Curve25519 is very popular when you’re dealing with modern software that uses Elliptic-curve cryptography. A lot of protocols use it, so a lot of programs end up benefiting from supporting it.
But all of the documentation for it is written by using Curve25519 as a Montgomery curve. This is a pain, because a lot of other curves are specified as Weierstrass curves. If you already have code for handling those, you don’t always want to bother writing code for other kinds of curves.
Well, good news. These curve forms can be converted to one another. Wikipedia has a helpful section about converting Montgomery curves to Weierstrass curves. Let’s go through it step by step, and get ourselves all the constants and helpers to use Curve25519 if all we have is code that can use Weierstrass curves.
You don’t need to go through the steps just to use Curve25519. Feel free to just grab the final values.
First of all, the constants P and BASE are the same in both forms.
In code, these can be written as:
P = 57896044618658097711785492504343953926634992332820282019728792003956564819949
# or
P = 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed
BASE = 9
I am including both decimal and hexadecimal formats here, because in the past I’ve found useful pages by searching the web for these constants.
As a quick reminder, a Montgomery curve looks like this.
By^2 = x^3 + Ax^2 + x
For Curve25519, A is 486662 and B is 1. So the formula becomes:
y^2 = x^3 + 486662x^2 + x
In comparison, a Weierstrass curve has the following format.
y^2 = x^3 + Ax + B
To refer to A and B in the Montgomery and Weierstrass forms, I’ll refer to them as M_A, M_B, W_A and W_B.
The Wikipedia page tells us that
W_A = \frac{3 - {M_A}^2}{3 {M_B}^2}
Applying this formula to our M_A and M_B values gives us the following W_A.
WA = 19298681539552699237261830834781317975544997444273427339909597334573241639236
# or
WA = 0x2aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa984914a144
Let’s do the same for W_B. Wikipedia says
W_B = \frac{2{M_A}^3 - 9{M_A}}{27{M_B}^3}
Applying this to our M_A and M_B gives us the following W_B.
WB = 55751746669818908907645289078257140818241103727901012315294400837956729358436
# or
WB = 0x7b425ed097b425ed097b425ed097b425ed097b425ed097b4260b5e9c7710c864