Paper 2021/471

Size, Speed, and Security: An Ed25519 Case Study

Cesar Pereida García and Sampo Sovio


Ed25519 has significant performance benefits compared to ECDSA using Weierstrass curves such as NIST P-256, therefore it is considered a good digital signature algorithm, specially for low performance IoT devices. However, such devices often have very limited resources and thus, implementations for these devices need to be as small and as performant as possible while being secure. In this paper we describe a scenario in which an obvious strategy to aggressively optimize an Ed25519 implementation for code size leads to a small memory footprint that is functionally correct but vulnerable to side-channel attacks. This strategy serves as an example of aggressive optimizations that might be considered by cryptography engineers, developers, and practitioners unfamiliar with the power of Side-Channel Analysis (SCA). As a solution to the flawed implementation example, we use a computer-aided cryptography tool generating formally verified finite field arithmetic to generate two secure Ed25519 implementations fulfilling different size requirements. After benchmarking and comparing these implementations to other widely used implementations our results show that computer-aided cryptography is capable of generating competitive code in terms of security, speed, and size.

Available format(s)
Public-key cryptography
Publication info
Preprint. MINOR revision.
applied cryptographyEdDSAEd25519side-channel analysiscomputer-aided cryptography
Contact author(s)
cesar pereidagarcia @ tuni fi
sampo sovio @ huawei com
2021-04-12: received
Short URL
Creative Commons Attribution


      author = {Cesar Pereida García and Sampo Sovio},
      title = {Size, Speed, and Security: An Ed25519 Case Study},
      howpublished = {Cryptology ePrint Archive, Paper 2021/471},
      year = {2021},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.