The new SQRL authentication scheme relies on Curve Ed25519 encryption developed by Daniel Bernstein. However, in order to start implementing this scheme there needs to be a mature implementation of Curve Ed25519 first.
Does anyone know of any mature, implementations? For Java, .NET or any other popular platform?
Ed25519 keys start life as a 32-byte (256-bit) uniformly random binary seed (e.g. the output of SHA256 on some random input).
Ed25519 is a deterministic signature scheme using curve25519 by Daniel J. Bernstein, Niels Duif, Tanja Lange, Peter Schwabe and Bo-Yin Yang. The signature scheme uses curve25519, and is about 20x to 30x faster than Certicom's secp256r1 and secp256k1 curves. Also see High-speed high-security signatures (20110926).
asymmetric cryptography works in both directions: encrypt with private key -> decrypt with public key & encrypt with public key -> decrypt with private key. ed25519 private key is just a random 256-bit number. the public key may be unambiguously derived by projecting the private key number over the curve25519.
Ed25519 is intended to provide attack resistance comparable to quality 128-bit symmetric ciphers. Public keys are 256 bits long and signatures are 512 bits long.
First of all, Curve25519 and Ed25519 aren't exactly the same thing. They're based on the same underlying curve, but use different representations. Most implementations are either for Curve25519 or Ed25519, but it's possible to reuse some code between them.
It is possible to convert Ed25519 public keys to Curve25519, but the other way round misses a sign bit. i.e. two Ed25519 public keys correspond to a single Curve25519 public key. Private keys are very similar as well.
Concerning implementations it's important to distinguish between the actual implementation, and libraries that package them in usable form.
djb's implementations in SUPERCOP
Ref
written in c, very slowRef10
written in c, decent performanceamd64-64-24k
and amd64-51-30k
, written in assembly, about twice as fast as Ref10
He also wrote an earlier, incompatible, prototype in NaCl, don't use that one
Floodyberry's donna implementation
Contains several variants, both assembly and c. Some optimized for 64 bit, some optimized for 32 bit.
LibSodium
C library, currently uses Ref10
implementation
Has bindings for many programming languages. It's probably the most popular version and what I recommend to most people.
Contains a bunch of other crypto functions from NaCl, such authenticated encryption (XSalsa20Poly1305), hashes, Curve25519 key-exchange.
Nightcracker's Ed25519
C library, uses Ref10
implementation.
Most interesting feature of this library is that it supports key-exchange using Ed25519 public keys. But it doesn't hash the shared key, so it doesn't produce the same shared secret as Curve25519.
Contains pre-built binaries for Win32 and Win64.
My C# port
Pure managed code and works unchanged on 32 and 64 bit platforms. Based on Ref10. A bit slower than c implementations, but the difference is surprisingly small.
Supports key-exchange compatible with NaCl using both Curve25519 and Ed25519 key and contains a bunch of other crypto functions from NaCl. I'm aiming for a similar feature set as LibSodium.
The Ed25519 signature functions work and have seen a reasonable amount of tests, but other parts of the library are a bit rough.
Directly using an implementation from SUPERCOP or Floodyberry's code.
Probably requires a bit more work for building, but you'll get higher performance (~2x) and don't need to carry around code you don't need.
I recommend going with LibSodium for now. It's relatively popular and well maintained. Performance is decent, should only cause performance issues in really signature heavy applications.
Adding to CodesInChaos' answer:
My Java port
Based on Ref 10, and provides the standard JCA APIs so it can be added to a crypto Provider.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With