Skip to content

Best Crypto – Things that use Curve25519


Things that use Curve25519

Updated: January 13, 2017

Here’s a list of protocols and software that use or support the superfast, super secure Curve25519 ECDH function from Dan Bernstein. Note that Curve25519 ECDH should be referred to as X25519.

This page is divided by Protocols, Networks, Operating Systems, Hardware, Software, TLS Libraries, Libraries, Miscellaneous, Timeline notes, and Support coming soon.

You may also be interested in this list of Ed25519 deployment.

Background info:

It has become increasingly common for "Curve25519" to refer to an
elliptic curve, while the original paper defined "Curve25519" as an
X-coordinate DH system using that curve. "Ed25519" unambiguously refers
to an Edwards-coordinate signature system using that curve.

Kenny and others in Toronto recommended changing terminology to clearly
separate these three items. Let me suggest the following terminology:

   * "X25519" is the recommended Montgomery-X-coordinate DH function.
   * "Ed25519" is the recommended Edwards-coordinate signature system.
   * "Curve25519" is the underlying elliptic curve.


  • DNS
    • DNSCurve — encrypted DNS between a resolver and authoritative server
    • DNSCrypt — encrypted DNS between a client and a resolver
  • Transport
    • CurveCP — a secure transport protocol
    • QUIC — a secure transport protocol
    • Noise — a framework for crypto protocols based on Diffie-Hellman key agreement
    • Nitro — a very fast, flexible, high-level network communication library
    • lodp — Lightweight Obfuscated Datagram Protocol
    • CUSP — a reliable and secure general purpose transport designed with peer-to-peer (P2P) networking in mind
    • Dust — A Polymorphic Engine for Filtering-Resistant Transport Protocols
    • RAET — (Reliable Asynchronous Event Transport) Protocol
    • Evernym — a high-speed, privacy-enhancing, distributed public ledger engineered for self-sovereign identity
    • SSH, thanks to the key exchange from the libssh team, adopted by OpenSSH and Tinyssh
  • Other
    • obfs4 — a look-like nothing obfuscation protocol
    • Riffle — an efficient communication system with strong anonymity
    • OMEMO — an XMPP Extension Protocol (XEP) for secure multi-client end-to-end encryption
  • TLS
    • Nettle is the crypto library underneath GnuTLS
    • BoringSSL from Google
    • Other libraries are coming!
  • IPsec
    • OpenIKED — IKEv2 daemon which supports non-standard Curve25519
  • ZRTP
  • Other
    • Signal Protocol — encrypted messaging protocol derivative of OTR Messaging
    • Pond — forward secure, asynchronous messaging for the discerning project in stasis
    • ZeroTier — Create flat virtual Ethernet networks of almost unlimited size
    • telehash — encrypted mesh protocol
    • Olm — A Cryptographic Ratchet
    • bubblestorm — P2P group organization protocol
    • Apple AirPlay — stream content to HDTV/speakers


  • Tor — The Onion Router anonymity network
  • GNUnet — a framework for secure peer-to-peer networking that does not use any centralized or otherwise trusted services
  • URC — an IRC style, private, security aware, open source project
  • Serval — Mesh telecommunications
  • SAFE — A new Secure way to access a world of existing apps where the security of your data is put above all else
  • Stellar (Payment Network) — low-cost, real-time transactions on a distributed ledger
  • cjdns — encrypted ipv6 mesh networking
    • Plus the Enigmabox — a Hardware cjdns router

Operating Systems

  • OpenBSD — used in OpenSSH, OpenIKED, and in CVS over SSH
  • Apple iOS — the operating system used in the iPhone, iPad, and iPod Touch
  • Android — ships with Chrome, which supports X25519 for TLS and QUIC
  • All operating systems that ship with OpenSSH 6.5+ from the OpenBSD Project


  • SC4 HSM — a fully-open USB2 HSM (hardware-secure module)


  • DNS
  • Web browsers & and clients
    • Google Chrome — for TLS and QUIC
    • Iridium — a browser securing your privacy (supports X25519 for TLS and QUIC)
    • Opera
    • VapidSSL — a TLS 1.2 client derived from BoringSSL
  • Web Servers
    • Caddy — Caddy 0.9+ supports QUIC
    • All webservers built with OpenSSL 1.1.0+
  • CurveCP related
    • CurveProtect — securing major protocols with CurveCP. Also supports DNSCurve.
    • qremote — an experimental drop-in replacement for qmail’s qmail-remote with CurveCP support
    • curvevpn — based on CurveCP
    • curvetun — a lightweight curve25519-based IP tunnel
    • spiral-swarm — easy local file transfer with curvecp [ author recommends another project ]
    • QuickTun — “probably the simplest VPN tunnel software ever”
    • jeremywohl-curvecp — “A Go CurveCP implementation I was sandboxing; non-functional.”
    • curvecp — CurveCP programs, linked with TweetNaCl and built statically with Musl libc
    • curvecp.go — Go implementation of the CurveCP protocol
    • curvecp — Automatically exported from
    • urcd — the most private, secure, open source, “Internet Relay Chat” style chat network


Introducing python-ed25519

Ed25519 is an implementation of Schnorr Signatures in a particular elliptic curve (Curve25519) that enables very high speed operations. It also has a few nice features to make the algorithm safer and easier to use.

I’ve published some MIT-licensed Python bindings to djb++’s portable C implementation of this signature scheme. They’re available here:
or easy_install ed25519


Some Highlights:

  • signing keys and verifing keys are both just 32 bytes

  • signatures are 64 bytes

  • key generation and signing each take about 2ms on my 2010 MacBookPro

  • signature verification takes about 6ms

  • 128-bit security level, comparable to AES-128, SHA256, and 3072-bit RSA

  • No entropy needed during signing (signatures are deterministic)

There are amd64-specific assembly versions that run even faster, in just a few hundred microseconds, and for bulk operations you can do batch verification faster than one-at-a-time verification. So you can perform thousands of operations per second with this algorithm (and hundreds with this particular implementation).

It’s very exciting to finally have short+fast signatures (and also, through Curve25519, key-agreement and encryption): it opens up a lot of new possibilities. When public-key encryption was first invented, keys took so long to generate that folks assumed that each human would have just one: all sorts of mental baggage was built up around this restriction (ideas like never sharing signing keys, keys representing people, and the need to distribute keys separately from fingerprints). When you can easily generate a new key for each message or object or operation, we can let go of some of those psychological fetters and build something new.

(Note that “Curve25519” uses the same basic curve equation, but only provides Diffie-Hellman key agreement [and, by extension, public-key encryption]. It can’t be used to create signatures that can be verified by third parties: for that you need Ed25519. A portable Curve25519 implementation can be found in curve25519-donna, and includes a Python binding that I wrote too).


Leave a Comment

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: