---
eip: 7980
title: Ed25519 transaction support
description: Adds an EIP-7932 algorithm type for Ed25519 support of type `0x0`
author: James Kempton (@SirSpudlington)
discussions-to: https://ethereum-magicians.org/t/eip-7980-adding-ed25519-as-a-signature-scheme-to-test-eip-7932/24663
status: Withdrawn
withdrawal-reason: Decision to use P256 as the test algorithm to reduce implementation burden
type: Standards Track
category: Core
created: 2025-06-25
requires: 7932
---

## Abstract

This EIP adds a new [EIP-7932](./eip-7932.md) algorithm of type `0x0` for supporting Ed25519 signatures.

## Motivation

Ed25519 is one of the most widely used forms of Elliptic Curve Cryptography and is one of the defaults for SSH keys,
this makes it a good contender to be able to sign transactions with. It also provides an algorithm to write test
cases against during the implementation phase of [EIP-7932](./eip-7932.md).

## Specification

This EIP defines a new [EIP-7932](./eip-7932.md) algorithmic type with the following parameters:
| Constant | Value |
| - | - |
| `ALG_TYPE` | `Bytes1(0x0)` |
| `GAS_PENALTY`| `1000` |
| `MAX_SIZE` | `96` |

```python
def verify(signature_info: bytes, payload_hash: Hash32) -> ExecutionAddress:
  assert(len(signature_info) == 96)

  signature = signature_info[:64]
  public_key = signature_info[64:]
  
  # This is the `Verify` function described in [RFC 8032 Section 5.1.7](https://datatracker.ietf.org/doc/html/rfc8032#section-5.1.7),
  # This MUST be processed as raw `Ed25519` and not `Ed25519ctx` or `Ed25519ph`
  assert(ed25519_verify(signature, public_key, payload_hash))

  return keccak256(public_key)[-20:]
```

## Rationale

### Additional 1000 gas penalty

The gas penalty discourages people from attempting to migrate off current secp256k1 accounts, and also covers the additional overhead (in regards to hashing) that the ed25519 curve applies.

### Why Ed25519?

Ed25519 has significant tooling backing it, this makes it a good candidate for using as a "dummy" algorithm.
This allows it to be an algorithm for client teams to easily test [EIP-7932](./eip-7932.md).

It may also be useful for signing in Hardware security modules in server environments designed for serving
as [ERC-4337](./eip-4337.md) bundlers. It may also improve interoperability with other components such as TPM chips.

### Appending the public key to the signature

Currently, without changing the algorithm itself, it is impossible to efficiently recover the public key
from a signature and message.

## Backwards Compatibility

No backward compatibility issues found.

## Security Considerations

Needs discussion.
<!-- TODO -->

## Copyright

Copyright and related rights waived via [CC0](../LICENSE.md).