{"id":1950,"date":"2025-08-25T23:31:38","date_gmt":"2025-08-25T21:31:38","guid":{"rendered":"https:\/\/blogs.igalia.com\/jfernandez\/?p=1950"},"modified":"2025-11-28T13:29:37","modified_gmt":"2025-11-28T12:29:37","slug":"ed25519-support-lands-in-chrome-what-it-means-for-developers-and-the-web","status":"publish","type":"post","link":"https:\/\/blogs.igalia.com\/jfernandez\/2025\/08\/25\/ed25519-support-lands-in-chrome-what-it-means-for-developers-and-the-web\/","title":{"rendered":"Ed25519 Support Lands in Chrome: What It Means for Developers and the Web.\u00a0"},"content":{"rendered":"\n

Introduction<\/h2>\n\n\n\n

Chrome M137 is the first stable version shipping the Ed25519<\/a> feature enabled by default, joining Safari and Firefox in their support. This is the last milestone of a three-year collaboration<\/a> between Protocol Labs (who initiated the project), the IPFS<\/a> Foundation<\/a>, Open Impact Foundation<\/a>, and WebTransitions.org<\/a>.<\/p>\n\n\n\n

In this post I’m going to analyze the impact this feature will have on the IPFS ecosystem and how a specific need in a niche area has become a mechanism to fund the web. Let’s start with a brief introduction of the feature and why it is important for the web platform.<\/p>\n\n\n\n

Ed25519 key pairs have become a standard in many web applications, and the IPFS protocol adopted them as the default some time ago. From the outset, Ed25519 public keys have also served as primary identifiers in systems like dat\/hypercore and SSB. Projects within this technology ecosystem tend to favor Ed25519 keys due to their smaller size and the potential for faster cryptographic operations compared to RSA keys.<\/p>\n\n\n\n

In the context of Web Applications, the browser is responsible for dealing with the establishment of a secure connection to a remote server, which necessarily entails signature verification. There are two possible approaches for application developers:<\/p>\n\n\n\n

    \n
  1. using the browser\u2019s native cryptographic primitives, via the Web Cryptography API<\/li>\n\n\n\n
  2. bundling crypto libraries into the application itself (eg as JS source files or WebAssembly binaries).<\/li>\n<\/ol>\n\n\n\n

    Developers have often faced a difficult choice between using RSA keys, which are natively supported in browsers, and the Ed25519 keys they generally prefer, since using the latter required relying on external libraries until M137. These external software components introduce potential security risks if compromised, for which the developer and the application could be held responsible. In most cases, it’s desirable for private keys to be non-extractable in order to prevent attacks from malicious scripts or browser extensions, something that cannot be guaranteed with JS\/WASM-based implementations that \u201cbundle in\u201d cryptography capabilities. Additionally, \u201cuser-space\u201d implementations like these are necessarily vulnerable to supply chain attacks out of the developer\u2019s control, further increasing the risk and liability surface.<\/p>\n\n\n\n

    The work Igalia<\/a> has been doing in recent years to contribute to the implementation of the Curve25519-based algorithms in the 3 main browsers (Chrome, Firefox and Safari) made it possible to promote Ed25519 and X25519 from the Web Incubation Group to the official W3C Web Cryptography API specification. This is a key milestone for the IPFS development community, since it guarantees a stable API to native cryptography primitives in the browser, allowing simpler, more secure, and more robust applications. Additionally, not having to bundle in cryptography means less code to maintain and fewer surfaces to secure over time.<\/p>\n\n\n\n

    Impact the entire Web Platform – and that\u2019s a huge win<\/h2>\n\n\n\n

    As already mentioned, Secure Curves like Ed25519 and X25519 play an important role in the cryptographic related logic of dApps. However, what makes this project particularly interesting is that it targets the commons \u2013 the Web Platform itself. The effort to fund and implement a key advantage for a niche area has the potential to positively impact  the entire Web Platform \u2013 and that\u2019s a huge win.<\/p>\n\n\n\n

    There are several projects that will benefit from a native implementation of the Curve25519 algorithms in the browser\u2019s Web Cryptography API.<\/p>\n\n\n\n

    Proton services<\/h3>\n\n\n\n

    Proton offers services like Proton Mail, Proton Drive, Proton Calendar and Proton Wallet which use Elliptic Curve Cryptography (ECC)<\/a> based on Curve25519 by default. Their web applications make use of the browser\u2019s Web Cryptography API<\/a> when available. The work we have done to implement and ship the Ed25519 and X25519 algorithms in the 3 main browser engines allows users of these services to rely on the browser\u2019s native implementation of their choice, leading to improved performance and security. It\u2019s worth mentioning that Proton is also contributing to the Web Cryptography API via the work Daniel Huigens is doing as spec editor<\/p>\n\n\n\n

    Matrix\/Riot<\/h3>\n\n\n\n

    The Matrix instant messaging web application uses Ed25519 <\/a>for its device identity and cryptographic signing operations. These are implemented by the matrix-sdk-crypto<\/a> Rust component, which is shared by both the web and native clients. This unified crypto engine is compiled to WebAssembly and integrated into the web client via the JavaScript SDK. Although theoretically, the web client could eventually use the browser\u2019s Web Crypto API to implement the Ed25519-related operations, it might not be the right approach<\/strong> for now. The messaging app also requires other low-level cryptographic primitives that are not yet available in the Web API. Continued evolution of  the Web Crypto API, with more algorithms and low level operations, is a key factor in increasing adoption of the API.<\/p>\n\n\n\n

    Signal<\/h3>\n\n\n\n

    The Signal Protocol is well known for its robust end-to-end encrypted messaging capabilities, and the use of Ed25519 and X25519 is an important piece of its security model. The Signal web client, which is implemented as an Electron application<\/strong>, is based on the Signal Protocol, which relies on these algorithms. The cryptographic layer is implemented in the libsignal<\/strong> internal component, and it is used by all Signal clients. The point is that, as an Electron app, the web client may be able to take advantage of Chrome\u2019s Web Crypto API; however, as with the Matrix web client, the specific requirement of these messaging applications, along with some limitations of the Web API, might be reasons to rule out this approach<\/strong> for the time being.<\/p>\n\n\n\n

    Use of Ed25519 and X25519 in the IPFS ecosystem<\/h2>\n\n\n\n

    Developing web features implies a considerable effort in terms of time and money. Contributing to a better and more complete Web Platform is an admirable goal, but it does not justify the investment if it does not address a specific need. In this section I\u2019m going to analyze the impact of this feature in some projects in the IPFS ecosystem.<\/p>\n\n\n\n

    Libp2p<\/h3>\n\n\n\n

    According to the spec<\/a>, implementations MUST support Ed25519. The js-libp2p implementation for the JS APIs exposed by the browser provides a libp2p-crypto library that depends on the WebCrypto API<\/a>, so it doesn\u2019t require building third-party crypto components. The upstream work to replace the Ed25519 operations with Web Crypto alternatives has also shown benefits in terms of performance; see the PR 3100<\/a> for details. Backward compatibility<\/a> with the JavaScript based implementation, provided via @noble\/curves<\/a>, is guaranteed though. <\/p>\n\n\n\n

    There are several projects that depend on libp2p<\/strong> that would benefit from the use of the Web Cryptography API to implement their Ed25519 operations: <\/p>\n\n\n\n