// glossary / curve25519

Curve25519 / X25519.

The encryption half of the modern OpenPGP keypair. Where Ed25519 signs, X25519 (also written Cv25519 in OpenPGP listings) handles the encryption side via elliptic-curve Diffie-Hellman. Small, fast, strong margin — and the standard pairing with Ed25519 on contemporary keys.

// definition

Curve25519 is an elliptic curve designed for fast, secure Diffie-Hellman key agreement. In OpenPGP it's used (under the name X25519 or Cv25519) as the encryption subkey algorithm — when someone encrypts to you, your public Curve25519 key is what the encryption is to.

What it is.

Curve25519 is a specific elliptic curve specified by Daniel J. Bernstein in 2005, chosen for its security properties, performance, and resistance to certain implementation pitfalls that have caused trouble with other curves. The key agreement protocol on top of it is X25519 — and in OpenPGP, the encryption operation uses X25519 to derive a shared secret that wraps the actual session key.

You'll see it called several names in different contexts:

Curve25519 — the curve itself.
X25519 — the Diffie-Hellman key agreement on that curve (standardized in RFC 7748).
Cv25519 — how GnuPG and some OpenPGP tools label it in listings.
ECDH-Curve25519 — the explicit OpenPGP integration name.

All four refer to the same underlying cryptography in practice.

Why it matters.

Curve25519 is the encryption counterpart to Ed25519's signatures. Together they form the standard modern OpenPGP keypair: Ed25519 primary key for signing and certification, Curve25519 subkey for encryption. The combination is the recommended default for new keys generated by GnuPG 2.1+, OpenKeychain, PGPony, and other current tools.

Compared to RSA encryption, Curve25519:

Uses 256-bit public keys instead of 3072+ bit RSA keys for equivalent security.
Generates keys in milliseconds instead of seconds.
Has constant-time implementations available that resist timing side channels.
Avoids parameter-selection footguns that have caused real attacks on other ECC curves.

// in a key listing

pub ed25519 2026-01-15 [SC] AAAA BBBB CCCC DDDD EEEE FFFF 1111 2222 3333 4444 uid [ultimate] You <you@example.com> sub cv25519 2026-01-15 [E] ← Curve25519 encryption subkey

The cv25519 label on the subkey is GnuPG's way of saying "Curve25519 ECDH encryption subkey." The [E] at the end marks it as the Encryption capability.

// in PGPony When you generate a key with the Ed25519+Cv25519 algorithm option, PGPony creates an Ed25519 primary key for signing and a Curve25519 subkey for encryption. The combination is the default and recommended choice.

Related terms

Get PGPony

Free OpenPGP encryption for iOS and Android. No accounts, no tracking.

Download on the App Store Get it on Google Play