1

I am building the distributed system, where each user sends signed messages. I dont want to have a certificates system for public keys, like it is done in SSL, so I thought to use public keys themselves as user id. Like:

a message from My public key to Your public key: hello! 
and here goes a signature of "hello!", made with sender's secret key.
and anyone can validate the message by sender's id, 
which also happens to be his public key, making the message self-contained

One thing I am not sure about... Ed25519 public keys are so short, isn't it risky to use it as unique user id? What's the odds of system generating same user ID for more than one users? given that when public key is generated - system is unable to check if this user ID already exist (because of the distributed nature of the system)

shal
  • 207
  • 1
  • 2
  • 6

1 Answers1

3

What's the odds of system generating same user ID for more than one users?

You need to have way more than $2^{100}$ key-pairs / users for a collision.

With Ed25519, the public key is $P=[a]G$ with $a$ being the private key and $G$ being the public generator point of the curve. Now because of the determinism of the scalar multiplication, if $P=P'$ then $a=a'$ and thus the users share the same private key. If both users are using a good random number generator, they never pick the same private key. More precisely: If you generate less than $2^{126}$ key pairs there shouldn't be any two key pairs with the same private key, because you would be looking for colliding random 256-bit strings.

SEJPM
  • 45,967
  • 7
  • 99
  • 205
  • 2
    In concrete terms, unless your RNG has a flaw (which has happened), if every person on Earth generates a million keys every second, it will take over a trillion years (much longer than the universe has existed) to get near 2^120. – dave_thompson_085 Jan 02 '18 at 01:48