Things that use Ed25519

Updated: September 22, 2020

Here's a list of protocols and software that use or support the superfast, super secure Ed25519 public-key signature system from Daniel J. Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, and Bo-Yin Yang.

This page is organized by Protocols, Networks, Operating Systems, Hardware, Software, SSH Software, TLS Libraries, NaCl Crypto Libraries, Libraries, Miscellaneous, Timeline notes, and Support coming soon.

You may also be interested in this list of Curve25519 ECDH deployment.

Protocols

TLS 1.3 — Transport Layer Security

SSH — thanks to work done by the OpenSSH team, adopted also by TinySSH and others

Signal Protocol — encrypted messaging protocol derivative of OTR Messaging

cryptosphere — Encrypted peer-to-peer web application platform for decentralized, privacy-preserving applications

saltpack — a modern crypto messaging format

ORDO — Ordered Representation for Distinguished Objects: A Certificate Format

RAET — (Reliable Asynchronous Event Transport) Protocol

roughtime — secure time synchronisation

Dat — a new p2p hypermedia protocol

TCN — Temporary Contact Numbers, a decentralized, privacy-first contact tracing protocol

Evernym — a high-speed, privacy-enhancing, distributed public ledger engineered for self-sovereign identity

Chain Key Derivation — a deterministic key derivation scheme

S/MIME 4.0 — Secure/Multipurpose Internet Mail Extensions

BLEMeshChat — 100% sneakernet chat via Bluetooth LE Mesh, for iOS and Android

(n+1)sec — a free, end-to-end secure, synchronous protocol for group chat

PASETO — a specification and reference implementation for secure stateless tokens

Networks

Tor — The Onion Router anonymity network

Zcash — a privacy-protecting, digital currency built on strong science (used in JoinSplit signatures)

I2P — an anonymous network

GNUnet — a framework for secure peer-to-peer networking that does not use any centralized or otherwise trusted services

Serval — Mesh telecommunications

Peergos — An end-to-end encrypted, peer-to-peer file storage, sharing and communication network

Yggdrasil — a fully end-to-end encrypted network

URC — an IRC style, private, security aware, open source project

Stellar (Payment Network) — low-cost, real-time transactions on a distributed ledger

Sia — Blockchain-based marketplace for file storage

cjdns — encrypted ipv6 mesh networking

Operating systems

OpenBSD — used in OpenSSH, signify, and in CVS over SSH

OpenWrt — used in package signing

All operating systems that ship with OpenSSH 6.5+ from the OpenBSD Project

Software projects signed with Ed25519

OpenBSD signs releases, packages, patches, and binary updates with Ed25519 via signify

M:Tier signs OpenBSD packages and binary updates with Ed25519 via signify

WireGuard for Windows updates are signed with Ed25519 via signify

WireGuard for Android kernel modules are signed with Ed25519 via signify

minisign signs releases with Ed25519 via minisign

libsodium signs releases with Ed25519 via minisign

dnscrypt-proxy signs its resolver list with Ed25519 via minisign

SimpleDnsCrypt signs packages with Ed25519 via minisign

dnscrypt-osxclient signs packages with Ed25519 via minisign

Markdeep signs releases with Ed25519 via minisign

Airship signs automatic updates with Ed25519

LibreSSL signs releases with Ed25519 via signify

radare2 signs releases with Ed25519 via signify

OpenSMTPD signs releases with Ed25519 via signify

DNSCurve.io signs downloads with Ed25519 via signify

Hardware

Software

SSH Software

DNS Software

dnscrypt-proxy — securing communications between a client and a DNS resolver

dnsdist — dnsdist supports DNSCrypt

Unbound — a validating, recursive, and caching DNS resolver

PowerDNS Recursor — a high-performance DNS recursor with built-in scripting capabilities

DNSCryptClient — A simple DNSCrypt client

dnscrypt — authenticated and encrypted DNS client fo r nodejs

dnsmasq — network infrastructure for small networks: DNS, DHCP, router advertisement and network boot

PowerDNS Authoritative Server — the only solution that enables authoritative DNS service from all major databases

SimpleDnsCrypt — A simple management tool for dnscrypt-proxy

Knot DNS — a high-performance authoritative-only DNS server

Signify software

This section is for OpenBSD signify ported to Linux and other operating systems.

OpenBSD: signify — cryptographically sign and verify files

— cryptographically sign and verify files Adrian Perez: signify-portable — OpenBSD tool to sign and verify signatures

mancha: signify-portable — put together by mancha

Felix von Leitner: signify-fefe — signify that builds on Linux

Vsevolod Stakhov: asignify — Yet another signify tool

Jean-Philippe Ouellet: signify-osx — OS X port of OpenBSD's signify(1)

Michael Gehring: signify-go — Go implementation of OpenBSD's signify(1)

Yui NARUSE: nurse-signify — portable version of OpenBSD's signify with autoconf

Christian Neukirchen: leahneukirchen-signify

Mark Kubacki: signify — signify for Linux that uses instructions of modern CPUs

Aaron Bieber: signify.el — signify package for emacs

Tobias Stoeckmann: signify-windows — OpenBSD signify for Windows systems

Björn Edström: python-signify — OpenBSD Signify for Python

Robert Escriva: rescrv-signify — signify ported from OpenBSD

Heinrich Schuchardt: usign — tiny signify replacement

Frank Braun: gosignify — a Go reimplementation of OpenBSD's signify

Debian packages: signify-openbsd

Greg (myfreeweb): freepass — The free password manager for power users + signify support

Jan-Erik Rediger: signify-rs — Create cryptographic signatures for files and verify them

Minisign software and libraries

Minisign is compatable with signify.

minisign — A dead simple tool to sign files and verify signatures. (by Frank Denis)

— A dead simple tool to sign files and verify signatures. (by Frank Denis) go-minisign — Minisign library for Golang

rust-minisign — A pure Rust implementation of the Minisign signature system

rust-minisign-verify — A small Rust crate to verify Minisign signatures

rsign2 — A command-line tool to sign files and verify signatures in pure Rust

minisign-misc — macOS workflows and shell scripts to verify and sign files with minisign

rsign — A simple rust implementation of Minisign tool

minisign-net — .NET library to handle and create minisign signatures

TLS Libraries

NaCl Crypto Libraries

For cryptographic libraries in the NaCl family, including TweetNaCl, uNaCl, and libsodium, as well as wrappers, bindings, and ports.

PASETO libraries

Note: V2 of PASETO supports Ed25519, so choose this over the lower security V1. The implementations below support V2.

Elixir: Paseto — An Elixir implementation of Paseto (Platform-Agnostic Security Tokens)

Go: paseto — Platform-Agnostic Security Tokens implementation in GO (Golang) Go: go-paseto-middleware — Paseto middleware for GoLang Go: pasetosession — Web session/authentication using PASETO

Java: paseto4j — Paseto implementation for Java

Java: paseto — Java Implementation of Platform-Agnostic Security Tokens

Javascript: paseto.js — PASETO: Platform-Agnostic Security Tokens

Lua: paseto-lua — PASETO (Platform-Agnostic Security Tokens) for Lua

.NET: Paseto.Net — .NET Implementation of PASETO (v2 local / public encryption)

.NET: paseto-dotnet — Paseto.NET, a Paseto (Platform-Agnostic Security Tokens) implementation for .NET

Python: pypaseto — PASETO for Python

Ruby: paseto.rb — Ruby implementation of Paseto using libsodium

Rust: paseto — A paseto implementation in rust

Swift: swift-paseto — Platform-Agnostic Security Tokens implementation in Swift

PASETO plugins

Phoenix authentication plug: paseto_plu — A Phoenix authentication plug that validates Paseto (Platform Agnostic Security Tokens)

Kong (plugin): kong-plugin-paseto — Kong plugin for PASETO (Platform-Agnostic Security Tokens)

Libraries

Other Libraries

PHP 7.2.0+ — a popular general-purpose scripting language that is especially suited to web development

ring — Crypto library for Rust using BoringSSL's cryptography primitives

HACL* — a formally verified cryptographic library written in F*

Rust-Crypto — A (mostly) pure-Rust implementation of various common cryptographic algorithms

Chaos.NaCl — a cryptography library writen in C#, based on NaCl

Nettle — a low-level cryptographic library Bindings available in Haskell, Perl, Pike, PostgreSQL, R6RS Scheme, and TCL

Monocypher — a small, secure, auditable, easy to use crypto library LuaNacha — Lua wrapper for Monocypher monocypher.cr — Crystal bindings for Monocypher monocypher-go — Go language bindings for Monocypher

libsuola — An ENGINE gluing together OpenSSL and NaCl-derived crypto

curve25519-java — Pure Java and JNI backed Curve25519 implementation dnscrypt — A very simple DNSCrypt client library written in Go scrypto — Cryptographic primitives for Scala (includes Curve25519-Java wrapper)

Noise-C — a plain C implementation of the Noise Protocol

curve25519-dalek — a Rust implementation of field and group operations on an Edwards curve over GF(2 255 - 19)

- 19) curv — Rust language general purpose elliptic curve cryptography

libgodium — Pure Go implementation of cryptographic APIs found in libsodium

wasm-crypto — WebAssembly implementation of Ed25519-based operations and more

Libgcrypt — a general purpose cryptographic library originally based on code from GnuPG

hs-nacl — Modern Haskell Cryptography

Signatory — a pure Rust multi-provider digital signature library

Elligator-2 — Javascript implementation of the Elligator 2 algorithm for Curve25519

torgo — A Golang library for Tor

nacl4s — Scala implementation of Networking and Cryptography (NaCl) library

kevinburke-nacl — Pure Go implementation of the NaCl set of APIs

Megolm — An AES-based cryptographic ratchet intended for group communications

Sapient — Secure API toolkit

mipher — Mobile Cipher library written in clean TypeScript

rust-crypto-decoupled — Experiment on dividing rust-crypto into several small crates

OpenPGP.js — an Open Source OpenPGP library in JavaScript

Crypto++ — a free C++ class library of cryptographic schemes

pycryptopp — Python bindings to the Crypto++ library

eddsa — EdDSA python prototype

libelligator — A C++ Elligator2 implementation

elliptic — Fast Elliptic Curve Cryptography in plain javascript

nsec — A modern and easy-to-use crypto library for .NET Core based on libsodium

amber — Cryptography library. X25519, Ed25519, ChaCha20, Blake2, Poly1305, Scrypt

libssh2 — a client-side C library implementing the SSH2 protocol (requires OpenSSL 1.1.1)

recrypt — for building a multi-hop proxy re-encryption scheme, known as Transform Encryption

go-msgauth — A Go library for DKIM, DMARC and Authentication-Results

nacl-cert — NaCl Certification System

Lazysodium — a complete Android implementation of the Libsodium library

cryptonite — a haskell repository of cryptographic primitives

easy-ecc — A usability wrapper for PHP ECC

edcert — A rust crate for high-performance content-signing and certificate verification

dnscrypt-python — DNSCrypt Python Library

dnscrypt — Very basic DNSCrypt library for Go

dnscrypt-proxy-gui — Qt/KF5 GUI wrapped over dnscrypt-proxy

libsignal-protocol-c — Signal Protocol C Library

sshj — ssh, scp and sftp for java

salt-channel-c — C implementation of Salt Channel

librnp — C library approach to OpenPGP ruby-rnp — Bindings for RNP in Ruby

xeddsa — port of libsignal's xeddsa implementation to the pitchfork

TweetPepper — Formats, PKI using TweetNaCl as the Crypto

iroha-ed25519 — RFC8032 compatible Ed25519 implementation with pluggable hash (sha2-512, sha3-512)

hc — HomeControl is an implementation of the HomeKit Accessory Protocol (HAP) in Go

GO-JWT-ed25519 — A very basic GO implementation of JWT using ed25519

c25519 — Wei25519, Curve25519 and Ed25519 for low-memory systems

ara-crypto — Cryptographic functions used in various Ara modules

libssh — a library written in C implementing the SSH protocol

Personal-HomeKit-HAP — build HomeKit support accessories

ocaml-bip32-ed25519 — OCaml implementation of BIP32-Ed25519 (Khovratovich/Law flavour)

cryptostack — cryptographic library based on Curve25519, Ed25519, blake2b, Poly1305, XSalsa20 primitives

go-tuf — Go implementation of The Update Framework (TUF)

prototok — RbNaCl + json/msgpack/protobuf key generation/parsing gem

kyber — Advanced crypto library for the Go language

Ed25519_DS — Ed25519 node.js library

go-lib — Useful, Reusable Golang libraries

Neuro:pil — a small messaging library which by default adds two layers of encryption

The Update Framework — helps developers to secure new or existing software update systems

spring-boot-wow — spring boot integrity and multi modules with spring-boot include ed25519

libaxolotl-crypto-web — WebCrypto implementation of cryptography interface for libaxolotl-javascript

libaxolotl-javascript — A JavaScript implementation of axolotl

libaxolotl-crypto-node — Node.js implementation of cryptography interface for libaxolotl-javascript

ed25519-to-x25519.wasm — Library for Ed25519 signing key pair into X25519/Curve25519 key pair suitable for Diffie-Hellman key exchange

crypto — crypto with ed25519 + base58 or other

edssh — ed25519 signature support for golang.org/x/crypto/ssh

salt-channel — A Java implementation of Salt Channel - a simple, light-weight secure channel protocol

SharedEcc25519 — ANSI-C based cross-platform elliptic curve cryptography provider with objc api

Virgil Crypto Library — modern cryptography libraries (ECIES and RSA with Cryptographic Agility) and all the necessary infrastructure

Sequoia-PGP — a modern modular OpenPGP implementation in Rust

arduinolibs-Crypto — Arduino libraries and examples

libuecc — Very small Elliptic Curve Cryptography library

ecc25519 — combine golang ed25519 and curve25519 libray in one

erlang-libdecaf — ed448goldilocks (libdecaf) NIF with timeslice reductions for Erlang and Elixir (+Ed25519)

ruby-jose — JSON Object Signing and Encryption (JOSE) for Ruby

erlang-jose — JSON Object Signing and Encryption (JOSE) for Erlang and Elixir

redux-signatures — Cryptographic signing of your redux (or flux) actions

HeavyThing — x86_64 assembler library

libcryptoconditions — Interledger crypto-conditions implemented in C, including simple JSON api

joken — Elixir JWT library

jwt_nacl — A Ruby JSON Web Token implementation using NaCl Ed25519 digital signatures

go-libp2p-crypto — Various cryptographic utilities used by ipfs

libsqrl — a library implementing the SQRL Specification

nano-signing — A minimalistic public-key signing framework for TS / JS environments based on TweetNaCl and Ed25519

yii2-api — A Yii2 API Skeleton Framework

fld-ecc-vec — an optimized library for computing EdDSA and the Diffie-Hellman functions X25519 and X448

cryptofamily — a heap of primitives, algorithms, etc.

kcl — NaCl substitute of sorts in Elixir

c25519 — Curve25519 and Ed25519 for low-memory systems ed25519-streaming — Streaming implementation of c25519

python-signedjson — Sign JSON objects with ED25519 signatures

signedjson — Signs JSON objects with ED25519 signatures

supercop.js — not to be confused with SUPERCOP

hypercore-crypto — The crypto primitives used in hypercore, extracted into a separate module

molch — An implementation of the axolotl ratchet based on libsodium

aws-crypto-lambda — AWS Lambda for Cryptographic functions based on libsodium

sshlib — ConnectBot's SSH library

asymmetric-crypto — Encryption and signing using public-key cryptography (via TweetNaCl)

coniks-go — A CONIKS implementation in Golang

pspka — password seeded public key authentication

curve25519-js — Curve25519 Javascript Implementation

ed25519-supercop — ed25519 curve operations using a supercop/ref10 implementation

libeddsa — cryptographic library for ed25519 and curve25519

libec — Small PKI library

AFEnacl — An AFNetworking subclass providing payload signing via libsodium

eddsa — Structures for safe handling of Ed25519 keys

ECC-25519 — helps to use ECC with Curve25519

Salt — NaCl cryptography library for PHP (not by the NaCl authors)

libgcrypt — a general purpose cryptographic library based on the code from GnuPG

crypto — Various cryptographic functions for datkt

25519 — Key agreement (X25519) and signing (ed25519)

js-stellar-base — the lowest-level stellar helper library

microstar-crypto — Cryptography library for Microstar, wrapping TweetNaCl

libaxolotl-crypto-curve25519 — emscripten compiled version of curve25519 and ed25519

shick_crypto — multi recipient NaCl-style encryption via libsodium

SQRL-Protocol — A helper library to handle SQRL requests and responses

gryphon — HTTP Request Signing with Ed25519

python-axolotl-curve25519 — curve25519 with ed25519 signatures, used by libaxolotl

secret-handshake — Javascript-based authentication

python-sshpubkeys — OpenSSH public key parser for Python

Cryptocurrencies, blockchains, and ledgers

Monero — a secure, private, untraceable currency

Nano — digital currency for the real world

Decred — Hybridized PoW/PoS cryptocurrency

Chain Core — enterprise-grade blockchain infrastructure that enables organizations to build better financial services from the ground up

tezos — A self-amending cryptographic ledger

bog — secure blockchain logging (blogging without the 'l')

Chronicle — a self-hostable microservice and append-only public ledger

Miscellaneous

Matthew Green: "Any potential 'up my sleeve' number should be looked at with derision and thoroughly examined (Schneier thinks that the suggested NIST ECC curves are probably compromised by NSA using 'up my sleeve' constants). This is why I think we all should embrace DJB's curve25519."

Ted Unangst: "The one and only supported algorithm is Ed25519. It has a lot of very nice properties, though I really like the deterministic signatures. Anything that makes it harder to screw up is great."

GnuPG: "For many people the NIST and also the Brainpool curves have an doubtful origin and thus the plan for GnuPG is to use Bernstein's Curve 25519 as default. GnuPG 2.1.0 already comes with support for signing keys using the Ed25519 variant of this curve. This has not yet been standardized by the IETF (i.e. there is no RFC) but we won't wait any longer and go ahead using the proposed format for this signing algorithm."

Cesar Pereida García and Billy Bob Brumley and Yuval Yarom: Make Sure DSA Signing Exponentiations Really are Constant-Time: "OpenSSH supports building without OpenSSL as a dependency. We recommend that OpenSSH package maintainers switch to this option. For OpenSSH administrators and users, we recommend migrating to ssh-ed25519 key types, the implementation of which has many desirable side-channel properties."

Adam Caudill: "FYI - Went through 12.5M executions with afl against the minisign verification function, no hits. Good job!"

Ted Unangst: "It takes more code for a TLS client to negotiate Hello and do the key exchange than in all of signify."

Adam Langley: "Current ECDSA deployments involve an ECDSA key in an X.509 certificate and ephemeral, ECDHE keys being generated by the server as needed. These ephemeral keys are signed by the ECDSA key. A similar design would have an Ed25519 key in the X.509 certificate and curve25519 used for ECDHE. I don't believe there's anything needed to get that working save for switching out the algorithms."

Timeline notes

Ed25519 support coming soon!

Redox OS is working on pkgar, a secure package management tool using sodalite and Ed25519

LibreSSL — "Add objects for X25519, X448, Ed25519 and Ed448"

NaCl — Networking and Cryptography Library

Tor — for Hidden Services; already used elsewhere in Tor

Gossamer — Public Key Infrastructure without Certificate Authorities, for WordPress

wolfSSL — Roadmap: "ed25519 integration at the crypto and TLS level" — already supported at the crypto level

BearSSL — Smaller SSL/TLS

bog — a distributed social networking application using TweetNaCl.js to publish signed append-only logs

ed25519-xeno — Common Lisp implementation of Ed25519 signature protocol

OpenSSL — for use in libcrypto and libssl (TLS)

tink — a small crypto library that provides a safe, simple, agile and fast way to accomplish some common crypto tasks

DNSSEC — a horrible protocol that shouldn't be used BIND

Brave Sync — A client/server for Brave sync

kovri — The Kovri I2P Router Project

cothority — Scalable collective authority prototype

ithos — Modern directory services and credential management

messagesodium — Patches ActiveSupport's MessageEncryptor to use libsodium

Upspin — "TODO(ehg) add "25519": x/crypto/curve25519, github.com/agl/ed25519"

Tendermint — Simple, Secure, Scalable Blockchain Platform

freepass — The free password manager for power users. (Already supports ssh-ed25519 and signify, plans to support SQRL!)

ed25519 — an implementation of ed25519 in lisp

prifi — Work-in-progress Dissent port/rewrite for low-latency anonymous communication

WAMP-cryptosign — The WAMP Protocol team is working on WAMP-cryptosign; see also wamp-proto.org

petmail — secure messaging, file-transfer, and directory synchronization

antinet-before-yedino — safe decentralized network for data and contracts

Crossbar.io - WAMP application router — plans to implement WAMP-cryptosign

libsodium-laravel — Laravel integration for libsodium

End-To-End — a Chrome extension that helps you encrypt, decrypt, digital sign, and verify signed messages within the browser using OpenPGP

"Powered by Ed25519"