Skip to content
Switch branches/tags

Latest commit


Failed to load latest commit information.
Latest commit message
Commit time


Convert Ed25519 signing key pair into Curve25519 key pair suitable for Diffie-Hellman key exchange. This means that by exchanging only 32-byte Ed25519 public keys users can both sign and encrypt with NaCl.

Note that there's currently no proof that this is safe to do. It is safer to share both Ed25519 and Curve25519 public keys (their concatenation is 64 bytes long).

Written by Dmitry Chestnykh in 2014-2016, using public domain code from TweetNaCl.js. Public domain. No warranty.

Thanks to @CodesInChaos and @nightcracker for showing how to convert Edwards coordinates to Montgomery coordinates.

Build Status


Via NPM:

$ npm install ed2curve

or just download ed2curve.js or ed2curve.min.js and include it after TweetNaCl.js:

<script src="nacl.min.js"></script>
<script src="ed2curve.min.js"></script>


ed2curve.convertKeyPair(keyPair) -> convertedKeyPair | null

Converts the given key pair as generated by TweetNaCl.js's nacl.sign.keyPair into a key pair suitable for operations which accept key pairs generated by This function is a combination of convertPublicKey and convertSecretKey.

Returns null if the public key in the given key pair is not a valid Ed25519 public key.

ed2curve.convertPublicKey(edPublicKey) -> curvePublicKey | null

Converts a 32-byte Ed25519 public key into a 32-byte Curve25519 public key and returns it.

Returns null if the given public key in not a valid Ed25519 public key.

ed2curve.convertSecretKey(edSecretKey) -> curveSecretKey

Converts a 64-byte Ed25519 secret key (or just the first 32-byte part of it, which is the secret value) into a 32-byte Curve25519 secret key and returns it.


(Note: example uses tweetnacl-util to convert bytes)

// Generate new sign key pair.
var myKeyPair = nacl.sign.keyPair();

// Share public key with a peer.

// Receive peer's public key.
var theirPublicKey = // ... receive

// Sign a message.
var message = nacl.util.decodeUTF8('Hello!');
var signedMessage = nacl.sign(message, myKeyPair.secretKey);

// Send message to peer. They can now verify it using
// the previously shared public key (myKeyPair.publicKey).
// ...

// Receive a signed message from peer and verify it using their public key.
var theirSignedMessage = // ... receive
var theirMessage =, theirPublicKey);
if (theirMessage) {
  // ... we got the message ...

// Encrypt a message to their public key.
// But first, we need to convert our secret key and their public key
// from Ed25519 into the format accepted by Curve25519.
// Note that peers are not involved in this conversion -- all they need
// to know is the signing public key that we already shared with them.

var theirDHPublicKey = ed2curve.convertPublicKey(theirPublicKey);
var myDHSecretKey = ed2curve.convertSecretKey(myKeyPair.secretKey);

var anotherMessage = nacl.util.decodeUTF8('Keep silence');
var encryptedMessage =, nonce, theirDHPublicKey, myDHSecretKey);

// When we receive encrypted messages from peers,
// we need to use converted keys to open them.

var theirEncryptedMessage = // ... receive
var decryptedMessage =, nonce, theirDHPublicKey, myDHSecretKey);


  • Requires TweetNaCl.js
  • Works in the same enviroments as it.

Other libraries

Some other libraries that can use a single Ed/Curve25519 key:


Convert Ed25519 signing keys into Curve25519 Diffie-Hellman keys




No packages published