Questions tagged [eddsa]

In public-key cryptography, Edwards-curve Digital Signature Algorithm (EdDSA) is a digital signature scheme using a variant of Schnorr signature based on twisted Edwards curves. It is designed to be faster than existing digital signature schemes without sacrificing security. It was developed by a team including Daniel J. Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, and Bo-Yin Yang. The reference implementation is public domain software.

Ref: https://en.wikipedia.org/wiki/EdDSA

33 questions

40 votes, 1 answer

ECDSA, EdDSA and ed25519 relationship / compatibility

I'm trying to understand the relationship between those three signature schemes (ECDSA, EdDSA, and ed25519) and mainly to what degree they are mutually compatible in the sense of key-pair derivation, signing, and signature verification. But I was…
Rafael Korbas

22 votes, 1 answer

What is the difference between ECDSA and EdDSA?

As I understand it, both work with elliptic curves, but there seems to be a difference as EdDSA is generally recommended over ECDSA.
Tartori

7 votes, 3 answers

Rationale for verification with cofactor $2^c$ in EdDSA?

EdDSA for more curves describes two options of signature verification: Verification, which checks $2^c\,S\,B\,=\,2^c\,R+2^c\,H(\underline R,\underline A,M)\,A$; Cofactorless verification, which checks $S\,B\,=\,R+H(\underline R,\underline…
fgrieu

6 votes, 1 answer

Is there any reason not to use EdDSA with Weierstrass curves?

I'm voluntarily working for a crypto library and we're planning on adding Curve25519 support (finally). At the same point I had the idea of adding support for EdDSA in the same run. Our library is highly modular, so the question needs to be…
SEJPM

5 votes, 2 answers

Would EdDSA be broken by replacing H(R, A, M) with H(A, M)?

An EdDSA signature is (R, S) where R = r*B and S = r + H(R, A, M)*s. Notation from Wikipedia en.wikipedia.org/wiki/EdDSA. Given that the hash function H is indeed collision-resistant, would using S = r + H(A, M)*s be a secure variant? In the…

5 votes, 0 answers

Does EdDSA share Schnorr signature secure linearity property?

EdDSA, Edwards-curve Digital Signature Algorithm (EdDSA), is a digital signature scheme using a variant of Schnorr signature based on Twisted Edwards curves (source). Schnorr signatures have a remarkable property: linearity. This allows multiple…
Robert Zaremba

5 votes, 1 answer

EdDSA Signature Algorithm - hash of secret key

Why does EdDSA use the (SHA-512) hash of the secret key as the exponent for the public key rather than using the secret key value directly? This seems inefficient, and I can't see how it adds any extra security.
geoff_h

5 votes, 1 answer

RFCs & IANA specs about Ed25519 inaccurate?

While designing a crypto system based on existing standards and specifications I find myself questioning some of the accuracy in the current RFC-8037 and IANA specs around Edwards curves, 25519 and ed25519 notation. In RFC8037, they say that the…
ehanoc

4 votes, 2 answers

Ed448 parameters wrong in RFC7748

When implementing and testing my own EdDSA program I found out that the old RFC7748 gives wrong parameters for Ed448/Edwards448. There is currently a new Draft where this is…
Habor

3 votes, 1 answer

two closely distanced ECDSA keys

Assume that one uses two private keys $x_1$ and $x_2$ to generate two public ECDSA keys $y_1$ and $y_2$ (e.g., used as public key for Bitcoin address). The distance between $x_1$ and $x_2$ is small (e.g., less than ${2^{20}}$). What's bad about…
Sean

3 votes, 1 answer

Digital Signatures with Curve25519 key-pair

I have a public/private key pair of Curve25519 keys used by Wireguard. How can I use this keypair to generate/verify digital signatures? Preferably, I would like to use EdDSA/Ed25519 but I struggle to derive an Ed25519 keypair from the Curve25519…

3 votes, 1 answer

Public key derivation for Ed448

Another potentially silly question here, but I seem to have developed tunnel vision and I am missing something very basic. In RFC 8032 one can find a number of test vectors for Ed448 - for example: SECRET KEY: c4eab05d357007c632f3dbb48489924d …

3 votes, 1 answer

How is EdDSA different from ECDSA with a custom curve?

I just found this draft/informal IETF specification: Alternative Elliptic Curve Representation: This document specifies how to represent Montgomery curves and (twisted) Edwards curves as curves in short-Weierstrass form and illustrates how this can…
DurandA

3 votes, 1 answer

Likelihood of signature collision with EdDSA

Taking EdDSA as an example, given the length of a signature is 512 bits for a given data payload, what is the probability of a collision where there is another 512-bit value that is also a valid signature? With symmetric crypto we know there is only…
Woodstock

3 votes, 2 answers

Can data be preprocessed when using EdDSA with a hash (SHA or SHAKE)?

According to this comment on a GitHub request for a streaming implementation for digests, ciphers and signature algorithms it is seemingly not possible to start hashing the data before the signature can be generated. Is it possible to preprocess…
Maarten Bodewes