This is an implementation of EdDSA in Java. Structurally, it is based on the ref10 implementation in SUPERCOP (see http://ed25519.cr.yp.to/software.html).

There are two internal implementations:

• A port of the radix-2^51 operations in ref10 - fast and constant-time, but only useful for Ed25519.
• A generic version using BigIntegers for calculation - a bit slower and not constant-time, but compatible with any EdDSA parameter specification.

There are no guarantees that this is secure for use. All unit tests are passing, including tests against the data from the Python implementation, and the code has been reviewed by an independent developer, but it has not yet been audited by a professional cryptographer. In particular, the constant-time properties of ref10 may not have been completely retained (although this is the eventual goal for the Ed25519-specific implementation).

The code requires Java 6 (for e.g. the Arrays.copyOfRange() calls in EdDSAEngine.engineVerify()).

The JUnit4 tests require the Hamcrest library hamcrest-all.jar.

This code is released to the public domain and can be used for any purpose. See LICENSE.txt for details.

For ease of following, here are the main methods in ref10 and their equivalents in this codebase:

• The Ed25519 class was originally ported by k3d3 from the Python Ed25519 reference implementation.
• Useful comments and tweaks were found in the GNUnet implementation of Ed25519 (based on k3d3's class).
• BloodyRookie reviewed the code, adding many useful comments, unit tests and literature.