3

When I studied the applications where Curve25519 is used, I found out that it is mostly used for the key exchange. Examples are the Signal Protocol and Threema. I know that Curve25519 has pretty fast arithmetic, so my first idea was that it is used to decrease the server load. Am I right with my idea? Can someone give me a better answer?

Edit: I understand that my question may not be clear enough: Why is it not used for encryption/decryption of messages when used in a messenger like Threema?

Titanlord

2 Answers

3

A number of reasons contribute to this.

Curve25519 has a non-governmental origin.

It's a curve that's very safe by design, and impregnable to many side-channel and other weaknesses that other curves suffer from.

Also, it's a curve with 'nothing up my sleeve' coefficients, unlike the NSA curves, which NIST endorses.

Although not directly related, after the backdoor in Dual_EC_DRBG had been exposed, suspicious aspects of the NIST's P curve constants led to concerns that the NSA had chosen values that gave them an advantage in finding private keys. Since then, many protocols and programs started to use Curve25519 as an alternative to NIST P-256 curve.

As Kelalaka states, the constant time scalar multiplication provided by the Montgomery ladder is also pretty cool.

You cannot directly encrypt arbitrary amounts of data with elliptic curves.

The public key is a point on the curve and the private key is a number.

There isn't an elegant mechanism to directly encrypt (generalised ElGamal notwithstanding).

That's why key agreement revolves around finding a shared point on the curve and using a digest of the x co-ordinate of that shared point to use with a fast, secure symmetric cipher.

Woodstock
2

In general, asymmetric cryptography (which includes elliptic curve crypto, RSA, Diffie-Hellman, etc.) is orders of magnitude slower than symmetric cryptography (e.g., AES). Curve25519 is fast compared to other asymmetric cryptography, but still very slow compared to symmetric encryption.

Because of this, asymmetric cryptography is mostly used to set up symmetric keys for further use in symmetric cryptography (key exchange, hybrid encryption, etc), or for electronic signatures (where it is applied to a hash of a document/message, and not the full document/message, for the same inefficiency reason).

Thus you expect asymmetric cryptography (and as a side effect, Curve25519) in contexts such as:

The list is far from exhaustive, but should give you an idea where to look.

So I think that the answer to your question is that it is not specific to Curve25519 at all -- you could probably observe the same for any asymmetric cryptographic scheme: messages are likely to be encrypted using a symmetric cipher such as AES for efficiency, and the key for that is set up using key exchange or inside the hybrid encryption, for which Curve25519 might be used.

user4621