Ed25519 keys are significantly more efficient than RSA keys for SSH and signing operations, offering better security per bit and faster performance.
Let’s see this in action. Imagine you’re setting up SSH access to a new server. With RSA, you might generate a 4096-bit key:
ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa_4096
This command spins up, and after a bit of CPU churning, you get two files: id_rsa_4096 (your private key) and id_rsa_4096.pub (your public key). The private key file is about 1.6KB.
Now, let’s do the same with Ed25519:
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519
This is almost instantaneous. The resulting id_ed25519 private key file is a mere 32 bytes. That’s a massive difference in size for keys that are, in practice, more secure.
The core problem these algorithms solve is establishing trust and verifying identity in a digital, untrusted network. When you SSH into a server, your client uses your private key to prove it’s you. The server uses your public key (which you’ve authorized) to verify that proof. For signing data, a private key signs, and a public key verifies. The security relies on the mathematical difficulty of deriving the private key from the public key.
RSA (Rivest–Shamir–Adleman) is a venerable public-key cryptosystem. It relies on the difficulty of factoring large integers. To achieve a reasonable level of security against modern computing power, RSA keys need to be quite large (2048 bits is a common minimum, 4096 bits is better). Larger keys mean more computation for key generation, encryption/decryption, signing/verification, and larger storage/transmission.
Ed25519, on the other hand, is a modern elliptic curve digital signature algorithm (ECDSA). It uses a specific, highly optimized elliptic curve, Curve25519. Elliptic curve cryptography (ECC) offers much higher security per bit than RSA. This means you can achieve equivalent or better security with a much smaller key size. For Ed25519, the private key is a 256-bit value, and the public key is derived from it, resulting in those tiny key files. The specific curve and algorithm design for Ed25519 were chosen for speed and resistance to side-channel attacks.
The mental model for how they work is different. RSA is like a very complex lock that’s hard to pick. The complexity comes from the size of the number you’re trying to factor. Ed25519 is like a very intricate mathematical puzzle on a specific curve; solving it without knowing the starting point is incredibly hard, even with powerful computers. The math behind ECC is more abstract but leads to much denser security.
When you connect via SSH, your client presents a signature generated by your private key. The server uses the corresponding public key to check if the signature is valid. With RSA, this involves large number arithmetic. With Ed25519, it involves point additions and scalar multiplications on an elliptic curve. The latter operations are computationally cheaper, making connections faster and less CPU-intensive, especially on resource-constrained devices.
The performance difference isn’t just theoretical. For SSH authentication, Ed25519 handshakes are noticeably quicker. For signing data (e.g., Git commits), Ed25519 is dramatically faster than RSA.
Here’s a practical comparison of signing times for a small piece of data (your private key is implicitly used for signing). The exact times will vary, but the ratio is consistent:
# First, generate a key pair if you don't have one
ssh-keygen -t rsa -b 4096 -f /tmp/rsa_test
ssh-keygen -t ed25519 -f /tmp/ed25519_test
# Sign some data (e.g., a short string)
echo "test data to sign" > data.txt
echo "RSA signing:"
time ssh-keygen -f /tmp/rsa_test -s data.txt -a 100000 -N "" # -s signs, -a is rounds for passphrase derivation
echo "Ed25519 signing:"
time ssh-keygen -f /tmp/ed25519_test -s data.txt -a 100000 -N ""
You’ll observe that the Ed25519 signing operation completes in a fraction of the time of the RSA signing operation. This efficiency translates directly to better user experience and lower server load.
The security level is also a key differentiator. NIST recommends RSA 2048-bit keys as equivalent to 112-bit symmetric security. RSA 3072-bit keys offer 128-bit symmetric security. To reach 256-bit symmetric security (the gold standard for many modern applications), you’d need RSA keys around 15360 bits long. Ed25519, with its 256-bit keys, provides 128-bit symmetric security, and even longer keys (like Curve448) are available for higher security needs. For most common use cases, Ed25519’s 128-bit security is more than sufficient and much more efficient than RSA.
One thing that’s often overlooked is the resistance to specific types of attacks. Ed25519 was designed with modern security concerns in mind, including resistance to advanced side-channel attacks that can potentially leak information about the private key during computation. The mathematical operations on the specific curve are structured to make such leakage much harder compared to some RSA implementations.
For SSH, you’d add your public key to ~/.ssh/authorized_keys on the server. For signing, you’d use the private key with a tool like ssh-keygen itself or dedicated signing libraries. Most modern SSH clients and servers have excellent support for Ed25519.
The next logical step is to explore how these keys are managed in more complex systems, such as distributed environments or certificate authorities.