implementing-digital-signatures-with-ed25519
What this skill does
# Implementing Digital Signatures with Ed25519

## Overview

Ed25519 is a high-performance digital signature algorithm using the Edwards curve Curve25519. It provides 128-bit security with 64-byte signatures and 32-byte keys, offering significant advantages over RSA and ECDSA including deterministic signatures (no random nonce needed), resistance to side-channel attacks, and fast verification. This skill covers implementing Ed25519 for document signing, code signing, and API authentication.

## When to Use

- When deploying or configuring Ed25519 digital signature capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation

## Prerequisites

- Familiarity with cryptography concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities

## Objectives

- Generate Ed25519 key pairs for signing
- Sign messages and files with Ed25519
- Verify signatures against public keys
- Implement multi-signature verification
- Build a simple code signing system
- Compare Ed25519 performance with RSA and ECDSA

## Key Concepts

### Ed25519 vs RSA vs ECDSA

| Property | Ed25519 | RSA-3072 | ECDSA P-256 |
|----------|---------|----------|-------------|
| Security | 128-bit | 128-bit | 128-bit |
| Public key size | 32 bytes | 384 bytes | 64 bytes |
| Signature size | 64 bytes | 384 bytes | 64 bytes |
| Key generation | ~50 us | ~100 ms | ~1 ms |
| Sign | ~70 us | ~5 ms | ~200 us |
| Verify | ~200 us | ~200 us | ~500 us |
| Deterministic | Yes | No (PSS) | No (unless RFC 6979) |

### Key Properties

- **Deterministic**: Same message + key always produces same signature
- **Collision-resistant**: No separate hash function needed
- **Side-channel resistant**: Constant-time implementation
- **Small keys**: 32 bytes each (public and private)

## Security Considerations

- Ed25519 does not support key recovery from signatures
- Verify the full message, not a hash (Ed25519 hashes internally)
- Public keys must be validated before use (check for low-order points)
- Private keys should be stored encrypted at rest
- Ed25519 is not yet approved for all NIST use cases (Ed448 is preferred for federal)

## Validation Criteria

- [ ] Key pair generation produces valid Ed25519 keys
- [ ] Signature verification succeeds for valid message
- [ ] Signature verification fails for tampered message
- [ ] Signature verification fails for wrong public key
- [ ] Deterministic: same input produces same signature
- [ ] File signing and verification works correctly
- [ ] Performance meets or exceeds RSA-3072
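The functional checks in the Validation Criteria list can be exercised as follows. This is an added example, not code from the skill itself; it assumes the `cryptography` package as the dependency, and the helper names, message and file contents are constructed for illustration. The performance comparison is not covered.

```python
import os
import tempfile

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey

def raw_public_bytes(public_key) -> bytes:
    """Export the raw 32-byte public key."""
    return public_key.public_bytes(
        encoding=serialization.Encoding.Raw,
        format=serialization.PublicFormat.Raw,
    )

def verify(public_key, signature: bytes, message: bytes) -> bool:
    """True only if the signature is valid for the full message."""
    try:
        public_key.verify(signature, message)
        return True
    except InvalidSignature:
        return False

def sign_file(private_key, path: str) -> bytes:
    """Sign the file's full contents; Ed25519 does its own hashing."""
    with open(path, "rb") as fh:
        return private_key.sign(fh.read())

def run_validation_checks() -> dict:
    """Run the functional checks with constructed sample data."""
    signer = Ed25519PrivateKey.generate()
    public_key = signer.public_key()
    other_key = Ed25519PrivateKey.generate().public_key()
    message = b"constructed sample message"
    signature = signer.sign(message)
    results = {
        "sizes": len(raw_public_bytes(public_key)) == 32 and len(signature) == 64,
        "valid_accepted": verify(public_key, signature, message),
        "tampered_rejected": not verify(public_key, signature, message + b"!"),
        "wrong_key_rejected": not verify(other_key, signature, message),
        "deterministic": signer.sign(message) == signature,
    }
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "artifact.bin")  # constructed sample file
        with open(path, "wb") as fh:
            fh.write(b"constructed artifact bytes")
        file_signature = sign_file(signer, path)
        with open(path, "rb") as fh:
            results["file_roundtrip"] = verify(public_key, file_signature, fh.read())
    return results
```
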
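The public-key validation called for under Security Considerations (rejecting low-order points) can be done before a key is ever trusted. The following added example is not part of the original skill: it decodes the 32-byte key with the RFC 8032 rules and tests whether multiplying the point by the cofactor 8 gives the identity. Function names are hypothetical, and the arithmetic is not constant-time, which is acceptable because public keys are not secret.

```python
P = 2**255 - 19                                  # field prime
D = (-121665 * pow(121666, -1, P)) % P           # Edwards curve constant d
SQRT_M1 = pow(2, (P - 1) // 4, P)                # a square root of -1 mod P

def decode_point(encoded: bytes):
    """Decode a 32-byte public key per RFC 8032; return None if invalid."""
    if len(encoded) != 32:
        return None
    y = int.from_bytes(encoded, "little")
    sign = y >> 255                              # top bit carries the sign of x
    y &= (1 << 255) - 1
    if y >= P:
        return None                              # non-canonical encoding
    x2 = (y * y - 1) * pow(D * y * y + 1, -1, P) % P
    x = pow(x2, (P + 3) // 8, P)                 # candidate square root
    if (x * x - x2) % P != 0:
        x = x * SQRT_M1 % P
    if (x * x - x2) % P != 0:
        return None                              # y is not on the curve
    if x == 0 and sign:
        return None
    if (x & 1) != sign:
        x = P - x
    return x, y

def add(p1, p2):
    """Affine twisted Edwards addition (a = -1); complete for this curve."""
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + y1 * x2) * pow((1 + t) % P, -1, P) % P
    y3 = (y1 * y2 + x1 * x2) * pow((1 - t) % P, -1, P) % P
    return x3, y3

def is_low_order(encoded: bytes) -> bool:
    """True if the key lies in the order-8 subgroup, i.e. 8*A is the identity."""
    point = decode_point(encoded)
    if point is None:
        raise ValueError("not a valid Ed25519 public key encoding")
    for _ in range(3):                           # three doublings = multiply by 8
        point = add(point, point)
    return point == (0, 1)
```

A verifier would call `decode_point` and `is_low_order` on every incoming public key and refuse keys that fail either check before running signature verification.
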