You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
A Ruby binding to the Ed25519 elliptic curve public-key signature system
described in RFC 8032.
Two implementations are provided: a MRI C extension which uses the "ref10"
implementation from the SUPERCOP benchmark suite, and a pure Java version
based on str4d/ed25519-java.
Ed25519 is one of two notable algorithms implemented atop the Curve25519
elliptic curve. The x25519 gem is a related project of this one,
and implements the X25519 Diffie-Hellman key exchange algorithm on the
Montgomery form of Curve25519.
What is Ed25519?
Ed25519 is a modern implementation of a Schnorr signature system using
elliptic curve groups.
Ed25519 provides a 128-bit security level, that is to say, all known attacks
take at least 2^128 operations, providing the same security level as AES-128,
NIST P-256, and RSA-3072.
Ed25519 has a number of unique properties that make it one of the best-in-class
digital signature algorithms:
Small keys: Ed25519 keys are only 256-bits (32 bytes), making them
small enough to easily copy around. Ed25519 also allows the public key
to be derived from the private key, meaning that it doesn't need to be
included in a serialized private key in cases you want both.
Small signatures: Ed25519 signatures are only 512-bits (64 bytes),
one of the smallest signature sizes available.
Deterministic: Unlike (EC)DSA, Ed25519 does not rely on an entropy
source when signing messages. This can be a potential attack vector if
the entropy source is not generating good random numbers. Ed25519 avoids
this problem entirely and will always generate the same signature for the
same data.
Collision Resistant: Hash-function collisions do not break this
system. This adds a layer of defense against the possibility of weakness
in the selected hash function.
The Ed25519 "ref10" implementation from SUPERCOP was lovingly crafted by expert
security boffins with great care taken to prevent timing attacks. The same
cannot be said for the C code used in the ed25519.rb C extension or in the
entirety of the provided Java implementation.
Care should be taken to avoid leaking to the attacker how long it takes to
generate keys or sign messages (at least until ed25519.rb itself can be audited
by experts who can fix any potential timing vulnerabilities)
ed25519.rb relies on a strong SecureRandom for key generation.
Weaknesses in the random number source can potentially result in insecure keys.
Contributing
Bug reports and pull requests are welcome on GitHub at https://github.com/RubyCrypto/ed25519.
This project is intended to be a safe, welcoming space for collaboration,
and contributors areexpected to adhere to the Contributor Covenant
code of conduct.
License
Copyright (c) 2012-2025 Tony Arcieri. Distributed under the MIT License. See
LICENSE for further details.
Code of Conduct
Everyone interacting in the ed25519.rb project’s codebases, issue trackers, chat
rooms and mailing lists is expected to follow the code of conduct.
About
Ed25519 high-performance public-key signature system as a RubyGem (MRI C extension and JRuby Java extension)
