from Crypto.Util import number CURVE_P = (2**255 - 19) CURVE_A = 121665 def curve25519_monty(x1, z1, x2, z2, qmqp): a = (x1 + z1) * (x2 - z2) % CURVE_P b = (x1 - z1) * (x2 + z2) % CURVE_P x4 = (a + b) * (a + b) % CURVE_P e = (a - b) * (a - b) % CURVE_P z4 = e * qmqp % CURVE_P a = (x1 + z1) * (x1 + z1) % CURVE_P b = (x1 - z1) * (x1 - z1) % CURVE_P x3 = a * b % CURVE_P g = (a - b) % CURVE_P h = (a + CURVE_A * g) % CURVE_P z3 = (g * h) % CURVE_P return x3, z3, x4, z4 def curve25519_mult(n, q): nqpqx, nqpqz = q, 1 nqx, nqz = 1, 0 for i in range(255, -1, -1): if (n >> i) & 1: nqpqx,nqpqz,nqx,nqz = curve25519_monty(nqpqx, nqpqz, nqx, nqz, q) else: nqx,nqz,nqpqx,nqpqz = curve25519_monty(nqx, nqz, nqpqx, nqpqz, q) return nqx, nqz def curve25519(secret, basepoint): a = ord(secret[0]) a &= 248 b = ord(secret[31]) b &= 127 b |= 64 s = chr(a) + secret[1:-1] + chr(b) s = number.bytes_to_long(s[::-1]) basepoint = number.bytes_to_long(basepoint[::-1]) x, z = curve25519_mult(s, basepoint) zmone = number.inverse(z, CURVE_P) z = x * zmone % CURVE_P return number.long_to_bytes(z)[::-1] if __name__ == "__main__": from crypto.aeswrap import AESUnwrap from Crypto.Hash import SHA256 z="04000000080000000200000048000000000000000000000000000000000000000000000002917dc2542198edeb1078c4d1ebab74d9ca87890657ba02b9825dadf20a002f44360c6f87743fac0236df1f9eedbea801e31677aef3a09adfb4e10a37ae27facf419ab3ea3f39f4".decode("hex") mysecret = "99b66345829d8c05041eea1ba1ed5b2984c3e5ec7a756ef053473c7f22b49f14".decode("hex") mypublic = "b1c652786697a5feef36a56f36fde524a21193f4e563627977ab515f600fdb3a".decode("hex") hispublic = z[36:36+32] #c4d9fe462a2ebbf0745195ce7dc5e8b49947bbd5b42da74175d5f8125b44582b shared = curve25519(mysecret, hispublic) print shared.encode("hex") h = SHA256.new() h.update('\x00\x00\x00\x01') h.update(shared) h.update(hispublic) h.update(mypublic) md = h.digest() #e442c81b91ea876d3cf42d3aea75f4b0c3f90f9fd045e1f5784b91260f3bdc9c print AESUnwrap(md, z[32+36:]).encode("hex")