Randomized forward-secure Curve25519-AES256-CTR-HMAC-SHA512 for Pythonista
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.




An authenticated encryption mode. Works on Pythonista without installing any additional modules. (Pythonista includes, but does not document, the PyCrypto module.) To use with Python, do

pip install -r requirements.txt

To generate a keypair for yourself, do


Send k_curve25519.pub to whomever you want to message you.

To encrypt a message to a recipient, do

encrypt(recipient_public_key, 'message')

To decrypt a message encrypted under your public key, using a key saved in a keyfile, do


The public keys are just plain base64 files.

Encryption mode summary

Uses elliptic-curve Diffie-Hellman key exchange on djb's Curve25519, AES-256 in CTR mode, and HMAC-SHA512 over the encrypted message. The encryption and authentication keys are derived using a random nonce and the ECDH shared-secret. HMAC-SHA512 is used as the key-derivation-function.

This provides nonceless deniable encryption. Note that it leaks message length. This will be changed in a future version; a padding byte is included, so messages using this version are future-compatible.

The Curve25519 implementation in pure Python is directly adapted from djb's naclcrypto-20090310 spec.

(The Montgomery ladder routine has been converted to imperative form to avoid running out of stack-space on some Pythonista builds.)

encrypt generates an ephemeral keypair, derives an AES key and an HMAC key, and encrypts and authenticates a message.