While looking up the existing implementations of the ed25519 signature scheme I found out that the donna implementation (found here) produces signatures that are not verifiable by supercop implementation (found here), but supercop signatures are verifiable by donna implementation. Can somebody explain why two implementations of supposedly the same signature scheme produce only partially compatible signatures? What am I missing? Here is an example to demonstrate what I mean:
secret key = 50f26a6d0e454337554274d703033c21a06fecfcb0457b15214e41ea3228ac51e2b9f0ca0f6510cfdd24325ac6676cdd98a9484336ba36c876fd93aa439d8b72
public key = eddaef2fab3d1412ea1f2517b5a50439c28c27d6aefafce38f9290c17e1e7d56
donna signature = f4b79662b1973be8774c5d23044fe4b25858e7c362923e1fc99cc98e89e099c3f574dca3e47d7a131b43860fabc34b6764ccabb4f9f21b6cae54be5fc8193103
//not verifiable by supercop
supercop signature = 2f0ae6396d4d72fb47c12df6560747f20dc675e0b2d7e711caf68a03ced9309b9abd736cb204e789b95c2f08e0be4254ce69974a4064e40ce7094e288b7cbf03
//verifiable by donna
To obtain the results above, I used ed25519_sign() from ed25119-donna and supercop library (they are called the same in both libraries).
To verify the signatures i used ed25519_sign_open() from ed25519-donna and ed25519_verify() from supercop.
