Ed25519
Ed25519 is the signature scheme being used in Cardano, and supported in Plutus. Ed25519 is an instantiation of the EdDSA over the Edwards25519 elliptic curve.
Implementation and bindings
We currently relly in the implementation available in version 1.0.18 of libsodium. We have analysed, and recommend, bindings in the following languages:
- Haskell: Available in cardano-base
- Rust: Made available by the original author of libsodium
- Javascript: Made available by the original author of libsodium (among others)
There also exist other implementations that offer a compatible signing algorithm which do not require the full usage of libsodium. The list we have analaysed and recommend is the following:
- Rust: ed25519-dalek, using the
verify_strict()function. - Javascript: tweetnacl-js, though the verification criteria of this library is more permissive, meaning that a valid signature for tweetnacl-js might not be valid for Cardano.
Common mistakes
An ed25519 signature consists of two values $ (R,s) $, where $ R $ is an elliptic curve point and $ s\in\mathbb{Z}_{\order} $ is a scalar. A common mistake when deserialising the scalar $ s $ is to compute it modulo $ \order $ in case that $ s $ is larger than $ \order $. This must be avoided, specifically in consensus critical scenarios.
Another common mistake is what criteria to use when deserialising an elliptic curve point. If none of the libraries listed above are used, the engineer should carefully read the sections below to understand the details, and the verification criteria used in Cardano.