When I looked for existing ed25519 signature scheme implementations, I found out that the donna implementation (found here ) creates signatures that are not verifiable by the supercop implementation (found here ), but the supercop signatures are verifiable with the donna implementation. Can someone explain why two implementations of supposedly the same signature scheme produce only partially compatible signatures? What am I missing? Here is an example demonstrating what I mean:
secret key = 50f26a6d0e454337554274d703033c21a06fecfcb0457b15214e41ea3228ac51e2b9f0ca0f6510cfdd24325ac6676cdd98a9484336ba36c876fd93aa439d8b72
public key = eddaef2fab3d1412ea1f2517b5a50439c28c27d6aefafce38f9290c17e1e7d56
donna signature = f4b79662b1973be8774c5d23044fe4b25858e7c362923e1fc99cc98e89e099c3f574dca3e47d7a131b43860fabc34b6764ccabb4f9f21b6cae54be5fc8193103
//not verifiable by supercop
supercop signature = 2f0ae6396d4d72fb47c12df6560747f20dc675e0b2d7e711caf68a03ced9309b9abd736cb204e789b95c2f08e0be4254ce69974a4064e40ce7094e288b7cbf03
//verifiable by donna
To get the results above, I used ed25519_sign () from ed25119-donna and supercope (they are called the same in both libraries).
For verification of signatures I used ed25519_sign_open () from ed25519-donna and ed25519_verify () from supercope .
source
share