To download and unpack the latest version of lib25519:

wget -m https://lib25519.cr.yp.to/lib25519-latest-version.txt
version=$(cat lib25519.cr.yp.to/lib25519-latest-version.txt)
wget -m https://lib25519.cr.yp.to/lib25519-$version.tar.gz
tar -xzf lib25519.cr.yp.to/lib25519-$version.tar.gz
cd lib25519-$version

Then install.

Archives and changelog (reverse chronological)

lib25519-20260614.tar.gz browse

Add many new and improved arm64 implementations.

Support bignum_inv_p25519 in use-s2n-bignum.

Remove use of rodata for the nG tables in use-s2n-bignum. Teach checkinsns how to skip nG tables at the end of a code section.

Add --prioritizeverified option.

Upgrade to cryptoint 20250414. Make more use of cryptoint, as in SUPERCOP.

Replace shrq %rcx,%rbx with shrq %cl,%rbx for portability to more assemblers.

Support Python 3.14 in fulltest, copying djbsort patch supplied by Georg Sauthoff.

Copy checkinsns improvements, checknamespace improvements, and hostsanitize improvements from libmceliece.

Add initial support for $CROSS and $DESTDIR.

Add initial tweaks for Fil-C support. (But Fil-C is starting to add support for inline assembly so some of these tweaks can disappear later.)

Include auto-generator for compilers/*.

Speed comparison: Bump to current versions of OpenSSL and s2n-bignum. Add a few more microarchitectures. Pin benchmarks to core 0 to avoid questions about big-little CPUs.

Change HTML style, in particular for better usability on phones.

lib25519-20241004.tar.gz browse

Announce latest version on front page.

Upgrade to cryptoint 20241003.

Use the cryptoint big-endian load/store functions in various SHA-512 functions. In particular, this ports wflip to big-endian CPUs; thanks to Jan Mojzis for pointing out the portability issue.

Include crypto_declassify.h for non-valgrind builds, and include crypto_asm_rodata.h for default builds. Thanks to Jan Mojzis.

Align constants in crypto_nP/montgomery25519/amd64-avx512-8x1-ns10l-maax/shared-consts.c.

lib25519-20240928.tar.gz browse

Add mGnP/ed25519/arm64-maa4-{int,red}mul.

Add multiscalar/ed25519/amd64-{maa4,maax,mxaa}-opt, multiscalar/ed25519/amd64-{maa4,maax,mxaa}-p3-opt, multiscalar/ed25519/arm64-maa4-{int,red}mul, multiscalar/ed25519/arm64-maa4-{int,red}mul-p3.

Use nsquare more in fe25519_pow2523.c.

Replace fe25519_cmov.c with fe25519_cmov.S.

Speed up double_scalarmult, arm64-maa4-{int,red}mul/mladder.S, arm64-maa4-{int,red}mul/fe25519_nsquare.S, arm64-maa4-{int,red}mul/ge25519_base.S.

Switch speed measurements from medians to interquartile means.

Upgrade from inttypes to cryptoint 20240806, and use cryptoint more systematically.

Support valgrind in lib25519-test, with help from configure.

Split command/lib25519-test.c into multiple .c files.

Support finer-grained command-line splits in lib25519-test. Add lib25519-fulltest. Document lib25519-fulltest as being required for support.

Move some entries not supported by valgrind from compilers to skipcompilers.

Rename --no as --no-.

Rename ALIGN as CRYPTO_ALIGN. Systematically use CRYPTO_ALIGN.

Use hidden visibility for crypto_* symbols. Use ASM_HIDDEN in more .S files.

Use .note.GNU-stack more.

Handle checkinsns etc. on shared directories.

Move cat result-impl to default for better visibility.

Recognize sun4v as sparc64.

For donna_c64: Change uint128_t to my_uint128_t; switch from mode TI to unsigned __int128; import load/store fixes from upstream; compile only for 64-bit architectures.

Handle implarchreq better in configure.

Make dispatch/ifunc.do work with configure --noclean.

Add note.GNU-stack to assembly.

Sort directory order in scripts-build/ofiles. Thanks to Jan Mojzis.

For use-s2n-bignum, insist locally on precomputed SHA-256 checksums.

lib25519-20240321.tar.gz browse

Add ./use-s2n-bignum compile-time option, along with lib25519+s2n benchmarks and separate s2n-bignum benchmarks.

Speed up amd64-{maa4,maax,mxaa} for nP, nG, mGnP. Add amd64-avx512-8x1-ns10l-maax for nP.

Add initial code for 64-bit ARM.

MacOS X port: dylib; deal with s and S in checknamespace; use -flat_namespace so lib25519-test can substitute randombytes; add crypto_asm_rodata.h abstraction; expand #define for assembly to eliminate semicolons.

Add benchmarks for more platforms.

Support empty compiler lists.

Improve selection for Zen 2, Zen 3, and Golden Cove.

Add background colors to speed table.

Improve HTML formatting for code.

Add NGI0 information.

lib25519-20230630.tar.gz browse

Add powbatch, nPbatch, and multiscalar APIs with various implementations for basic amd64, BMI, ADX, AVX2, and AVX-512, plus portable implementations.

Include benchmarks on more microarchitectures. Add auto-generated table in documentation summarizing speeds, with OpenSSL speeds as a baseline for comparison.

For compatibility with musl etc., support constructor as an alternative to ifunc for dispatch. Select constructor automatically if an ifunc compile-time test fails, or if --notryifunc is passed to ./configure.

Add command-line interface for shell scripts.

Rely on separate libcpucycles to automatically use RDPMC etc., and separate librandombytes to automatically use getrandom etc.

Reorganize documentation into doc/*.md directory, with auto-generation of HTML and manual pages.

Inside auto-generation of command/lib25519-test.c, automatically cache Python computations of nP etc.

Reorganize precomputed tests to handle APIs with variable-length inputs and outputs.

Import infrastructure improvements from libmceliece.

lib25519-20221222.tar.gz browse

lib25519-20220726.tar.gz browse

lib25519-20220426.tar.gz browse

---

Version: This is version 2026.06.14 of the "Download" web page.