Curve25519 is a pretty secure way to exchange a key. In the original paper and on SafeCurves, a lot of attacks and security aspects are mentioned:

Attacks:

  • Brute force: This one is theoretically possible but not practical.
  • Small subgroup attacks: Pohlig-Hellman and Lim-Lee attacks are useless against Curve25519, mostly because of the chosen parameters.
  • Pollard Rho and Kangaroo attacks: Curve25519 is not immune to those attacks, but still provides enough security (round about $2^{125}$).
  • Batch discrete logarithms: Again, Curve25519 is not immune but still provides enough security.
  • Transfer attacks: Algebraic attack against which Curve25519 is pretty much resistant.
  • Baby Step Giant Step: Is possible, but the cyclic groups are too big.

Other security aspects:

  • Rigidity: The origin for every Curve25519 parameter is provided.
  • Montgomery Ladder: Resistance against side-channel attacks.
  • Twist: The twist of Curve25519 is secure, too.
  • Completeness: The addition formula is complete.
  • Indistinguishability: No difference between a random string and a key.

Since Curve25519 was published about 15 years ago, my question is: Are there any (newer) attacks and/or security aspects I'm missing?

Glorfindel
Titanlord

0 Answers