Skip to main content

Try it Live

Run Ed25519 examples in the interactive playground
This page is a placeholder. All examples on this page are currently AI-generated and are not correct. This documentation will be completed in the future with accurate, tested examples.

Overview

Ed25519 is a modern elliptic curve signature scheme using the Edwards curve form of Curve25519. It provides high security (128-bit security level) with excellent performance and simple implementation. Curve: Edwards curve y² + x² = 1 + dx²y² over prime field 2²⁵⁵ - 19 Key features:
  • Deterministic: No random nonce needed (unlike ECDSA)
  • Fast: Faster than secp256k1 for both signing and verification
  • Simple: No malleability, no special cases, straightforward implementation
  • Secure: Designed to resist timing attacks and side-channel analysis
Modern usage: SSH (RFC 8709), TLS 1.3, Signal Protocol, WireGuard, Tor, Zcash, Monero, Stellar, and many cryptocurrency wallets.

Quick Start

API Reference

Key Generation

keypairFromSeed(seed)

Generate deterministic Ed25519 keypair from a 32-byte seed. Parameters:
  • seed (Uint8Array) - 32-byte seed for deterministic generation
Returns: { secretKey: Uint8Array, publicKey: Uint8Array }
  • secretKey - 32-byte secret key (same as seed in Ed25519)
  • publicKey - 32-byte public key
Throws:
  • InvalidSeedError - Seed wrong length

derivePublicKey(secretKey)

Derive public key from secret key. Parameters:
  • secretKey (Uint8Array) - 32-byte secret key
Returns: Uint8Array - 32-byte public key Throws:
  • InvalidSecretKeyError - Secret key wrong length

Signing

sign(message, secretKey)

Sign a message with Ed25519 secret key. Message can be any length. Parameters:
  • message (Uint8Array) - Message to sign (any length)
  • secretKey (Uint8Array) - 32-byte secret key
Returns: Uint8Array - 64-byte signature Throws:
  • InvalidSecretKeyError - Secret key invalid
  • Ed25519Error - Signing failed

Verification

verify(signature, message, publicKey)

Verify an Ed25519 signature. Parameters:
  • signature (Uint8Array) - 64-byte signature to verify
  • message (Uint8Array) - Original message that was signed
  • publicKey (Uint8Array) - 32-byte public key
Returns: boolean - true if signature is valid, false otherwise Throws:
  • InvalidPublicKeyError - Public key format invalid
  • InvalidSignatureError - Signature format invalid

Validation

validateSecretKey(secretKey)

Check if a byte array is a valid Ed25519 secret key. Parameters:
  • secretKey (Uint8Array) - Candidate secret key
Returns: boolean - true if valid (32 bytes)

validatePublicKey(publicKey)

Check if a byte array is a valid Ed25519 public key. Parameters:
  • publicKey (Uint8Array) - Candidate public key
Returns: boolean - true if valid (32 bytes, point on curve)

validateSeed(seed)

Check if a byte array is a valid seed. Parameters:
  • seed (Uint8Array) - Candidate seed
Returns: boolean - true if valid (32 bytes)

Constants

Security Considerations

Advantages over ECDSA (secp256k1)

No nonce generation: Ed25519 is deterministic. The same message and key always produce the same signature, eliminating the catastrophic nonce reuse vulnerability in ECDSA. No malleability: Signatures cannot be modified to create alternative valid signatures (unlike ECDSA which requires low-s normalization). Simpler implementation: Fewer edge cases and special conditions reduce attack surface. Better performance: Typically 2-3x faster than secp256k1 for signing and verification. Built-in security: Designed from the ground up to resist timing attacks and side-channel analysis.

Critical Warnings

⚠️ Protect secret keys: Ed25519 secret keys are 32-byte seeds. If compromised, all signatures can be forged. ⚠️ Validate public keys: Always validate public keys before use to ensure they are valid curve points. ⚠️ Use cryptographically secure random: Never use Math.random() for seed generation. Use crypto.getRandomValues(). ⚠️ Message length: Unlike ECDSA which signs 32-byte hashes, Ed25519 signs the actual message. For very large messages, consider hashing first (but this is not required).

TypeScript Implementation

The TypeScript implementation uses @noble/curves/ed25519 by Paul Miller:
  • Constant-time operations
  • Compliant with RFC 8032
  • Multiple security audits
  • Widely used in production (SSH, Signal, cryptocurrency)
  • ~15KB minified

Test Vectors

RFC 8032 Test Vectors

Deterministic Signatures

Message Length Flexibility

Implementation Details

TypeScript

Library: @noble/curves/ed25519 by Paul Miller
  • Audit status: Security audited, production-ready
  • Standard: RFC 8032 compliant
  • Features: Constant-time, batch verification, cofactor handling
  • Size: ~15KB minified (tree-shakeable)
  • Performance: 2-3x faster than secp256k1
Key design choices:
  • Uses twisted Edwards curve internally
  • Point compression for compact public keys (32 bytes)
  • Deterministic signature generation (no randomness needed)
  • Built-in validation and security checks

Zig

Implementation: Will use std.crypto.sign.Ed25519 from Zig standard library
  • Status: Future FFI support planned
  • Features: Constant-time, RFC 8032 compliant
  • Audit: Part of Zig standard library
Currently only available through TypeScript/WASM interface.

WASM

Ed25519 operations available in WASM builds:
  • ReleaseSmall: Size-optimized (~15KB)
  • ReleaseFast: Performance-optimized

Ethereum Context

Ed25519 is not used in Ethereum’s core protocol (which uses secp256k1), but it appears in:

Layer 2 and Rollups

  • StarkNet: Uses Ed25519 for account signatures
  • zkSync: Optional Ed25519 support for certain operations
  • Optimistic Rollups: Some use Ed25519 for off-chain aggregation

Modern Web3 Applications

  • Solana integration: Solana uses Ed25519, so cross-chain apps benefit
  • Decentralized identity: DIDs often use Ed25519 for key management
  • Encrypted communication: Signal Protocol with Ethereum accounts

Future EVM Integration

  • EIP-665: Proposed Ed25519 signature verification precompile (draft)
  • Account abstraction: ED25519 keys for smart contract wallets
  • Hardware wallets: Secure Enclave and TEE support

Ed25519 vs Secp256k1

FeatureEd25519Secp256k1
Security Level128-bit128-bit
Key Size32 bytes32 bytes (private)
Public Key32 bytes (compressed)64 bytes (uncompressed)
Signature Size64 bytes64 bytes (r,s) + 1 byte (v)
DeterministicYes (built-in)Yes (RFC 6979)
MalleabilityNoYes (requires low-s)
PerformanceFaster (2-3x)Slower
Nonce IssuesNoneCritical (ECDSA)
Ethereum SupportNo (L2 only)Yes (core)
Modern AdoptionHighMedium
When to use Ed25519:
  • New protocols and applications
  • High-performance requirements
  • Simplified security model
  • Cross-chain with Solana, Stellar, etc.
  • SSH, TLS, or other modern protocols
When to use Secp256k1:
  • Ethereum transaction signing (required)
  • Bitcoin compatibility
  • EVM precompile support (ecRecover)
  • Address derivation from signatures