# EdDSA

EdDSA
General
DesignersDaniel J. Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, Bo-Yin Yang, et. al.
First published2011-09-26
Detail
StructureElliptic-curve cryptography

In public-key cryptography, Edwards-curve Digital Signature Algorithm (EdDSA) is a digital signature scheme using a variant of Schnorr signature based on Twisted Edwards curves.[1] It is designed to be faster than existing digital signature schemes without sacrificing security. It was developed by a team including Daniel J. Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, and Bo-Yin Yang.[2] The reference implementation is public domain software.[3]

## Summary

The following is a simplified description of EdDSA, ignoring details of encoding integers and curve points as bit strings; the full details are in the papers and RFC.[4][2][1]

An EdDSA signature scheme is a choice

• of finite field ${\displaystyle \mathbb {F} _{q}}$ over odd prime power ${\displaystyle q}$;
• of elliptic curve ${\displaystyle E}$ over ${\displaystyle \mathbb {F} _{q}}$ whose group ${\displaystyle E(\mathbb {F} _{q})}$ of ${\displaystyle \mathbb {F} _{q}}$-rational points has order ${\displaystyle \#E(\mathbb {F} _{q})=2^{c}\ell }$, where ${\displaystyle \ell }$ is a large prime and ${\displaystyle 2^{c}}$ is called the cofactor;
• of base point ${\displaystyle B\in E(\mathbb {F} _{q})}$ with order ${\displaystyle \ell }$; and
• of target-collision-resistant hash function ${\displaystyle H}$ with ${\displaystyle 2b}$-bit outputs, where ${\displaystyle 2^{b-1}>q}$ so that elements of ${\displaystyle \mathbb {F} _{q}}$ and curve points in ${\displaystyle E(\mathbb {F} _{q})}$ can be represented by strings of ${\displaystyle b}$ bits.

These parameters are common to all users of the EdDSA signature scheme. The security of the EdDSA signature scheme depends critically on the choices of parameters, except for the arbitrary choice of base point—for example, Pollard's rho algorithm for logarithms is expected to take approximately ${\displaystyle {\sqrt {\ell \pi /4}}}$ curve additions before it can compute a discrete logarithm,[5] so ${\displaystyle \ell }$ must be large enough for this to be infeasible, and is typically taken to exceed 2200.[6] The choice of ${\displaystyle \ell }$ is limited by the choice of ${\displaystyle q}$, since by Hasse's theorem, ${\displaystyle \#E(\mathbb {F} _{q})=2^{c}\ell }$ cannot differ from ${\displaystyle q+1}$ by more than ${\displaystyle 2{\sqrt {q}}}$.

Within an EdDSA signature scheme,

Public key
An EdDSA public key is a curve point ${\displaystyle A\in E(\mathbb {F} _{q})}$, encoded in ${\displaystyle b}$ bits.
Signature
An EdDSA signature on a message ${\displaystyle M}$ by public key ${\displaystyle A}$ is the pair ${\displaystyle (R,S)}$, encoded in ${\displaystyle 2b}$ bits, of a curve point ${\displaystyle R\in E(\mathbb {F} _{q})}$ and an integer ${\displaystyle 0 satisfying the verification equation
${\displaystyle 2^{c}SB=2^{c}R+2^{c}H(R,A,M)A.}$
Private key
An EdDSA private key is a ${\displaystyle b}$-bit string ${\displaystyle k}$ which should be chosen uniformly at random. The corresponding public key is ${\displaystyle A=sB}$, where ${\displaystyle s=H_{0,\dots ,b-1}(k)}$ is the least significant ${\displaystyle b}$ bits of ${\displaystyle H(k)}$ interpreted as an integer in little-endian. The signature on a message ${\displaystyle M}$ is ${\displaystyle (R,S)}$ where ${\displaystyle R=rB}$ for ${\displaystyle r=H(H_{b,\dots ,2b-1}(k),M)}$, and
${\displaystyle S\equiv r+H(R,A,M)s{\pmod {\ell }}.}$
This satisfies the verification equation:

{\displaystyle {\begin{aligned}2^{c}SB&=2^{c}(r+H(R,A,M)s)B\\&=2^{c}rB+2^{c}H(R,A,M)sB\\&=2^{c}R+2^{c}H(R,A,M)A.\end{aligned}}}

## Ed25519

Ed25519 is the EdDSA signature scheme using SHA-512 and Curve25519[2] where

• ${\displaystyle q=2^{255}-19,}$
• ${\displaystyle E/\mathbb {F} _{q}}$ is the twisted Edwards curve

${\displaystyle -x^{2}+y^{2}=1-{\frac {121665}{121666}}x^{2}y^{2},}$

• ${\displaystyle \ell =2^{252}+27742317777372353535851937790883648493}$ and ${\displaystyle c=3}$
• ${\displaystyle B}$ is the unique point in ${\displaystyle E(\mathbb {F} _{q})}$ whose ${\displaystyle y}$ coordinate is ${\displaystyle 4/5}$ and whose ${\displaystyle x}$ coordinate is positive ("positive" is defined in terms of bit-encoding), and
• ${\displaystyle H}$ is SHA-512, with ${\displaystyle b=256}$.

The curve ${\displaystyle E(\mathbb {F} _{q})}$ is birationally equivalent to the Montgomery curve known as Curve25519. The equivalence is[2][7]

${\displaystyle x={\frac {u}{v}}{\sqrt {-486664}},\quad y={\frac {u-1}{u+1}}.}$

### Performance

The Bernstein team has optimized Ed25519 for the x86-64 Nehalem/Westmere processor family. Verification can be performed in batches of 64 signatures for even greater throughput. Ed25519 is intended to provide attack resistance comparable to quality 128-bit symmetric ciphers. Public keys are 256 bits in length and signatures are twice that size.

### Secure coding

As security features, Ed25519 does not use branch operations and array indexing steps that depend on secret data, so as to defeat many side channel attacks.

Like other discrete-log-based signature schemes, EdDSA uses a secret value called a nonce unique to each signature. In the signature schemes DSA and ECDSA, this nonce is traditionally generated randomly for each signature—and if the random number generator is ever broken and predictable when making a signature, the signature can leak the private key, as happened with the Sony PlayStation 3 firmware update signing key.[8][9] In contrast, EdDSA chooses the nonce deterministically as the hash of the private key and the message. Thus, once a private key is generated, EdDSA has no further need for a random number generator in order to make signatures, and there is no danger that a broken random number generator used to make a signature will reveal the private key.

### Software

Notable uses of Ed25519 include OpenSSH,[10] GnuPG[11] and various alternatives, and the signify tool by OpenBSD.[12]

• I2Pd has its own implementation of EdDSA[18]
• Virgil PKI uses Ed25519 keys by default[21]

## References

1. ^ a b Josefsson, S.; Liusvaara, I. (January 2017). Edwards-Curve Digital Signature Algorithm (EdDSA). Internet Engineering Task Force. doi:10.17487/RFC8032. ISSN 2070-1721. RFC 8032. Retrieved 2017-07-31.
2. ^ a b c d Bernstein, Daniel J.; Duif, Niels; Lange, Tanja; Schwabe, Peter; Bo-Yin Yang (2012). "High-speed high-security signatures" (PDF). Journal of Cryptographic Engineering. 2 (2): 77–89. doi:10.1007/s13389-012-0027-1.
3. ^ "Software". 2015-06-11. Retrieved 2016-10-07. The Ed25519 software is in the public domain.
4. ^ Daniel J. Bernstein, Simon Josefsson, Tanja Lange, Peter Schwabe, and Bo-Yin Yang (2015-07-04). EdDSA for more curves (PDF) (Technical report). Retrieved 2016-11-14.CS1 maint: Uses authors parameter (link)
5. ^ Daniel J. Bernstein, Tanja Lange, and Peter Schwabe (2011-01-01). On the correct use of the negation map in the Pollard rho method (Technical report). IACR Cryptology ePrint Archive. 2011/003. Retrieved 2016-11-14.CS1 maint: Uses authors parameter (link)
6. ^ Daniel J. Bernstein and Tanja Lange. "ECDLP Security: Rho". SafeCurves: choosing safe curves for elliptic-curve cryptography. Retrieved 2016-11-16.CS1 maint: Uses authors parameter (link)
7. ^ Bernstein, Daniel J.; Lange, Tanja (2007). Kurosawa, Kaoru, ed. Faster addition and doubling on elliptic curves. Advances in cryptology—ASIACRYPT. Lecture Notes in Computer Science. 4833. Berlin: Springer. pp. 29–50. doi:10.1007/978-3-540-76900-2_3. ISBN 978-3-540-76899-9. MR 2565722.
8. ^ Johnston, Casey (2010-12-30). "PS3 hacked through poor cryptography implementation". Ars Technica. Retrieved 2016-11-15.
9. ^ fail0verflow (2010-12-29). Console Hacking 2010: PS3 Epic Fail (PDF). 27C3: 27th Chaos Communication Conference. Retrieved 2016-11-15.
10. ^ "Changes since OpenSSH 6.4". 2014-01-03. Retrieved 2016-10-07.
11. ^ "What's new in GnuPG 2.1". 2016-07-14. Retrieved 2016-10-07.
12. ^ "Things that use Ed25519". 2016-10-06. Retrieved 2016-10-07.
13. ^ "eBACS: ECRYPT Benchmarking of Cryptographic Systems: SUPERCOP". 2016-09-10. Retrieved 2016-10-07.
14. ^ "python/ed25519.py: the main subroutines". 2011-07-06. Retrieved 2016-10-07.
15. ^ "Software: Alternate implementations". 2015-06-11. Retrieved 2016-10-07.
16. ^ Frank Denis (2016-06-29). "libsodium/ChangeLog". Retrieved 2016-10-07.
17. ^ "wolfSSL Embedded SSL Library (formerly CyaSSL)". Retrieved 2016-10-07.
18. ^ "Heuristic Algorithms and Distributed Computing" (PDF) (in Russian). 2015. pp. 55–56. ISSN 2311-8563. Retrieved 2016-10-07.
19. ^ Frank Denis. "Minisign: A dead simple tool to sign files and verify signatures". Retrieved 2016-10-07.
20. ^
21. ^