Ed25519: high-speed high-security signatures

Introduction
Software
Papers

Software

The Ed25519 software is available as the crypto_sign/ed25519 subdirectory of the SUPERCOP benchmarking tool, starting in version 20110629. This software will also be integrated into the next release of the Networking and Cryptography library (NaCl).

The Ed25519 software consists of three separate implementations, all providing the same interface:

  • amd64-51-30k. Assembly-language implementation for the amd64 architecture, using radix 2^51 and a 30KB precomputed table.
  • amd64-64-24k. Assembly-language implementation for the amd64 architecture, using radix 2^64 and a 24KB precomputed table.
  • ref. Slow but relatively simple and portable C implementation.
Both SUPERCOP and NaCl automatically select the fastest implementation on each computer.

Alternate implementations

There is a very slow but very concise Python implementation, consisting of four files: This implementation does not include protection against side-channel attacks.

Copyrights

The Ed25519 software is in the public domain.

Patents

The authors have not been notified of any claims of patent problems wth Ed25519. Even if such claims are made in the future, the authors will continue to make the Ed25519 software available for practical use in countries where practical use is legal, and for research and experimentation in countries where research and experimentation are legal.

Readers interested in the scope of various cryptographic patents might find the following links helpful:

  • Expired 29 April 1997: US 4200770, public-key cryptography. Prior art: Diffie and Hellman, June 1976.
  • Expired 16 October 2007: US 4964164, batch RSA signing.
  • Expired 19 February 2008: US 4995082, Schnorr signatures.
  • Expired 17 September 2011: US 5159632, elliptic-curve arithmetic mod p with reduction using "shift and add operations". Prior art: Bender and Castagnoli, 1989.
  • Expired 17 September 2011: US 5271061. Prior art: Bender and Castagnoli, 1989.
  • Expired 17 September 2011: US 5463690. Prior art: Bender and Castagnoli, 1989.
  • Expired 13 August 2012: US 5299262, fixed-base-point exponentiation. Prior art: Pippenger, 1976.
  • Expired 15 September 2013: US 5347581, batch verification. Prior art: Lilien and Bhargava, 1984.
  • Expires 29 July 2014: US 6141420, point compression. Prior art: Miller, 1985; Harper, Menezes, and Vanstone, 1992.
  • Expires 6 June 2015: US 5999627, fixed-base-point exponentiation. Prior art: Pippenger, 1976.

Version

This is version 2013.09.16 of the software.html web page.