paulmillr / noble-ed25519

Fastest 5KB JS implementation of ed25519 signatures

495 stars
63 forks
0 issues
TypeScript, JavaScript

Repository Overview (README excerpt)

noble-ed25519

Fastest 5KB JS implementation of ed25519 signatures.

• ✍️ EDDSA signatures compliant with RFC8032, FIPS 186-5
• 🪢 Consensus-friendly, compliant with ZIP215
• 🔖 SUF-CMA (strong unforgeability under chosen message attacks) and SBS (non-repudiation / exclusive ownership)
• 🪶 3.7KB (gzipped)

The module is a sister project of noble-curves. Use noble-ed25519 if you need smaller attack surface & better auditability. Switch to noble-curves (drop-in) if you need features like ristretto255, x25519 / curve25519, ed25519ph, hash-to-curve, oprf.

This library belongs to _noble_ cryptography

> **noble-cryptography** — high-security, easily auditable set of contained cryptographic libraries and tools.

• Zero or minimal dependencies
• Highly readable TypeScript / JS code
• PGP-signed releases and transparent NPM builds
• All libraries: ciphers, curves, hashes, post-quantum, 5kb secp256k1 / ed25519
• Check out the homepage for reading resources, documentation, and apps built with noble

Usage

> We support all major platforms and runtimes. For React Native, additional polyfills are needed: see below.

Enabling synchronous methods

Only async methods are available by default, to keep the library dependency-free. To enable sync methods:

React Native: polyfill getRandomValues and sha512

React Native does not provide secure getRandomValues by default. This can't be securely polyfilled from our end, so one will need a RN-specific compile-time dep.

API

There are 4 main methods, which accept Uint8Array-s:

• and
• and
• and
• and

keygen

getPublicKey

Generates 32-byte public key from 32-byte private key.

• Some libraries have 64-byte private keys - those are just priv+pub concatenated
• Use if you want to convert hex / bytes into Point. It will use decompression algorithm 5.1.3 of RFC 8032.
• Use if you need full SHA512 hash of seed

sign

Generates deterministic EdDSA signature. would be hashed by ed25519 internally. For prehashed ed25519ph, switch to noble-curves.

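
The 32-byte seed versus 64-byte priv+pub layout and the deterministic signing described above, as an added example that is not part of noble-ed25519 or its README. It uses Node's built-in crypto module instead of the library, all helper names are hypothetical, the seed is RFC 8032 test vector 1 and the message is constructed.

```javascript
// Added example: Node's built-in crypto stands in for the library; helper names are hypothetical.
const nodeCrypto = require('node:crypto');

// RFC 8410 DER headers for Ed25519: the raw 32 bytes follow each header directly.
const PKCS8_PREFIX = Buffer.from('302e020100300506032b657004220420', 'hex');
const SPKI_PREFIX = Buffer.from('302a300506032b6570032100', 'hex');

function privateKeyFromSeed(seed) {
  if (seed.length !== 32) throw new Error('seed must be 32 bytes');
  const der = Buffer.concat([PKCS8_PREFIX, seed]);
  return nodeCrypto.createPrivateKey({ key: der, format: 'der', type: 'pkcs8' });
}

// Derive the 32-byte public key: the last 32 bytes of the SPKI encoding.
function publicKeyFromSeed(seed) {
  const pub = nodeCrypto.createPublicKey(privateKeyFromSeed(seed));
  const spki = pub.export({ format: 'der', type: 'spki' });
  return spki.subarray(spki.length - 32);
}

// Accept a 32-byte seed or a 64-byte seed||pub key; reject a 64-byte key
// whose public half was not derived from its seed half.
function normalizeSecretKey(sk) {
  if (sk.length === 32) return sk;
  if (sk.length !== 64) throw new Error('expected 32 or 64 bytes');
  const seed = sk.subarray(0, 32);
  if (!nodeCrypto.timingSafeEqual(publicKeyFromSeed(seed), sk.subarray(32))) {
    throw new Error('public half does not match seed');
  }
  return seed;
}

function signWith(sk, message) {
  return nodeCrypto.sign(null, message, privateKeyFromSeed(normalizeSecretKey(sk)));
}

function verifyWith(pub32, message, sig) {
  const spki = Buffer.concat([SPKI_PREFIX, pub32]);
  const key = nodeCrypto.createPublicKey({ key: spki, format: 'der', type: 'spki' });
  return nodeCrypto.verify(null, message, key, sig);
}

// RFC 8032 test vector 1 seed; the message is constructed for this example.
const SEED = Buffer.from('9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60', 'hex');
const PUB = publicKeyFromSeed(SEED);
const MSG = Buffer.from('constructed sample message');
const SIG = signWith(SEED, MSG);
console.log(PUB.toString('hex'), SIG.length, verifyWith(PUB, MSG, SIG));
```

Signing twice with the same seed and message yields identical bytes, and a 64-byte key signs identically to its 32-byte seed once its public half has been checked.
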
verify

Verifies EdDSA signature. Has SUF-CMA (strong unforgeability under chosen message attacks). By default, follows ZIP215 [^1] and can be used in consensus-critical apps [^2]. option switches verification criteria to strict RFC8032 / FIPS 186-5 and provides non-repudiation with SBS (Strongly Binding Signatures) [^3].

> [!NOTE]
> Most other libraries don't have SUF-CMA & SBS - less optimal choice for their security.

> [!NOTE]
> Any message with pubkey from would be valid in sigs under ZIP215.

utils

A bunch of useful **utilities** are also exposed:

Security

The module is production-ready. We cross-test against sister project noble-curves, which was audited and provides improved security.

• The current version has not been independently audited. It is a rewrite of v1, which has been audited by cure53 in Feb 2022: PDF.
• It's being fuzzed in a separate repository

If you see anything unusual: investigate and report.

Constant-timeness

We're targeting algorithmic constant time. _JIT-compiler_ and _Garbage Collector_ make "constant time" timing attack resistance extremely hard to achieve in a scripting language. Which means _any other JS library can't have constant-timeness_. Even statically typed Rust, a language without GC, makes it harder to achieve constant-time for some cases. If your goal is absolute security, don't use any JS lib — including bindings to native ones. Use low-level libraries & languages.

Supply chain security

• **Commits** are signed with PGP keys to prevent forgery. Be sure to verify the commit signatures
• **Releases** are made transparently through token-less GitHub CI and Trusted Publishing. Be sure to verify the provenance logs for authenticity.
• **Rare releasing** is practiced to minimize the need for re-audits by end-users.
• **Dependencies** are minimized and strictly pinned to reduce supply-chain risk.
  • We use as few dependencies as possible.
  • Version ranges are locked, and changes are checked with npm-diff.
• **Dev dependencies** are excluded from end-user installs; they’re only used for development and build steps.

For this package, there are 0 dependencies; and a few dev dependencies:

• noble-hashes provides cryptographic hashing functionality
• jsbt is used for benchmarking / testing / build tooling and developed by the same author
• prettier, fast-check and typescript are used for code quality / test generation / ts compilation

Randomness

We rely on the built-in , which is considered a cryptographically secure PRNG.

Browsers have had weaknesses in the past - and could again - but implementing a userspace CSPRNG is even worse, as there’s no reliable userspace source of high-quality entropy.

Quantum computers

A cryptographically relevant quantum computer, if built, will allow breaking elliptic curve cryptography (both ECDSA / EdDSA & ECDH) using Shor's algorithm. Consider switching to newer / hybrid algorithms, such as SPHINCS+. They are available in noble-post-quantum.

NIST prohibits classical cryptography (RSA, DSA, ECDSA, ECDH) after 2035. Australian ASD prohibits it after 2030.

Speed

npm run bench

Benchmarks measured with Apple M4.

init 11ms
keygen x 11,253 ops/sec @ 88μs/op
sign x 5,891 ops/sec @ 169μs/op
verify x 1,281 ops/sec @ 780μs/op
keygenAsync x 10,205 ops/sec @ 97μs/op
signAsync x 4,985 ops/sec @ 200μs/op
verifyAsync x 1,286 ops/sec @ 777μs/op
Point.fromBytes x 22,811 ops/sec @ 43μs/op

Compare to alternative implementations:

tweetnacl@1.0.3 getPublicKey x 1,808 ops/sec @ 552μs/op ± 1.64%
tweetnacl@1.0.3 sign x 651 ops/sec @ 1ms/op
ristretto255@0.1.2 getPublicKey x 640 ops/sec @ 1ms/op ± 1.59%
sodium-native#sign x 83,654 ops/sec @ 11μs/op

Upgrading

v2 to v3

v3 brings the package closer to noble-curves v2.

• Most methods now expect Uint8Array, string hex inputs are prohibited
• Add , method
• Node v20.19 is now the minimum required version
• Various small changes for types and Point class
• etc: hashes are now set in obje…