diff --git a/core/SConscript.firmware b/core/SConscript.firmware
index fa38b8b80d..629341eaf2 100644
--- a/core/SConscript.firmware
+++ b/core/SConscript.firmware
@@ -121,6 +121,7 @@ SOURCE_MOD += [
     'vendor/trezor-crypto/ed25519-donna/ed25519-sha3.c',
     'vendor/trezor-crypto/ed25519-donna/ed25519.c',
     'vendor/trezor-crypto/ed25519-donna/modm-donna-32bit.c',
+    'vendor/trezor-crypto/elligator2.c',
     'vendor/trezor-crypto/groestl.c',
     'vendor/trezor-crypto/hasher.c',
     'vendor/trezor-crypto/hmac.c',
diff --git a/core/SConscript.unix b/core/SConscript.unix
index 4a8bb342ef..5cb787d956 100644
--- a/core/SConscript.unix
+++ b/core/SConscript.unix
@@ -122,6 +122,7 @@ SOURCE_MOD += [
     'vendor/trezor-crypto/ed25519-donna/ed25519-sha3.c',
     'vendor/trezor-crypto/ed25519-donna/ed25519.c',
     'vendor/trezor-crypto/ed25519-donna/modm-donna-32bit.c',
+    'vendor/trezor-crypto/elligator2.c',
     'vendor/trezor-crypto/groestl.c',
     'vendor/trezor-crypto/hasher.c',
     'vendor/trezor-crypto/hmac.c',
diff --git a/core/embed/extmod/modtrezorcrypto/modtrezorcrypto-elligator2.h b/core/embed/extmod/modtrezorcrypto/modtrezorcrypto-elligator2.h
new file mode 100644
index 0000000000..8bbfd7910d
--- /dev/null
+++ b/core/embed/extmod/modtrezorcrypto/modtrezorcrypto-elligator2.h
@@ -0,0 +1,64 @@
+/*
+ * This file is part of the Trezor project, https://trezor.io/
+ *
+ * Copyright (c) SatoshiLabs
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "py/objstr.h"
+
+#include "embed/extmod/trezorobj.h"
+
+#include "elligator2.h"
+
+/// package: trezorcrypto.elligator2
+
+/// def map_to_curve25519(input: bytes) -> bytes:
+///     """
+///     Maps a 32-byte input to a curve25519 point.
+///     """
+mp_obj_t mod_trezorcrypto_elligator2_map_to_curve25519(mp_obj_t input) {
+  mp_buffer_info_t input_buffer_info = {0};
+  mp_get_buffer_raise(input, &input_buffer_info, MP_BUFFER_READ);
+  if (input_buffer_info.len != 32) {
+    mp_raise_ValueError("Invalid input length");
+  }
+
+  vstr_t output_vstr = {0};
+  vstr_init_len(&output_vstr, 32);
+  int res = map_to_curve_elligator2_curve25519(input_buffer_info.buf,
+                                               (uint8_t *)output_vstr.buf);
+  if (res != true) {
+    mp_raise_ValueError(NULL);
+  }
+
+  return mp_obj_new_str_from_vstr(&mp_type_bytes, &output_vstr);
+}
+STATIC MP_DEFINE_CONST_FUN_OBJ_1(
+    mod_trezorcrypto_elligator2_map_to_curve25519_obj,
+    mod_trezorcrypto_elligator2_map_to_curve25519);
+
+STATIC const mp_rom_map_elem_t mod_trezorcrypto_elligator2_globals_table[] = {
+    {MP_ROM_QSTR(MP_QSTR___name__), MP_ROM_QSTR(MP_QSTR_elligator2)},
+    {MP_ROM_QSTR(MP_QSTR_map_to_curve25519),
+     MP_ROM_PTR(&mod_trezorcrypto_elligator2_map_to_curve25519_obj)},
+};
+STATIC MP_DEFINE_CONST_DICT(mod_trezorcrypto_elligator2_globals,
+                            mod_trezorcrypto_elligator2_globals_table);
+
+STATIC const mp_obj_module_t mod_trezorcrypto_elligator2_module = {
+    .base = {&mp_type_module},
+    .globals = (mp_obj_dict_t *)&mod_trezorcrypto_elligator2_globals,
+};
diff --git a/core/embed/extmod/modtrezorcrypto/modtrezorcrypto.c b/core/embed/extmod/modtrezorcrypto/modtrezorcrypto.c
index ebd9ce34a0..8d4c2d02fa 100644
--- a/core/embed/extmod/modtrezorcrypto/modtrezorcrypto.c
+++ b/core/embed/extmod/modtrezorcrypto/modtrezorcrypto.c
@@ -55,6 +55,7 @@ static void wrapped_ui_wait_callback(uint32_t current, uint32_t total) {
 #include "modtrezorcrypto-crc.h"
 #include "modtrezorcrypto-curve25519.h"
 #include "modtrezorcrypto-ed25519.h"
+#include "modtrezorcrypto-elligator2.h"
 #include "modtrezorcrypto-groestl.h"
 #include "modtrezorcrypto-hmac.h"
 #include "modtrezorcrypto-nist256p1.h"
@@ -102,6 +103,8 @@ STATIC const mp_rom_map_elem_t mp_module_trezorcrypto_globals_table[] = {
      MP_ROM_PTR(&mod_trezorcrypto_curve25519_module)},
     {MP_ROM_QSTR(MP_QSTR_ed25519),
      MP_ROM_PTR(&mod_trezorcrypto_ed25519_module)},
+    {MP_ROM_QSTR(MP_QSTR_elligator2),
+     MP_ROM_PTR(&mod_trezorcrypto_elligator2_module)},
 #if !BITCOIN_ONLY
     {MP_ROM_QSTR(MP_QSTR_monero), MP_ROM_PTR(&mod_trezorcrypto_monero_module)},
 #endif
diff --git a/core/mocks/generated/trezorcrypto/elligator2.pyi b/core/mocks/generated/trezorcrypto/elligator2.pyi
new file mode 100644
index 0000000000..c1e1bae8da
--- /dev/null
+++ b/core/mocks/generated/trezorcrypto/elligator2.pyi
@@ -0,0 +1,8 @@
+from typing import *
+
+
+# extmod/modtrezorcrypto/modtrezorcrypto-elligator2.h
+def map_to_curve25519(input: bytes) -> bytes:
+    """
+    Maps a 32-byte input to a curve25519 point.
+    """
diff --git a/core/src/trezor/crypto/__init__.py b/core/src/trezor/crypto/__init__.py
index 2c7b0cd045..c08024842f 100644
--- a/core/src/trezor/crypto/__init__.py
+++ b/core/src/trezor/crypto/__init__.py
@@ -4,6 +4,7 @@ from trezorcrypto import (  # noqa: F401
     bip39,
     chacha20poly1305,
     crc,
+    elligator2,
     hmac,
     pbkdf2,
     random,