1. Introduction
1. Introduction
The Edwards-curve Digital Signature Algorithm (EdDSA) is a variant of Schnorr's signature system with (possibly twisted) Edwards curves. EdDSA needs to be instantiated with certain parameters, and this document describes some recommended variants.
To facilitate adoption of EdDSA in the Internet community, this document describes the signature scheme in an implementation-oriented way and provides sample code and test vectors.
The advantages with EdDSA are as follows:
-
EdDSA provides high performance on a variety of platforms;
-
The use of a unique random number for each signature is not required;
-
It is more resilient to side-channel attacks;
-
EdDSA uses small public keys (32 or 57 bytes) and signatures (64 or 114 bytes) for Ed25519 and Ed448, respectively;
-
The formulas are "complete", i.e., they are valid for all points on the curve, with no exceptions. This obviates the need for EdDSA to perform expensive point validation on untrusted public values; and
-
EdDSA provides collision resilience, meaning that hash-function collisions do not break this system (only holds for PureEdDSA).
The original EdDSA paper [EDDSA] and the generalized version described in "EdDSA for more curves" [EDDSA2] provide further background. RFC 7748 [RFC7748] discusses specific curves, including Curve25519 [CURVE25519] and Ed448-Goldilocks [ED448].
Ed25519 is intended to operate at around the 128-bit security level and Ed448 at around the 224-bit security level. A sufficiently large quantum computer would be able to break both. Reasonable projections of the abilities of classical computers conclude that Ed25519 is perfectly safe. Ed448 is provided for those applications with relaxed performance requirements and where there is a desire to hedge against analytical attacks on elliptic curves.