This is a portable implementation of Ed25519 based on the SUPERCOP "ref10" implementation. All code is licensed under the permissive zlib license.
The code is pure ANSI C without any dependencies. The code has been compiled to WebAssembly with an asm.js fallback and wrapped into a Javascript API.
WebAssembly in browser performance:
Private Key generation: 1.2us (827472 per second)
Public Key derivation: 86.4us (11568 per second)
Public Key derivation (with private key trace removal): 104.6us (9556 per second)
Message signing (short message): 87.7us (11401 per second)
Message signing (short message, with private key trace removal): 105.4us (9481 per second)
Message verifying (short message): 180.0us (5553 per second)
asm.js fallback in browser performance:
Private Key generation: 1.2us (827472 per second)
Public key derivation: 3107.9us (321 per second)
Message signing (short message): 3252.7us (307 per second)
Message verifying (short message): 11778.9us (84 per second)
WebAssembly in node.js performance:
Private Key generation: 4.8us (207429 per second)
Public key derivation: 81.9us (12202 per second)
Message signing (short message): 84.0us (11898 per second)
Message verifying (short message): 171.4us (5831 per second)
Comparison to native binary compiled from C:
Private Key generation: 23.7us (42039 per second)
Public key derivation: 43.0us (23227 per second)
Message signing (short message): 44.0us (22696 per second)
Message verifying (short message): 118.2us (8455 per second)
Comparison to the WebCrypto API (window.crypto.subtle):
Private Key generation: 119.7us (8349 per second)
Message signing (short message): 115.0us (8690 per second)
Message verification (short message): 213.6us (4681 per second)
There are no defined types for private keys, public keys or signatures. Instead simple Uint8Arrays are used with the following sizes:
signature: 64, public key: 32, private key: 32
Private keys are symply cryptographically secure random data, generated for example by window.crypto.getRandomValues() in the browser or require('crypto').randomFillSync in node.
See test.js for usage examples.
You can adapt the default path where the dist files are located by ED25519.setPath.
This module has enabled private key trace removal by default which overwrites the private key data in the asm memory which would otherwise remain in memory and be easily accessible for an attacker that manages an xss attack. This has a small performance impact on public key derivation and signing and can be deactivated by ED25519.disablePrivateKeyTraceRemoval.
All code is released under the zlib license. See license.txt for details.