Ed25519 to Curve25519 Key Converter
Convert Ed25519 signing keys to Curve25519 Diffie-Hellman keys online. Supports public and secret key conversion with full field arithmetic.
About
Ed25519 and Curve25519 share the same underlying finite field GF(2255 โ 19) but operate on birationally equivalent curves. Ed25519 uses a twisted Edwards curve for signatures. Curve25519 uses a Montgomery curve for Diffie-Hellman key exchange. Converting between them avoids distributing two separate public keys (saving 32 bytes), but no formal proof exists that reusing a single keypair across both protocols is universally safe. This tool performs the birational map on public keys and the SHA-512 clamping procedure on secret keys entirely client-side. No key material leaves your browser. The field arithmetic implements the full TweetNaCl limb representation with 16-element integer arrays and modular inversion via Fermat's little theorem.
Incorrect key conversion breaks encryption silently. A single flipped bit in the field inversion produces a valid-looking but wrong Curve25519 key, meaning messages encrypted to it are irrecoverable. This tool validates Ed25519 point decompression and rejects keys that do not lie on the curve. It handles the edge case where the input y-coordinate yields a non-square x2, returning an explicit error rather than garbage output. The conversion is compatible with libsodium, TweetNaCl, and agl/extra25519 implementations.
Formulas
The public key conversion decompresses the Ed25519 point and applies the Edwards-to-Montgomery birational equivalence.
Given compressed Ed25519 public key encoding y with sign bit s, recover x:
x2 = y2 โ 1d โ y2 + 1
where d = โ121665121666 โ GF(p)
Square root via x = (x2)p + 38 with conditional multiply by โโ1
Then the Montgomery u-coordinate:
u = 1 + y1 โ y โ GF(p)
The secret key conversion applies SHA-512 hashing followed by bit clamping.
h = SHA512(seed[0..31])
h[0] = h[0] โง 248
h[31] = h[31] โง 127
h[31] = h[31] โจ 64
curveSecretKey = h[0..31]
Where p = 2255 โ 19, seed is the first 32 bytes of the Ed25519 secret key, y is the decoded Edwards y-coordinate from the compressed public key, d is the Edwards curve constant, and u is the resulting Curve25519 u-coordinate (the output public key).
Reference Data
| Property | Ed25519 (Edwards) | Curve25519 (Montgomery) |
|---|---|---|
| Curve type | Twisted Edwards | Montgomery |
| Equation | โx2 + y2 = 1 + dx2y2 | v2 = u3 + 486662u2 + u |
| Field prime p | 2255 โ 19 | |
| Group order | 2252 + 27742317777372353535851937790883648493 | |
| Cofactor | 8 | |
| Key size (public) | 32 bytes | 32 bytes |
| Key size (secret) | 64 bytes (seed + pub) | 32 bytes |
| Primary use | Digital signatures | Key exchange (ECDH) |
| Coordinate system | Extended (x, y) | Montgomery u-coordinate |
| Compressed point encoding | y-coord + sign bit of x | u-coord (little-endian) |
| Constant d | โ121665 รท 121666 | N/A |
| Birational map (pub) | u = (1 + y) โ (1 โ y)โ1 | |
| Secret key transform | SHA-512 of seed, take first 32 bytes, clamp | |
| Clamping (secret) | Clear bits 0,1,2; clear bit 255; set bit 254 | |
| Compatible libraries | TweetNaCl, libsodium, agl/extra25519, Chaos.NaCl | |
| Incompatible approach | trevp/curve_sigs (converts opposite direction, stores sign bit in signature) | |
| Security caveat | No formal proof of cross-protocol safety exists | |
| Standard reference | RFC 8032 | RFC 7748 |