
What implementations of Ed25519 exist?


The new SQRL authentication scheme relies on Curve Ed25519 encryption developed by Daniel Bernstein. However, in order to start implementing this scheme there needs to be a mature implementation of Curve Ed25519 first.

Does anyone know of any mature implementations? For Java, .NET or any other popular platform?

Chris Pietschmann asked Oct 02 '13 22:10



2 Answers

Curve25519 vs. Ed25519

First of all, Curve25519 and Ed25519 aren't exactly the same thing. They're based on the same underlying curve, but use different representations. Most implementations are either for Curve25519 or Ed25519, but it's possible to reuse some code between them.

It is possible to convert Ed25519 public keys to Curve25519, but the other way round misses a sign bit, i.e. two Ed25519 public keys correspond to a single Curve25519 public key. Private keys are very similar as well.


Concerning implementations, it's important to distinguish between the actual implementation and libraries that package them in usable form.

Actual implementations

djb's implementations in SUPERCOP

  • Ref written in C, very slow
  • djb's Ref10 written in C, decent performance
  • djb's amd64-64-24k and amd64-51-30k, written in assembly, about twice as fast as Ref10

He also wrote an earlier, incompatible prototype in NaCl; don't use that one.

Floodyberry's donna implementation

Contains several variants, both assembly and C. Some optimized for 64 bit, some optimized for 32 bit.

Libraries

  • LibSodium

    C library, currently uses Ref10 implementation

    Has bindings for many programming languages. It's probably the most popular version and what I recommend to most people.

    Contains a bunch of other crypto functions from NaCl, such as authenticated encryption (XSalsa20Poly1305), hashes, Curve25519 key-exchange.

  • Nightcracker's Ed25519

    C library, uses Ref10 implementation.

    Most interesting feature of this library is that it supports key-exchange using Ed25519 public keys. But it doesn't hash the shared key, so it doesn't produce the same shared secret as Curve25519.

    Contains pre-built binaries for Win32 and Win64.

  • My C# port

    Pure managed code and works unchanged on 32 and 64 bit platforms. Based on Ref10. A bit slower than C implementations, but the difference is surprisingly small.

    Supports key-exchange compatible with NaCl using both Curve25519 and Ed25519 keys and contains a bunch of other crypto functions from NaCl. I'm aiming for a similar feature set as LibSodium.

    The Ed25519 signature functions work and have seen a reasonable amount of tests, but other parts of the library are a bit rough.

  • Directly using an implementation from SUPERCOP or Floodyberry's code.

    Probably requires a bit more work for building, but you'll get higher performance (~2x) and don't need to carry around code you don't need.


I recommend going with LibSodium for now. It's relatively popular and well maintained. Performance is decent; it should only cause performance issues in really signature-heavy applications.

CodesInChaos answered Sep 20 '22 14:09
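
The public-key conversion mentioned in the answer above, as an added example that is not part of the original answer or any of the listed libraries. It assumes the standard birational map u = (1 + y) / (1 - y) between the two curve forms; the function names are hypothetical, the sample key is the Ed25519 base point encoding (constructed input), and the arithmetic is plain Python integers, so it is not constant-time.

```python
# Added example: illustrative pure-Python code, not constant-time.
P = 2**255 - 19                          # field prime shared by both curves
D = (-121665 * pow(121666, -1, P)) % P   # Edwards constant d = -121665/121666
SQRT_M1 = pow(2, (P - 1) // 4, P)        # a square root of -1 mod P

# Constructed sample input: encoding of the Ed25519 base point (y = 4/5, x even).
SAMPLE_ED_PK = bytes.fromhex("58" + "66" * 31)

def decode_ed25519(pk):
    """Decode a 32-byte Ed25519 public key to affine (x, y); reject non-points."""
    if len(pk) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    n = int.from_bytes(pk, "little")
    sign, y = n >> 255, n & ((1 << 255) - 1)   # top bit carries the sign of x
    if y >= P:
        raise ValueError("non-canonical y")
    # Curve equation -x^2 + y^2 = 1 + d*x^2*y^2 solved for x^2.
    x2 = (y * y - 1) * pow(D * y * y + 1, -1, P) % P
    x = pow(x2, (P + 3) // 8, P)               # candidate square root
    if (x * x - x2) % P:
        x = x * SQRT_M1 % P
    if (x * x - x2) % P:
        raise ValueError("not on the curve")
    if x == 0 and sign:
        raise ValueError("invalid sign bit")
    if x & 1 != sign:
        x = P - x
    return x, y

def ed25519_pk_to_curve25519(pk):
    """Map an Ed25519 public key to the Curve25519 (Montgomery u) public key."""
    _x, y = decode_ed25519(pk)                 # x is validated, then discarded
    if y == 1:
        raise ValueError("identity point has no Montgomery u")
    u = (1 + y) * pow((1 - y) % P, -1, P) % P
    return u.to_bytes(32, "little")

def flip_sign_bit(pk):
    """Encoding of the negated point (-x, y): same y, opposite sign bit."""
    return pk[:31] + bytes([pk[31] ^ 0x80])

if __name__ == "__main__":
    for pk in (SAMPLE_ED_PK, flip_sign_bit(SAMPLE_ED_PK)):
        print(pk.hex(), "->", ed25519_pk_to_curve25519(pk).hex())
```

Both encodings map to u = 9, the Curve25519 base point, because the map uses only y; that discarded sign of x is the bit that cannot be recovered when going from Curve25519 back to Ed25519.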


Adding to CodesInChaos' answer:

Libraries

  • My Java port

    Based on Ref 10, and provides the standard JCA APIs so it can be added to a crypto Provider.

str4d answered Sep 18 '22 14:09