← Back to release summary

Ed25519 in Web Cryptography

Category

Miscellaneous

Type

New or changed feature

Status

In developer trial (Behind a flag) (Chrome 137)

Intent stage

Start prototyping

Summary

This feature adds support for Curve25519 algorithms in the Web Cryptography API, namely the signature algorithm Ed25519

Motivation

Today web developers are getting around the unavailability of Curve25519 [1] in browser by either including an implementation of its operations in JavaScript or compiling a native one into WebAssembly. Aside from wasting bandwidth shipping algorithms that are already included in browsers that support TLS 1.3, this practice also has security implications, e.g. side-channel attacks as studied by Daniel Genkin et al [2]. [1] RFC 7748, Elliptic Curves for Security [2] Daniel Genkin et al, Drive-By Key-Extraction Cache Attacks from Portable Code.

Standards & signals

• Specification: https://w3c.github.io/webcrypto/#ed25519
• Firefox: Shipped/Shipping — https://www.mozilla.org/en-US/firefox/130.0/releasenotes/
• Safari: Shipped/Shipping — https://developer.apple.com/documentation/safari-technology-preview-release-notes/stp-release-178
• Web developers: No signals
• Tracking bug: https://bugs.chromium.org/p/chromium/issues/detail?id=1370697

Docs: https://github.com/WICG/webcrypto-secure-curves/blob/main/explainer.md https://docs.google.com/document/d/1fDTUY3HVAXehi-eSfbi7nxh8ZPw4MpSKM8U1fMdqJlU/edit?usp=sharing

Explainers: https://github.com/tQsW/webcrypto-curve25519/blob/master/explainer.md

View on chromestatus.com