Things that use Curve25519

14 Feb

Here’s a list of protocols and software that use or support the superfast, super secure Curve25519 ECDH function from Dan Bernstein. Note that Curve25519 ECDH should be referred to as X25519.

You may also be interested in this list of Ed25519 deployment.

This page is divided by Protocols, Networks, Operating Systems, Software, TLS Libraries, Libraries,Miscellaneous, Timeline notes, and Support coming soon.


  • DNS
    • DNSCurve — encrypted DNS between a resolver and authoritative server
    • DNSCrypt — encrypted DNS between a client and a resolver
  • Transport
    • CurveCP — a secure transport protocol
    • QUIC — a secure transport protocol
    • ZeroMQ — a secure transport protocol
    • Nitro — a library for painlessly writing scalable, fast, and secure message-passing network applications
    • lodp — Lightweight Obfuscated Datagram Protocol
    • RAET — (Reliable Asynchronous Event Transport) Protocol
    • SSH, thanks to the non-standard key exchange from the libssh team, adopted by OpenSSH and tinyssh
  • TLS
    • Nettle is the crypto library underneath GnuTLS
    • BoringSSL from Google
    • Other libraries are coming!
  • IPsec
    • OpenIKED — IKEv2 daemon which supports non-standard Curve25519
  • ZRTP
  • Other
    • TextSecure — encrypted messaging protocol derivative of OTR Messaging
    • Pond — forward secure, asynchronous messaging for the discerning
    • ZeroTier — Create flat virtual Ethernet networks of almost unlimited size
    • telehash — encrypted mesh protocol
    • bubblestorm — P2P group organization protocol
    • Apple AirPlay — stream content to HDTV/speakers


  • Tor — The Onion Router anonymity network
  • GNUnet — a framework for secure peer-to-peer networking that does not use any centralized or otherwise trusted services
  • URC — an IRC style, private, security aware, open source project
  • Serval — Mesh telecommunications
  • cjdns — encrypted ipv6 mesh networking
    • Plus the Enigmabox — a Hardware cjdns router

Operating Systems

  • OpenBSD — used in OpenSSH, OpenIKED, and in CVS over SSH
  • Apple iOS — the operating system used in the iPhone, iPad, and iPod Touch
  • Android — ships with Chrome, which uses Curve25519 in QUIC
  • Cyanogenmod — version 11+ ships with TextSecure
  • All operating systems that ship with OpenSSH 6.5+ from the OpenBSD Project


  • DNS
  • Web browsers
  • CurveCP related
    • CurveProtect — securing major protocols with CurveCP. Also supports DNSCurve.
    • qremote — an experimental drop-in replacement for qmail’s qmail-remote with CurveCP support
    • curvetun — a lightweight curve25519-based IP tunnel
    • spiral-swarm — easy local file transfer with curvecp [ author recommends another project ]
    • QuickTun — “probably the simplest VPN tunnel software ever”
    • jeremywohl-curvecp — “A Go CurveCP implementation I was sandboxing; non-functional.”
    • curvecp.go — Go implementation of the CurveCP protocol
    • curvecp — Automatically exported from
    • urcd — the most private, secure, open source, “Internet Relay Chat” style chat network
  • MinimaLT related (all Pre-Alpha, not production ready, please contribute!)
    • The MinimaLT authors will soon release beta code. But some people are so excited about the protocol that they’ve written approximations based on published descriptions of it. Since I’m excited about MinimaLT as well, and since it shows serious public interest, I’m listing the following here.
    • mltpipepy — spiped style tunnel for the MinimaLT protocol implemented in Python 3
    • nimbus-network-minimalt — C implementation of MinimaLT
    • MinimaLT-experimental — an approximation of the MinimaLT protocol, in javascript
    • safeweb — Proposition of a faster and more secure Web (MinimaLT + DNSNMC)
    • Github lists something called “minimalt-go” by nimbus-network. It’s not MinimaLT! At a glance it uses the NSA/NIST curve P-256, and AES. Not X25519 and Salsa20 like MinimaLT.
  • Tox Software
    • Tox — Free, secure, Skype alternative
    • toxcore — an easy to use, all-in-one communication platform
    • uTox — Lightweight Tox client
    • qTox — Powerful Tox client that follows the Tox design guidelines
    • Toxy — Metro-style tox client for Windows
    • CzeTox — School project: Tox client in Qt (alpha code)
    • OneTox — Tox client for the Universal Windows Platform
    • toxcore-vs — All necessary libs to build static toxcore using Visual Studio 2013
    • toxic — CLI Tox client
  • SSH Software
    • OpenSSH — Secure Shell from the OpenBSD project
    • TinySSH — a small SSH server with state-of-the-art cryptography
    • Win32-OpenSSH — Win32 port of OpenSSH
    • asyncssh — an asynchronous SSH2 client and server atop asyncio
    • pssht — SSH server written in PHP
    • SmartFTP — an FTP, SSH, SFTP client
    • Dropbear — an SSH server and client
    • Tera Term — SSH client for Windows
  • Other Software
    • Tor — The Onion Router
    • TextSecure — secure text messaging
    • OpenIKED — IKEv2 daemon for IPsec, from the OpenBSD project
    • WhatsAppnot all platforms implement X25519! To be safe, use TextSecure
    • Signal Desktop — Signal Private Messenger for the Desktop
    • Signal — Free, world-wide, private messaging and phone calls for iPhone
    • textsecure-go — TextSecure client package for Go
    • tweetnacl-tools — Tools for using TweetNaCl
    • haskell-tor — A Haskell implementation of the Tor protocol
    • Secrete — ECIES implementation with Curve25519
    • Tinfoil Chat NaCl — a high assurance encryption plugin for Pidgin IM
    • vcrypt — Toolkit for multi-factor, multi-role encryption
    • KinomaJS — A JavaScript runtime optimized for the applications that power IoT devices
    • srlog2 — Secure Remote Log Transmission System
    • encryptify — encryptify encrypts files
    • gobox — Trivial CLI wrapper around go.crypto/nacl/box
    • zkm — Zero Knowledge Messaging
    • qabel-core — Implementation of Qabel-Core in Java
    • Rubinius Language Platform — a modern language platform that supports a number of programming languages
    • servertail — quickly and easily see real time output of log files on your servers
    • cryptomirror — explores ways to make crypto user-friendly in non-crypto friendly environments
    • couch-box — Asymmetric encrypted CouchDB documents, powered by NaCl’s curve25519-xsalsa20-poly1305
    • saltcellar — libsodium based file encryption
    • SQRL — Secure Quick Reliable Login
    • curve-keygen — a utility to generate Curve25519 keypairs
    • confidential-publishing — Code for “A decentralized approach to publish confidential data”
    • cryptutils — Various crypto utilties based on a common NaCl/Ed25519 core
    • SMSSecure — fork of TextSecure which adds encrypted SMS support
    • gr-nacl — GNU Radio module for data encryption using NaCl library
    • up — sending a file from one computer to another using the nacl library
    • quicbench — HTTP/QUIC load test and benchmark tool
    • session25519 — Derive curve25519 key pair from email/password via scrypt
    • Bleep — Private instant messaging via secure, distributed technology
    • pcp — Pretty Curved Privacy
    • opake — Messaging with in-browser encryption using curve25519
    • CurvedSalsa — encrypt/decrypt files with Salsa20 & Curve25519
    • asignify — Yet another signify tool
    • nymphemeral — an ephemeral nymserver GUI client
    • hs-noise — encrypted networking in Haskell
    • CPGB — Curve Privacy Guard B, a secure replacement for GPG using ECC
    • SigmaVPN — simple, light-weight and modular VPN software for UNIX systems
    • fastd — Fast and Secure Tunneling Daemon
    • Simply Good Privacy — PGP-like system without web of trust
    • PoSH-Sodium — Powershell module to wrap libsodium-net methods
    • midgetpack — a multiplatform secure ELF packer
    • dhbitty — a small public key encryption program written in C
    • Threema — encrypted messaging app (closed source)
    • tappet — a tiny encrypted UDP tunnel using TweetNaCl
    • Osteria — secure point-to-point messenger
    • mcrypt — Message Crypto – Encrypt and sign individual messages
    • chdkripto — CHDK firmware – crypto modules (work in progress)
    • CurveLock — message and file encryption for Windows
    • Securecom Text — a messaging app for easy private communication with friends
    • srndv2 — some random news daemon (version 2)
    • GoVPN — simple high-performance secure VPN using DH-EKE
    • Core Secret — Secure secret sharing between Bluetooth Low Energy peers on iOS
    • AxolotlKit — a free implementation of the Axolotl protocol
    • pyaxo — A python implementation of the Axolotl ratchet protocol
    • reop — reasonable expectation of privacy
    • SUPERCOP — a cryptographic benchmarking suite

TLS Libraries

  • BoringSSL
  • Others coming soon, which is next?!



  • Dan Bernstein: “An attacker who spends a billion dollars on special-purpose chips to attack Curve25519, using the best attacks available today, has about 1 chance in 1000000000000000000000000000 of breaking Curve25519 after a year of computation.”
  • Dmitry Chestnykh: “You can write a program to generate Curve25519 private key faster than PGP generates its private key.”
  • Adam Langley: “Of the concrete implementations of Diffie-Hellman, curve25519 is the fastest, common one. There are some faster primitives in eBACS, but the ones that are significantly faster are also significantly weaker.”
  • Matthew Green: “Any potential ‘up my sleeve’ number should be looked at with derision and thoroughly examined (Schneier thinks that the suggested NIST ECC curves are probably compromised by NSA using ‘up my sleeve’ constants). This is why I think we all should embrace DJB’s curve25519.”
  • Frederic Jacobs: “It’s incredible to realize that the TextSecure protocol enabled the largest end-to-end encrypted messaging deployement in history.”
  • GnuPG: “For many people the NIST and also the Brainpool curves have an doubtful origin and thus the plan for GnuPG is to use Bernstein’s Curve 25519 as default. GnuPG 2.1.0 already comes with support for signing keys using the Ed25519 variant of this curve. This has not yet been standardized by the IETF (i.e. there is no RFC) but we won’t wait any longer and go ahead using the proposed format for this signing algorithm.”
  • Ian Grigg: “In the past, things like TLS, PGP, IPSec and others encouraged you to slice and dice the various algorithms as a sort of alphabet soup mix. Disaster. What we got for that favour was code bloat, insecurity at the edges, continual arguments as to what is good & bad, focus on numbers & acronyms, distraction from user security, entire projects that rate your skills in cryptoscrabble, committeeitus, upgrade nightmares, pontification … Cryptoplumbing shouldn’t be like eating spagetti soup with a toothpick. There should be One Cipher Suite and that should do for everyone, everytime. There should be no way for users to stuff things up by tweaking a dial they read about in some slashdot tweakabit article while on the train to work… Picking curve25519xsalsa20poly1305 is good enough for that One True CipherSuite motive alone… It’s an innovation! Adopt it.”
  • wolfSSL: “Curve25519 so far is destroying the key agreement and generation benchmarks of previous curves, putting up numbers for both key agreement and generation that are on average 86 percent faster than those of NIST curves.”
  • Adam Langley: “Current ECDSA deployments involve an ECDSA key in an X.509 certificate and ephemeral, ECDHE keys being generated by the server as needed. These ephemeral keys are signed by the ECDSA key. A similar design would have an Ed25519 key in the X.509 certificate and curve25519 used for ECDHE. I don’t believe there’s anything needed to get that working save for switching out the algorithms.”

Timeline notes

X25519 support coming soon!

  • MinimaLT — A super fast, super secure transport protocol
  • TLS — Transport Layer Security
  • Ethos — An operating system to make it far easier to write applications that withstand attack
  • wolfSSL — for use in TLS
  • Microsoft TLS
  • dnsdist — a highly DNS-, DoS- and abuse-aware loadbalancer (adding DNSCrypt support)
  • curvecp-javascript — CurveCP protocol implementation in pure Javascript
  • php71_crypto — Pluggable Cryptography Interface for PHP 7.1
  • jc_curve25519 — Javacard implementation of Curve25519 (prototype, work-in-progress)
  • ConnectBot — the first SSH client for Android
  • sshlib — ConnectBot’s SSH library
  • Cyberduck — Libre FTP, SFTP, WebDAV, S3, Azure & OpenStack Swift browser for Mac and Windows
  • djbdnscurve6 — dnscache with DNSCurve & IPv6 support
  • JackPair — secure your voice phone calls against wiretapping
  • PuTTY — A Free Telnet/SSH Client
  • cjdrs — cjdns implementation in Rust
  • freepass — “TODO SQRL”
  • molch — An implementation of the axolotl ratchet based on libsodium
  • libsodium-laravel — Laravel integration for lib sodium
  • mute — secure messaging (currently in alpha release)
  • Tahoe-LAFS — Free and Open cloud storage system
  • Cloudflare“once QUIC makes the move from experimental to beta we’ll be sure to make it available for our customers.”
  • gospdyquic — SPDY/QUIC support for Go
  • Tox.NET — WIP reimplementation of Tox in C#
  • opt-cryptobox — Optimized cryptobox self-contained library
  • goquic — QUIC support for Go
  • SC4 — Strong Crypto for Mere Mortals
  • End-To-End — a Chrome extension that helps you encrypt, decrypt, digital sign, and verify signed messages within the browser using OpenPGP
  • Yahoo End-To-End — Use OpenPGP encryption in Yahoo mail.
  • TextSecure-Browser — TextSecure as a Chrome Extension
  • curve_tun — TCP tunnels secured by Curve25519
  • Dust — A Blocking-Resistant Internet Transport Protocol
  • Twisted Python SSH — event-driven Python
  • pouch-box — Asymmetric encrypted PouchDB, powered by NaCl’s curve25519-xsalsa20-poly1305
  • Blight — a Tox client written in Racket that utilizes libtoxcore-racket
  • GnuPG — end-to-end encrypted email. Note: Alternatives like reop support Curve25519 now.
  • Noise — a secure transport protocol.
  • BitTorrent Live — uses crypto_box from NaCl
  • strongSwan — IPsec for Linux
  • TextSecureKit — a boilerplate for Mac & iOS apps
  • libopenssh — turn OpenSSH into a library



One Response to “Things that use Curve25519”

  1. Reggie Norrid July 22, 2018 at 9:06 am #

    Got the subscription of a, supposedly premium, VPN service last September and since then I have had issues with its desktop client. Whenever I update the app, an error pops up which I am not too sure about, but after that the client doesn’t run. I talked with the support and they took 10 hours to respond and when they did, they asked me to reinstall the app and then update. Tried that and again the same issue. Through updates worked fine on my android phone. They said there may be a problem in their app, so they will look into it. A whole month passed and didn’t hear from them. i changed it with FastestVPN a couple of months back and really happy with their desktop client, no server connection issues, no client issues.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: