Things that use Ed25519

Updated: April 18, 2024

Here's a list of protocols and software that use or support the superfast, super secure Ed25519 public-key signature system from Daniel J. Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, and Bo-Yin Yang.

This page is organized by Protocols, Networks, Operating Systems, Hardware, Software, SSH Software, TLS Libraries, NaCl Crypto Libraries, lib25519, Libraries, Miscellaneous, Timeline notes, and Support coming soon.

You may also be interested in this list of Curve25519 ECDH deployment.

Protocols

TLS 1.3 — Transport Layer Security
SSH — thanks to work done by the OpenSSH team, adopted also by TinySSH and others
Signal Protocol — encrypted messaging protocol derivative of OTR Messaging
saltpack — a modern crypto messaging format
ORDO — Ordered Representation for Distinguished Objects: A Certificate Format
RAET — (Reliable Asynchronous Event Transport) Protocol
roughtime — secure time synchronisation
Dat — a new p2p hypermedia protocol
TCN — Temporary Contact Numbers, a decentralized, privacy-first contact tracing protocol
Evernym — a high-speed, privacy-enhancing, distributed public ledger engineered for self-sovereign identity
Chain Key Derivation — a deterministic key derivation scheme
S/MIME 4.0 — Secure/Multipurpose Internet Mail Extensions
BLEMeshChat — 100% sneakernet chat via Bluetooth LE Mesh, for iOS and Android
(n+1)sec — a free, end-to-end secure, synchronous protocol for group chat
PASETO — a specification and reference implementation for secure stateless tokens

Networks

Tor — The Onion Router anonymity network
Zcash — a privacy-protecting, digital currency built on strong science (used in JoinSplit signatures)
I2P — an anonymous network
GNUnet — a framework for secure peer-to-peer networking that does not use any centralized or otherwise trusted services
Nebula — open source global overlay network from Slack
Serval — Mesh telecommunications
Peergos — An end-to-end encrypted, peer-to-peer file storage, sharing and communication network
Yggdrasil — a fully end-to-end encrypted network
URC — an IRC style, private, security aware, open source project
Stellar (Payment Network) — low-cost, real-time transactions on a distributed ledger
Sia — Blockchain-based marketplace for file storage
cjdns — encrypted ipv6 mesh networking

Operating systems

OpenBSD — used in OpenSSH, signify, and in CVS over SSH
OpenWrt — used in package signing
NetBSD — ships with OpenSSL 1.1.1+
FreeBSD — ships with OpenSSL 1.1.1+
All operating systems that ship with OpenSSH 6.5+ from the OpenBSD Project

Software projects signed with Ed25519

OpenBSD signs releases, packages, patches, and binary updates with Ed25519 via signify
Void Linux signs installation images with Ed25519 via signify
GrapheneOS signs OS images with Ed25519 via signify
M:Tier signs OpenBSD packages and binary updates with Ed25519 via signify
WireGuard for Windows updates are signed with Ed25519 via signify
WireGuard for Android kernel modules are signed with Ed25519 via signify
dist.schmorp.de signs libev and other packages with Ed25519 via signify
minisign signs releases with Ed25519 via minisign
libsodium signs releases with Ed25519 via minisign
dnscrypt-proxy signs its resolver list with Ed25519 via minisign
SimpleDnsCrypt signs packages with Ed25519 via minisign
dnscrypt-osxclient signs packages with Ed25519 via minisign
Markdeep signs releases with Ed25519 via minisign
Airship signs automatic updates with Ed25519
LibreSSL signs releases with Ed25519 via signify
radare2 signs releases with Ed25519 via signify
OpenSMTPD signs releases with Ed25519 via signify
DNSCurve.io signs downloads with Ed25519 via signify

Hardware

SC4 HSM — a fully-open USB2 HSM (hardware-secure module)
crypto-in-a-box — Turns an Arduino into a cryptography token
YubiHSM 2 — a cost-effective Hardware Security Module (HSM) for servers and IoT gateways
Nitrokey Start — encrypts your emails, files, and server access
Howto: signify(1) signatures with a YubiHSM
Voting machines in Brazil — administered by Justiça Eleitoral brasileira; printable Ed25519-signed QR code paper trails
Luna Network HSMs — High Assurance Hardware Security Modules
CEC1702 — ARM Cortex M4-based microcontroller with a complete hardware cryptography-enabled solution in a single package

Software

VPN and tunneling software
- GoVPN — DPI/censorship-resistant, written on Go
- strongSwan — open source IPsec-based VPN
Riot/Matrix — end-to-end encrypted messaging
Vuvuzela — a private chat application that hides metadata, including who you chat with and when you are chatting
GnuPG — GNU Privacy Guard
arti — an implementation of Tor, in Rust
reop — reasonable expectation of privacy
tweetnacl-tools — Tools for using TweetNaCl
Wire — fully encrypted calls, video and group chats available on all your devices
Hyperledger Iroha — blockchain platform designed for simple creation and management of assets
i2pd — Simplified C++ implementation of I2P client
sear — Signed/Encrypted ARchive: always-encrypted tar-like archive tool with optional signature support
Cabal — experimental p2p community chat platform
Rspamd — Rapid spam filtering system
CrossClave — zero-knowledge messaging and file transfer
sigtool — Signify like tool in Golang - only easier and simpler
Sandstorm — Personal Cloud Sandbox
Airship — Secure Content Management for the Modern Web - "The sky is only the beginning"
cryptpad — an encrypted collaborative editor
trust-dns — A Rust based DNS client and server
Rubinius Language Platform — a modern language platform that supports a number of programming languages
KadNode — P2P name resolution daemon based on a Distributed Hash Table (DHT)
wasmsign — A tool to add and verify digital signatures to/from WASM binaries
pbp — salty privacy (provides basic functionality resembling PGP)
mute — secure messaging
MicroMinion platform — a secure messaging layer with end-to-end connectivity using a variety of underlying transport mechanisms
sodium11 — A command line toolkit for encryption and signing of files based on libsodium
fwup — Configurable embedded Linux firmware update creator and runner
libdime — The DIME resolver library and command line utilities
locker — easy secure locker
auth — sample ed25519 browser extension backend
cosi — CoSi command line interface
pgsodium — Postgres extension wrapper around libsodium
crypt — ed25519 chrome extension
TarsierMessenger — Tarsier Messenger is a messaging application using WiFi direct
zkc — Zero Knowledge Communications
mkp224o — vanity address generator for ed25519 onion services
FalconGate — A smart gateway to stop hackers and Malware attacks (includes DNSCrypt support)
piknik — Copy/paste anything over the network
atumd — Post-quantum trusted time-stamping server (supports XMSS and Ed25519)
go-atum — Go client for the post-quantum Atum time-stamping service (supports XMSS and Ed25519)
detox-crypto — High-level utilities that combine under simple interfaces complexity of the cryptographic layer used in Detox project
RChain Cooperative — a consesus algorithm using a proof-of-stake protocol
ED25519-tools — tool for signing/verifying
RNP — a set of OpenPGP (RFC4880) tools that works on Linux, *BSD and macOS as a replacement for GnuPG
horse25519 — Ed25519 vanity public key generator
clmm — An exercise in cryptographic minimlism
Ed25519Tool — Ed25519 signing and verification online tool
salty — A practical, compact CLI crypto system based on TweetNaCl, featuring public key sharing and zero-password peer stream encryption
go-atum — Go client for the post-quantum Atum time-stamping service
twisted-ego — Vanity Ed25519/Cv25519 GPG Keys
DoorKeeper — An attempt to enable secure communication, authentication & authorization for my ESP8266 project
mysql-sodium — Mysql UDF bindings for LibSodium
stellar-hd-wallet — Key derivation for Stellar (SEP-0005)
WebSign — used by Cyph
usermgr — a tool to turn access to production systems from a pain in the butt into ponies and rainbows
box — Simple file authenticated encryption/decryption
mulsigo — decentralized multi signature scheme pgp compatible
session-keys-js — A cryptographic tool for the deterministic generation of unique user IDs, and NaCl cryptographic keys
dename — NameCoin-style names using consensus instead of proof of work
nacl-signature — Nodejs module to sign/verify data using NaCl
challenge-su — `su` implementation using Ed25519 signatures for challenge/response
SC4 — Strong Crypto for Mere Mortals
HashiCorp Vault — A Tool for Managing Secrets
Scorex — The modular blockchain framework
pcp — Pretty Curved Privacy
mcrypt — Message Crypto - Encrypt and sign individual messages
srndv2 — some random news daemon (version 2)
go-anvil — Forge "no password on the wire" authentication challenges
gen-ed25-keypair — Haskell CLI tool to generate Ed25519 keys and sign/verify msgs
CPGB — Curve Privacy Guard B, a secure replacement for GPG using ECC
Simply Good Privacy — PGP-like system without web of trust
cubed_old — A proper open-source minecraft clone in C++
BigchainDB — A scalable blockchain database
KinomaJS — A JavaScript runtime optimized for the applications that power IoT devices
verifysignature — Sample of standalone portable C to verify Ed25519 public-key signature
tiny-ssh-keygen-ed25519 — tiny ssh-keygen for ed25519 keypairs in standard C
SQRL — Secure Quick Reliable Login
ed25519 — Erlang port program for ed25519 sign and verify from libsodium
py_ssh_keygen_ed25519 — ssh-keygen for ed25519 keypairs in Pure Python
jsign — Tool to sign files and verify signature
Kraken — C ed25519-donna Key Pair generator
falconlab
freepass — The free password manager for power users
cordova-plugin-minisodium — A minimal cordova plugin that provides a binding to libsodium
textsecure-go — TextSecure client package for Go
Dhall — Sign/Verify files
HAP-NodeJS — Node.js implementation of HomeKit Accessory Server
Osteria — secure point-to-point messenger
sick — Sign and check streams cryptographically using the ed25519 algorithm
curvebench — Benchmark comparing secp256k1 to ed25519
cryptutils — Various crypto utilties based on a common NaCl/Ed25519 core
srndv2 — some random news daemon (version 2)
ed2curve-js — Convert Ed25519 signing keys into Curve25519 Diffie-Hellman keys
tuf — a secure updater framework for Python
PoSH-Sodium — Powershell module to wrap libsodium-net methods
crypto-bench — Benchmarks for crypto libraries (in Rust, or with Rust bindings)
SUPERCOP — a cryptographic benchmarking suite

SSH Software

SSH software with full modern crypto support (sntrup761x25519-sha512@openssh.com, X25519, Ed25519 and ChaCha20-Poly1305)
- OpenSSH — Secure Shell from the OpenBSD project
- TinySSH — a small SSH server with state-of-the-art cryptography
SSH software with full classic crypto support, lacking post-quantum security
- Win32-OpenSSH — Win32 port of OpenSSH
- PuTTY — a free implementation of SSH and Telnet for Windows and Unix platforms
- KiTTY — a fork from version 0.70 of PuTTY with extra features
- SecureCRT — SSH client for Windows, Mac, and Linux
- Dropbear — an SSH server and client
- WinSCP — a popular SFTP client for Microsoft Windows
- asyncssh — an asynchronous SSH2 client and server atop asyncio
- Termius — an SSH client that works on Desktop and Mobile
- rlogin — Japanese rlogin, telnet, and ssh client
- pssht — SSH server written in PHP
SSH software with partial modern crypto support (at least Ed25519)
- Golang ssh — for both client and server keys
- redox-ssh — SSH Client and Server written in Rust
- ConnectBot — SSH client for Android
- passphrase-identity — Regenerable ed25519 keys for OpenSSH and OpenPGP
- teleport — Modern SSH server for teams managing distributed infrastructure
- Prompt — SSH client for iOS
- ssh-key-generator — A utility for deterministically generating ssh keypairs
- SwiftNIO SSH — SSH in Swift
- determin-ed — Create deterministic ed25519 keys from seedfile and password for openssh-key-v1 format
- net-ssh — Pure Ruby implementation of an SSH (protocol 2) client
- SmartFTP — an FTP, SSH, SFTP client
- Cyberduck — Libre FTP, SFTP, WebDAV, S3, Azure & OpenStack Swift browser for Mac and Windows
- ed25519hetzner — Script to scan OpenSSH host key and known_hosts files for shared keys from server hoster Hetzner
- 2sshfp — Build SSHFP DNS records - ecdsa & ed25519 support (sh)
- net-ssh — pure-Ruby implementation of the SSH2 client protocol
- edkey — write ED25519 private keys in the OpenSSH private key format
- tinyssh-convert — convert ed25519 hostkeys from openssh format
- MobaXterm — Windows SSH client
- Paramiko — A Python implementation of SSHv2
- Tera Term — SSH client for Windows
- TinyTERM (proprietary; support according to this comparison page)
  - TinyTERM for Android
  - TinyTERM for iOS
- pts-dropbear — Dropbear SSH tools with ed25519 and other improvements by pts

DNS Software

dnscrypt-proxy — securing communications between a client and a DNS resolver
dnsdist — dnsdist supports DNSCrypt
Unbound — a validating, recursive, and caching DNS resolver
PowerDNS Recursor — a high-performance DNS recursor with built-in scripting capabilities
DNSCryptClient — A simple DNSCrypt client
dnscrypt — authenticated and encrypted DNS client for nodejs
dnsmasq — network infrastructure for small networks: DNS, DHCP, router advertisement and network boot
PowerDNS Authoritative Server — the only solution that enables authoritative DNS service from all major databases
SimpleDnsCrypt — A simple management tool for dnscrypt-proxy
Knot DNS — a high-performance authoritative-only DNS server

Signify software

This section is for OpenBSD signify ported to Linux and other operating systems.

OpenBSD: signify — cryptographically sign and verify files
Adrian Perez: signify-portable — OpenBSD tool to sign and verify signatures
mancha: signify-portable — put together by mancha
Felix von Leitner: signify-fefe — signify that builds on Linux
Vsevolod Stakhov: asignify — Yet another signify tool
Jean-Philippe Ouellet: signify-osx — OS X port of OpenBSD's signify(1)
Michael Gehring: signify-go — Go implementation of OpenBSD's signify(1)
Yui NARUSE: nurse-signify — portable version of OpenBSD's signify with autoconf
Christian Neukirchen: leahneukirchen-signify
Mark Kubacki: signify — signify for Linux that uses instructions of modern CPUs
Aaron Bieber: signify.el — signify package for emacs
Tobias Stoeckmann: signify-windows — OpenBSD signify for Windows systems
Björn Edström: python-signify — OpenBSD Signify for Python
Robert Escriva: rescrv-signify — signify ported from OpenBSD
Heinrich Schuchardt: usign — tiny signify replacement
Frank Braun: gosignify — a Go reimplementation of OpenBSD's signify
Debian packages: signify-openbsd
valpackett: freepass — The free password manager for power users + signify support
Jan-Erik Rediger: signify-rs — Create cryptographic signatures for files and verify them

Minisign software and libraries

Minisign is compatable with signify.

minisign — A dead simple tool to sign files and verify signatures. (by Frank Denis)
go-minisign — Minisign library for Golang
rsign2 — A command-line tool to sign files and verify signatures in pure Rust
rust-minisign — A pure Rust implementation of the Minisign signature tool
rust-minisign-verify — A small Rust crate to verify Minisign signatures
minizign — Minisign reimplemented in Zig
py-minisign — Missing python minisign library
minisign-misc — macOS workflows and shell scripts to verify and sign files with minisign
minisign-py — Pure Python port of minisign: a dead simple tool to sign files and verify digital signatures
minisign-php — PHP implementation of Minisign powered by Libsodium
rsign — A simple rust implementation of Minisign tool
minisign-net — .NET library to handle and create minisign signatures

TLS Libraries

LibreSSL 3.7.0 or later
Rustls — a modern TLS library in Rust
BoringSSL
mbedtls-esp8266 — Updated and Upgraded mbedTLS library for the ESP8266 (probably ESP32 too)
OpenSSL 1.1.1+ — "a robust, commercial-grade, and full-featured toolkit for TLS"
Inside Secure TLS Toolkit (formerly known as MatrixSSL) — TLS in C with minimalistic system dependencies
wolfSSL — a lightweight SSL/TLS library in ANSI C for embedded, RTOS, and resource-constrained environments

NaCl Crypto Libraries

For cryptographic libraries in the NaCl family, including TweetNaCl, uNaCl, and libsodium, as well as wrappers, bindings, and ports.

TweetNaCl + wrappers & bindings
- TweetNaCl — a crypto library in 100 tweets (Daniel J. Bernstein, Bernard van Gastel, Wesley Janssen, Tanja Lange, Peter Schwabe, Sjaak Smetsers)
- Erlang: TweetNaCl-Erlang — Erlang bindings for TweetNaCl
- Go: tweetnacl-go — a wrapper around TweetNaCl
- Jim TCL: jim-nacl — NaCl extension for Jim TCL (using TweetNaCl)
- Julia: TweetNaCl-Julia — Julia wrapper for the TweetNaCl library
- Objective-C: tweetnacl-objc — Objective-C bindings to the TweetNaCl crypto library
- Lua: luatweetnacl — Lua wrapper arount the Tweet NaCl cryptographic library
  - lit-tweetnacl — luatweetnacl repackaged as a lit library
- Node.js: naclb — NaCl module binding for Node.js
- OCaml: ocaml-tweetnacl — TweetNaCl for OCaml
- Perl6: perl6-tweetnacl
- Python: Python-TweetNaCl — a wrapper around the C implementation of TweetNaCl
- Python: python-tweetnacl — Python bindings to the "TweetNaCl" cryptography library
- Q/KDB: qsalt — NaCl bindings for Q/KDB
- Racket: racl — Racket bindings for nacl.cr.yp.to
- Ruby: tweetnacl-ruby — TweetNaCl Ruby C-extension
- Rust: rust-tweetnacl — Rust wrapper for TweetNaCl crypto library
- Rust: knuckle — Rust bindings to TweetNaCl
- Rust: libredsalt — Simple Rust bindings to the tweetnacl library
- Swift: tweetnacl-swiftwrap — from Bitmark Inc.
- TCL: nacl-tcl — tcl package for Networking and Cryptography library (pronounced "salt")
TweetNaCl ports etc.
- Ada: SPARKNaCl — SPARK 2014 re-implementation of TweetNaCl
- Android: tweetnacl-android — TweetNaCl port to Android
- C: tweetnacl-usable — TweetNaCl + randombytes()
- C: tweetnacl-rongarret — a fork of TweetNaCl with several modifications
- C#: tweetnacl-cs — A 100% native C# implementation of TweetNaCl for .NET
- Common Lisp: naclcl — A direct translation of TweetNaCl into Common Lisp
- CouchDB: couchnacl — Use TweetNaCl.js from inside CouchDB
- D: tweetnacl.d — D port of tweetnacl
- D: tweednacl — Pronounced as TweedSalt. A crypto library for D based on NaCl
- Dart: tweetnacl-dart — Port of TweetNaCl cryptographic library to Dart
- Dart: PineNaCl — a Dart implementation of TweetNaCl
- Go: go-tweetnacl — A Go port of the TweetNacl library
- Java: tweetnacl-java — rewrite tweetnacl.c in pure Java
- Java: tweetnacl-java — A Java port of TweetNaCl from the original C
- Java: salt-aa — A Java API to TweetNaCl implementations
- JavaScript: TweetNaCl.js — Port of TweetNaCl / NaCl to JavaScript for modern browsers and Node.js
  - Node (wrapper): node-nacl
  - sodium-browserify-tweetnacl — wraps javascript port of tweetnacl with the api of chloride
  - purescript-crypt-nacl — TweetNaCl wrapper for Purescript
  - panda-confidential — Simple, extensible interface for the tweetnacl-js cryptography library
- JavaScript: tweetnacl-nodewrap — Port of TweetNaCl / NaCl to javascript Node.js
- Kotlin: tweetnacl-k — kotlin implementation of tweetnacl
- Python: pure_pynacl — A pure python implementation of TweetNaCl
- Rust: sodalite — tweetnacl in rust
- Rust: microsalt — High Level Pure Rust Crypto library for your trusty rusty programs
- TypeScript: tweetnacl-ts — Port of TweetNaCl cryptographic library to TypeScript (and ES6)
- WebAssembly: TweetNacl-WebAssembly — This is a testbed for some web assembly experiments
μNaCl — The Networking and Cryptography library for microcontrollers (Core team: Michael Hutter and Peter Schwabe)
- ubirch-mbed-nacl-cm0 — Port of μNaCl for ARM Cortex M0
libsodium + wrappers & bindings
- libsodium — a portable, cross-compilable, installable, packageable fork of NaCl (Frank Denis)
- Ada: libsodium-ada
- Ada: sodiumada
- C#: NitraLibSodium
- C#: libsalt
- C++: sodiumpp
- C++: sodium-wrapper
- Chicken: chicken-sodium
- Clojure: caesium
- Clojure: naclj
- Common LISP: cl-sodium
- Common LISP: foreign-sodium
- Crystal: salty
- Crystal: sodium.cr
- Cuis: Cuis-Smalltalk-Crypto-NaCl
- D: shaker
- D: sodium
- Delphi/FreePascal: libsodium-delphi
- Dylan: sodium-dylan
- Elixir: Savory
- Elixir: libsalty
- Erlang: Erlang-NaCl
- Erlang: Salt
- Erlang: enacl
- Erlang and Elixir: erlang-libsodium
- Flutter: flutter_sodium
- Fortran: Fortium
- Go: GoSodium
- Go: libsodium-go
- Go: sodium
- Hack: Nuxed Crypto
- Haskell: Saltine
- Haskell: lithium
- Idris: sodium-idris
- Java: kalium
- Java: jsodium
- Java JNI: libsodium-jni
- Java JNI: sodium-jni
- Java JNI: libstodium
- JavaScript: sodium-plus
- Javascript: js-nacl
- Javascript: sodium-native
- JavaScript: dholecrypto-js
- Julia: Sodium.jl
- Kotlin: kotlin-multiplatform-crypto
- Lua: jprjr-luasodium
- Lua: luasodium
- Lua: lua-sodium
- Mruby: mruby-libsodium
- Nativescript: nativescript-libsodium
- Nim: Sodium.nim
- Nim: nim-libsodium
- Nim: libsodium.nim
- NodeJS: node-sodium
- NodeJS: Natrium
- NodeJS: node-nacl
- Objective-C: SodiumObjc
- OCaml: ocaml-sodium
- Perl: Crypt-Sodium
- Perl: crypt-nacl-sodium
- Pharo/Squeak: Crypto-Nacl
- PHP: libsodium-php
- PHP: php-sodium
- PHP: php
- PHP: halite
- PHP: dhole-cryptography
- PHP polyfill: sodium_compat
- Pony: pony-sodium
- Python: libnacl
- Python: PyNaCl
- Python: pysodium
- Python: libnacl
- Python: libsodium-python-examples
- R: sodium
- Racket: part of CRESTaceans
- Realbasic and Xojo: RB-libsodium
- Ruby: ffi-libsodium
- Ruby: sodium
- Ruby: jodid
- Ruby: RbNaCl::Libsodium
- Ruby: RbNaCl
- Rust: Sodium Oxide
- Rust: libsodium-ffi
- Rust: rust_sodium
  - libsodium-neon — Node.js bindings to rust_sodium
- Swift: swift-sodium
- UWP: libsodium-uwp
- V: libsodium
libsodium.js — The sodium crypto library compiled to pure JavaScript using Emscripten
- natrium-browser — libsodium.js wrapped with natrium api
- sodium-browserify — A polyfil between the apis of node-sodium and libsodium-wrappers

lib25519

lib25519 "is a microlibrary for the X25519 encryption system and the Ed25519 signature system" that can be used directly in C or called by libraries in other languages using FFI. See the website for more information.

C/ASM: lib25519 (many authors; lib25519 maintained by Daniel J. Bernstein)
Python: python-lib25519

PASETO libraries

Be sure to consult the PASETO website for the best information.

PASETO v4 libraries

Go: go-paseto

PASETO v2 libraries

Elixir: Paseto — An Elixir implementation of Paseto (Platform-Agnostic Security Tokens)
Go: paseto — Platform-Agnostic Security Tokens implementation in GO (Golang)
- Go: go-paseto-middleware — Paseto middleware for GoLang
- Go: pasetosession — Web session/authentication using PASETO
Java: paseto4j — Paseto implementation for Java
Java: paseto — Java Implementation of Platform-Agnostic Security Tokens
Javascript: paseto.js — PASETO: Platform-Agnostic Security Tokens
Lua: paseto-lua — PASETO (Platform-Agnostic Security Tokens) for Lua
.NET: Paseto.Net — .NET Implementation of PASETO (v2 local / public encryption)
.NET: paseto-dotnet — Paseto.NET, a Paseto (Platform-Agnostic Security Tokens) implementation for .NET
Python: pypaseto — PASETO for Python
Ruby: paseto.rb — Ruby implementation of Paseto using libsodium
Rust: paseto — A paseto implementation in rust
Swift: swift-paseto — Platform-Agnostic Security Tokens implementation in Swift

PASETO plugins

Phoenix authentication plug: paseto_plu — A Phoenix authentication plug that validates Paseto (Platform Agnostic Security Tokens)
Kong (plugin): kong-plugin-paseto — Kong plugin for PASETO (Platform-Agnostic Security Tokens)

Libraries

Ed25519 standalone (native implementations)
- Android: Android.Ed25519 (Dave Akers)
- ASM/C: iroha-ed25519 (Hyperledger Project)
- C: ed25519-donna (Andrew Moon)
- C: ed25519 (Orson Peters)
  - WebAssembly: supercop.wasm (Nazar Mokrynskyi)
- C: libbrine (Kevin Smith)
- C: Ed25519 (ArduinoLibs)
- C++ curve25519-uwp (Jeff R)
- C#: ed25519 (Hans Wolff)
- C#: curve25519-pcl (Jeff R)
- C#: Ed25519 (CryptoManiac)
- Dart: ed25519 (Tougee)
- Dart: ed25519_dart (Oleksii Semeshchuk)
- Dart: riclava_ed25519 (riclava)
- Clojure: ed25519 (Kevin Downey)
- Elixir: ed25519_ex (Matt Miller)
- Go: edwards25519 (Filippo Valsorda)
- Go: ed25519 (Adam Langley)
- Go: ed25519 (Nebulous)
- Go: blakEd25519 (Inkeliz) — uses Blake2 instead of SHA-2
- Go: ed25519 (Oasis Protocol Foundation)
- Haskell: hs-scraps (Vincent Hanquez)
- Java: ed25519-java (str4d)
- Java: ed25519-java (k3d3)
- Java: ed25519 (Bjorn Arnelid)
- Java: ed25519-java (Keith M)
- Java: Punisher.NaCl (Arpan Jati)
- Java: ED25519 (Mick Michalski)
- Javascript: noble-ed25519 (Paul Miller)
- Node.js: Ed25519 (Boris Povod)
- Perl: Crypt::Ed25519 (Marc Lehmann)
- Python: ed25519.py (Ed25519 authors)
- Python: ed25519 (Python Cryptographic Authority)
- Python: python-pure25519 (Brian Warner)
- Python: ietf-eddsa (Simon Josefsson)
- Python: nmed25519 (naturalmessage)
- Python: ed25519.py (Shiho Midorikawa)
- Rust: ed25519-dalek (Isis Agora Lovecruft)
  - Python bindings for ed25519-dalek: py-ed25519-bindings
- Rust: ed25519-zebra (Zcash)
- Swift: ed25519swift (pebble8888)
- V: ed25519 (blackshirt)
- VHDL: edxcel_old (Software Defined Buildings)
Ed25519 standalone (wrappers and bindings)
- Erlang: brine (Kevin Smith)
- Haskell: hs-ed25519 (Austin Seipp)
- Haskell: haskell-ed25519 (Clint Adams)
- Haskell: hs-ed25519-donna (Thomas M. DuBuisson)
- Nim: ed25519.nim (niv)
- Node.js: ed25519 (Dave Akers)
- PHP: php-ed25519-ext (Krzysztof Rutecki)
- PHP: curve25519-php (mgp25)
- Python: python-ed25519 (Brian Warner)
- Python: ed25519ll (Daniel Holth)
- Python: py25519 (sundarnagarajan)
- Ruby: ed25519 (Crypto.rb)
- Rust: elliptic (Jihyeok Seo)
- Swift: ed25519 (Zsolt Váradi)

Other Libraries

PHP 7.2.0+ — a popular general-purpose scripting language that is especially suited to web development
ring — Crypto library for Rust using BoringSSL's cryptography primitives
HACL* — a formally verified cryptographic library written in F*
Rust-Crypto — A (mostly) pure-Rust implementation of various common cryptographic algorithms
Chaos.NaCl — a cryptography library writen in C#, based on NaCl
Nettle — a low-level cryptographic library
- Bindings available in Haskell, Perl, Pike, PostgreSQL, R6RS Scheme, and TCL
Monocypher — a small, secure, auditable, easy to use crypto library
- LuaNacha — Lua wrapper for Monocypher
- monocypher.cr — Crystal bindings for Monocypher
- monocypher-go — Go language bindings for Monocypher
libsuola — An ENGINE gluing together OpenSSL and NaCl-derived crypto
phpseclib — PHP Secure Communications Library
curve25519-java — Pure Java and JNI backed Curve25519 implementation
- dnscrypt — A very simple DNSCrypt client library written in Go
- scrypto — Cryptographic primitives for Scala (includes Curve25519-Java wrapper)
Noise-C — a plain C implementation of the Noise Protocol
curve25519-dalek — a Rust implementation of field and group operations on an Edwards curve over GF(2²⁵⁵ - 19)
curv — Rust language general purpose elliptic curve cryptography
CIRCL — Cloudflare Interoperable Reusable Cryptographic Library
libgodium — Pure Go implementation of cryptographic APIs found in libsodium
wasm-crypto — WebAssembly implementation of Ed25519-based operations and more
Libgcrypt — a general purpose cryptographic library originally based on code from GnuPG
hs-nacl — Modern Haskell Cryptography
Signatory — a pure Rust multi-provider digital signature library
Elligator-2 — Javascript implementation of the Elligator 2 algorithm for Curve25519
torgo — A Golang library for Tor
rust-ed25519-compact — Small, wasm-friendly, zero-dependencies Ed25519 and X25519 implementation for Rust
threshold-ed25519 — Threshold Signatures using Ed25519
nacl4s — Scala implementation of Networking and Cryptography (NaCl) library
kevinburke-nacl — Pure Go implementation of the NaCl set of APIs
Megolm — An AES-based cryptographic ratchet intended for group communications
Sapient — Secure API toolkit
mipher — Mobile Cipher library written in clean TypeScript
rust-crypto-decoupled — Experiment on dividing rust-crypto into several small crates
OpenPGP.js — an Open Source OpenPGP library in JavaScript
Crypto++ — a free C++ class library of cryptographic schemes
pycryptopp — Python bindings to the Crypto++ library
eddsa — EdDSA python prototype
libelligator — A C++ Elligator2 implementation
elliptic — Fast Elliptic Curve Cryptography in plain javascript
luazen — a small library with various compression, encoding and cryptographic functions for Lua
nsec — A modern and easy-to-use crypto library for .NET Core based on libsodium
amber — Cryptography library. X25519, Ed25519, ChaCha20, Blake2, Poly1305, Scrypt
zig-eddsa-key-blinding — A Zig implementation of EdDSA signatures with blind keys
libssh2 — a client-side C library implementing the SSH2 protocol (requires OpenSSL 1.1.1)
tendermint-validator — A multi-party-computation signing service for Tendermint nodes using threshold Ed25519 signatures
recrypt — for building a multi-hop proxy re-encryption scheme, known as Transform Encryption
go-msgauth — A Go library for DKIM, DMARC and Authentication-Results
nacl-cert — NaCl Certification System
Lazysodium — a complete Android implementation of the Libsodium library
FROST-Ed25519 — FROST threshold signature protocol for the Ed25519 signature scheme
cryptonite — a haskell repository of cryptographic primitives
easy-ecc — A usability wrapper for PHP ECC
edcert — A rust crate for high-performance content-signing and certificate verification
aiootp — Asynchronous pseudo-one-time-pad based crypto and anonymity library
dnscrypt-python — DNSCrypt Python Library
dnscrypt — Very basic DNSCrypt library for Go
dnscrypt-proxy-gui — Qt/KF5 GUI wrapped over dnscrypt-proxy
libsignal-protocol-c — Signal Protocol C Library
sshj — ssh, scp and sftp for java
salt-channel-c — C implementation of Salt Channel
librnp — C library approach to OpenPGP
- ruby-rnp — Bindings for RNP in Ruby
xeddsa — port of libsignal's xeddsa implementation to the pitchfork
TweetPepper — Formats, PKI using TweetNaCl as the Crypto
iroha-ed25519 — RFC8032 compatible Ed25519 implementation with pluggable hash (sha2-512, sha3-512)
hc — HomeControl is an implementation of the HomeKit Accessory Protocol (HAP) in Go
GO-JWT-ed25519 — A very basic GO implementation of JWT using ed25519
jwtk — Rust library for JWT signing (JWS) and verification, with first class JWK and JWK Set (JWKS) support
c25519 — Wei25519, Curve25519 and Ed25519 for low-memory systems
ara-crypto — Cryptographic functions used in various Ara modules
libssh — a library written in C implementing the SSH protocol
Personal-HomeKit-HAP — build HomeKit support accessories
ocaml-bip32-ed25519 — OCaml implementation of BIP32-Ed25519 (Khovratovich/Law flavour)
cryptostack — cryptographic library based on Curve25519, Ed25519, blake2b, Poly1305, XSalsa20 primitives
go-tuf — Go implementation of The Update Framework (TUF)
prototok — RbNaCl + json/msgpack/protobuf key generation/parsing gem
kyber — Advanced crypto library for the Go language
Ed25519_DS — Ed25519 node.js library
go-lib — Useful, Reusable Golang libraries
Neuro:pil — a small messaging library which by default adds two layers of encryption
The Update Framework — helps developers to secure new or existing software update systems
spring-boot-wow — spring boot integrity and multi modules with spring-boot include ed25519
libaxolotl-crypto-web — WebCrypto implementation of cryptography interface for libaxolotl-javascript
libaxolotl-javascript — A JavaScript implementation of axolotl
libaxolotl-crypto-node — Node.js implementation of cryptography interface for libaxolotl-javascript
ed25519-to-x25519.wasm — Library for Ed25519 signing key pair into X25519/Curve25519 key pair suitable for Diffie-Hellman key exchange
crypto — crypto with ed25519 + base58 or other
edssh — ed25519 signature support for golang.org/x/crypto/ssh
salt-channel — A Java implementation of Salt Channel - a simple, light-weight secure channel protocol
SharedEcc25519 — ANSI-C based cross-platform elliptic curve cryptography provider with objc api
Virgil Crypto Library — modern cryptography libraries (ECIES and RSA with Cryptographic Agility) and all the necessary infrastructure
Sequoia-PGP — a modern modular OpenPGP implementation in Rust
arduinolibs-Crypto — Arduino libraries and examples
libuecc — Very small Elliptic Curve Cryptography library
ecc25519 — combine golang ed25519 and curve25519 libray in one
erlang-libdecaf — ed448goldilocks (libdecaf) NIF with timeslice reductions for Erlang and Elixir (+Ed25519)
ruby-jose — JSON Object Signing and Encryption (JOSE) for Ruby
erlang-jose — JSON Object Signing and Encryption (JOSE) for Erlang and Elixir
redux-signatures — Cryptographic signing of your redux (or flux) actions
HeavyThing — x86_64 assembler library
libcryptoconditions — Interledger crypto-conditions implemented in C, including simple JSON api
eddy — a steady little Ed25519 library for Elixir
joken — Elixir JWT library
jwt_nacl — A Ruby JSON Web Token implementation using NaCl Ed25519 digital signatures
go-libp2p-crypto — Various cryptographic utilities used by ipfs
libsqrl — a library implementing the SQRL Specification
nano-signing — A minimalistic public-key signing framework for TS / JS environments based on TweetNaCl and Ed25519
yii2-api — A Yii2 API Skeleton Framework
fld-ecc-vec — an optimized library for computing EdDSA and the Diffie-Hellman functions X25519 and X448
cryptofamily — a heap of primitives, algorithms, etc.
kcl — NaCl substitute of sorts in Elixir
c25519 — Curve25519 and Ed25519 for low-memory systems
- ed25519-streaming — Streaming implementation of c25519
python-signedjson — Sign JSON objects with ED25519 signatures
signedjson — Signs JSON objects with ED25519 signatures
supercop.js — not to be confused with SUPERCOP
hypercore-crypto — The crypto primitives used in hypercore, extracted into a separate module
molch — An implementation of the axolotl ratchet based on libsodium
aws-crypto-lambda — AWS Lambda for Cryptographic functions based on libsodium
sshlib — ConnectBot's SSH library
asymmetric-crypto — Encryption and signing using public-key cryptography (via TweetNaCl)
coniks-go — A CONIKS implementation in Golang
pspka — password seeded public key authentication
curve25519-js — Curve25519 Javascript Implementation
libeddsa — cryptographic library for ed25519 and curve25519
libec — Small PKI library
AFEnacl — An AFNetworking subclass providing payload signing via libsodium
eddsa — Structures for safe handling of Ed25519 keys
ECC-25519 — helps to use ECC with Curve25519
Salt — NaCl cryptography library for PHP (not by the NaCl authors)
libgcrypt — a general purpose cryptographic library based on the code from GnuPG
crypto — Various cryptographic functions for datkt
25519 — Key agreement (X25519) and signing (ed25519)
js-stellar-base — the lowest-level stellar helper library
microstar-crypto — Cryptography library for Microstar, wrapping TweetNaCl
libaxolotl-crypto-curve25519 — emscripten compiled version of curve25519 and ed25519
shick_crypto — multi recipient NaCl-style encryption via libsodium
SQRL-Protocol — A helper library to handle SQRL requests and responses
gryphon — HTTP Request Signing with Ed25519
python-axolotl-curve25519 — curve25519 with ed25519 signatures, used by libaxolotl
secret-handshake — Javascript-based authentication
python-sshpubkeys — OpenSSH public key parser for Python

Cryptocurrencies, blockchains, and ledgers

Monero — a secure, private, untraceable currency
Nano — digital currency for the real world
Decred — Hybridized PoW/PoS cryptocurrency
Chain Core — enterprise-grade blockchain infrastructure that enables organizations to build better financial services from the ground up
bog — secure blockchain logging (blogging without the 'l')
Chronicle — a self-hostable microservice and append-only public ledger

Miscellaneous

Matthew Green: "Any potential 'up my sleeve' number should be looked at with derision and thoroughly examined (Schneier thinks that the suggested NIST ECC curves are probably compromised by NSA using 'up my sleeve' constants). This is why I think we all should embrace DJB's curve25519."
Ted Unangst: "The one and only supported algorithm is Ed25519. It has a lot of very nice properties, though I really like the deterministic signatures. Anything that makes it harder to screw up is great."
GnuPG: "For many people the NIST and also the Brainpool curves have an doubtful origin and thus the plan for GnuPG is to use Bernstein's Curve 25519 as default. GnuPG 2.1.0 already comes with support for signing keys using the Ed25519 variant of this curve. This has not yet been standardized by the IETF (i.e. there is no RFC) but we won't wait any longer and go ahead using the proposed format for this signing algorithm."
Cesar Pereida García and Billy Bob Brumley and Yuval Yarom: Make Sure DSA Signing Exponentiations Really are Constant-Time: "OpenSSH supports building without OpenSSL as a dependency. We recommend that OpenSSH package maintainers switch to this option. For OpenSSH administrators and users, we recommend migrating to ssh-ed25519 key types, the implementation of which has many desirable side-channel properties."
Ted Unangst: "It takes more code for a TLS client to negotiate Hello and do the key exchange than in all of signify."
Adam Langley: "Current ECDSA deployments involve an ECDSA key in an X.509 certificate and ephemeral, ECDHE keys being generated by the server as needed. These ephemeral keys are signed by the ECDSA key. A similar design would have an Ed25519 key in the X.509 certificate and curve25519 used for ECDHE. I don't believe there's anything needed to get that working save for switching out the algorithms."

Timeline notes

2011-07-04: Ed25519 is formally introduced.
2012-11-24: First release of dnscrypt-wrapper, by Yecheng Fu.
2013-01-22: libsodium 0.1 includes Ed25519 support.
2013-06-05: Edward Snowden / NSA disclosures begin.
2013-07-19: First release of TweetNaCl.
2013-09-15: Bruce Schneier recommends avoiding NSA/NIST curves. Curve25519 is safe.
2014-01-29: OpenSSH adds support for Ed25519 keys in version 6.5.
2014-02-16: First (experimental) release of TinySSH.
2014-05-01: OpenBSD 5.5 is the first release signed with Ed25519.
2014-05-01: signify is introduced in OpenBSD 5.5.
2014-06-03: Google announces End-To-End.
2014-08-25: DJB recommends referring to Curve25519 Montgomery-X-coordinate Diffie-Hellman as X25519.
2014-09-20: I2P gets Ed25519 support in version 0.9.15.
2014-10-10: Github begins accepting ed25519 SSH keys (cite: Github employee).
2014-11-06: GnuPG 2.1 gets Ed25519 support.
2015-02-01: OpenSSH will phase out old keys in favor of Ed25519.
2015-02-07: draft-josefsson-eddsa-ed25519 is first published.
2015-03-31: wolfSSL 3.4.6 adds Ed25519 support at the crypto level; TLS support to follow.
2015-04-07: Nettle 3.1 adds Ed25519 support. Nettle is used by GnuTLS.
2015-07-01: OpenSMTPD 5.7.1 and onward signed with signify.
2015-09-11: OpenWrt adopts Ed25519 in "Chaos Calmer" 15.05.
2015-10-03: CFRG selects EdDSA as the next-generation EC signature scheme.
2015-11-17: BoringSSL adds Ed25519 support.
2016-04-08: draft-ietf-curdle-pkix-00 is published.
2016-04-15: Libgcrypt 1.7.0 supports X25519.
2016-10-20: "The XEdDSA and VXEdDSA Signature Schemes" is published.
2017-01-24: RFC 8032, Edwards-Curve Digital Signature Algorithm (EdDSA), is published.
2017-02-21: PuTTY 0.68 gets Ed25519 support.
2017-04-24: Unbound 1.6.2 gets DNSCrypt support.
2017-04-26: Tor 0.3.0.6 sees a major explansion of Ed25519 usage.
2017-06-30: Collective Edwards-Curve Digital Signature Algorithm first draft is published.
2017-08-16: Audit of libsodium finds it "is indeed a secure, high-quality library that meets its stated usability and efficiency goals."
2017-09-18: Tor 0.3.2.1-alpha debuts next-generation onion services with SHA3/ed25519/curve25519.
2017-11-30: PHP 7.2.0 adds libsodium.
2018-01-19: Tor 0.3.2.9 officially upgrades to SHA3/ed25519/curve25519.
2018-08-11: RFC 8446, TLS 1.3, is published.
2018-09-11: OpenSSL 1.1.1 adds Ed25519 support.
2018-09-12: RFC 8463 adds Ed25519-SHA256 to DKIM.
2019-02-04: Rspamd merges ed25519 support for DKIM.
2020-08-07: Cure53 audit of Monocypher finds no serious issues.
2021-03-03: OpenSSH 8.5 changes the first-preference signature algorithm from ECDSA to ED25519.
2022-04-26: First apparent release of lib25519.
2022-12-12: LibreSSL 3.7.0 adds "Ed25519 support both as a primitive and via OpenSSL's EVP interfaces."
2023-02-03: NIST FIPS 186-5 adds Ed25519.
2023-10-04: OpenSSH 9.5 generates Ed25519 keys by default in ssh-keygen
TweetNaCl and libsodium have always supported it.

Ed25519 support coming soon!

LibreSSL 3.8.2: "Ed25519 certificates are now supported in openssl(1) ca and req. Prepared Ed25519 support in libssl."
Redox OS is working on pkgar, a secure package management tool using sodalite and Ed25519
AptSign — Ditching OpenPGP, a new approach to signing APT repositories
Mastodon — "Add end-to-end encryption API"
NaCl — Networking and Cryptography Library
Tor — for Hidden Services; already used elsewhere in Tor
Gossamer — Public Key Infrastructure without Certificate Authorities, for WordPress
wolfSSL — Roadmap: "ed25519 integration at the crypto and TLS level" — already supported at the crypto level
BearSSL — Smaller SSL/TLS
bog — a distributed social networking application using TweetNaCl.js to publish signed append-only logs
ed25519-xeno — Common Lisp implementation of Ed25519 signature protocol
OpenSSL — for use in libcrypto and libssl (TLS)
tink — a small crypto library that provides a safe, simple, agile and fast way to accomplish some common crypto tasks
DNSSEC — a horrible protocol that shouldn't be used
- BIND
Brave Sync — A client/server for Brave sync
kovri — The Kovri I2P Router Project
cothority — Scalable collective authority prototype
ithos — Modern directory services and credential management
messagesodium — Patches ActiveSupport's MessageEncryptor to use libsodium
Upspin — "TODO(ehg) add "25519": x/crypto/curve25519, github.com/agl/ed25519"
Tendermint — Simple, Secure, Scalable Blockchain Platform
ed25519 — an implementation of ed25519 in lisp
prifi — Work-in-progress Dissent port/rewrite for low-latency anonymous communication
WAMP-cryptosign — The WAMP Protocol team is working on WAMP-cryptosign; see also wamp-proto.org
petmail — secure messaging, file-transfer, and directory synchronization
antinet-before-yedino — safe decentralized network for data and contracts
Crossbar.io - WAMP application router — plans to implement WAMP-cryptosign
libsodium-laravel — Laravel integration for libsodium
End-To-End — a Chrome extension that helps you encrypt, decrypt, digital sign, and verify signed messages within the browser using OpenPGP