Updated: July 10, 2018
Here's a list of protocols and software that use or support the superfast, super secure Ed25519 public-key signature system from Daniel J. Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, and Bo-Yin Yang.
You may also be interested in this list of Curve25519 ECDH deployment.
- TLS 1.3 — Transport Layer Security
- SSH — thanks to work done by the OpenSSH team, adopted also by TinySSH and others
- Signal Protocol — encrypted messaging protocol derivative of OTR Messaging
- cryptosphere — Encrypted peer-to-peer web application platform for decentralized, privacy-preserving applications
- saltpack — a modern crypto messaging format
- ORDO — Ordered Representation for Distinguished Objects: A Certificate Format
- RAET — (Reliable Asynchronous Event Transport) Protocol
- Evernym — a high-speed, privacy-enhancing, distributed public ledger engineered for self-sovereign identity
- Chain Key Derivation — a deterministic key derivation scheme
- dfi — a distributed file sharing and indexing network
- BLEMeshChat — 100% sneakernet chat via Bluetooth LE Mesh, for iOS and Android
- (n+1)sec — a free, end-to-end secure, synchronous protocol for group chat
- PASETO — a specification and reference implementation for secure stateless tokens
- Tor — The Onion Router anonymity network
- I2P — an anonymous network
- GNUnet — a framework for secure peer-to-peer networking that does not use any centralized or otherwise trusted services
- Serval — Mesh telecommunications
- Yggdrasil — a fully end-to-end encrypted network
- URC — an IRC style, private, security aware, open source project
- Stellar (Payment Network) — low-cost, real-time transactions on a distributed ledger
- Sia — Blockchain-based marketplace for file storage
- cjdns — encrypted IPv6 mesh networking
Software projects signed with Ed25519
- OpenBSD signs releases, packages, and patches with Ed25519 via signify
- M:Tier signs OpenBSD packages and binary updates with Ed25519 via signify
- minisign signs releases with Ed25519 via minisign
- libsodium signs releases with Ed25519 via minisign
- dnscrypt-proxy signs its resolver list with Ed25519 via minisign
- SimpleDnsCrypt signs packages with Ed25519 via minisign
- dnscrypt-osxclient signs packages with Ed25519 via minisign
- Markdeep signs releases with Ed25519 via minisign
- Airship signs automatic updates with Ed25519
- LibreSSL signs releases with Ed25519 via signify
- radare2 signs releases with Ed25519 via signify
- OpenSMTPD signs releases with Ed25519 via signify
- DNSCurve.io signs downloads with Ed25519 via signify
- SC4 HSM — a fully-open USB2 HSM (hardware-secure module)
- crypto-in-a-box — Turns an Arduino into a cryptography token
- YubiHSM 2 — a cost-effective Hardware Security Module (HSM) for servers and IoT gateways
- Voting machines in Brazil — administered by Justiça Eleitoral brasileira; printable Ed25519-signed QR code paper trails
- SafeNet Luna Network HSMs — High Assurance Hardware Security Modules
- CEC1702 — ARM Cortex M4-based microcontroller with a complete hardware cryptography-enabled solution in a single package
- dnscrypt-proxy — securing communications between a client and a DNS resolver
- GnuPG — GNU Privacy Guard
- reop — reasonable expectation of privacy
- dnsdist — dnsdist supports DNSCrypt
- Unbound — a validating, recursive, and caching DNS resolver
- PowerDNS Recursor — a high-performance DNS recursor with built-in scripting capabilities
- PowerDNS Authoritative Server — the only solution that enables authoritative DNS service from all major databases
- SimpleDnsCrypt — A simple management tool for dnscrypt-proxy
- tweetnacl-tools — Tools for using TweetNaCl
- Wire — fully encrypted calls, video and group chats available on all your devices
- Hyperledger Iroha — blockchain platform designed for simple creation and management of assets
- i2pd — Simplified C++ implementation of I2P client
- Semaphor — zero-knowledge messaging and file transfer
- sigtool — Signify like tool in Golang - only easier and simpler
- Sandstorm — Personal Cloud Sandbox
SSH software with full modern crypto support
(X25519, Ed25519 and ChaCha20-Poly1305)
- OpenSSH — Secure Shell from the OpenBSD project
- TinySSH — a small SSH server with state-of-the-art cryptography
- Win32-OpenSSH — Win32 port of OpenSSH
- PuTTY — a free implementation of SSH and Telnet for Windows and Unix platforms
- WinSCP — a popular SFTP client for Microsoft Windows
- asyncssh — an asynchronous SSH2 client and server atop asyncio
- Termius — iOS SSH client
- rlogin — Japanese rlogin, telnet, and ssh client
- pssht — SSH server written in PHP
- Golang ssh — for both client and server keys
- ConnectBot — SSH client for Android
- passphrase-identity — Regenerable ed25519 keys for OpenSSH and OpenPGP
- teleport — Modern SSH server for teams managing distributed infrastructure
- Prompt — SSH client for iOS
- ssh-key-generator — A utility for deterministically generating ssh keypairs
- determin-ed — Create deterministic ed25519 keys from seedfile and password for openssh-key-v1 format
- net-ssh — Pure Ruby implementation of an SSH (protocol 2) client
- SmartFTP — an FTP, SSH, SFTP client
- Cyberduck — Libre FTP, SFTP, WebDAV, S3, Azure & OpenStack Swift browser for Mac and Windows
- ed25519hetzner — Script to scan OpenSSH host key and known_hosts files for shared keys from server hoster Hetzner
- 2sshfp — Build SSHFP DNS records - ecdsa & ed25519 support (sh)
- edkey — write ED25519 private keys in the OpenSSH private key format
- tinyssh-convert — convert ed25519 hostkeys from openssh format
- MobaXterm — Windows SSH client
- Paramiko — A Python implementation of SSHv2
- Tera Term — SSH client for Windows
- TinyTERM (proprietary; support according to this)
This section is for OpenBSD signify ported to Linux and other operating systems.
- OpenBSD: signify — cryptographically sign and verify files
- Adrian Perez: signify-portable — OpenBSD tool to sign and verify signatures
- mancha: signify-portable — put together by mancha
- Felix von Leitner: signify-fefe — signify that builds on Linux
- Vsevolod Stakhov: asignify — Yet another signify tool
- Jean-Philippe Ouellet: signify-osx — OS X port of OpenBSD's signify(1)
- Michael Gehring: signify-go — Go implementation of OpenBSD's signify(1)
- Yui NARUSE: nurse-signify — portable version of OpenBSD's signify with autoconf
- Christian Neukirchen: chneukirchen-signify
- Blitznote: bliznote-signify — signify that builds on Linux
- Aaron Bieber: signify.el — signify package for emacs
- Tobias Stoeckmann: signify-windows — OpenBSD signify for Windows systems
- Björn Edström: python-signify — OpenBSD Signify for Python
- Robert Escriva: rescrv-signify — signify ported from OpenBSD
- Heinrich Schuchardt: usign — tiny signify replacement
- Frank Braun: gosignify — a Go reimplementation of OpenBSD's signify
- Debian packages: signify-openbsd
- Greg (myfreeweb): freepass — The free password manager for power users + signify support
- Jan-Erik Rediger: signify-rs — Create cryptographic signatures for files and verify them
Minisign software and libraries
Minisign is compatible with signify.
- Frank Denis: minisign — A dead simple tool to sign files and verify signatures. Compatible with OpenBSD signify!
- Package availability: Homebrew for OS X; Scoop and chocolatey in Windows; Void Linux; Alpine Linux; Nix package manager
NaCl Crypto Libraries
For cryptographic libraries in the NaCl family, including TweetNaCl, uNaCl, and libsodium, as well as wrappers, bindings, and ports.
TweetNaCl + wrappers & bindings
- TweetNaCl — a crypto library in 100 tweets (Daniel J. Bernstein, Bernard van Gastel, Wesley Janssen, Tanja Lange, Peter Schwabe, Sjaak Smetsers)
- Erlang: TweetNaCl-Erlang — Erlang bindings for TweetNaCl
- Go: tweetnacl-go — a wrapper around TweetNaCl
- Jim TCL: jim-nacl — NaCl extension for Jim TCL (using TweetNaCl)
- Julia: TweetNaCl-Julia — Julia wrapper for the TweetNaCl library
- Objective-C: tweetnacl-objc — Objective-C bindings to the TweetNaCl crypto library
— Lua wrapper around the Tweet NaCl cryptographic library
- lit-tweetnacl — luatweetnacl repackaged as a lit library
- Android: tweetnacl-android — TweetNaCl port to Android
- C: tweetnacl-usable — TweetNaCl + randombytes()
- C: tweetnacl-rongarret — a fork of TweetNaCl with several modifications
- C#: tweetnacl-cs — A 100% native C# implementation of TweetNaCl for .NET
- Common Lisp: naclcl — A direct translation of TweetNaCl into Common Lisp
- CouchDB: couchnacl — Use TweetNaCl.js from inside CouchDB
- D: tweetnacl.d — D port of tweetnacl
- D: tweednacl — Pronounced as TweedSalt. A crypto library for D based on NaCl
- Go: go-tweetnacl — A Go port of the TweetNacl library
- Java: tweetnacl-java — rewrite tweetnacl.c in pure Java
- Java: tweetnacl-java — A Java port of TweetNaCl from the original C
- Java: salt-aa — A Java API to TweetNaCl implementations
- ubirch-mbed-nacl-cm0 — Port of μNaCl for ARM Cortex M0
- libsodium — a portable, cross-compilable, installable, packageable fork of NaCl (Frank Denis)
- Ada: libsodium-ada
- C#: NitraLibSodium
- C++: sodiumpp
- C++: Tears
- C++: sodium-wrapper
- Chicken: chicken-sodium
- Clojure: caesium
- Clojure: naclj
- Common LISP: cl-sodium
- Common LISP: foreign-sodium
- Crystal: salty
- Cuis: Cuis-Smalltalk-Crypto-NaCl
- D: shaker
- D: sodium
- Delphi/FreePascal: libsodium-delphi
- Dylan: sodium-dylan
- Elixir: Savory
- Elixir: libsalty
- Erlang: Erlang-NaCl
- Erlang: Salt
- Erlang: enacl
- Erlang and Elixir: erlang-libsodium
- Fortran: Fortium
- Go: GoSodium
- Go: libsodium-go
- Go: sodium
- Haskell: Saltine
- Idris: sodium-idris
- Java: kalium
- Java: jsodium
- Java JNI: libsodium-jni
- Java JNI: sodium-jni
- Java JNI: libstodium
- Julia: Sodium.jl
- Lua: luasodium
- Lua: lua-sodium
- Mruby: mruby-libsodium
- Nativescript: nativescript-libsodium
- .NET: libsodium-net
- Nim: Sodium.nim
- Nim: nim-libsodium
- Nim: libsodium.nim
- NodeJS: node-sodium
- NodeJS: Natrium
- NodeJS: node-nacl
- Objective-C: SodiumObjc
- OCaml: ocaml-sodium
- Perl: Crypt-Sodium
- Perl: crypt-nacl-sodium
- Pharo/Squeak: Crypto-Nacl
- PHP: libsodium-php
- PHP: php-sodium
- PHP: php
- PHP: halite
- PHP polyfill: sodium_compat
- Pony: pony-sodium
- Python: libnacl
- Python: PyNaCl
- Python: pysodium
- Python: libnacl
- Python: libsodium-python-examples
- R: sodium
- Racket: part of CRESTaceans
- Realbasic and Xojo: RB-libsodium
- Ruby: ffi-libsodium
- Ruby: sodium
- Ruby: jodid
- Ruby: RbNaCl::Libsodium
- Ruby: RbNaCl
- Rust: Sodium Oxide
- Rust: libsodium-ffi
- libsodium-neon — Node.js bindings to rust_sodium
- Erlang: brine (Kevin Smith)
- Haskell: hs-ed25519 (Austin Seipp)
- Haskell: haskell-ed25519 (Clint Adams)
- Haskell: hs-ed25519-donna (Thomas M. DuBuisson)
- Nim: ed25519.nim (niv)
- Node.js: ed25519 (Dave Akers)
- PHP: php-ed25519-ext (Krzysztof Rutecki)
- PHP: curve25519-php (mgp25)
- Python: python-ed25519 (Brian Warner)
- Python: ed25519ll (Daniel Holth)
- Python: py25519 (sundarnagarajan)
- Ruby: ed25519 (Crypto.rb)
- Rust: elliptic (Jihyeok Seo)
- Swift: ed25519 (Zsolt Váradi)
- PHP 7.2.0+ — a popular general-purpose scripting language that is especially suited to web development
- ring — Crypto library for Rust using BoringSSL's cryptography primitives
- HACL* — a formally verified cryptographic library written in F*
- Chaos.NaCl — a cryptography library written in C#, based on NaCl
— a low-level cryptographic library
- Bindings available in Haskell, Perl, Pike, PostgreSQL, R6RS Scheme, and TCL
- scrypto — Cryptographic primitives for Scala (includes Curve25519-Java wrapper)
- ed25519-streaming — Streaming implementation of c25519
Cryptocurrencies, blockchains, and ledgers
- Monero — a secure, private, untraceable currency
- Decred — Hybridized PoW/PoS cryptocurrency
- Chain Core — enterprise-grade blockchain infrastructure that enables organizations to build better financial services from the ground up
- tezos — A self-amending cryptographic ledger
- Chronicle — a self-hostable microservice and append-only public ledger
- Matthew Green: "Any potential 'up my sleeve' number should be looked at with derision and thoroughly examined (Schneier thinks that the suggested NIST ECC curves are probably compromised by NSA using 'up my sleeve' constants). This is why I think we all should embrace DJB's curve25519."
- Ted Unangst: "The one and only supported algorithm is Ed25519. It has a lot of very nice properties, though I really like the deterministic signatures. Anything that makes it harder to screw up is great."
- GnuPG: "For many people the NIST and also the Brainpool curves have an doubtful origin and thus the plan for GnuPG is to use Bernstein's Curve 25519 as default. GnuPG 2.1.0 already comes with support for signing keys using the Ed25519 variant of this curve. This has not yet been standardized by the IETF (i.e. there is no RFC) but we won't wait any longer and go ahead using the proposed format for this signing algorithm."
- Cesar Pereida García and Billy Bob Brumley and Yuval Yarom: Make Sure DSA Signing Exponentiations Really are Constant-Time: "OpenSSH supports building without OpenSSL as a dependency. We recommend that OpenSSH package maintainers switch to this option. For OpenSSH administrators and users, we recommend migrating to ssh-ed25519 key types, the implementation of which has many desirable side-channel properties."
- Adam Caudill: "FYI - Went through 12.5M executions with afl against the minisign verification function, no hits. Good job!"
- Ted Unangst: "It takes more code for a TLS client to negotiate Hello and do the key exchange than in all of signify."
- Adam Langley: "Current ECDSA deployments involve an ECDSA key in an X.509 certificate and ephemeral, ECDHE keys being generated by the server as needed. These ephemeral keys are signed by the ECDSA key. A similar design would have an Ed25519 key in the X.509 certificate and curve25519 used for ECDHE. I don't believe there's anything needed to get that working save for switching out the algorithms."
- 2011-07-04: Ed25519 is formally introduced.
- 2012-11-24: First release of dnscrypt-wrapper, by Yecheng Fu.
- 2013-01-22: libsodium 0.1 includes Ed25519 support.
- 2013-06-05: Edward Snowden / NSA disclosures begin.
- 2013-07-19: First release of TweetNaCl.
- 2013-09-15: Bruce Schneier recommends avoiding NSA/NIST curves. Curve25519 is safe.
- 2014-01-29: OpenSSH adds support for Ed25519 keys in version 6.5.
- 2014-02-16: First (experimental) release of TinySSH.
- 2014-05-01: OpenBSD 5.5 is the first release signed with Ed25519.
- 2014-05-01: signify is introduced in OpenBSD 5.5.
- 2014-06-03: Google announces End-To-End.
- 2014-08-25: DJB recommends referring to Curve25519 Montgomery-X-coordinate Diffie-Hellman as X25519.
- 2014-09-20: I2P gets Ed25519 support in version 0.9.15.
- 2014-10-10: GitHub begins accepting ed25519 SSH keys (cite: GitHub employee).
- 2014-11-06: GnuPG 2.1 gets Ed25519 support.
- 2015-02-01: OpenSSH will phase out old keys in favor of Ed25519.
- 2015-02-07: draft-josefsson-eddsa-ed25519 is first published.
- 2015-03-31: wolfSSL 3.4.6 adds Ed25519 support at the crypto level; TLS support to follow.
- 2015-04-07: Nettle 3.1 adds Ed25519 support. Nettle is used by GnuTLS.
- 2015-07-01: OpenSMTPD 5.7.1 and onward signed with signify.
- 2015-09-11: OpenWrt adopts Ed25519 in "Chaos Calmer" 15.05.
- 2015-10-03: CFRG selects EdDSA as the next-generation EC signature scheme.
- 2015-11-17: BoringSSL adds Ed25519 support.
- 2016-04-08: draft-ietf-curdle-pkix-00 is published.
- 2016-04-15: Libgcrypt 1.7.0 supports X25519.
- 2016-10-20: "The XEdDSA and VXEdDSA Signature Schemes" is published.
- 2017-01-24: RFC 8032, Edwards-Curve Digital Signature Algorithm (EdDSA), is published.
- 2017-02-21: PuTTY 0.68 gets Ed25519 support.
- 2017-04-24: Unbound 1.6.2 gets DNSCrypt support.
- 2017-04-26: Tor 0.3.0.6 sees a major expansion of Ed25519 usage.
- 2017-06-30: Collective Edwards-Curve Digital Signature Algorithm first draft is published.
- 2017-08-16: Audit of libsodium finds it "is indeed a secure, high-quality library that meets its stated usability and efficiency goals."
- 2017-09-18: Tor 0.3.2.1-alpha debuts next-generation onion services with SHA3/ed25519/curve25519.
- 2017-11-30: PHP 7.2.0 adds libsodium.
- 2018-01-19: Tor 0.3.2.9 officially upgrades to SHA3/ed25519/curve25519.
- TweetNaCl and libsodium have always supported it.
Ed25519 support coming soon!
- TLS 1.3 — Transport Layer Security
- LibreSSL — "Add objects for X25519, X448, Ed25519 and Ed448"
- NaCl — Networking and Cryptography Library
- Tor — for Hidden Services; already used elsewhere in Tor
- wolfSSL — Roadmap: "ed25519 integration at the crypto and TLS level" — already supported at the crypto level
- BearSSL — Smaller SSL/TLS
- OpenSSL — for use in libcrypto and libssl (TLS)
- tink — a small crypto library that provides a safe, simple, agile and fast way to accomplish some common crypto tasks
- pgsodium — Postgres extension wrapper around libsodium
- DNSSEC — a horrible protocol that shouldn't be used
"Powered by Ed25519"