diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h
index df159c44b..3c0ee777c 100644
--- a/include/psa/crypto_values.h
+++ b/include/psa/crypto_values.h
@@ -571,7 +571,9 @@
 
 /** The twisted Edwards curves Ed25519 and Ed448.
  *
- * These curves are suitable for EdDSA.
+ * These curves are suitable for EdDSA (#PSA_ALG_PURE_EDDSA for both curves,
+ * #PSA_ALG_ED25519PH for the 256-bit curve,
+ * #PSA_ALG_ED448PH for the 448-bit curve).
  *
  * This family comprises the following twisted Edwards curves:
  * - 256-bit: Edwards25519, the twisted Edwards curve birationally equivalent
@@ -801,6 +803,13 @@
 #define PSA_ALG_SHA3_384                        ((psa_algorithm_t)0x02000012)
 /** SHA3-512 */
 #define PSA_ALG_SHA3_512                        ((psa_algorithm_t)0x02000013)
+/** The first 64 bytes of the SHAKE256 output.
+ *
+ * This is the prehashing for Ed448ph (see #PSA_ALG_ED448PH). For other
+ * scenarios where a hash function based on SHA3/SHAKE is desired, SHA3-512
+ * has the same output size and a (theoretically) higher security strength.
+ */
+#define PSA_ALG_SHAKE256_64                     ((psa_algorithm_t)0x02000014)
 
 /** In a hash-and-sign algorithm policy, allow any hash algorithm.
  *
@@ -1358,6 +1367,74 @@
 #define PSA_ALG_IS_RANDOMIZED_ECDSA(alg)                                \
     (PSA_ALG_IS_ECDSA(alg) && !PSA_ALG_ECDSA_IS_DETERMINISTIC(alg))
 
+/** Edwards-curve digital signature algorithm without prehashing (PureEdDSA),
+ * using standard parameters.
+ *
+ * Contexts are not supported in the current version of this specification
+ * because there is no suitable signature interface that can take the
+ * context as a parameter. A future version of this specification may add
+ * suitable functions and extend this algorithm to support contexts.
+ *
+ * PureEdDSA requires an elliptic curve key on a twisted Edwards curve.
+ * In this specification, the following curves are supported:
+ * - #PSA_ECC_FAMILY_TWISTED_EDWARDS, 255-bit: Ed25519 as specified
+ *   in RFC 8032.
+ *   The curve is Edwards25519.
+ *   The hash function used internally is SHA-512.
+ * - #PSA_ECC_FAMILY_TWISTED_EDWARDS, 448-bit: Ed448 as specified
+ *   in RFC 8032.
+ *   The curve is Edwards448.
+ *   The hash function used internally is the first 114 bytes of the
+ *   SHAKE256 output, with
+ *   `dom4(1, "") = ASCII("SigEd448") || 0x01 0x00`
+ *   prepended to the input.
+ *
+ * This algorithm can be used with psa_sign_message() and
+ * psa_verify_message(). Since there is no prehashing, it cannot be used
+ * with psa_sign_hash() or psa_verify_hash().
+ *
+ * The signature format is the concatenation of R and S as defined by
+ * RFC 8032 §5.1.6 and §5.2.6 (a 64-byte string for Ed25519, a 114-byte
+ * string for Ed448).
+ */
+#define PSA_ALG_PURE_EDDSA                      ((psa_algorithm_t)0x06000800)
+
+#define PSA_ALG_HASH_EDDSA_BASE                 ((psa_algorithm_t)0x06000900)
+#define PSA_ALG_IS_HASH_EDDSA(alg)              \
+    (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_HASH_EDDSA_BASE)
+
+/** Edwards-curve digital signature algorithm with prehashing (HashEdDSA),
+ * using SHAKE256 and the Edwards448 curve.
+ *
+ * See #PSA_ALG_PURE_EDDSA regarding context support and the signature format.
+ *
+ * This algorithm is Ed25519 as specified in RFC 8032.
+ * The curve is Edwards25519.
+ * The input is first hashed with SHA-512.
+ * The hash function used internally is SHA-512, with
+ * `dom2(0, "") = ASCII("SigEd25519 no Ed25519 collisions") || 0x00 0x00`
+ * prepended to the input.
+ */
+#define PSA_ALG_ED25519PH                               \
+    (PSA_ALG_HASH_EDDSA_BASE | (PSA_ALG_SHA_512 & PSA_ALG_HASH_MASK))
+
+/** Edwards-curve digital signature algorithm with prehashing (HashEdDSA),
+ * using SHAKE256 and the Edwards448 curve.
+ *
+ * See #PSA_ALG_PURE_EDDSA regarding context support and the signature format.
+ *
+ * This algorithm is Ed448 as specified in RFC 8032.
+ * The curve is Edwards448.
+ * The input is first hashed by taking the first 64 bytes of the SHAKE256
+ * output.
+ * The hash function used internally is the first 114 bytes of the
+ * SHAKE256 output, with
+ * `dom4(0, "") = ASCII("SigEd448") || 0x00 0x00`
+ * prepended to the input.
+ */
+#define PSA_ALG_ED448PH                                 \
+    (PSA_ALG_HASH_EDDSA_BASE | (PSA_ALG_SHAKE256_64 & PSA_ALG_HASH_MASK))
+
 /* Default definition, to be overridden if the library is extended with
  * more hash-and-sign algorithms that we want to keep out of this header
  * file. */
@@ -1378,7 +1455,7 @@
  */
 #define PSA_ALG_IS_HASH_AND_SIGN(alg)                                   \
     (PSA_ALG_IS_RSA_PSS(alg) || PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) ||    \
-     PSA_ALG_IS_ECDSA(alg) ||                                           \
+     PSA_ALG_IS_ECDSA(alg) || PSA_ALG_IS_HASH_EDDSA(alg) ||             \
      PSA_ALG_IS_VENDOR_HASH_AND_SIGN(alg))
 
 /** Get the hash used by a hash-and-sign signature algorithm.
diff --git a/programs/psa/psa_constant_names_generated.c b/programs/psa/psa_constant_names_generated.c
index 4410432c9..5906b6d5f 100644
--- a/programs/psa/psa_constant_names_generated.c
+++ b/programs/psa/psa_constant_names_generated.c
@@ -67,6 +67,7 @@ static const char *psa_hash_algorithm_name(psa_algorithm_t hash_alg)
     case PSA_ALG_SHA3_256: return "PSA_ALG_SHA3_256";
     case PSA_ALG_SHA3_384: return "PSA_ALG_SHA3_384";
     case PSA_ALG_SHA3_512: return "PSA_ALG_SHA3_512";
+    case PSA_ALG_SHAKE256_64: return "PSA_ALG_SHAKE256_64";
     case PSA_ALG_SHA_1: return "PSA_ALG_SHA_1";
     case PSA_ALG_SHA_224: return "PSA_ALG_SHA_224";
     case PSA_ALG_SHA_256: return "PSA_ALG_SHA_256";
@@ -209,14 +210,18 @@ static int psa_snprint_algorithm(char *buffer, size_t buffer_size,
     case PSA_ALG_ECB_NO_PADDING: append(&buffer, buffer_size, &required_size, "PSA_ALG_ECB_NO_PADDING", 22); break;
     case PSA_ALG_ECDH: append(&buffer, buffer_size, &required_size, "PSA_ALG_ECDH", 12); break;
     case PSA_ALG_ECDSA_ANY: append(&buffer, buffer_size, &required_size, "PSA_ALG_ECDSA_ANY", 17); break;
+    case PSA_ALG_ED25519PH: append(&buffer, buffer_size, &required_size, "PSA_ALG_ED25519PH", 17); break;
+    case PSA_ALG_ED448PH: append(&buffer, buffer_size, &required_size, "PSA_ALG_ED448PH", 15); break;
     case PSA_ALG_FFDH: append(&buffer, buffer_size, &required_size, "PSA_ALG_FFDH", 12); break;
     case PSA_ALG_GCM: append(&buffer, buffer_size, &required_size, "PSA_ALG_GCM", 11); break;
+    case PSA_ALG_HASH_EDDSA_BASE: append(&buffer, buffer_size, &required_size, "PSA_ALG_HASH_EDDSA_BASE", 23); break;
     case PSA_ALG_HKDF_BASE: append(&buffer, buffer_size, &required_size, "PSA_ALG_HKDF_BASE", 17); break;
     case PSA_ALG_HMAC_BASE: append(&buffer, buffer_size, &required_size, "PSA_ALG_HMAC_BASE", 17); break;
     case PSA_ALG_MD2: append(&buffer, buffer_size, &required_size, "PSA_ALG_MD2", 11); break;
     case PSA_ALG_MD4: append(&buffer, buffer_size, &required_size, "PSA_ALG_MD4", 11); break;
     case PSA_ALG_MD5: append(&buffer, buffer_size, &required_size, "PSA_ALG_MD5", 11); break;
     case PSA_ALG_OFB: append(&buffer, buffer_size, &required_size, "PSA_ALG_OFB", 11); break;
+    case PSA_ALG_PURE_EDDSA: append(&buffer, buffer_size, &required_size, "PSA_ALG_PURE_EDDSA", 18); break;
     case PSA_ALG_RIPEMD160: append(&buffer, buffer_size, &required_size, "PSA_ALG_RIPEMD160", 17); break;
     case PSA_ALG_RSA_OAEP_BASE: append(&buffer, buffer_size, &required_size, "PSA_ALG_RSA_OAEP_BASE", 21); break;
     case PSA_ALG_RSA_PKCS1V15_CRYPT: append(&buffer, buffer_size, &required_size, "PSA_ALG_RSA_PKCS1V15_CRYPT", 26); break;
@@ -226,6 +231,7 @@ static int psa_snprint_algorithm(char *buffer, size_t buffer_size,
     case PSA_ALG_SHA3_256: append(&buffer, buffer_size, &required_size, "PSA_ALG_SHA3_256", 16); break;
     case PSA_ALG_SHA3_384: append(&buffer, buffer_size, &required_size, "PSA_ALG_SHA3_384", 16); break;
     case PSA_ALG_SHA3_512: append(&buffer, buffer_size, &required_size, "PSA_ALG_SHA3_512", 16); break;
+    case PSA_ALG_SHAKE256_64: append(&buffer, buffer_size, &required_size, "PSA_ALG_SHAKE256_64", 19); break;
     case PSA_ALG_SHA_1: append(&buffer, buffer_size, &required_size, "PSA_ALG_SHA_1", 13); break;
     case PSA_ALG_SHA_224: append(&buffer, buffer_size, &required_size, "PSA_ALG_SHA_224", 15); break;
     case PSA_ALG_SHA_256: append(&buffer, buffer_size, &required_size, "PSA_ALG_SHA_256", 15); break;
diff --git a/tests/suites/test_suite_psa_crypto_metadata.data b/tests/suites/test_suite_psa_crypto_metadata.data
index 5e3a8604a..1167a67c3 100644
--- a/tests/suites/test_suite_psa_crypto_metadata.data
+++ b/tests/suites/test_suite_psa_crypto_metadata.data
@@ -170,6 +170,18 @@ Asymmetric signature: SHA-256 + deterministic ECDSA using SHA-256
 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256
 asymmetric_signature_algorithm:PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):ALG_IS_ECDSA | ALG_IS_DETERMINISTIC_ECDSA | ALG_ECDSA_IS_DETERMINISTIC | ALG_IS_HASH_AND_SIGN
 
+Asymmetric signature: pure EdDSA
+#depends_on:PSA_WANT_ALG_EDDSA
+asymmetric_signature_algorithm:PSA_ALG_PURE_EDDSA:0
+
+Asymmetric signature: Ed25519ph
+#depends_on:PSA_WANT_ALG_EDDSA
+asymmetric_signature_algorithm:PSA_ALG_ED25519PH:ALG_IS_HASH_EDDSA | ALG_IS_HASH_AND_SIGN
+
+Asymmetric signature: Ed448ph
+#depends_on:PSA_WANT_ALG_EDDSA
+asymmetric_signature_algorithm:PSA_ALG_ED448PH:ALG_IS_HASH_EDDSA | ALG_IS_HASH_AND_SIGN
+
 Asymmetric signature: RSA PKCS#1 v1.5 with wildcard hash
 depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN
 asymmetric_signature_wildcard:PSA_ALG_RSA_PKCS1V15_SIGN( PSA_ALG_ANY_HASH ):ALG_IS_RSA_PKCS1V15_SIGN
diff --git a/tests/suites/test_suite_psa_crypto_metadata.function b/tests/suites/test_suite_psa_crypto_metadata.function
index 0c0091b32..8acbe44a8 100644
--- a/tests/suites/test_suite_psa_crypto_metadata.function
+++ b/tests/suites/test_suite_psa_crypto_metadata.function
@@ -30,16 +30,17 @@
 #define ALG_ECDSA_IS_DETERMINISTIC      ( 1u << 11 )
 #define ALG_IS_DETERMINISTIC_ECDSA      ( 1u << 12 )
 #define ALG_IS_RANDOMIZED_ECDSA         ( 1u << 13 )
-#define ALG_IS_HASH_AND_SIGN            ( 1u << 14 )
-#define ALG_IS_RSA_OAEP                 ( 1u << 15 )
-#define ALG_IS_HKDF                     ( 1u << 16 )
-#define ALG_IS_FFDH                     ( 1u << 17 )
-#define ALG_IS_ECDH                     ( 1u << 18 )
-#define ALG_IS_WILDCARD                 ( 1u << 19 )
-#define ALG_IS_RAW_KEY_AGREEMENT        ( 1u << 20 )
-#define ALG_IS_AEAD_ON_BLOCK_CIPHER     ( 1u << 21 )
-#define ALG_IS_TLS12_PRF                ( 1u << 22 )
-#define ALG_IS_TLS12_PSK_TO_MS          ( 1u << 23 )
+#define ALG_IS_HASH_EDDSA               ( 1u << 14 )
+#define ALG_IS_HASH_AND_SIGN            ( 1u << 15 )
+#define ALG_IS_RSA_OAEP                 ( 1u << 16 )
+#define ALG_IS_HKDF                     ( 1u << 17 )
+#define ALG_IS_FFDH                     ( 1u << 18 )
+#define ALG_IS_ECDH                     ( 1u << 19 )
+#define ALG_IS_WILDCARD                 ( 1u << 20 )
+#define ALG_IS_RAW_KEY_AGREEMENT        ( 1u << 21 )
+#define ALG_IS_AEAD_ON_BLOCK_CIPHER     ( 1u << 22 )
+#define ALG_IS_TLS12_PRF                ( 1u << 23 )
+#define ALG_IS_TLS12_PSK_TO_MS          ( 1u << 24 )
 
 /* Flags for key type classification macros. There is a flag for every
  * key type classification macro PSA_KEY_TYPE_IS_xxx except for some that
@@ -97,6 +98,7 @@ void algorithm_classification( psa_algorithm_t alg, unsigned flags )
         TEST_CLASSIFICATION_MACRO( ALG_ECDSA_IS_DETERMINISTIC, alg, flags );
     TEST_CLASSIFICATION_MACRO( ALG_IS_DETERMINISTIC_ECDSA, alg, flags );
     TEST_CLASSIFICATION_MACRO( ALG_IS_RANDOMIZED_ECDSA, alg, flags );
+    TEST_CLASSIFICATION_MACRO( ALG_IS_HASH_EDDSA, alg, flags );
     TEST_CLASSIFICATION_MACRO( ALG_IS_HASH_AND_SIGN, alg, flags );
     TEST_CLASSIFICATION_MACRO( ALG_IS_RSA_OAEP, alg, flags );
     TEST_CLASSIFICATION_MACRO( ALG_IS_HKDF, alg, flags );