Questions tagged [ed25519]

Ed25519 is an algorithm for producing digital signatures. The algorithm is based on Edwards curves introduced by Bernstein et al. (2007) and named after mathematician Harold M. Edwards.

204 questions
26 votes, 1 answer

Why are the lower 3 bits of curve25519/ed25519 secret keys cleared during creation?

I am currently experimenting with ed25519 and I noticed that on secret key creation, bit 254 is always set and the lower 3 bits are always cleared. I found that bit 254 is always set to protect against timing attacks in this question: When using…
MepAhoo
10 votes, 1 answer

Why Ed25519 encodes y-coordinates rather than x-coordinates

As stated in RFC8032 and FIPS 186-5, Ed25519 signatures use the following encoding method: A curve point (x,y), with coordinates in the range 0 <= x,y < p, is coded as follows. First, encode the y-coordinate as a little-endian string of 32…
Raoul722
5 votes, 2 answers

Weaker alternative to Ed25519?

For me, the main advantages of Ed25519 are that it avoids patents (by computing in one dimension) and that it is fast. However, the 128bit security of Ed25519 is sometimes too strong to comply with export regulations. So I wonder if there are any…
Chris
3 votes, 1 answer

Verifying EdDSA signatures using xedDSA verify function.

I'm running into a problem where I generate signatures using a library like pynacl's (https://pynacl.readthedocs.io/en/stable/signing/) ed25519 implementation and then when I verify it using xedDSA's verify function…
Maaz
3 votes, 2 answers

How to obtain 256-bit security from Ed25519?

It is said that breaking Ed25519 has similar difficulty to breaking RSA with ~3000-bit keys" 1 When using RSA, I prefer 4096-bit keys, but I would like to use Ed25519. If I wanted to double the security level - similar to RSA with ~6000 bits - what…
fizk
2 votes, 0 answers

ed25519 base point coordinates

For the ed25519 standard Base Point is $B = (x, 4/5)$. According to Stack Question the y coordinate equals 46316835694926478169428394003475163141307993866256225615783033603165251855960 But how this value is received? As I understand $y = 4 \cdot…
2 votes, 2 answers

ed25519 adoption -- challenges

If ed25519 is that attractive that it seems to be, can someone explain why adoption has been slow and if there are, if any, challenges with implementing ed25519. Nathan Aw
Nathan Aw
2 votes, 2 answers

Point addition and doubling in Ed25519 (ref10)?

I just migrated CodesInChaos' C# port of Ed25519(ref10) to Java, and everything works fine. (I.e. I get the same results for key generation, signature and verification.) Now, I would like to do a Diffie-Hellman key exchange directly on Ed25519.…
Chris
2 votes, 1 answer

What is a masked secret key in the context of Ed25519?

The documentation for Ed25519-dalek states the following for Secretkey: The caller is responsible for ensuring that the bytes represent a masked secret key. https://docs.rs/ed25519-dalek/0.3.2/ed25519_dalek/struct.SecretKey.html What does a masked…
Nick Decroos
1 vote, 1 answer

Short Ed25519 keys: can I use as ID?

I am building a distributed system, where each user sends signed messages. I don't want to have a certificate system for public keys, like it is done in SSL, so I thought to use public keys themselves as user id. Like: a message from My public key…
shal
1 vote, 1 answer

what is the maximum size of the payload data when using ed25519

When using ed25519 what is the maximum size of the message/payload data? From the specs: The Diffie-Hellman key exchange is then defined as follows: each party generates a random number 1 <= d < N (the private key), computes Q = d G (the public…
nbari
1 vote, 2 answers

Which US standard includes a signature based on Ed25519?

Which standard organization (e.g. NIST or ANSI) standardizes signature Ed25519?
J.Madison
1 vote, 0 answers

Mapping integers to Ed25519 and back again?

I would like to map integer values to points on Ed25519, and then back again. Is there a technique that takes advantage of the specific structure of Ed25519?
Chris
0 votes, 1 answer

Why does ed25519 seem to accept and use 96-byte / 384-bit signatures?

Why do ed25519 signature verify functions accept 96-byte signatures? Take this piece of code for one example: crypto_sign_ed25519_open() requires that signatures be at least 64 bytes (512 bits) but will accept longer ones, and get_hram() will…
Adam Ierymenko
0 votes, 1 answer

How to convert d into 64bit limbs?

Given a d value = -(10240/10241) How would I convert this into 64 bit limbs? I have to expand on this because of stackoverflow quality algorithm, I've tried using python to get the integer rep/hex rep, but it's not a whole number, so I'm a bit lost
WeCanBeFriends