Ed25519

Ed25519 is the signature scheme used in Cardano and supported in Plutus. It is an instantiation of EdDSA over the Edwards25519 elliptic curve.

Implementation and bindings

We currently rely on the implementation available in version 1.0.18 of libsodium. We have analysed, and recommend, bindings in the following languages:

  • Haskell: Available in cardano-base
  • Rust: Made available by the original author of libsodium
  • Javascript: Made available by the original author of libsodium (among others)

There are also other implementations that offer a compatible signing algorithm without requiring the whole of libsodium. The ones we have analysed and recommend are the following:

  • Rust: ed25519-dalek, using the verify_strict() function.
  • Javascript: tweetnacl-js, though the verification criteria of this library are more permissive, meaning that a valid signature for tweetnacl-js might not be valid for Cardano.

Common mistakes

An ed25519 signature consists of two values , where is an elliptic curve point and is a scalar. A common mistake when deserialising the scalar is to compute it modulo in case that is larger than . This must be avoided, specifically in consensus critical scenarios.
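
The scalar mistake described above, as an added example (not code from Cardano, libsodium or the libraries listed): a reducing decoder beside a strict one that rejects an oversized scalar. The names R, S and L follow RFC 8032 (point, scalar, group order), the helper names are hypothetical, and the byte values are constructed samples.

```javascript
// Added example. R, S, L are RFC 8032 names; all helper names are hypothetical.
const L = 2n ** 252n + 27742317777372353535851937790883648493n; // order of the Ed25519 base point

// Decode little-endian bytes into a BigInt.
function leBytesToBigInt(bytes) {
  let n = 0n;
  for (let i = bytes.length - 1; i >= 0; i--) n = (n << 8n) | BigInt(bytes[i]);
  return n;
}

// Encode a BigInt below 2^256 as 32 little-endian bytes.
function bigIntToLeBytes(n) {
  const out = new Uint8Array(32);
  for (let i = 0; i < 32; i++) { out[i] = Number(n & 0xffn); n >>= 8n; }
  return out;
}

// The mistake: an oversized scalar is silently reduced, so two different
// 32-byte encodings decode to the same value and both would verify.
function decodeScalarReducing(sBytes) {
  return leBytesToBigInt(sBytes) % L;
}

// Strict decoding: an encoding that is not already below L is rejected, never reduced.
function decodeScalarStrict(sBytes) {
  if (sBytes.length !== 32) throw new RangeError("scalar must be 32 bytes");
  const s = leBytesToBigInt(sBytes);
  if (s >= L) throw new RangeError("non-canonical scalar: S >= L");
  return s;
}

// Split a 64-byte signature into R || S and strictly decode S.
// R is returned as raw bytes; point decoding has its own criteria.
function parseSignature(sig) {
  if (!(sig instanceof Uint8Array) || sig.length !== 64) {
    throw new RangeError("signature must be 64 bytes");
  }
  return { R: sig.slice(0, 32), S: decodeScalarStrict(sig.slice(32)) };
}

// Constructed samples: a canonical scalar and a second encoding of the same residue.
const canonical = bigIntToLeBytes(123456789n);
const oversized = bigIntToLeBytes(123456789n + L);

// True when the given decoder accepts the encoding without throwing.
function accepts(decode, bytes) {
  try { decode(bytes); return true; } catch { return false; }
}
```

Two nodes that disagree on which decoder to use will disagree on whether the `oversized` encoding belongs to a valid signature, which is why the check matters in consensus-critical code.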

Another common mistake concerns the criteria used when deserialising an elliptic curve point. If none of the libraries listed above is used, the engineer should carefully read the sections below to understand the details and the verification criteria used in Cardano.