JWK.

    The parameter "d" MUST be present for private keys and contain the private key encoded using the base64url encoding.

REQUIRED
1
  1. RFC 8037 - Section 4

    Use a well-seeded cryptographic random number generator..

    Condition: When generating X25519 keys.

    If key generation or batch signature verification is performed, a well-seeded cryptographic random number generator is REQUIRED.

Validation Guidance

error

Reject an X25519 JWK unless kty is "OKP", crv is "X25519", and x is present and base64url encoded.

error

Reject a private X25519 JWK that omits d, and reject a public X25519 JWK that contains d.

error

Reject use of an X25519 key for signing.

error

For ECDH-ES, derive epk.x from the ephemeral private key and standard base point, and derive Z from the ephemeral private key and receiver public key, as described in RFC 8037 Section 3.2.1.

error

Ensure X25519 key generation uses a well-seeded cryptographic random number generator.

Security Notes

RFC 8037 - Section 4

Keep key material associated with its key subtype and verify that each algorithm is compatible with that subtype to prevent algorithm-mix-up attacks.

RFC 8037 - Section 4

The security considerations of RFC 7748 apply to X25519 use under RFC 8037.

RFC 8037 - Section 4

The JWA ECDH-ES KDF does not mix keys into the final shared secret; malicious key selection by either party can eliminate security.

Reference

Details

Entry Id
X25519
Curve Name
X25519
Curve Description
X25519 function key pairs
Jose Implementation Requirements
Optional
Change Controller
IESG
Reference
RFC8037 - Section 3.2