Jump to content


From Wikipedia, the free encyclopedia
DesignersDaniel J. Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, Bo-Yin Yang, et al.
First published26 September 2011 (12 years ago) (2011-09-26)
StructureElliptic-curve cryptography

In public-key cryptography, Edwards-curve Digital Signature Algorithm (EdDSA) is a digital signature scheme using a variant of Schnorr signature based on twisted Edwards curves.[1] It is designed to be faster than existing digital signature schemes without sacrificing security. It was developed by a team including Daniel J. Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, and Bo-Yin Yang.[2] The reference implementation is public-domain software.[3]


The following is a simplified description of EdDSA, ignoring details of encoding integers and curve points as bit strings; the full details are in the papers and RFC.[4][2][1]

An EdDSA signature scheme is a choice:[4]: 1–2 [2]: 5–6 [1]: 5–7 

  • of finite field over odd prime power ;
  • of elliptic curve over whose group of -rational points has order , where is a large prime and is called the cofactor;
  • of base point with order ; and
  • of cryptographic hash function with -bit outputs, where so that elements of and curve points in can be represented by strings of bits.

These parameters are common to all users of the EdDSA signature scheme. The security of the EdDSA signature scheme depends critically on the choices of parameters, except for the arbitrary choice of base point—for example, Pollard's rho algorithm for logarithms is expected to take approximately curve additions before it can compute a discrete logarithm,[5] so must be large enough for this to be infeasible, and is typically taken to exceed 2200.[6] The choice of is limited by the choice of , since by Hasse's theorem, cannot differ from by more than . The hash function is normally modelled as a random oracle in formal analyses of EdDSA's security.

Within an EdDSA signature scheme,

Public key
An EdDSA public key is a curve point , encoded in bits.
Signature verification
An EdDSA signature on a message by public key is the pair , encoded in bits, of a curve point and an integer satisfying the following verification equation, where denotes concatenation:

Private key
An EdDSA private key is a -bit string which should be chosen uniformly at random. The corresponding public key is , where is the least significant bits of interpreted as an integer in little-endian.
The signature on a message is deterministically computed as where for , and This satisfies the verification equation


Ed25519 is the EdDSA signature scheme using SHA-512 (SHA-2) and Curve25519[2] where

  • is the twisted Edwards curve

  • and
  • is the unique point in whose coordinate is and whose coordinate is positive.
    "positive" is defined in terms of bit-encoding:
    • "positive" coordinates are even coordinates (least significant bit is cleared)
    • "negative" coordinates are odd coordinates (least significant bit is set)
  • is SHA-512, with .

The curve is birationally equivalent to the Montgomery curve known as Curve25519. The equivalence is[2][7]


The original team has optimized Ed25519 for the x86-64 Nehalem/Westmere processor family. Verification can be performed in batches of 64 signatures for even greater throughput. Ed25519 is intended to provide attack resistance comparable to quality 128-bit symmetric ciphers.[8]

Public keys are 256 bits long and signatures are 512 bits long.[9]

Secure coding[edit]

Ed25519 is designed to avoid implementations that use branch conditions or array indices that depend on secret data,[2]: 2 [1]: 40  in order to mitigate side-channel attacks.

As with other discrete-log-based signature schemes, EdDSA uses a secret value called a nonce unique to each signature. In the signature schemes DSA and ECDSA, this nonce is traditionally generated randomly for each signature—and if the random number generator is ever broken and predictable when making a signature, the signature can leak the private key, as happened with the Sony PlayStation 3 firmware update signing key.[10][11][12][13]

In contrast, EdDSA chooses the nonce deterministically as the hash of a part of the private key and the message. Thus, once a private key is generated, EdDSA has no further need for a random number generator in order to make signatures, and there is no danger that a broken random number generator used to make a signature will reveal the private key.[2]: 8 

Standardization and implementation inconsistencies[edit]

Note that there are two standardization efforts for EdDSA, one from IETF, an informational RFC 8032 and one from NIST as part of FIPS 186-5.[14] The differences between the standards have been analyzed,[15][16] and test vectors are available.[17]


Notable uses of Ed25519 include OpenSSH,[18] GnuPG[19] and various alternatives, and the signify tool by OpenBSD.[20] Usage of Ed25519 (and Ed448) in the SSH protocol has been standardized.[21] In 2023 the final version of the FIPS 186-5 standard included deterministic Ed25519 as an approved signature scheme.[14]


Ed448 is the EdDSA signature scheme using SHAKE256 and Curve448 defined in RFC 8032. It has also been approved in the final version the FIPS 186-5 standard.[14]


  1. ^ a b c d Josefsson, S.; Liusvaara, I. (January 2017). Edwards-Curve Digital Signature Algorithm (EdDSA). IRTF. doi:10.17487/RFC8032. ISSN 2070-1721. RFC 8032. Retrieved 2022-07-11.
  2. ^ a b c d e f g Bernstein, Daniel J.; Duif, Niels; Lange, Tanja; Schwabe, Peter; Bo-Yin Yang (2012). "High-speed high-security signatures" (PDF). Journal of Cryptographic Engineering. 2 (2): 77–89. doi:10.1007/s13389-012-0027-1. S2CID 945254.
  3. ^ "Software". 2015-06-11. Retrieved 2016-10-07. The Ed25519 software is in the public domain.
  4. ^ a b Daniel J. Bernstein; Simon Josefsson; Tanja Lange; Peter Schwabe; Bo-Yin Yang (2015-07-04). EdDSA for more curves (PDF) (Technical report). Retrieved 2016-11-14.
  5. ^ Daniel J. Bernstein; Tanja Lange; Peter Schwabe (2011-01-01). On the correct use of the negation map in the Pollard rho method (Technical report). IACR Cryptology ePrint Archive. 2011/003. Retrieved 2016-11-14.
  6. ^ Bernstein, Daniel J.; Lange, Tanja. "ECDLP Security: Rho". SafeCurves: choosing safe curves for elliptic-curve cryptography. Retrieved 2016-11-16.
  7. ^ Bernstein, Daniel J.; Lange, Tanja (2007). Kurosawa, Kaoru (ed.). Faster addition and doubling on elliptic curves. Advances in cryptology—ASIACRYPT. Lecture Notes in Computer Science. Vol. 4833. Berlin: Springer. pp. 29–50. doi:10.1007/978-3-540-76900-2_3. ISBN 978-3-540-76899-9. MR 2565722.
  8. ^ Bernstein, Daniel J. (2017-01-22). "Ed25519: high-speed high-security signatures". Retrieved 2019-09-27. This system has a 2^128 security target; breaking it has similar difficulty to breaking NIST P-256, RSA with ~3000-bit keys, strong 128-bit block ciphers, etc.
  9. ^ Bernstein, Daniel J. (2017-01-22). "Ed25519: high-speed high-security signatures". Retrieved 2020-06-01. Signatures fit into 64 bytes. […] Public keys consume only 32 bytes.
  10. ^ Johnston, Casey (2010-12-30). "PS3 hacked through poor cryptography implementation". Ars Technica. Retrieved 2016-11-15.
  11. ^ fail0verflow (2010-12-29). Console Hacking 2010: PS3 Epic Fail (PDF). Chaos Communication Congress. Archived from the original (PDF) on 2018-10-26. Retrieved 2016-11-15.{{cite conference}}: CS1 maint: numeric names: authors list (link)
  12. ^ "27th Chaos Communication Congress: Console Hacking 2010: PS3 Epic Fail" (PDF). Retrieved 2019-08-04.
  13. ^ Buchanan, Bill (2018-11-12). "Not Playing Randomly: The Sony PS3 and Bitcoin Crypto Hacks. Watch those random number generators". Medium. Archived from the original on 2018-11-30. Retrieved 2024-03-11.
  14. ^ a b c Moody, Dustin (2023-02-03). FIPS 186-5: Digital Signature Standard (DSS). NIST. doi:10.6028/NIST.FIPS.186-5. S2CID 256480883. Retrieved 2023-03-04.
  15. ^ Konstantinos Chalkias, Francois Garillot and Valeria Nikolaenko (2020-10-01). Taming the many EdDSAs. Security Standardisation Research Conference (SSR 2020). Retrieved 2021-02-15.
  16. ^ Jacqueline Brendel, Cas Cremers, Dennis Jackson, and Mang Zhao (2020-07-03). The provable security of ed25519: Theory and practice. IEEE Symposium on Security and Privacy (S&P 2021). Retrieved 2021-02-15.{{cite conference}}: CS1 maint: multiple names: authors list (link)
  17. ^ "ed25519-speccheck". GitHub. Retrieved 2021-02-15.
  18. ^ "Changes since OpenSSH 6.4". 2014-01-03. Retrieved 2016-10-07.
  19. ^ "What's new in GnuPG 2.1". 2016-07-14. Retrieved 2016-10-07.
  20. ^ "Things that use Ed25519". 2016-10-06. Retrieved 2016-10-07.
  21. ^ Harris, B.; Velvindron, L. (February 2020). Ed25519 and Ed448 Public Key Algorithms for the Secure Shell (SSH) Protocol. IETF. doi:10.17487/RFC8709. ISSN 2070-1721. RFC 8709. Retrieved 2022-07-11.
  22. ^ "System security for watchOS". Retrieved 2021-06-07.
  23. ^ Matt Johnston (2013-11-14). "DROPBEAR_2013.61test". Archived from the original on 2019-08-05. Retrieved 2019-08-05.
  24. ^ "Heuristic Algorithms and Distributed Computing" (PDF). Èvrističeskie Algoritmy I Raspredelennye Vyčisleniâ (in Russian): 55–56. 2015. ISSN 2311-8563. Archived from the original (PDF) on 2016-10-20. Retrieved 2016-10-07.
  25. ^ Frank Denis. "Minisign: A dead simple tool to sign files and verify signatures". Retrieved 2016-10-07.
  26. ^ minisign-misc on GitHub
  27. ^ Frank Denis (2016-06-29). "libsodium/ChangeLog". GitHub. Retrieved 2016-10-07.
  28. ^ "OpenSSL CHANGES". July 31, 2019. Archived from the original on May 18, 2018. Retrieved August 5, 2019.
  29. ^ "python/ed25519.py: the main subroutines". 2011-07-06. Retrieved 2016-10-07.
  30. ^ "Software: Alternate implementations". 2015-06-11. Retrieved 2016-10-07.
  31. ^ "eBACS: ECRYPT Benchmarking of Cryptographic Systems: SUPERCOP". 2016-09-10. Retrieved 2016-10-07.
  32. ^ "Virgil Security Crypto Library for C: Library: Foundation". GitHub. Retrieved 2019-08-04.
  33. ^ "wolfSSL Embedded SSL Library (formerly CyaSSL)". Retrieved 2016-10-07.

External links[edit]