2

I need some guidance on elliptic curves that support signing and key agreement.

I am trying to develop a protocol for sending encrypted, deniably authenticated messages. To do this I will sign the message with a 2-key ring signature using the sender's signing key and the recipient's encryption key.

Is there a sensible elliptic curve to use for this? Ideally it would meet the safe curves standards and provide the same level of security as Curve25519 (i.e. 256 bit length / 128 bit security).

Ed448-Goldilocks looks like it fits the bill as a curve intended to support both functions but is there anything more lightweight?

geoff_h
  • 337
  • 1
  • 10

1 Answers1

4

Technically, any elliptic curve can support both signing and key agreement. However, Curve25519 as described in the original paper is meant for $x$-only arithmetic. This means that one never computes the $y$-coordinate. The issue is that you need the $y$-coordinate for signature verification in the standard algorithms (ECDSA, EdDSA).

Therefore, if you want to do signatures with the Curve25519 curve, you need to compute the $y$-coordinate. There are different ways to do this, one is to simply leave the curve as is (in "Montgomery form") and compute its $y$-coordinate. A different way, is to transform the curve into a new shape (the "twisted Edwards form") and do arithmetic there. This new curve is called Ed25519, and it is "(birationally) equivalent" to the old curve. There are even more flavours.

Again, the choice you make will be for efficiency and security. Not because one curve can be used for signatures while the other can't. I suppose the $y$-coordinate computation on Curve25519 is slow enough for people to prefer using Ed25519 instead.

CurveEnthusiast
  • 3,534
  • 16
  • 21