Generated by GPT-5-mini

| Ed25519 | |
|---|---|
| Name | Ed25519 |
| Type | Digital signature algorithm |
| Designers | Daniel J. Bernstein, Tanja Lange, Peter Schwabe, Niels Duif |
| Introduced | 2011 |
| Based on | Twisted Edwards curve, Curve25519 |
| Key size | 256 bits (public key) |
| Signature size | 64 bytes |
| License | Various (open-source implementations) |

Ed25519 is a public-key digital signature scheme widely used for high-performance cryptography. It was introduced by Daniel J. Bernstein and collaborators as a fast, secure signature system built on an elliptic curve, and quickly gained adoption across software from OpenSSH to Signal, and in standards bodies such as the Internet Engineering Task Force and the FIDO Alliance. Its design emphasizes resilience against implementation pitfalls that affected earlier schemes used by projects like PGP and SSL.
Ed25519 is an instance of the Edwards-curve Digital Signature Algorithm (EdDSA) instantiated over the Curve25519 curve parameters developed in research by Daniel J. Bernstein and colleagues. The algorithm produces 64-byte signatures and 32-byte public keys, aiming to replace legacy schemes such as RSA and DSA in applications like OpenSSH, GnuPG, Tor, and WireGuard. Major vendors and projects including Google, Microsoft, Apple Inc., and Mozilla have incorporated Ed25519 into products and libraries alongside standards work by IETF working groups and influence from cryptographers at institutions such as Technische Universiteit Eindhoven and CWI (Centrum Wiskunde & Informatica).
The algorithm uses a twisted Edwards curve, leveraging the same finite field arithmetic that underpins Curve25519 but adapted for signature operations in EdDSA. Key generation derives a 32-byte seed using a cryptographically secure random source, then expands it with a hash function specified by the designers, akin to techniques used in proposals by Bruce Schneier and later formalizations by researchers affiliated with ETH Zurich and CNRS. Signing employs hash-based deterministic nonces to avoid vulnerabilities seen in schemes used by projects like Sony and incidents surrounding PlayStation 3 cryptography failures. Verification computes group operations on the curve using formulas refined by authors including Tanja Lange and Peter Schwabe to resist side-channel leakage described in literature from NIST and academic conferences such as CRYPTO and EUROCRYPT.
Ed25519’s security rests on the hardness of the elliptic curve discrete logarithm problem over the curve defined by Curve25519 parameters, a premise studied in work from Dan Bernstein’s group and analyzed at venues like IEEE Symposium on Security and Privacy and ACM CCS. It mitigates common implementation weaknesses by using deterministic signing (reducing reliance on entropy as in the Sony PlayStation ECDSA failures) and cofactor handling to defend against small-subgroup attacks documented in papers by researchers at University of California, Berkeley and University of Cambridge. Cryptanalysis by teams from Microsoft Research, Imperial College London, and Max Planck Institute for Software Systems has not produced practical breaks, though security proofs reference oracles and assumptions similar to those in work by Oded Goldreich and Silvio Micali. Standards scrutiny by IETF and recommendations from NIST influence parameter choices and implementation guidance.
Ed25519 has extensive open-source and commercial implementations used in projects like OpenSSL, LibreSSL, BoringSSL, libsodium, TweetNaCl, and GnuTLS. Implementations exist in programming ecosystems supported by Google’s Go, Rust libraries such as those from the Rust Foundation, and bindings for Python via libraries maintained by contributors from Red Hat and Canonical. Hardware and firmware support appears in Intel and ARM cryptographic extensions, and integrated tokens from vendors like Yubico and TREZOR offer Ed25519 key operations alongside standards from the FIDO Alliance and ISO committees. Audits and formal verification efforts have been undertaken by groups at Microsoft Research and academic teams at ETH Zurich and Radboud University Nijmegen.
Ed25519 was designed for fast signing and verification with small key and signature sizes, leading to broad use in latency-sensitive systems such as WireGuard, OpenSSH, Signal, WhatsApp, Telegram Messenger integrations, and blockchain projects including Stellar, Monero, and various Ethereum-adjacent systems. Benchmarks published by implementers from Cloudflare, Fastly, and Akamai show competitive performance against ECDSA on secp256k1 and secp256r1 in both software and hardware-accelerated contexts. Its deterministic nature and compact representation make it suitable for constrained environments such as Bluetooth Low Energy devices, smart cards, and embedded platforms developed by companies like NXP Semiconductors and Microchip Technology.
Ed25519 is specified in RFCs published by the Internet Engineering Task Force and included in cryptographic profiles for protocols maintained by OpenSSH, OpenPGP (standards work involving IETF and implementers), and messaging standards influenced by Signal Protocol development. Interoperability considerations involve encoding conventions and compatibility with libraries such as OpenSSL and libsodium, and guidance has been coordinated with standards organizations like IETF, ISO, and national bodies referenced by NIST advisories. Adoption across ecosystems by companies such as Google, Apple Inc., Microsoft, and projects like Tor underscores ongoing efforts to harmonize usage, key formats, and migration paths from legacy algorithms such as RSA and ECDSA.