Ed25519
What is Ed25519?
Ed25519An EdDSA signature scheme over the twisted Edwards curve edwards25519, offering ~128-bit security with deterministic, fast, side-channel-resistant signing as defined in RFC 8032.
Ed25519 is the most widely deployed instance of the Edwards-curve Digital Signature Algorithm (EdDSA), specified in RFC 8032. It uses the twisted Edwards curve edwards25519 (birationally equivalent to Curve25519) over the prime field 2^255 - 19, producing 32-byte public keys and 64-byte signatures with approximately 128 bits of security. Signing is deterministic: the per-signature nonce is derived from the private key and message via SHA-512, eliminating the catastrophic nonce-reuse failure that affects ECDSA. Implementations are constant-time and complete-formula, making side-channel attacks much harder. Ed25519 is the default in OpenSSH, WireGuard, GnuPG, TLS 1.3, Signal, and modern code-signing systems.
● Examples
- 01
OpenSSH `ssh-keygen -t ed25519` host and user keys.
- 02
Solana, Cardano, and other blockchains use Ed25519 for transaction signing.
● Frequently asked questions
What is Ed25519?
An EdDSA signature scheme over the twisted Edwards curve edwards25519, offering ~128-bit security with deterministic, fast, side-channel-resistant signing as defined in RFC 8032. It belongs to the Cryptography category of cybersecurity.
What does Ed25519 mean?
An EdDSA signature scheme over the twisted Edwards curve edwards25519, offering ~128-bit security with deterministic, fast, side-channel-resistant signing as defined in RFC 8032.
How does Ed25519 work?
Ed25519 is the most widely deployed instance of the Edwards-curve Digital Signature Algorithm (EdDSA), specified in RFC 8032. It uses the twisted Edwards curve edwards25519 (birationally equivalent to Curve25519) over the prime field 2^255 - 19, producing 32-byte public keys and 64-byte signatures with approximately 128 bits of security. Signing is deterministic: the per-signature nonce is derived from the private key and message via SHA-512, eliminating the catastrophic nonce-reuse failure that affects ECDSA. Implementations are constant-time and complete-formula, making side-channel attacks much harder. Ed25519 is the default in OpenSSH, WireGuard, GnuPG, TLS 1.3, Signal, and modern code-signing systems.
How do you defend against Ed25519?
Defences for Ed25519 typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Ed25519?
Common alternative names include: EdDSA over edwards25519, RFC 8032 Ed25519.
● Related terms
- cryptography№ 258
Curve25519
A Montgomery elliptic curve designed by Daniel J. Bernstein, used in the X25519 Diffie-Hellman function specified in RFC 7748 with ~128-bit security.
- cryptography№ 369
ECDSA
The elliptic-curve variant of the Digital Signature Algorithm, standardized in FIPS 186, producing compact signatures whose security relies on the elliptic-curve discrete logarithm problem.
- cryptography№ 321
Digital Signature
A public-key cryptographic mechanism that proves the authenticity, integrity and non-repudiation of a message or document.
- cryptography№ 374
Elliptic Curve Cryptography (ECC)
A family of public-key algorithms based on the algebraic structure of elliptic curves over finite fields, offering equivalent security to RSA with much smaller keys.
- cryptography№ 879
Public-Key Cryptography
A branch of cryptography that uses paired public and private keys to enable encryption, key exchange, digital signatures, and authentication without a pre-shared secret.
- network-security№ 1159
TLS (Transport Layer Security)
The IETF-standardized cryptographic protocol that provides confidentiality, integrity, and authentication for traffic between two networked applications.
● See also
- № 980secp256k1
- № 109BLS Signature