This contains a collection of pure-python functions to implement Curve25519-based cryptography, including:

• Diffie-Hellman Key Agreement
• Ed25519 digital signatures
• SPAKE2 Password Authenticated Key Agreement

You almost certainly want to use pynacl or python-ed25519 instead, which are python bindings to djb's C implementations of Curve25519/Ed25519 (and the rest of the NaCl suite).

Bad things about this module:

• much slower than C
• not written by djb, so probably horribly buggy and insecure
• very much not constant-time: leaks hamming weights like crazy

Good things about this module:

• can be used without a C compiler
• compatible with python2 and python3
• exposes enough point math (addition and scalarmult) to implement SPAKE2

The pure-python functions are considerably slower than their pynacl (libsodium) equivalents, using python-2.7.9 on my 2.6GHz Core-i7:

This library is conservative, and performs full subgroup-membership checks on decoded points, which adds considerable overhead. The Curve25519/Ed25519 algorithms were designed to not require these checks, so a careful application might be able to improve on this slightly (Ed25519 verify down to 6.2ms, DH-finish to 3.2ms).

The sample Diffie-Hellman key-agreement code in dh.py is not actually Curve25519: it uses the Ed25519 curve, which is sufficiently similar for security purposes, but won't interoperate with a proper Curve25519 implementation. It is included just to exercise the API and obtain a comparable performance number.

The Ed25519 implementation should be compatible with other versions, and includes the known-answer-tests from https://ed25519.cr.yp.to/software.html to confirm this.

The SPAKE2 implementation is new, and there's nothing else for it to interoperate with yet.

This code is adapted and modified from a number of original sources, including:

• https://bitbucket.org/dholth/ed25519ll
• https://ed25519.cr.yp.to/python/ed25519.py
• https://ed25519.cr.yp.to/software.html
• https://www.hyperelliptic.org/EFD/g1p/auto-twisted-extended-1.html

Many thanks to Ron Garret, Daniel Holth, and Matthew Dempsky.

This software is released under the MIT license.