# Ed25519: High-Speed, High-Security Digital Signatures

Ed25519 is an Edwards-curve Digital Signature Algorithm (EdDSA) instantiated with Curve25519. Designed by Daniel J. Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, and Bo-Yin Yang, it was introduced in 2011 and has since become the preferred signature scheme across SSH, TLS 1.3, cryptocurrency systems, and secure messaging protocols. It is standardized in [RFC 8032](https://datatracker.ietf.org/doc/html/rfc8032) and approved by NIST in [FIPS 186-5](https://csrc.nist.gov/pubs/fips/186-5/final) (2023).

## Quick Facts

| Property | Value |
|---|---|
| **Type** | Edwards-curve Digital Signature Algorithm (EdDSA) |
| **Curve** | Twisted Edwards curve birationally equivalent to Curve25519 |
| **Security level** | ~128-bit |
| **Private key size** | 32 bytes (256 bits) |
| **Public key size** | 32 bytes (256 bits) |
| **Signature size** | 64 bytes (512 bits) |
| **Signing** | Deterministic (no random nonce required) |
| **Hash function** | SHA-512 |
| **Standards** | RFC 8032, FIPS 186-5 |
| **Year introduced** | 2011 |
| **Authors** | D.J. Bernstein, N. Duif, T. Lange, P. Schwabe, B.-Y. Yang |

## What Is Ed25519

Ed25519 is a specific instantiation of the EdDSA (Edwards-curve Digital Signature Algorithm) signature scheme. It operates on the Edwards form of Curve25519, a Montgomery curve designed by Daniel J. Bernstein in 2006. The curve's group order is approximately 2^252, providing roughly 128 bits of security against the best-known attacks.

The scheme signs and verifies messages using elliptic-curve arithmetic on this curve. A private key is a 32-byte random seed. The corresponding public key is a 32-byte compressed point on the curve, derived by hashing the seed with SHA-512 and performing a scalar multiplication on the curve's base point.

Ed25519 is deterministic: signing the same message with the same key always produces the same signature. This eliminates an entire class of vulnerabilities caused by weak or repeated random number generation during signing -- the exact flaw that [led to the PlayStation 3 ECDSA private key compromise](https://en.wikipedia.org/wiki/PlayStation_3_homebrew#Private_key_compromised) in 2010.

### Formal Definition

- **Curve**: The twisted Edwards curve `-x^2 + y^2 = 1 + d*x^2*y^2` over GF(2^255 - 19), where `d = -121665/121666`.
- **Base point (B)**: The unique point with y-coordinate 4/5 and positive x-coordinate.
- **Group order (L)**: 2^252 + 27742317777372353535851937790883648493.
- **Cofactor (h)**: 8.

For the full mathematical specification, see [Parameters](/specification/parameters.md) and [Algorithm](/specification/algorithm.md).

## Key Properties

### Deterministic Signing

Ed25519 derives the per-message nonce from a hash of the private key and the message itself, not from a random number generator. This means:

- Identical inputs always produce identical signatures.
- No dependency on the quality of the system's random number generator at signing time.
- Immune to nonce-reuse attacks that have broken ECDSA deployments in practice.

### Compact Keys and Signatures

At 32 bytes for both public keys and private keys, and 64 bytes for signatures, Ed25519 is far more compact than RSA. An RSA-3072 public key is 384 bytes -- 12 times larger. In bandwidth-constrained protocols like SSH, TLS handshakes, and blockchain transactions, this difference is significant.

### Fast Operations

Ed25519 was designed with performance as an explicit goal. The original paper reports signing at over 100,000 operations per second and verification at over 70,000 operations per second on a contemporary Intel Xeon processor (2.4 GHz Westmere). Modern hardware achieves substantially higher throughput. The algorithm uses the extended twisted Edwards coordinate system to avoid expensive field inversions during point addition.

### Resistance to Side-Channel Attacks

The algorithm's operations are designed to be constant-time. There are no secret-dependent branches and no secret-dependent memory lookups, making it resistant to timing attacks and cache-timing attacks. This is a design-level property, not an implementation afterthought.

### No Exotic Number Theory Assumptions

Ed25519's security relies on the hardness of the elliptic-curve discrete logarithm problem (ECDLP) over Curve25519. The curve parameters were chosen to be "rigid" -- derived from small, verifiable constants -- eliminating concerns about backdoored curve parameters that have been raised about some NIST curves (P-256 in particular).

## Performance

Benchmark figures vary with hardware and implementation. The following are representative for optimized implementations on modern x86-64 processors:

| Operation | Speed (ops/sec) | Notes |
|---|---|---|
| Key generation | ~100,000+ | Single SHA-512 hash + one scalar multiplication |
| Signing | ~100,000+ | Deterministic, no RNG call needed |
| Verification | ~70,000+ | Single-signature verification |
| Batch verification | Higher per-op | Amortized cost decreases with batch size |

Verification is the most common operation in most deployments (every peer verifies, only the signer signs), and Ed25519 verification is roughly 3x faster than ECDSA P-256 verification and orders of magnitude faster than RSA-2048 verification in typical implementations.

## Comparison With Other Signature Schemes

| Property | Ed25519 | ECDSA P-256 | RSA-2048 | RSA-4096 |
|---|---|---|---|---|
| **Security level** | ~128-bit | ~128-bit | ~112-bit | ~140-bit |
| **Public key size** | 32 bytes | 64 bytes | 256 bytes | 512 bytes |
| **Signature size** | 64 bytes | 64 bytes | 256 bytes | 512 bytes |
| **Signing speed** | Very fast | Fast | Slow | Very slow |
| **Verification speed** | Very fast | Fast | Fast (small e) | Slow |
| **Deterministic signing** | Yes (by design) | Optional (RFC 6979) | N/A | N/A |
| **Nonce-misuse resistance** | Immune | Vulnerable without RFC 6979 | N/A | N/A |
| **Rigid parameters** | Yes | Debated | N/A | N/A |
| **FIPS approved** | Yes (FIPS 186-5) | Yes | Yes | Yes |

For detailed comparisons, see: [Ed25519 vs RSA](/comparison/vs-rsa.md), [Ed25519 vs ECDSA](/comparison/vs-ecdsa.md), [Ed25519 vs Ed448](/comparison/vs-ed448.md).

## Standardization

Ed25519 is standardized and recognized by all major standards bodies:

- **RFC 8032** (2017) -- "Edwards-Curve Digital Signature Algorithm (EdDSA)" defines Ed25519 and Ed448. This is the primary IETF specification.
- **FIPS 186-5** (2023) -- NIST's Digital Signature Standard now includes EdDSA (Ed25519 and Ed448), making Ed25519 approved for U.S. federal government use.
- **RFC 8709** (2020) -- Defines Ed25519 public key and signature format for SSH.
- **RFC 8410** (2018) -- Defines Ed25519 key encoding in X.509 certificates and PKCS#8 private keys.
- **RFC 8446** (2018) -- TLS 1.3 includes Ed25519 as a supported signature algorithm.

See [RFC 8032 Explained](/specification/rfc8032.md) for a plain-language walkthrough of the specification.

## Where Ed25519 Is Used

Ed25519 has achieved broad adoption across security-critical systems:

### Authentication and Transport

- **OpenSSH** -- Default key type since OpenSSH 6.5 (2014). `ssh-ed25519` is the recommended key type.
- **TLS 1.3** -- Supported signature scheme in the TLS 1.3 handshake (RFC 8446).
- **WireGuard** -- Uses Curve25519 for key exchange (the underlying curve).
- **DNSSEC** -- Ed25519 is defined for DNSSEC via RFC 8080.

### Software Signing and Supply Chain

- **Git** -- Supports Ed25519 for commit and tag signing (since Git 2.34).
- **Minisign / Signify** -- Lightweight signing tools using Ed25519.
- **PASETO** -- Platform-Agnostic Security Tokens (v2/v4) use Ed25519.

### Blockchain and Cryptocurrency

- **Solana** -- All transaction signatures use Ed25519.
- **Cardano** -- Uses Ed25519 (extended variant) for transaction signing.
- **Stellar** -- Ed25519 for account keys and transaction signatures.
- **Monero** -- Uses a variant of EdDSA on Curve25519.

### Messaging and End-to-End Encryption

- **Signal Protocol** -- Uses Ed25519 for identity keys and signatures.
- **Matrix / Element** -- Ed25519 for device verification and cross-signing.
- **age** -- Modern file encryption tool uses X25519 (key exchange on the same curve).

For a comprehensive list, see [Adoption](/adoption/index.md).

## How Ed25519 Works

A high-level summary of the three core operations:

### Key Generation

1. Generate 32 bytes of cryptographically secure random data. This is the private key seed.
2. Hash the seed with SHA-512 to produce 64 bytes. The first 32 bytes are clamped and used as the scalar `a`. The last 32 bytes are used later during signing.
3. Compute the public key as `A = a * B`, where B is the curve base point.

See [Key Generation Guide](/guide/key-generation.md).

### Signing

1. Hash the private key seed with SHA-512. Use the second half of the hash, combined with the message, to deterministically derive a nonce `r`.
2. Compute `R = r * B`.
3. Compute `S = (r + SHA-512(R || A || M) * a) mod L`.
4. The signature is `(R, S)`, encoded as 64 bytes.

See [Signing Guide](/guide/signing.md).

### Verification

1. Parse the signature as `(R, S)` and the public key as `A`.
2. Compute `k = SHA-512(R || A || M)`.
3. Verify that `S * B = R + k * A`.

See [Verification Guide](/guide/verification.md).

For the full algorithm, see [Algorithm](/specification/algorithm.md).
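
The three operations above, written out in pure Python as an added example (it is not code from this site or from any Ed25519 library). It assumes Python 3.8+, uses affine coordinates and a variable-time double-and-add loop for brevity, so it is for study and test vectors only; the helper names are this example's own, and `verify` also applies the `S < L` range check that RFC 8032 requires.

```python
import hashlib

p, L = 2**255 - 19, 2**252 + 27742317777372353535851937790883648493  # field prime, group order
d = -121665 * pow(121666, -1, p) % p  # curve constant d = -121665/121666

def H(*parts):  # SHA-512 of the concatenated parts, read as a little-endian integer
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little")

def add(P, Q):  # affine twisted Edwards addition (two inversions: clear but slow)
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2 % p
    return ((x1*y2 + x2*y1) * pow(1 + t, -1, p) % p, (y1*y2 + x1*x2) * pow(1 - t + p, -1, p) % p)

def mul(s, P):  # double-and-add; branches on the scalar, so NOT constant-time
    Q = (0, 1)  # neutral element
    while s:
        Q, P, s = (add(Q, P) if s & 1 else Q), add(P, P), s >> 1
    return Q

def enc(P):  # 32 bytes: y, with the low bit of x stored in the top bit
    return (P[1] | (P[0] & 1) << 255).to_bytes(32, "little")

def dec(b):  # inverse of enc; None unless b is a canonical encoding of a curve point
    sign, y = divmod(int.from_bytes(b, "little"), 2**255)
    x2 = (y*y - 1) * pow(d*y*y + 1, -1, p) % p  # from -x^2 + y^2 = 1 + d*x^2*y^2
    x = pow(x2, (p + 3) // 8, p)  # first square-root candidate
    if (x*x - x2) % p:
        x = x * pow(2, (p - 1) // 4, p) % p  # second candidate: times sqrt(-1)
    if len(b) != 32 or y >= p or (x*x - x2) % p or (x == 0 and sign):
        return None
    return (x if (x & 1) == sign else p - x, y)

B = dec((4 * pow(5, -1, p) % p).to_bytes(32, "little"))  # base point: y = 4/5, even x

def keygen(seed):  # returns (secret scalar a, nonce prefix, 32-byte public key A)
    h = hashlib.sha512(seed).digest()
    a = int.from_bytes(h[:32], "little") & ((1 << 254) - 8) | (1 << 254)  # clamping
    return a, h[32:], enc(mul(a, B))

def sign(seed, msg):
    a, prefix, A = keygen(seed)
    r = H(prefix, msg) % L  # nonce derived by hashing, never from an RNG
    R = enc(mul(r, B))
    return R + ((r + H(R, A, msg) * a) % L).to_bytes(32, "little")

def verify(A, msg, sig):
    Rp, Ap, S = dec(sig[:32]), dec(A), int.from_bytes(sig[32:], "little")
    ok = len(sig) == 64 and Rp is not None and Ap is not None and S < L  # S >= L is malleable
    return ok and mul(S, B) == add(Rp, mul(H(sig[:32], A, msg) % L, Ap))  # S*B = R + k*A
```

`sign(seed, msg)` returns the 64-byte signature and `verify(A, msg, sig)` returns a boolean. Because `L * B` is the neutral element, `S + L` satisfies the same group equation as `S`, which is why the range check is needed to keep signatures non-malleable.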

## Security Considerations

Ed25519 provides strong security guarantees, but correct implementation matters:

- **128-bit security**: The best-known attack on Curve25519's ECDLP requires ~2^128 operations.
- **Cofactor pitfalls**: The curve has cofactor 8, which can cause issues in protocols that do not account for small-subgroup elements. RFC 8032 specifies checks to mitigate this.
- **No quantum resistance**: Ed25519, like all elliptic-curve schemes, is vulnerable to Shor's algorithm on a sufficiently large quantum computer. Post-quantum migration planning is advisable for long-term secrets.
- **Implementation quality varies**: Some libraries have had vulnerabilities related to signature malleability, missing cofactor checks, or incorrect clamping. Use well-audited implementations.

See [Security Strengths](/security/strengths.md), [Known Vulnerabilities](/security/vulnerabilities.md), [Unsafe Libraries](/security/unsafe-libraries.md), and [Quantum Resistance](/security/quantum.md).

## Implementations

Ed25519 is available in all major languages and cryptographic libraries:

| Language / Library | Notes |
|---|---|
| **C** -- libsodium, OpenSSL (1.1.1+), ref10 | libsodium is the most widely recommended |
| **Python** -- PyNaCl, cryptography, ed25519 | PyNaCl wraps libsodium |
| **Go** -- crypto/ed25519 (stdlib) | In the standard library since Go 1.13 |
| **Rust** -- ed25519-dalek, ring | ed25519-dalek is the dominant crate |
| **JavaScript** -- @noble/ed25519, tweetnacl-js | @noble/ed25519 is a modern audited choice |
| **Java** -- Bouncy Castle, java.security (JDK 15+) | JDK 15 added native EdDSA support |

See [Implementations](/implementations/index.md) for code examples and library comparisons.

## History

- **2005** -- Daniel J. Bernstein publishes Curve25519, a Montgomery curve for Diffie-Hellman key exchange.
- **2008** -- Bernstein, Birkner, Joye, Lange, and Peters describe fast group operations on twisted Edwards curves.
- **2011** -- Bernstein, Duif, Lange, Schwabe, and Yang publish "High-speed high-security signatures" introducing Ed25519. The reference implementation achieves unprecedented speed.
- **2017** -- RFC 8032 standardizes EdDSA (Ed25519 and Ed448).
- **2023** -- NIST approves Ed25519 in FIPS 186-5, completing its transition from an academic proposal to a government-approved standard.

See [History](/history/index.md) and [Authors](/history/authors.md).

## Authors

Ed25519 was designed by:

- **Daniel J. Bernstein** -- University of Illinois at Chicago / Technische Universiteit Eindhoven
- **Niels Duif** -- Technische Universiteit Eindhoven
- **Tanja Lange** -- Technische Universiteit Eindhoven
- **Peter Schwabe** -- Radboud Universiteit Nijmegen
- **Bo-Yin Yang** -- Academia Sinica

The original paper, "High-speed high-security signatures," was published in 2011 and is available at [https://ed25519.cr.yp.to/](https://ed25519.cr.yp.to/).

## Recipes (Copy-Paste Ready)

Task-oriented guides with runnable commands and code. See [all recipes](/recipes/index.md).

| Task | Command |
|------|---------|
| Generate SSH key | `ssh-keygen -t ed25519 -C "you@example.com"` |
| Sign git commits | `git config --global gpg.format ssh && git config --global user.signingkey ~/.ssh/id_ed25519.pub` |
| Sign a file | `openssl pkeyutl -sign -rawin -inkey key.pem -in file.txt -out file.sig` |
| Encrypt with age | `age -R ~/.ssh/id_ed25519.pub -o secret.enc secret.txt` |
| Generate WireGuard key | `wg genkey \| tee private.key \| wg pubkey > public.key` |

