]>
Edwards-curve Digital Signature Algorithm (EdDSA)
SJD ABsimon@josefsson.orghttp://josefsson.org/Independentilariliusvaara@welho.comThe elliptic curve signature scheme Edwards-curve Digital
Signature Algorithm (EdDSA) is described. The algorithm is
instantiated with recommended parameters for the Curve25519 and
Curve448 curves. An example implementation and test vectors are
provided.NOTE: Anything not about Ed25519 in this document is
extremely premature and there is at least one FIXME that makes
some things unimplementable.The Edwards-curve Digital Signature Algorithm (EdDSA) is a
variant of Schnorr's signature system with (possibly Twisted)
Edwards curves. EdDSA needs to be instantiated with certain
parameters and this document describe some recommended variants.To facilitate adoption in the Internet community of EdDSA,
this document describe the signature scheme in an
implementation-oriented way, and provide sample code and test
vectors.The advantages with EdDSA include:
High-performance on a variety of platforms.Does not require the use of a unique random number for each
signature.More resilient to side-channel attacks.Small public keys (32 or 57 bytes) and signatures (64 or 114
bytes).The formulas are "strongly unified", i.e., they are valid
for all points on the curve, with no exceptions. This
obviates the need for EdDSA to perform expensive point
validation on untrusted public values.Collision resilience, meaning that hash-function collisions
do not break this system. (Only holds for PureEdDSA.)For further background, see the original EdDSA paper and the generalized version
described in EdDSA for more curves.
The document discuss
specific curves, including Curve25519 and Ed448-Goldilocks.FIXME: make sure this is aligned with irtf-cfrg-curvesThe following notation is used throughout the document:GF(p) --- finite field with p elementsx^y --- x multiplied by itself y timesB --- generator of the group or subgroup of interestn B --- B added to itself n times.h_i --- the i'th bit of ha || b --- (bit-)string a concatenated with (bit-)string ba <= b --- a is less than or equal to bA + B --- sum of A and BA x B --- cartesian product of A and BEdDSA is a digital signature system with eleven
parameters.The generic EdDSA digital signature system with its eleven
input parameters is not intended to be implemented directly.
Chosing parameters is critical for secure and efficient
operation. Instead, you would implement a particular parameter
choice for EdDSA (such as Ed25519 or Ed448), sometimes slightly
generalized to achieve code re-use to cover Ed25519 and
Ed448.Therefor, a precise explanation of the generic EdDSA is thus
not particularly useful for implementers. For background and
completeness, a succinct description of the generic EdDSA
algorithm is given here.The definition of some parameters, such as n and c, may help
to explain some non-intuitive steps of the algorithm.This description closely follows .EdDSA has elevent parameters:
An odd prime power p. EdDSA uses an elliptic curve over the
finite field GF(p).An integer b with 2^(bâˆ’1) > p. EdDSA public keys have
exactly b bits, and EdDSA signatures have exactly 2b bits.A (b-1)-bit encoding of elements of the finite field GF(p).A cryptographic hash function H producing 2b-bit
output. Conservative hash functions are recommended and do not
have much impact on the total cost of EdDSA.An integer c that is 2 or 3. Secret EdDSA scalars are
multiples of 2^c.An integer n with c <= n <= b. Secret EdDSA scalars
have exactly n + 1 bits, with the top bit (the 2^n position)
always set and the bottom c bits always cleared.A nonzero square element a of GF(p). The usual
recommendation for best performance is a = âˆ’1 if p mod 4 = 1,
and a = 1 if p mod 4 = 3.An element B != (0,1) of the set E = { (x,y) is a member of
GF(p) x GF(p) such that a x^2 + y^2 = 1 + d x^2 y^2 }.An odd prime l such that l B = 0 and 2^c l = #E. The number
#E is part of the standard data provided for an elliptic curve
E.A "prehash" function PH. PureEdDSA means EdDSA where PH is
the identity function, i.e., PH(M) = M. HashEdDSA means EdDSA
where PH generates a short output, no matter how long the
message is; for example, PH(M) = SHA-512(M).Points on the curve form a group under addition, (x3, y3) =
(x1, y1) + (x2, y2), with the formulasThe neutral element in the group is (0, 1).For Ed25519, the curve used is equivalent to Curve25519, under a change of
coordinates, which means that the difficulty of the discrete
logarithm problem is the same as for Curve25519.For Ed448, the curve is equivalent to Ed448-Goldilocks under
change of basepoint, which also preserves difficulty of the
discrete logarithm.Unlike many other curves used for cryptographic applications,
these formulas are "strongly unified": they are valid for all
points on the curve, with no exceptions. In particular, the
denominators are non-zero for all input points.There are more efficient formulas, which are still strongly
unified, which use homogeneous coordinates to avoid the
expensive modulo p inversions. See
and .An integer 0 < S < l - 1 is encoded in little-endian
form as a b-bit string ENC(S).An element (x,y) of E is encoded as a b-bit string called
ENC(x,y) which is the (b-1)-bit encoding of y concatenated
with one bit that is 1 if x is negative and 0 if x is not
negative.The encoding of GF(p) is used to define "negative" elements
of GF(p): specifically, x is negative if the (b-1)-bit
encoding of x is lexicographically larger than the (b-1)-bit
encoding of -x.An EdDSA secret key is a b-bit string k. Let the hash H(k)
= (h_0, h_1, ..., h_(2b-1)) determine an integer s which is
2^n plus the sum of m = 2^i * h_i for all i equal or larger
than c and equal to or less than n. Let s determine the
multiple A = s B. The EdDSA public key is ENC(A). The bits
h_b, ..., h_(2b-1) is used below during signing.The EdDSA signature of a message M under a secret key k is
defined as the PureEdDSA signature of PH(M). In other words,
EdDSA simply uses PureEdDSA to sign PH(M).The PureEdDSA signature of a message M under a secret key k
is the 2b-bit string ENC(R) || ENC(S). R and S are derived as
follows. First define r = H(h_b, ... h_(2b-1), M)
interpreting 2b-bit strings in little-endian form as integers
in {0, 1, ..., 2^(2b) - 1}. Let R = r B and S = (r + H(ENC(R)
|| ENC(A) || P(M)) s) mod l. The s used here is from the
previous section.To verify a signature ENC(R) || ENC(S) on a message M under
a public key ENC(A), proceed as follows. Parse the inputs so
that A and R is an element of E, and S is a member of the set
{0, 1, ..., l-1 }. Compute h = H(ENC(R) || ENC(A) || M) and
check the group equation 2^c S B = 2^c R + 2^c h A in E.
Verification is rejected if parsing fails or the group
equation does not hold.EdDSA verification for a message M is defined as PureEdDSA
verification for PH(M).One of the parameters of the EdDSA algorithm is the "prehash"
function. This may be the identity function, resulting in an
algorithm called PureEdDSA, or a collision-resistant hash
function such as SHA-512, resulting in an algorithm called
HashEdDSA.Chosing which variant to use depends on which property is
deemed to be more important between 1) collision resilience, and
2) a single-pass interface. The collision reilience property
means EdDSA is secure even if it is feasible to compute
collisions for the hash function. The single-pass interface
property means that only one pass over the input message is
required, whereas PureEdDSA requires two passes over the input.
Many existing APIs, protocols and environments assume digital
signature algorithms only need one pass over the input, and may
have API or bandwidth concerns supporting anything else.This document specify parameters resulting in the HashEdDSA
variants Ed25519ph and Ed448ph, and the PureEdDSA variants
Ed25519 and Ed448.This section instantiate the general EdDSA algorithm for the
Curve25519 and Ed448 curves, each for the PureEdDSA and
HashEdDSA variants. Thus four different parameter sets are
described.Ed25519 is PureEdDSA instantiated with p as the prime
2^255-19, b=256, the 255-bit encoding of GF(p) being the
little-endian encoding of {0, 1, ..., p-1}, H being SHA-512, c being 3, n being 254, a
being -1, d = -121665/121666 which is a member of GF(p), and B
is the unique point (x, 4/5) in E for which x is "positive",
which with the encoding used simply means that the least
significant bit of x is 0, l is the prime 2^252 +
27742317777372353535851937790883648493.Ed25519ph is the same but with PH being SHA-512 instead,
i.e., the input is hashed using SHA-512 before signing with
Ed25519.Written out explicitly, B is the point
(15112221349535400772501151409588531511454012693041857206046113283949847762202,
46316835694926478169428394003475163141307993866256225615783033603165251855960).
The values for p, a, d, B and l follows from the
"edwards25519" values in .FIXME: Ilari: Do we want to refer more to "Edwards25519"
from CFRG-CURVES to get rid of those long-looking constants
from above? Simon: I think we do with the previous paragraph
-- do you want to remove them from this document? The
cfrg-curves draft uses the same variable name for many
different values, so repeating the values here may help.
Maybe we can split this up into "specified here" and
"specified in cfrg-curves" for easier double checking.For advise on how to implement arithmetic modulo p =
2^255 - 19 efficiently and securely, see Curve25519. For inversion modulo
p, it is recommended to use the identity x^-1 = x^(p-2) (mod
p).For point decoding or "decompression", square roots
modulo p are needed. They can be computed using the
Tonelli-Shanks algorithm, or the special case for p = 5 (mod
8). To find a square root of a, first compute the candidate
root x = a^((p+3)/8) (mod p). Then there are three cases:
x^2 = a (mod p). Then x is a square root. x^2 = -a (mod p). Then 2^((p-1)/4) x is a square root. a is not a square modulo p.All values are coded as octet strings, and integers are
coded using little endian convention. I.e., a 32-octet
string h h[0],...h[31] represents the integer h[0] + 2^8
h[1] + ... + 2^248 h[31].A curve point (x,y), with coordinates in the range 0
<= x,y < p, is coded as follows. First encode the
y-coordinate as a little-endian string of 32 octets. The
most significant bit of the final octet is always zero. To
form the encoding of the point, copy the least significant
bit of the x-coordinate to the most significant bit of the
final octet.Decoding a point, given as a 32-octet string, is a little
more complicated.
First interpret the string as an integer in
little-endian representation. Bit 255 of this number is
the least significant bit of the x-coordinate, and denote
this value x_0. The y-coordinate is recovered simply by
clearing this bit. If the resulting value is >= p,
decoding fails.To recover the x coordinate, the curve equation implies
x^2 = (y^2 - 1) / (d y^2 + 1) (mod p). Since d is a
non-square and -1 is a square, the numerator, (d y^2 + 1),
is always invertible modulo p. Let u = y^2 - 1 and v = d
y^2 + 1. To compute the square root of (u/v), the first
step is to compute the candidate root x =
(u/v)^((p+3)/8). This can be done using the following
trick, to use a single modular powering for both the
inversion of v and the square root:
Again, there are three cases:
If v x^2 = u (mod p), x is a square root.If v x^2 = -u (mod p), set x <-- x 2^((p-1)/4),
which is a square root.Otherwise, no square root exists modulo p, and decoding
fails.Finally, use the x_0 bit to select the right square root.
If x = 0, and x_0 = 1, decoding fails. Otherwise, if x_0 !=
x mod 2, set x <-- p - x. Return the decoded point
(x,y).For point addition, the following method is recommended.
A point (x,y) is represented in extended homogeneous
coordinates (X, Y, Z, T), with x = X/Z, y = Y/Z, x y = T/Z.
The following formulas for adding two points, (x3,y3) =
(x1,y1)+(x2,y2) are described in , section 3.1. They are strongly
unified, i.e., they work for any pair of valid input points.
The secret is 32 octets (256 bits, corresponding to b) of
cryptographically-secure random data. See for a discussion about randomness.The 32-byte public key is generated by the following steps.
Hash the 32-byte secret using SHA-512, storing the digest
in a 64-octet large buffer, denoted h. Only the lower 32
bytes are used for generating the public key.Prune the buffer. In C terminology:
Interpret the buffer as the little-endian integer,
forming a secret scalar a. Perform a known-base-point scalar
multiplication a B.The public key A is the encoding of the point aB. First
encode the y coordinate (in the range 0 <= y < p) as a
little-endian string of 32 octets. The most significant bit
of the final octet is always zero. To form the encoding of
the point aB, copy the least significant bit of the x
coordinate to the most significant bit of the final octet.
The result is the public key.The inputs to the signing procedure is the secret key, a
32-octet string, and a message M of arbitrary size.
Hash the secret key, 32-octets, using SHA-512. Let h
denote the resulting digest. Construct the secret scalar a
from the first half of the digest, and the corresponding
public key A, as described in the previous section. Let
prefix denote the second half of the hash digest,
h[32],...,h[63].Compute SHA-512(prefix || M), where M is the message to
be signed. Interpret the 64-octet digest as a little-endian
integer r.Compute the point rB. For efficiency, do this by first
reducing r modulo q, the group order of B. Let the string R
be the encoding of this point.Compute SHA512(R || A || M), and interpret the 64-octet
digest as a little-endian integer k.Compute s = (r + k a) mod q. For efficiency, again reduce
k modulo q first.Form the signature of the concatenation of R (32 octets)
and the little-endian encoding of s (32 octets, three most
significant bits of the final octets always zero).To verify a signature on a message M, first split the
signature into two 32-octet halves. Decode the first half as
a point R, and the second half as an integer s, in the range
0 <= s < q. If the decoding fails, the signature is
invalid.Compute SHA512(R || A || M), and interpret the 64-octet
digest as a little-endian integer k.Check the group equation 8s B = 8 R + 8k A. It's
sufficient, but not required, to instead check s B = R + k
A.Ed448 is PureEdDSA instantiated with p as the prime 2^448 -
2^224 - 1, b=456, the 455-bit encoding of GF(2^448-2^224-1) is
the usual little-endian encoding of {0, 1, ..., 2^448 - 2^224
- 2}, H is [FIXME: needs 912-bit hash], c being 2, n being
448, a being 1, d being - 39081, B is (X(P), Y(P)), and l is
the prime 2^446 -
13818066809895115352007386748515426880336692474882178609894547503885.Ed448ph is the same but with P being SHA-512 instead, i.e.,
the input is hashed using SHA-512 before signing with
Ed448.The values of p, a, d, X(p), Y(p), and l are taken from
curve named "edwards448" in .FIXME: Everything except the hash is straightforward
generalization from Ed25519 case (but duplicating all the text
does not seem very sensible), except now the curve is
untwisted, so point formulas are bit different, keys are 57
bytes, signatures 114, and the pruning formula becomes:
The rest of this section describes how Ed25519 can be
implemented in Python (version 3.2 or later) for illustration.
See appendix A for the complete implementation and appendix B
for a test-driver to run it through some test vectors.Note that this code is not intended for production as it is
not proven to be correct for all inputs, nor does it protect
against side-channel attacks. The purpose is to illustrate
the algorithm to help implementers with their own
implementation.First some preliminaries that will be needed.Then follows functions to perform point operations.Now follows functions for point compression.These are functions for manipulating the secret.The signature function works as below.And finally the verification function.This section contains test vectors for Ed25519ph, Ed448ph,
Ed25519 and Ed448.TODOTODOBelow is a sequence of octets with test vectors for the the
Ed25519 signature algorithm. The octets are hex encoded and
whitespace is inserted for readability. Private keys are 64
bytes, public keys 32 bytes, message of arbitrary length, and
signatures are 64 bytes. The test vectors are taken from
(but we removed the
public key as a suffix of the secret key, and removed the
message from the signature) and .TODOFeedback on this document was received from Werner Koch,
Damien Miller, Bob Bradley, and Franck Rondepierre. The Ed25519
test vectors were double checked by Bob Bradley using 3 separate
implementations (one based on TweetNaCl and 2 different
implementations based on code from SUPERCOP).None.For implementations performing signatures, secrecy of the
key is fundamental. It is possible to protect against some
side-channel attacks by ensuring that the implementation
executes exactly the same sequence of instructions and
performs exactly the same memory accesses, for any value of
the secret key. To make an implementation side-channel silent in this way,
the modulo p arithmetic must not use any data-dependent
branches, e.g., related to carry propagation. Side channel-silent point addition is
straight-forward, thanks to the unified formulas.Scalar multiplication, multiplying a point by an integer,
needs some additional effort to implement in a side-channel
silent manner. One simple approach is to implement a
side-channel silent conditional assignment, and use together
with the binary algorithm to examine one bit of the integer at
a time.Note that the example implementation in this document does
not attempt to be side-channel silent.
&RFC4634;
&CURVES;
&RFC4086;
High-speed high-security signaturesEdDSA for more curvesFaster addition and doubling on elliptic curvesTwisted Edwards Curves RevisitedCurve25519: new Diffie-Hellman speed recordsEd448-Goldilocks, a new elliptic curveEd25519 test vectorsEd25519 Libgcrypt test vectorsBelow is an example implementation of Ed25519 written in
Python, version 3.2 or higher is required.Below is a command-line tool that uses the library above to
perform computations, for interactive use or for
self-checking.