Things that use Ed25519

Updated: October 24, 2024

Here's a list of protocols and software that use or support the superfast, super secure Ed25519 public-key signature system from Daniel J. Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, and Bo-Yin Yang.

This page is organized by Protocols, Networks, Operating Systems, Hardware, Software, SSH Software, TLS Libraries, NaCl Crypto Libraries, lib25519, Libraries, Miscellaneous, Timeline notes, and Support coming soon.

You may also be interested in this list of Curve25519 ECDH deployment.

Protocols

• TLS 1.3 — Transport Layer Security
• SSH — thanks to work done by the OpenSSH team, adopted also by TinySSH and others
• Signal Protocol — encrypted messaging protocol derivative of OTR Messaging
• saltpack — a modern crypto messaging format
• ORDO — Ordered Representation for Distinguished Objects: A Certificate Format
• RAET — (Reliable Asynchronous Event Transport) Protocol
• roughtime — secure time synchronisation
• Dat — a new p2p hypermedia protocol
• TCN — Temporary Contact Numbers, a decentralized, privacy-first contact tracing protocol
• Evernym — a high-speed, privacy-enhancing, distributed public ledger engineered for self-sovereign identity
• Chain Key Derivation — a deterministic key derivation scheme
• S/MIME 4.0 — Secure/Multipurpose Internet Mail Extensions
• BLEMeshChat — 100% sneakernet chat via Bluetooth LE Mesh, for iOS and Android
• (n+1)sec — a free, end-to-end secure, synchronous protocol for group chat
• PASETO — a specification and reference implementation for secure stateless tokens

Networks

• Tor — The Onion Router anonymity network
• Zcash — a privacy-protecting, digital currency built on strong science (used in JoinSplit signatures)
• I2P — an anonymous network
• GNUnet — a framework for secure peer-to-peer networking that does not use any centralized or otherwise trusted services
• Nebula — open source global overlay network from Slack
• Serval — Mesh telecommunications
• Peergos — An end-to-end encrypted, peer-to-peer file storage, sharing and communication network
• Yggdrasil — a fully end-to-end encrypted network
• URC — an IRC style, private, security aware, open source project
• Stellar (Payment Network) — low-cost, real-time transactions on a distributed ledger
• Sia — Blockchain-based marketplace for file storage
• cjdns — encrypted ipv6 mesh networking

Operating systems

• OpenBSD — used in OpenSSH, signify, and in CVS over SSH
• OpenWrt — used in package signing
• NetBSD — ships with OpenSSL 1.1.1+
• FreeBSD — ships with OpenSSL 1.1.1+
• All operating systems that ship with OpenSSH 6.5+ from the OpenBSD Project

Software projects signed with Ed25519

• OpenBSD signs releases, packages, patches, and binary updates with Ed25519 via signify
• Void Linux signs installation images with Ed25519 via signify
• GrapheneOS signs OS images with Ed25519 via signify
• M:Tier signs OpenBSD packages and binary updates with Ed25519 via signify
• WireGuard for Windows updates are signed with Ed25519 via signify
• WireGuard for Android kernel modules are signed with Ed25519 via signify
• dist.schmorp.de signs libev and other packages with Ed25519 via signify
• minisign signs releases with Ed25519 via minisign
• libsodium signs releases with Ed25519 via minisign
• dnscrypt-proxy signs its resolver list with Ed25519 via minisign
• SimpleDnsCrypt signs packages with Ed25519 via minisign
• dnscrypt-osxclient signs packages with Ed25519 via minisign
• Markdeep signs releases with Ed25519 via minisign
• Airship signs automatic updates with Ed25519
• LibreSSL signs releases with Ed25519 via signify
• radare2 signs releases with Ed25519 via signify
• OpenSMTPD signs releases with Ed25519 via signify
• DNSCurve.io signs downloads with Ed25519 via signify

Hardware

• SC4 HSM — a fully-open USB2 HSM (hardware-secure module)
• crypto-in-a-box — Turns an Arduino into a cryptography token
• Yubikey 5 — Multi-protocol security key
• YubiHSM 2 — a cost-effective Hardware Security Module (HSM) for servers and IoT gateways
• Nitrokey Start — encrypts your emails, files, and server access
• Howto: signify(1) signatures with a YubiHSM
• Voting machines in Brazil — administered by Justiça Eleitoral brasileira; printable Ed25519-signed QR code paper trails
• Luna Network HSMs — High Assurance Hardware Security Modules
• CEC1702 — ARM Cortex M4-based microcontroller with a complete hardware cryptography-enabled solution in a single package

Software

• VPN and tunneling software
  • strongSwan — open source IPsec-based VPN
• Riot/Matrix — end-to-end encrypted messaging
• Vuvuzela — a private chat application that hides metadata, including who you chat with and when you are chatting
• GnuPG — GNU Privacy Guard
• arti — an implementation of Tor, in Rust
• reop — reasonable expectation of privacy
• tweetnacl-tools — Tools for using TweetNaCl
• Wire — fully encrypted calls, video and group chats available on all your devices
• Hyperledger Iroha — blockchain platform designed for simple creation and management of assets
• i2pd — Simplified C++ implementation of I2P client
• sear — Signed/Encrypted ARchive: always-encrypted tar-like archive tool with optional signature support
• Cabal — experimental p2p community chat platform
• Rspamd — Rapid spam filtering system
• CrossClave — zero-knowledge messaging and file transfer
• sigtool — Signify like tool in Golang - only easier and simpler
• Sandstorm — Personal Cloud Sandbox
• Airship — Secure Content Management for the Modern Web - "The sky is only the beginning"
• cryptpad — an encrypted collaborative editor
• trust-dns — A Rust based DNS client and server
• Rubinius Language Platform — a modern language platform that supports a number of programming languages
• KadNode — P2P name resolution daemon based on a Distributed Hash Table (DHT)
• wasmsign — A tool to add and verify digital signatures to/from WASM binaries
• pbp — salty privacy (provides basic functionality resembling PGP)
• mute — secure messaging
• MicroMinion platform — a secure messaging layer with end-to-end connectivity using a variety of underlying transport mechanisms
• sodium11 — A command line toolkit for encryption and signing of files based on libsodium
• fwup — Configurable embedded Linux firmware update creator and runner
• libdime — The DIME resolver library and command line utilities
• locker — easy secure locker
• auth — sample ed25519 browser extension backend
• cosi — CoSi command line interface
• pgsodium — Postgres extension wrapper around libsodium
• crypt — ed25519 chrome extension
• TarsierMessenger — Tarsier Messenger is a messaging application using WiFi direct
• zkc — Zero Knowledge Communications
• mkp224o — vanity address generator for ed25519 onion services
• FalconGate — A smart gateway to stop hackers and Malware attacks (includes DNSCrypt support)
• piknik — Copy/paste anything over the network
• atumd — Post-quantum trusted time-stamping server (supports XMSS and Ed25519)
• go-atum — Go client for the post-quantum Atum time-stamping service (supports XMSS and Ed25519)
• detox-crypto — High-level utilities that combine under simple interfaces complexity of the cryptographic layer used in Detox project
• RChain Cooperative — a consesus algorithm using a proof-of-stake protocol
• ED25519-tools — tool for signing/verifying
• RNP — a set of OpenPGP (RFC4880) tools that works on Linux, *BSD and macOS as a replacement for GnuPG
• horse25519 — Ed25519 vanity public key generator
• clmm — An exercise in cryptographic minimlism
• Ed25519Tool — Ed25519 signing and verification online tool
• salty — A practical, compact CLI crypto system based on TweetNaCl, featuring public key sharing and zero-password peer stream encryption
• go-atum — Go client for the post-quantum Atum time-stamping service
• twisted-ego — Vanity Ed25519/Cv25519 GPG Keys
• DoorKeeper — An attempt to enable secure communication, authentication & authorization for my ESP8266 project
• mysql-sodium — Mysql UDF bindings for LibSodium
• stellar-hd-wallet — Key derivation for Stellar (SEP-0005)
• WebSign — used by Cyph
• usermgr — a tool to turn access to production systems from a pain in the butt into ponies and rainbows
• box — Simple file authenticated encryption/decryption
• mulsigo — decentralized multi signature scheme pgp compatible
• session-keys-js — A cryptographic tool for the deterministic generation of unique user IDs, and NaCl cryptographic keys
• dename — NameCoin-style names using consensus instead of proof of work
• nacl-signature — Nodejs module to sign/verify data using NaCl
• challenge-su — `su` implementation using Ed25519 signatures for challenge/response
• SC4 — Strong Crypto for Mere Mortals
• HashiCorp Vault — A Tool for Managing Secrets
• Scorex — The modular blockchain framework
• pcp — Pretty Curved Privacy
• mcrypt — Message Crypto - Encrypt and sign individual messages
• srndv2 — some random news daemon (version 2)
• go-anvil — Forge "no password on the wire" authentication challenges
• gen-ed25-keypair — Haskell CLI tool to generate Ed25519 keys and sign/verify msgs
• CPGB — Curve Privacy Guard B, a secure replacement for GPG using ECC
• Simply Good Privacy — PGP-like system without web of trust
• cubed_old — A proper open-source minecraft clone in C++
• BigchainDB — A scalable blockchain database
• KinomaJS — A JavaScript runtime optimized for the applications that power IoT devices
• verifysignature — Sample of standalone portable C to verify Ed25519 public-key signature
• tiny-ssh-keygen-ed25519 — tiny ssh-keygen for ed25519 keypairs in standard C
• SQRL — Secure Quick Reliable Login
• ed25519 — Erlang port program for ed25519 sign and verify from libsodium
• py_ssh_keygen_ed25519 — ssh-keygen for ed25519 keypairs in Pure Python
• jsign — Tool to sign files and verify signature
• Kraken — C ed25519-donna Key Pair generator
• falconlab
• freepass — The free password manager for power users
• cordova-plugin-minisodium — A minimal cordova plugin that provides a binding to libsodium
• textsecure-go — TextSecure client package for Go
• Dhall — Sign/Verify files
• HAP-NodeJS — Node.js implementation of HomeKit Accessory Server
• Osteria — secure point-to-point messenger
• sick — Sign and check streams cryptographically using the ed25519 algorithm
• curvebench — Benchmark comparing secp256k1 to ed25519
• cryptutils — Various crypto utilties based on a common NaCl/Ed25519 core
• srndv2 — some random news daemon (version 2)
• ed2curve-js — Convert Ed25519 signing keys into Curve25519 Diffie-Hellman keys
• tuf — a secure updater framework for Python
• PoSH-Sodium — Powershell module to wrap libsodium-net methods
• crypto-bench — Benchmarks for crypto libraries (in Rust, or with Rust bindings)
• SUPERCOP — a cryptographic benchmarking suite

SSH Software

• SSH software with full modern crypto support (sntrup761x25519-sha512@openssh.com, X25519, Ed25519 and ChaCha20-Poly1305)
  • OpenSSH — Secure Shell from the OpenBSD project
  • TinySSH — a small SSH server with state-of-the-art cryptography
• SSH software with full classic crypto support, lacking post-quantum security
  • Win32-OpenSSH — Win32 port of OpenSSH
  • PuTTY — a free implementation of SSH and Telnet for Windows and Unix platforms
  • KiTTY — a fork from version 0.70 of PuTTY with extra features
  • SecureCRT — SSH client for Windows, Mac, and Linux
  • Dropbear — an SSH server and client
  • WinSCP — a popular SFTP client for Microsoft Windows
  • asyncssh — an asynchronous SSH2 client and server atop asyncio
  • Termius — an SSH client that works on Desktop and Mobile
  • rlogin — Japanese rlogin, telnet, and ssh client
  • pssht — SSH server written in PHP
• SSH software with partial modern crypto support (at least Ed25519)
  • Golang ssh — for both client and server keys
  • redox-ssh — SSH Client and Server written in Rust
  • ConnectBot — SSH client for Android
  • passphrase-identity — Regenerable ed25519 keys for OpenSSH and OpenPGP
  • teleport — Modern SSH server for teams managing distributed infrastructure
  • Prompt — SSH client for iOS
  • ssh-key-generator — A utility for deterministically generating ssh keypairs
  • SwiftNIO SSH — SSH in Swift
  • determin-ed — Create deterministic ed25519 keys from seedfile and password for openssh-key-v1 format
  • net-ssh — Pure Ruby implementation of an SSH (protocol 2) client
  • SmartFTP — an FTP, SSH, SFTP client
  • Cyberduck — Libre FTP, SFTP, WebDAV, S3, Azure & OpenStack Swift browser for Mac and Windows
  • ed25519hetzner — Script to scan OpenSSH host key and known_hosts files for shared keys from server hoster Hetzner
  • 2sshfp — Build SSHFP DNS records - ecdsa & ed25519 support (sh)
  • net-ssh — pure-Ruby implementation of the SSH2 client protocol
  • edkey — write ED25519 private keys in the OpenSSH private key format
  • tinyssh-convert — convert ed25519 hostkeys from openssh format
  • MobaXterm — Windows SSH client
  • Paramiko — A Python implementation of SSHv2
  • Tera Term — SSH client for Windows
  • TinyTERM (proprietary; support according to this comparison page)
    • TinyTERM for Android
    • TinyTERM for iOS
  • pts-dropbear — Dropbear SSH tools with ed25519 and other improvements by pts

DNS Software

• dnscrypt-proxy — securing communications between a client and a DNS resolver
• dnsdist — dnsdist supports DNSCrypt
• Unbound — a validating, recursive, and caching DNS resolver
• PowerDNS Recursor — a high-performance DNS recursor with built-in scripting capabilities
• DNSCryptClient — A simple DNSCrypt client
• dnscrypt — authenticated and encrypted DNS client for nodejs
• dnsmasq — network infrastructure for small networks: DNS, DHCP, router advertisement and network boot
• PowerDNS Authoritative Server — the only solution that enables authoritative DNS service from all major databases
• SimpleDnsCrypt — A simple management tool for dnscrypt-proxy
• Knot DNS — a high-performance authoritative-only DNS server

Signify software

This section is for OpenBSD signify ported to Linux and other operating systems.

• OpenBSD: signify — cryptographically sign and verify files
• Adrian Perez: signify-portable — OpenBSD tool to sign and verify signatures
• mancha: signify-portable — put together by mancha
• Felix von Leitner: signify-fefe — signify that builds on Linux
• Vsevolod Stakhov: asignify — Yet another signify tool
• Jean-Philippe Ouellet: signify-osx — OS X port of OpenBSD's signify(1)
• Michael Gehring: signify-go — Go implementation of OpenBSD's signify(1)
• Yui NARUSE: nurse-signify — portable version of OpenBSD's signify with autoconf
• Christian Neukirchen: leahneukirchen-signify
• Mark Kubacki: signify — signify for Linux that uses instructions of modern CPUs
• Aaron Bieber: signify.el — signify package for emacs
• Tobias Stoeckmann: signify-windows — OpenBSD signify for Windows systems
• Björn Edström: python-signify — OpenBSD Signify for Python
• Robert Escriva: rescrv-signify — signify ported from OpenBSD
• Heinrich Schuchardt: usign — tiny signify replacement
• Frank Braun: gosignify — a Go reimplementation of OpenBSD's signify
• Debian packages: signify-openbsd
• valpackett: freepass — The free password manager for power users + signify support
• Jan-Erik Rediger: signify-rs — Create cryptographic signatures for files and verify them

Minisign software and libraries

Minisign is compatable with signify.

• minisign — A dead simple tool to sign files and verify signatures. (by Frank Denis)
• go-minisign — Minisign library for Golang
• rsign2 — A command-line tool to sign files and verify signatures in pure Rust
• rust-minisign — A pure Rust implementation of the Minisign signature tool
• rust-minisign-verify — A small Rust crate to verify Minisign signatures
• minizign — Minisign reimplemented in Zig
• py-minisign — Missing python minisign library
• minisign-misc — macOS workflows and shell scripts to verify and sign files with minisign
• minisign-py — Pure Python port of minisign: a dead simple tool to sign files and verify digital signatures
• minisign-php — PHP implementation of Minisign powered by Libsodium
• rsign — A simple rust implementation of Minisign tool
• minisign-net — .NET library to handle and create minisign signatures

TLS Libraries

• LibreSSL 3.7.0 or later
• Rustls — a modern TLS library in Rust
• BoringSSL
• mbedtls-esp8266 — Updated and Upgraded mbedTLS library for the ESP8266 (probably ESP32 too)
• OpenSSL 1.1.1+ — "a robust, commercial-grade, and full-featured toolkit for TLS"
• Inside Secure TLS Toolkit (formerly known as MatrixSSL) — TLS in C with minimalistic system dependencies
• wolfSSL — a lightweight SSL/TLS library in ANSI C for embedded, RTOS, and resource-constrained environments

NaCl Crypto Libraries

For cryptographic libraries in the NaCl family, including TweetNaCl, uNaCl, and libsodium, as well as wrappers, bindings, and ports.

• TweetNaCl + wrappers & bindings
  • TweetNaCl — a crypto library in 100 tweets (Daniel J. Bernstein, Bernard van Gastel, Wesley Janssen, Tanja Lange, Peter Schwabe, Sjaak Smetsers)
  • Erlang: TweetNaCl-Erlang — Erlang bindings for TweetNaCl
  • Go: tweetnacl-go — a wrapper around TweetNaCl
  • Jim TCL: jim-nacl — NaCl extension for Jim TCL (using TweetNaCl)
  • Julia: TweetNaCl-Julia — Julia wrapper for the TweetNaCl library
  • Objective-C: tweetnacl-objc — Objective-C bindings to the TweetNaCl crypto library
  • Lua: luatweetnacl — Lua wrapper arount the Tweet NaCl cryptographic library
    • lit-tweetnacl — luatweetnacl repackaged as a lit library
  • Node.js: naclb — NaCl module binding for Node.js
  • OCaml: ocaml-tweetnacl — TweetNaCl for OCaml
  • Perl6: perl6-tweetnacl
  • Python: Python-TweetNaCl — a wrapper around the C implementation of TweetNaCl
  • Python: python-tweetnacl — Python bindings to the "TweetNaCl" cryptography library
  • Q/KDB: qsalt — NaCl bindings for Q/KDB
  • Racket: racl — Racket bindings for nacl.cr.yp.to
  • Ruby: tweetnacl-ruby — TweetNaCl Ruby C-extension
  • Rust: rust-tweetnacl — Rust wrapper for TweetNaCl crypto library
  • Rust: knuckle — Rust bindings to TweetNaCl
  • Rust: libredsalt — Simple Rust bindings to the tweetnacl library
  • Swift: tweetnacl-swiftwrap — from Bitmark Inc.
  • TCL: nacl-tcl — tcl package for Networking and Cryptography library (pronounced "salt")
• TweetNaCl ports etc.
  • Ada: SPARKNaCl — SPARK 2014 re-implementation of TweetNaCl
  • Android: tweetnacl-android — TweetNaCl port to Android
  • C: tweetnacl-usable — TweetNaCl + randombytes()
  • C: tweetnacl-rongarret — a fork of TweetNaCl with several modifications
  • C#: tweetnacl-cs — A 100% native C# implementation of TweetNaCl for .NET
  • Common Lisp: naclcl — A direct translation of TweetNaCl into Common Lisp
  • CouchDB: couchnacl — Use TweetNaCl.js from inside CouchDB
  • D: tweetnacl.d — D port of tweetnacl
  • D: tweednacl — Pronounced as TweedSalt. A crypto library for D based on NaCl
  • Dart: tweetnacl-dart — Port of TweetNaCl cryptographic library to Dart
  • Dart: PineNaCl — a Dart implementation of TweetNaCl
  • Go: go-tweetnacl — A Go port of the TweetNacl library
  • Java: tweetnacl-java — rewrite tweetnacl.c in pure Java
  • Java: tweetnacl-java — A Java port of TweetNaCl from the original C
  • Java: salt-aa — A Java API to TweetNaCl implementations
  • JavaScript: TweetNaCl.js — Port of TweetNaCl / NaCl to JavaScript for modern browsers and Node.js
    • Node (wrapper): node-nacl
    • sodium-browserify-tweetnacl — wraps javascript port of tweetnacl with the api of chloride
    • purescript-crypt-nacl — TweetNaCl wrapper for Purescript
    • panda-confidential — Simple, extensible interface for the tweetnacl-js cryptography library
  • JavaScript: tweetnacl-nodewrap — Port of TweetNaCl / NaCl to javascript Node.js
  • Kotlin: tweetnacl-k — kotlin implementation of tweetnacl
  • Python: pure_pynacl — A pure python implementation of TweetNaCl
  • Rust: sodalite — tweetnacl in rust
  • Rust: microsalt — High Level Pure Rust Crypto library for your trusty rusty programs
  • TypeScript: tweetnacl-ts — Port of TweetNaCl cryptographic library to TypeScript (and ES6)
  • WebAssembly: TweetNacl-WebAssembly — This is a testbed for some web assembly experiments
• μNaCl — The Networking and Cryptography library for microcontrollers (Core team: Michael Hutter and Peter Schwabe)
  • ubirch-mbed-nacl-cm0 — Port of μNaCl for ARM Cortex M0
• libsodium + wrappers & bindings
  • libsodium — a portable, cross-compilable, installable, packageable fork of NaCl (Frank Denis)
  • Ada: libsodium-ada
  • Ada: sodiumada
  • C#: NitraLibSodium
  • C#: libsalt
  • C++: sodiumpp
  • C++: sodium-wrapper
  • Chicken: chicken-sodium
  • Clojure: caesium
  • Clojure: naclj
  • Common LISP: cl-sodium
  • Common LISP: foreign-sodium
  • Crystal: salty
  • Crystal: sodium.cr
  • Cuis: Cuis-Smalltalk-Crypto-NaCl
  • D: shaker
  • D: sodium
  • Delphi/FreePascal: libsodium-delphi
  • Dylan: sodium-dylan
  • Elixir: Savory
  • Elixir: libsalty
  • Erlang: Erlang-NaCl
  • Erlang: Salt
  • Erlang: enacl
  • Erlang and Elixir: erlang-libsodium
  • Flutter: flutter_sodium
  • Fortran: Fortium
  • Go: GoSodium
  • Go: libsodium-go
  • Go: sodium
  • Hack: Nuxed Crypto
  • Haskell: Saltine
  • Haskell: lithium
  • Idris: sodium-idris
  • Java: kalium
  • Java: jsodium
  • Java JNI: libsodium-jni
  • Java JNI: sodium-jni
  • Java JNI: libstodium
  • JavaScript: sodium-plus
  • Javascript: js-nacl
  • Javascript: sodium-native
  • JavaScript: dholecrypto-js
  • Julia: Sodium.jl
  • Kotlin: kotlin-multiplatform-crypto
  • Lua: jprjr-luasodium
  • Lua: luasodium
  • Lua: lua-sodium
  • Mruby: mruby-libsodium
  • Nativescript: nativescript-libsodium
  • Nim: Sodium.nim
  • Nim: nim-libsodium
  • Nim: libsodium.nim
  • NodeJS: node-sodium
  • NodeJS: Natrium
  • NodeJS: node-nacl
  • Objective-C: SodiumObjc
  • OCaml: ocaml-sodium
  • Perl: Crypt-Sodium
  • Perl: crypt-nacl-sodium
  • Pharo/Squeak: Crypto-Nacl
  • PHP: libsodium-php
  • PHP: php-sodium
  • PHP: php
  • PHP: halite
  • PHP: dhole-cryptography
  • PHP polyfill: sodium_compat
  • Pony: pony-sodium
  • Python: libnacl
  • Python: PyNaCl
  • Python: pysodium
  • Python: libnacl
  • Python: libsodium-python-examples
  • R: sodium
  • Racket: part of CRESTaceans
  • Realbasic and Xojo: RB-libsodium
  • Ruby: ffi-libsodium
  • Ruby: sodium
  • Ruby: jodid
  • Ruby: RbNaCl::Libsodium
  • Ruby: RbNaCl
  • Rust: Sodium Oxide
  • Rust: libsodium-ffi
  • Rust: rust_sodium
  • Swift: swift-sodium
  • UWP: libsodium-uwp
  • V: libsodium
• libsodium.js — The sodium crypto library compiled to pure JavaScript using Emscripten
  • natrium-browser — libsodium.js wrapped with natrium api
  • sodium-browserify — A polyfil between the apis of node-sodium and libsodium-wrappers

lib25519

lib25519 "is a microlibrary for the X25519 encryption system and the Ed25519 signature system" that can be used directly in C or called by libraries in other languages using FFI. See the website for more information.

• C/ASM: lib25519 (many authors; lib25519 maintained by Daniel J. Bernstein)
• Python: python-lib25519

PASETO libraries

Be sure to consult the PASETO website for the best information.

PASETO v4 libraries

• Go: go-paseto

PASETO v2 libraries

• Elixir: Paseto — An Elixir implementation of Paseto (Platform-Agnostic Security Tokens)
• Go: paseto — Platform-Agnostic Security Tokens implementation in GO (Golang)
  • Go: go-paseto-middleware — Paseto middleware for GoLang
  • Go: pasetosession — Web session/authentication using PASETO
• Java: paseto4j — Paseto implementation for Java
• Java: paseto — Java Implementation of Platform-Agnostic Security Tokens
• Javascript: paseto.js — PASETO: Platform-Agnostic Security Tokens
• Lua: paseto-lua — PASETO (Platform-Agnostic Security Tokens) for Lua
• .NET: Paseto.Net — .NET Implementation of PASETO (v2 local / public encryption)
• .NET: paseto-dotnet — Paseto.NET, a Paseto (Platform-Agnostic Security Tokens) implementation for .NET
• Python: pypaseto — PASETO for Python
• Ruby: paseto.rb — Ruby implementation of Paseto using libsodium
• Rust: paseto — A paseto implementation in rust
• Swift: swift-paseto — Platform-Agnostic Security Tokens implementation in Swift

PASETO plugins

• Phoenix authentication plug: paseto_plu — A Phoenix authentication plug that validates Paseto (Platform Agnostic Security Tokens)
• Kong (plugin): kong-plugin-paseto — Kong plugin for PASETO (Platform-Agnostic Security Tokens)

Libraries

• Ed25519 standalone (native implementations)
  • Android: Android.Ed25519 (Dave Akers)
  • ASM/C: iroha-ed25519 (Hyperledger Project)
  • C: ed25519-donna (Andrew Moon)
  • C: ed25519 (Orson Peters)
    • WebAssembly: supercop.wasm (Nazar Mokrynskyi)
  • C: libbrine (Kevin Smith)
  • C: Ed25519 (ArduinoLibs)
  • C++ curve25519-uwp (Jeff R)
  • C#: ed25519 (Hans Wolff)
  • C#: curve25519-pcl (Jeff R)
  • C#: Ed25519 (CryptoManiac)
  • Dart: ed25519 (Tougee)
  • Dart: ed25519_dart (Oleksii Semeshchuk)
  • Dart: riclava_ed25519 (riclava)
  • Clojure: ed25519 (Kevin Downey)
  • Elixir: ed25519_ex (Matt Miller)
  • Go: edwards25519 (Filippo Valsorda)
  • Go: ed25519 (Adam Langley)
  • Go: ed25519 (Nebulous)
  • Go: blakEd25519 (Inkeliz) — uses Blake2 instead of SHA-2
  • Go: ed25519 (Oasis Protocol Foundation)
  • Haskell: hs-scraps (Vincent Hanquez)
  • Java: ed25519-java (str4d)
  • Java: ed25519-java (k3d3)
  • Java: ed25519 (Bjorn Arnelid)
  • Java: ed25519-java (Keith M)
  • Java: Punisher.NaCl (Arpan Jati)
  • Java: ED25519 (Mick Michalski)
  • Javascript: noble-ed25519 (Paul Miller)
  • Node.js: Ed25519 (Boris Povod)
  • Perl: Crypt::Ed25519 (Marc Lehmann)
  • Python: ed25519.py (Ed25519 authors)
  • Python: ed25519 (Python Cryptographic Authority)
  • Python: python-pure25519 (Brian Warner)
  • Python: ietf-eddsa (Simon Josefsson)
  • Python: nmed25519 (naturalmessage)
  • Python: ed25519.py (Shiho Midorikawa)
  • Rust: ed25519-dalek (Isis Agora Lovecruft)
    • Python bindings for ed25519-dalek: py-ed25519-bindings
  • Rust: ed25519-zebra (Zcash)
  • Swift: ed25519swift (pebble8888)
  • VHDL: edxcel_old (Software Defined Buildings)
• Ed25519 standalone (wrappers and bindings)
  • Erlang: brine (Kevin Smith)
  • Haskell: hs-ed25519 (Austin Seipp)
  • Haskell: haskell-ed25519 (Clint Adams)
  • Haskell: hs-ed25519-donna (Thomas M. DuBuisson)
  • Nim: ed25519.nim (niv)
  • Node.js: ed25519 (Dave Akers)
  • PHP: php-ed25519-ext (Krzysztof Rutecki)
  • PHP: curve25519-php (mgp25)
  • Python: python-ed25519 (Brian Warner)
  • Python: ed25519ll (Daniel Holth)
  • Python: py25519 (sundarnagarajan)
  • Ruby: ed25519 (Crypto.rb)
  • Rust: elliptic (Jihyeok Seo)
  • Swift: ed25519 (Zsolt Váradi)

Other Libraries

• PHP 7.2.0+ — a popular general-purpose scripting language that is especially suited to web development
• ring — Crypto library for Rust using BoringSSL's cryptography primitives
• HACL* — a formally verified cryptographic library written in F*
• Rust-Crypto — A (mostly) pure-Rust implementation of various common cryptographic algorithms
• Chaos.NaCl — a cryptography library writen in C#, based on NaCl
• Nettle — a low-level cryptographic library
  • Bindings available in Haskell, Perl, Pike, PostgreSQL, R6RS Scheme, and TCL
• Monocypher — a small, secure, auditable, easy to use crypto library
  • LuaNacha — Lua wrapper for Monocypher
  • monocypher.cr — Crystal bindings for Monocypher
  • monocypher-go — Go language bindings for Monocypher
• libsuola — An ENGINE gluing together OpenSSL and NaCl-derived crypto
• phpseclib — PHP Secure Communications Library
• curve25519-java — Pure Java and JNI backed Curve25519 implementation
  • dnscrypt — A very simple DNSCrypt client library written in Go
  • scrypto — Cryptographic primitives for Scala (includes Curve25519-Java wrapper)
• Noise-C — a plain C implementation of the Noise Protocol
• curve25519-dalek — a Rust implementation of field and group operations on an Edwards curve over GF(2²⁵⁵ - 19)
• curv — Rust language general purpose elliptic curve cryptography
• CIRCL — Cloudflare Interoperable Reusable Cryptographic Library
• libgodium — Pure Go implementation of cryptographic APIs found in libsodium
• wasm-crypto — WebAssembly implementation of Ed25519-based operations and more
• Libgcrypt — a general purpose cryptographic library originally based on code from GnuPG
• hs-nacl — Modern Haskell Cryptography
• Signatory — a pure Rust multi-provider digital signature library
• Elligator-2 — Javascript implementation of the Elligator 2 algorithm for Curve25519
• torgo — A Golang library for Tor
• rPGP — a pure Rust implementation of OpenPGP
• rust-ed25519-compact — Small, wasm-friendly, zero-dependencies Ed25519 and X25519 implementation for Rust
• firedancer: AVX512 accelerated ED25519 and X25519 implementations
• threshold-ed25519 — Threshold Signatures using Ed25519
• nacl4s — Scala implementation of Networking and Cryptography (NaCl) library
• kevinburke-nacl — Pure Go implementation of the NaCl set of APIs
• Megolm — An AES-based cryptographic ratchet intended for group communications
• Sapient — Secure API toolkit
• mipher — Mobile Cipher library written in clean TypeScript
• rust-crypto-decoupled — Experiment on dividing rust-crypto into several small crates
• OpenPGP.js — an Open Source OpenPGP library in JavaScript
• Crypto++ — a free C++ class library of cryptographic schemes
• pycryptopp — Python bindings to the Crypto++ library
• eddsa — EdDSA python prototype
• libelligator — A C++ Elligator2 implementation
• elliptic — Fast Elliptic Curve Cryptography in plain javascript
• luazen — a small library with various compression, encoding and cryptographic functions for Lua
• nsec — A modern and easy-to-use crypto library for .NET Core based on libsodium
• amber — Cryptography library. X25519, Ed25519, ChaCha20, Blake2, Poly1305, Scrypt
• zig-eddsa-key-blinding — A Zig implementation of EdDSA signatures with blind keys
• libssh2 — a client-side C library implementing the SSH2 protocol (requires OpenSSL 1.1.1)
• tendermint-validator — A multi-party-computation signing service for Tendermint nodes using threshold Ed25519 signatures
• recrypt — for building a multi-hop proxy re-encryption scheme, known as Transform Encryption
• go-msgauth — A Go library for DKIM, DMARC and Authentication-Results
• nacl-cert — NaCl Certification System
• Lazysodium — a complete Android implementation of the Libsodium library
• FROST-Ed25519 — FROST threshold signature protocol for the Ed25519 signature scheme
• cryptonite — a haskell repository of cryptographic primitives
• easy-ecc — A usability wrapper for PHP ECC
• edcert — A rust crate for high-performance content-signing and certificate verification
• aiootp — Asynchronous pseudo-one-time-pad based crypto and anonymity library
• dnscrypt-python — DNSCrypt Python Library
• dnscrypt — Very basic DNSCrypt library for Go
• dnscrypt-proxy-gui — Qt/KF5 GUI wrapped over dnscrypt-proxy
• libsignal-protocol-c — Signal Protocol C Library
• sshj — ssh, scp and sftp for java
• salt-channel-c — C implementation of Salt Channel
• librnp — C library approach to OpenPGP
  • ruby-rnp — Bindings for RNP in Ruby
• xeddsa — port of libsignal's xeddsa implementation to the pitchfork
• TweetPepper — Formats, PKI using TweetNaCl as the Crypto
• iroha-ed25519 — RFC8032 compatible Ed25519 implementation with pluggable hash (sha2-512, sha3-512)
• hc — HomeControl is an implementation of the HomeKit Accessory Protocol (HAP) in Go
• GO-JWT-ed25519 — A very basic GO implementation of JWT using ed25519
• jwtk — Rust library for JWT signing (JWS) and verification, with first class JWK and JWK Set (JWKS) support
• c25519 — Wei25519, Curve25519 and Ed25519 for low-memory systems
• ara-crypto — Cryptographic functions used in various Ara modules
• libssh — a library written in C implementing the SSH protocol
• Personal-HomeKit-HAP — build HomeKit support accessories
• ocaml-bip32-ed25519 — OCaml implementation of BIP32-Ed25519 (Khovratovich/Law flavour)
• cryptostack — cryptographic library based on Curve25519, Ed25519, blake2b, Poly1305, XSalsa20 primitives
• go-tuf — Go implementation of The Update Framework (TUF)
• prototok — RbNaCl + json/msgpack/protobuf key generation/parsing gem
• kyber — Advanced crypto library for the Go language
• Ed25519_DS — Ed25519 node.js library
• go-lib — Useful, Reusable Golang libraries
• Neuro:pil — a small messaging library which by default adds two layers of encryption
• The Update Framework — helps developers to secure new or existing software update systems
• spring-boot-wow — spring boot integrity and multi modules with spring-boot include ed25519
• libaxolotl-crypto-web — WebCrypto implementation of cryptography interface for libaxolotl-javascript
• libaxolotl-javascript — A JavaScript implementation of axolotl
• libaxolotl-crypto-node — Node.js implementation of cryptography interface for libaxolotl-javascript
• ed25519-to-x25519.wasm — Library for Ed25519 signing key pair into X25519/Curve25519 key pair suitable for Diffie-Hellman key exchange
• crypto — crypto with ed25519 + base58 or other
• edssh — ed25519 signature support for golang.org/x/crypto/ssh
• salt-channel — A Java implementation of Salt Channel - a simple, light-weight secure channel protocol
• SharedEcc25519 — ANSI-C based cross-platform elliptic curve cryptography provider with objc api
• Virgil Crypto Library — modern cryptography libraries (ECIES and RSA with Cryptographic Agility) and all the necessary infrastructure
• Sequoia-PGP — a modern modular OpenPGP implementation in Rust
• arduinolibs-Crypto — Arduino libraries and examples
• libuecc — Very small Elliptic Curve Cryptography library
• ecc25519 — combine golang ed25519 and curve25519 libray in one
• erlang-libdecaf — ed448goldilocks (libdecaf) NIF with timeslice reductions for Erlang and Elixir (+Ed25519)
• ruby-jose — JSON Object Signing and Encryption (JOSE) for Ruby
• erlang-jose — JSON Object Signing and Encryption (JOSE) for Erlang and Elixir
• redux-signatures — Cryptographic signing of your redux (or flux) actions
• HeavyThing — x86_64 assembler library
• libcryptoconditions — Interledger crypto-conditions implemented in C, including simple JSON api
• eddy — a steady little Ed25519 library for Elixir
• joken — Elixir JWT library
• jwt_nacl — A Ruby JSON Web Token implementation using NaCl Ed25519 digital signatures
• go-libp2p-crypto — Various cryptographic utilities used by ipfs
• libsqrl — a library implementing the SQRL Specification
• nano-signing — A minimalistic public-key signing framework for TS / JS environments based on TweetNaCl and Ed25519
• yii2-api — A Yii2 API Skeleton Framework
• fld-ecc-vec — an optimized library for computing EdDSA and the Diffie-Hellman functions X25519 and X448
• cryptofamily — a heap of primitives, algorithms, etc.
• kcl — NaCl substitute of sorts in Elixir
• c25519 — Curve25519 and Ed25519 for low-memory systems
  • ed25519-streaming — Streaming implementation of c25519
• python-signedjson — Sign JSON objects with ED25519 signatures
• signedjson — Signs JSON objects with ED25519 signatures
• supercop.js — not to be confused with SUPERCOP
• hypercore-crypto — The crypto primitives used in hypercore, extracted into a separate module
• molch — An implementation of the axolotl ratchet based on libsodium
• aws-crypto-lambda — AWS Lambda for Cryptographic functions based on libsodium
• sshlib — ConnectBot's SSH library
• asymmetric-crypto — Encryption and signing using public-key cryptography (via TweetNaCl)
• coniks-go — A CONIKS implementation in Golang
• pspka — password seeded public key authentication
• curve25519-js — Curve25519 Javascript Implementation
• libeddsa — cryptographic library for ed25519 and curve25519
• libec — Small PKI library
• AFEnacl — An AFNetworking subclass providing payload signing via libsodium
• eddsa — Structures for safe handling of Ed25519 keys
• ECC-25519 — helps to use ECC with Curve25519
• Salt — NaCl cryptography library for PHP (not by the NaCl authors)
• libgcrypt — a general purpose cryptographic library based on the code from GnuPG
• crypto — Various cryptographic functions for datkt
• 25519 — Key agreement (X25519) and signing (ed25519)
• js-stellar-base — the lowest-level stellar helper library
• microstar-crypto — Cryptography library for Microstar, wrapping TweetNaCl
• libaxolotl-crypto-curve25519 — emscripten compiled version of curve25519 and ed25519
• shick_crypto — multi recipient NaCl-style encryption via libsodium
• SQRL-Protocol — A helper library to handle SQRL requests and responses
• gryphon — HTTP Request Signing with Ed25519
• python-axolotl-curve25519 — curve25519 with ed25519 signatures, used by libaxolotl
• secret-handshake — Javascript-based authentication
• python-sshpubkeys — OpenSSH public key parser for Python

Cryptocurrencies, blockchains, and ledgers

• Monero — a secure, private, untraceable currency
• Nano — digital currency for the real world
• Decred — Hybridized PoW/PoS cryptocurrency
• Chain Core — enterprise-grade blockchain infrastructure that enables organizations to build better financial services from the ground up
• bog — secure blockchain logging (blogging without the 'l')
• Chronicle — a self-hostable microservice and append-only public ledger

Miscellaneous

• Matthew Green: "Any potential 'up my sleeve' number should be looked at with derision and thoroughly examined (Schneier thinks that the suggested NIST ECC curves are probably compromised by NSA using 'up my sleeve' constants). This is why I think we all should embrace DJB's curve25519."
• Ted Unangst: "The one and only supported algorithm is Ed25519. It has a lot of very nice properties, though I really like the deterministic signatures. Anything that makes it harder to screw up is great."
• GnuPG: "For many people the NIST and also the Brainpool curves have an doubtful origin and thus the plan for GnuPG is to use Bernstein's Curve 25519 as default. GnuPG 2.1.0 already comes with support for signing keys using the Ed25519 variant of this curve. This has not yet been standardized by the IETF (i.e. there is no RFC) but we won't wait any longer and go ahead using the proposed format for this signing algorithm."
• Cesar Pereida García and Billy Bob Brumley and Yuval Yarom: Make Sure DSA Signing Exponentiations Really are Constant-Time: "OpenSSH supports building without OpenSSL as a dependency. We recommend that OpenSSH package maintainers switch to this option. For OpenSSH administrators and users, we recommend migrating to ssh-ed25519 key types, the implementation of which has many desirable side-channel properties."
• Ted Unangst: "It takes more code for a TLS client to negotiate Hello and do the key exchange than in all of signify."
• Adam Langley: "Current ECDSA deployments involve an ECDSA key in an X.509 certificate and ephemeral, ECDHE keys being generated by the server as needed. These ephemeral keys are signed by the ECDSA key. A similar design would have an Ed25519 key in the X.509 certificate and curve25519 used for ECDHE. I don't believe there's anything needed to get that working save for switching out the algorithms."

Timeline notes

• 2011-07-04: Ed25519 is formally introduced.
• 2012-11-24: First release of dnscrypt-wrapper, by Yecheng Fu.
• 2013-01-22: libsodium 0.1 includes Ed25519 support.
• 2013-06-05: Edward Snowden / NSA disclosures begin.
• 2013-07-19: First release of TweetNaCl.
• 2013-09-15: Bruce Schneier recommends avoiding NSA/NIST curves. Curve25519 is safe.
• 2014-01-29: OpenSSH adds support for Ed25519 keys in version 6.5.
• 2014-02-16: First (experimental) release of TinySSH.
• 2014-05-01: OpenBSD 5.5 is the first release signed with Ed25519.
• 2014-05-01: signify is introduced in OpenBSD 5.5.
• 2014-06-03: Google announces End-To-End.
• 2014-08-25: DJB recommends referring to Curve25519 Montgomery-X-coordinate Diffie-Hellman as X25519.
• 2014-09-20: I2P gets Ed25519 support in version 0.9.15.
• 2014-10-10: Github begins accepting ed25519 SSH keys (cite: Github employee).
• 2014-11-06: GnuPG 2.1 gets Ed25519 support.
• 2015-02-01: OpenSSH will phase out old keys in favor of Ed25519.
• 2015-02-07: draft-josefsson-eddsa-ed25519 is first published.
• 2015-03-31: wolfSSL 3.4.6 adds Ed25519 support at the crypto level; TLS support to follow.
• 2015-04-07: Nettle 3.1 adds Ed25519 support. Nettle is used by GnuTLS.
• 2015-07-01: OpenSMTPD 5.7.1 and onward signed with signify.
• 2015-09-11: OpenWrt adopts Ed25519 in "Chaos Calmer" 15.05.
• 2015-10-03: CFRG selects EdDSA as the next-generation EC signature scheme.
• 2015-11-17: BoringSSL adds Ed25519 support.
• 2016-04-08: draft-ietf-curdle-pkix-00 is published.
• 2016-04-15: Libgcrypt 1.7.0 supports X25519.
• 2016-10-20: "The XEdDSA and VXEdDSA Signature Schemes" is published.
• 2017-01-24: RFC 8032, Edwards-Curve Digital Signature Algorithm (EdDSA), is published.
• 2017-02-21: PuTTY 0.68 gets Ed25519 support.
• 2017-04-24: Unbound 1.6.2 gets DNSCrypt support.
• 2017-04-26: Tor 0.3.0.6 sees a major explansion of Ed25519 usage.
• 2017-06-30: Collective Edwards-Curve Digital Signature Algorithm first draft is published.
• 2017-08-16: Audit of libsodium finds it "is indeed a secure, high-quality library that meets its stated usability and efficiency goals."
• 2017-09-18: Tor 0.3.2.1-alpha debuts next-generation onion services with SHA3/ed25519/curve25519.
• 2017-11-30: PHP 7.2.0 adds libsodium.
• 2018-01-19: Tor 0.3.2.9 officially upgrades to SHA3/ed25519/curve25519.
• 2018-08-11: RFC 8446, TLS 1.3, is published.
• 2018-09-11: OpenSSL 1.1.1 adds Ed25519 support.
• 2018-09-12: RFC 8463 adds Ed25519-SHA256 to DKIM.
• 2019-02-04: Rspamd merges ed25519 support for DKIM.
• 2020-08-07: Cure53 audit of Monocypher finds no serious issues.
• 2020-09-23: YubiKey 5.2 adds Ed25519 support.
• 2021-03-03: OpenSSH 8.5 changes the first-preference signature algorithm from ECDSA to ED25519.
• 2022-04-26: First apparent release of lib25519.
• 2022-12-12: LibreSSL 3.7.0 adds "Ed25519 support both as a primitive and via OpenSSL's EVP interfaces."
• 2023-02-03: NIST FIPS 186-5 adds Ed25519.
• 2023-10-04: OpenSSH 9.5 generates Ed25519 keys by default in ssh-keygen
• TweetNaCl and libsodium have always supported it.

Ed25519 support coming soon!

• LibreSSL 3.8.2: "Ed25519 certificates are now supported in openssl(1) ca and req. Prepared Ed25519 support in libssl."
• Redox OS is working on pkgar, a secure package management tool using sodalite and Ed25519
• AptSign — Ditching OpenPGP, a new approach to signing APT repositories
• Mastodon — "Add end-to-end encryption API"
• NaCl — Networking and Cryptography Library
• Tor — for Hidden Services; already used elsewhere in Tor
• Gossamer — Public Key Infrastructure without Certificate Authorities, for WordPress
• wolfSSL — Roadmap: "ed25519 integration at the crypto and TLS level" — already supported at the crypto level
• BearSSL — Smaller SSL/TLS
• bog — a distributed social networking application using TweetNaCl.js to publish signed append-only logs
• ed25519-xeno — Common Lisp implementation of Ed25519 signature protocol
• OpenSSL — for use in libcrypto and libssl (TLS)
• tink — a small crypto library that provides a safe, simple, agile and fast way to accomplish some common crypto tasks
• DNSSEC — a horrible protocol that shouldn't be used
  • BIND
• Brave Sync — A client/server for Brave sync
• kovri — The Kovri I2P Router Project
• cothority — Scalable collective authority prototype
• ithos — Modern directory services and credential management
• messagesodium — Patches ActiveSupport's MessageEncryptor to use libsodium
• Upspin — "TODO(ehg) add "25519": x/crypto/curve25519, github.com/agl/ed25519"
• Tendermint — Simple, Secure, Scalable Blockchain Platform
• ed25519 — an implementation of ed25519 in lisp
• prifi — Work-in-progress Dissent port/rewrite for low-latency anonymous communication
• WAMP-cryptosign — The WAMP Protocol team is working on WAMP-cryptosign; see also wamp-proto.org
• petmail — secure messaging, file-transfer, and directory synchronization
• antinet-before-yedino — safe decentralized network for data and contracts
• Crossbar.io - WAMP application router — plans to implement WAMP-cryptosign
• libsodium-laravel — Laravel integration for libsodium
• End-To-End — a Chrome extension that helps you encrypt, decrypt, digital sign, and verify signed messages within the browser using OpenPGP

"Powered by Ed25519"