Introducing python-ed25519

Ed25519 is an implementation of Schnorr Signatures in a particular elliptic curve (Curve25519) that enables very high speed operations. It also has a few nice features to make the algorithm safer and easier to use.

I’ve published some MIT-licensed Python bindings to djb++’s portable C implementation of this signature scheme. They’re available here:

Some highlights:

  • signing keys and verifing keys are both just 32 bytes
  • signatures are 64 bytes
  • key generation and signing each take about 2ms on my 2010 MacBookPro
  • signature verification takes about 6ms
  • 128-bit security level, comparable to AES-128, SHA256, and 3072-bit RSA
  • No entropy needed during signing (signatures are deterministic)

There are amd64-specific assembly versions that run even faster, in just a few hundred microseconds, and for bulk operations you can do batch verification faster than one-at-a-time verification. So you can perform thousands of operations per second with this algorithm (and hundreds with this particular implementation).

It’s very exciting to finally have short+fast signatures (and also, through Curve25519, key-agreement and encryption): it opens up a lot of new possibilities. When public-key encryption was first invented, keys took so long to generate that folks assumed that each human would have just one: all sorts of mental baggage was built up around this restriction (ideas like never sharing signing keys, keys representing people, and the need to distribute keys separately from fingerprints). When you can easily generate a new key for each message or object or operation, we can let go of some of those psychological fetters and build something new.

(Note that “Curve25519” uses the same basic curve equation, but only provides Diffie-Hellman key agreement [and, by extension, public-key encryption]. It can’t be used to create signatures that can be verified by third parties: for that you need Ed25519. A portable Curve25519 implementation can be found in curve25519-donna, and includes a Python binding that I wrote too)

Take a look and let me know what you think!

1 comment

  1. The feature I’m missing most is the ability to use a single key-pair for both signing and key-exchange. Having a simple 32 byte public key that can be used for both would be very convenient IMO.

    From my limited understanding of ECC, I see no reason why that shouldn’t be possible. But it’s very well possible that I overlook something.

Leave a Reply

Your email address will not be published. Required fields are marked *