On Wed, Apr 22, 2020 at 11:46:16AM +0800, yang berlin wrote: > Wow, thanks for the detailed reply! > Actually I am a master student and my teacher wants me to figure out the > use of ed25519. So I went to see openssl. > I thought ed25519 can sign messages so I tried the dgst command. Now I know > that I was wrong. Well, actually it *does* sign messages, but not via "openssl dgst", because typically ed25519 is used to sign short messages without first running them through a digest function. This makes it resistant to hash function collion attacks. There is actually more than one flavour of the ed25519 signature algorithm, see RFC8032: https://tools.ietf.org/html/rfc8032#section-4 https://tools.ietf.org/html/rfc8032#section-5 You can use "pkeyutl" to directly sign (short messages) with (pure) ed25519, or, for longer messages, you can use the "prehash" variant which signs a SHA2-512 hash. -- Viktor.