EdDSA (Ed25519) Encrypt & Decrypt

Free online EdDSA (Ed25519) Encrypt & Decrypt tool. 100% local processing — your data never leaves your device.

National Standards
Other
Output

Result will be displayed here...

Input Encrypt

Usage Guide

About EdDSA (Ed25519)

EdDSA (Edwards-curve Digital Signature Algorithm) using Curve25519 is a modern, high-performance digital signature scheme standardized in RFC 8032. It is now the default signature algorithm for SSH (OpenSSH), widely used in TLS 1.3 client certificates, GPG subkeys, cryptocurrency wallets (Solana, Cardano), and JWT signing. Ed25519 provides 128-bit security with remarkably small keys (32 bytes each) and blazing-fast performance (~100,000 sign/verify operations per second).

Signing Algorithm — Not Encryption: Ed25519 is a digital signature algorithm. It proves that a message was signed by the holder of a specific private key — it does not encrypt data. To keep data confidential, combine Ed25519 signatures with a symmetric cipher like ChaCha20-Poly1305 or AES-256-GCM.

Usage Steps

This tool supports Ed25519 key pair generation, message signing, and signature verification:

1. Generate Key PairClick 'Generate Key Pair' to create a linked private/public key pair. Private key: 64 hex characters (32-byte seed). Public key: 64 hex characters (32-byte compressed curve point).
2. Sign a MessageSelect 'Sign' mode. Enter the message text in the input field and paste the private key (64 hex chars) in the key parameter. Click 'Encrypt' — the output is a Base64-encoded 64-byte signature.
3. Verify a SignatureSelect 'Verify' mode. Enter the input as 'message|signature_base64' (pipe-separated). Paste the public key (64 hex chars) in the key parameter. Click 'Decrypt' — the output will be '✓ Signature verified' or an error.
4. Secure Key StorageSave the private key in a secure location (password manager, encrypted vault). The public key can be freely shared. Losing the private key means losing the ability to sign — there is no recovery.
Browser-Only: All key generation and signing operations run entirely in your browser using the WebCrypto API. No keys or messages are ever transmitted to a server.

Key Format

Ed25519 keys in this tool use a compact hexadecimal format:

Private Key64 hex characters = 32 bytes. This is the seed from which the full signing key is deterministically derived. Keep it secret. Example: a3f1e2d4c5b6...
Public Key64 hex characters = 32 bytes. This is the compressed point on Curve25519 corresponding to the private key. Safe to share publicly. Example: 5b8c9d0e1f2a...
SignatureBase64-encoded 64-byte value (512 bits). Ed25519 signatures are deterministic — signing the same message with the same private key always produces the same signature.
Verify Input FormatWhen verifying, the input field must contain the message and signature joined by a pipe character: message|signature_base64

Ed25519 vs RSA

Ed25519 and RSA are both used for digital signatures, but they have very different characteristics:

Key SizeEd25519: 32 bytes (256 bits). RSA-3072 achieves equivalent security with a 384-byte key — 12× larger. Smaller keys mean faster transmission and lower storage overhead.
PerformanceEd25519 signs and verifies approximately 100× faster than RSA-2048 on the same hardware. This matters for high-throughput systems like authentication servers.
Security ModelEd25519 uses deterministic signing — no random nonce is needed. RSA-PSS requires secure randomness; poor randomness can weaken RSA signatures. Ed25519 eliminates this risk class entirely.
RecommendationPrefer Ed25519 for all new systems. Use RSA only when legacy compatibility is required (e.g., older TLS clients or hardware tokens that do not support ECC).
Quantum Resistance: Like RSA and ECDSA, Ed25519 is vulnerable to a sufficiently powerful quantum computer running Shor's algorithm. For post-quantum security, look into NIST-standardized algorithms like ML-DSA (CRYSTALS-Dilithium). However, Ed25519 remains the best practical choice for classical (non-quantum) threat models today.

FAQ

Q: What is the difference between EdDSA and ECDSA?

A: Both EdDSA and ECDSA are elliptic-curve signature algorithms, but they differ in important ways. ECDSA (used with NIST curves P-256, P-384) requires a random nonce (k) per signature — if the nonce is reused or weak, the private key can be completely recovered. This is exactly how the Sony PlayStation 3 private key was extracted in 2010. EdDSA uses a deterministic nonce derived from the private key and message hash, making nonce reuse mathematically impossible. EdDSA also uses safer Twisted Edwards curves (Curve25519 for Ed25519) designed to resist certain side-channel attacks. For new implementations, EdDSA is strongly preferred over ECDSA.

Q: Why is deterministic signing safer?

A: In ECDSA, the security of each signature depends on a fresh, cryptographically random nonce. If an attacker obtains two signatures that used the same nonce (nonce reuse), or if the nonce has insufficient entropy (weak randomness), the private key can be algebraically recovered using simple equations. This is not theoretical — it has broken real-world systems (PS3, Bitcoin wallets). Ed25519's deterministic signing derives the nonce from a hash of the private key seed and the message, so it is always unique and cannot be influenced by external randomness sources. There is no random number generator in the signing path — eliminating an entire class of vulnerabilities.

Q: Can I use EdDSA to encrypt data?

A: No. EdDSA (Ed25519) is a digital signature algorithm only — it cannot encrypt or decrypt data. Signing proves authenticity (who created the message) but provides no confidentiality (anyone can read the message). To encrypt data, use a symmetric cipher like ChaCha20-Poly1305 or AES-256-GCM. Note: X25519 (a related but distinct algorithm based on Curve25519) can be used for key exchange (Diffie-Hellman), but it is not the same as Ed25519 and the keys are not interchangeable.

Q: How do I generate an Ed25519 SSH key?

A: Use OpenSSH's built-in key generation tool:
ssh-keygen -t ed25519 -C "your_email@example.com"
This generates ~/.ssh/id_ed25519 (private key) and ~/.ssh/id_ed25519.pub (public key). Ed25519 has been the recommended SSH key type since OpenSSH 6.5 (2014) and is now the default in most distributions. The keys generated by OpenSSH use a different encoding (PEM/OpenSSH format) than this tool's hex format, but they are based on the same cryptographic algorithm.

Q: What is inside the 64-byte Ed25519 signature?

A: An Ed25519 signature consists of two 32-byte values: R (a compressed elliptic curve point, derived from the deterministic nonce) and S (a scalar value computed from the nonce, private key, and message hash). Together, R and S form the 64-byte signature. Verification reconstructs R using the public key, message, and S, and checks that it matches the R in the signature. The entire verification involves only fast field arithmetic on Curve25519 — no modular exponentiation like RSA.

Q: Is Ed25519 resistant to quantum computers?

A: No — not against a sufficiently large quantum computer. A quantum computer running Shor's algorithm could break Ed25519 by solving the discrete logarithm problem on elliptic curves. The same threat applies to RSA and ECDSA. However, a quantum computer capable of breaking 128-bit elliptic curve security would need thousands of logical qubits with very low error rates — well beyond current technology. For post-quantum signatures, NIST has standardized ML-DSA (formerly CRYSTALS-Dilithium) and SLH-DSA (SPHINCS+). Ed25519 remains the best practical choice for classical threat models and is widely deployed in production systems today.

Use Cases

Recommended: SSH Authentication Keys

Ed25519 is the recommended SSH key type since OpenSSH 6.5 and is now the default in most Linux distributions and macOS. Compared to RSA-2048, Ed25519 SSH keys are much shorter (68 characters vs 400+), faster to generate, faster to authenticate, and not vulnerable to weak-randomness attacks. Use ssh-keygen -t ed25519 for all new SSH keys. Add the public key to ~/.ssh/authorized_keys on servers.

Recommended Configuration:
  • ✅ Use ssh-keygen -t ed25519 for new SSH keys
  • ✅ Protect the private key with a strong passphrase
  • ✅ Distribute the public key freely to servers
  • ❌ Don't use RSA-1024; prefer Ed25519 over RSA-2048
Recommended: Code Signing and Software Distribution

Ed25519 is ideal for signing software releases, container images, and firmware updates. The deterministic signature property ensures that the same version always produces the same signature — making reproducible build verification reliable. Tools like Sigstore, minisign, and signify use Ed25519. GPG supports Ed25519 signing subkeys. The compact 64-byte signature is easy to embed in metadata or manifest files.

Recommended Configuration:
  • ✅ Sign release artifacts and checksums with Ed25519
  • ✅ Use minisign or signify for simple file signing
  • ✅ Include signature files alongside release artifacts
  • ❌ Don't distribute software without a cryptographic signature
Recommended: JWT Signing (EdDSA algorithm)

JSON Web Tokens (JWT) support Ed25519 via the EdDSA algorithm identifier (RFC 8037). Using EdDSA for JWT is more secure than HMAC-SHA256 (which requires sharing the secret key) and more efficient than RS256 (RSA). The server signs tokens with the Ed25519 private key; clients and resource servers verify with the public key. This enables stateless, scalable authentication — no shared secret needed between the auth server and resource servers.

Recommended Configuration:
  • ✅ Use EdDSA (Ed25519) for JWT in new projects
  • ✅ Publish the public key at a /.well-known/jwks.json endpoint
  • ✅ Rotate signing keys periodically
  • ❌ Don't use HS256 (symmetric) when multiple services need to verify
Recommended: API Request Authentication

Ed25519 can authenticate API requests by signing a request payload (method + path + timestamp + body hash) with a private key. The API server verifies the signature using the client's registered public key. This is more secure than API keys (which are secrets that can leak) because the private key never leaves the client. Compare this with HMAC-SHA256, which requires the server to store the secret — if the server is compromised, all clients are affected.

Recommended Configuration:
  • ✅ Sign request payloads including timestamps to prevent replay attacks
  • ✅ Register client public keys server-side (no secret sharing needed)
  • ✅ Use Ed25519 over HMAC when the server should not know client secrets
  • 💡 Include a nonce or timestamp in the signed payload
Acceptable: Cryptocurrency Wallet Signatures

Ed25519 is the native signature algorithm for several cryptocurrencies including Solana, Cardano, Stellar, and Near Protocol. Wallet addresses are derived from Ed25519 public keys. Transactions are signed with the corresponding private key. This is a legitimate and important use case, but note that cryptocurrency private keys require extra-careful storage (hardware wallets, secure enclaves) — a lost or stolen private key means permanent loss of funds.

Recommended Configuration:
  • ✅ Use hardware wallets (Ledger, Trezor) for high-value keys
  • ✅ Back up seed phrases in secure offline storage
  • ❌ Don't store cryptocurrency private keys in plaintext files
  • ❌ Don't use this browser tool for production wallet keys
Not Recommended: Data Encryption

Ed25519 cannot encrypt data — attempting to use it for encryption is a fundamental misuse of the algorithm. Ed25519 is a signature algorithm: it takes a message and produces a signature that proves authenticity. It does not transform the message into ciphertext. For confidential communication, use ChaCha20-Poly1305 or AES-256-GCM. If you need asymmetric encryption, use RSA.

Recommended Configuration:
  • ❌ Don't use Ed25519 for data encryption
  • ✅ Use AES-256-GCM or ChaCha20-Poly1305 for symmetric encryption
  • ✅ Use RSA-OAEP for asymmetric encryption
  • 💡 Signing ≠ Encrypting — they serve different security goals

Best Practice Summary

  • Ed25519 is a signing algorithm — it proves authenticity but does not encrypt. Use AES-256-GCM or ChaCha20-Poly1305 for confidentiality.
  • Prefer Ed25519 over RSA and ECDSA for all new signature use cases: smaller keys, faster operations, deterministic signing.
  • The private key (64 hex chars) must be kept secret. The public key (64 hex chars) can be freely distributed.
  • Verify signatures using the 'message|signature_base64' input format. The pipe separator is required.
  • For SSH, use ssh-keygen -t ed25519. Ed25519 is the modern standard recommended by OpenSSH, NIST, and major security guidelines.

Discussion & Feedback

0 comments
Me