23

I am reading https://en.wikipedia.org/wiki/Curve25519 and it states

Also in 2018, RFC 8446 was published as the new Transport Layer Security v1.3 standard. It requires mandatory support for X25519, Ed25519, X448, and Ed448 algorithms.[24]

I understand from various answers on this site that the ECDSA is a different algorithm than EdDSA with EdDSA being simpler, faster and more secure than ECDSA. I am not familiar with the math behind ECC. I am looking for answers to the following questions.

  • Is X25519 and Ed25519 the same curve?
  • Is X25519 used by ECDSA?
  • What does the X in X25519 and X448 stand for?
  • Is the security advantage of EdDSA a result or the Ed25519 curve or the different algorithm it uses than ECDSA?
  • If ECDSA is used with the 25519 curve is it just as secure as EdDSA?
  • Is ECDSA considered to be secure as of Oct 2020?
  • Should EdDSA be always used over ECDSA?
ams
  • 701
  • 1
  • 8
  • 14

2 Answers2

29

Is X25519 and Ed25519 the same curve?

No. X25519 isn't a curve, it's an Elliptic-Curve Diffie-Hellman (ECDH) protocol using the x coordinate of the curve Curve25519. Ed25519 is an Edwards Digital Signature Algorithm using a curve which is birationally equivalent to Curve25519.

Is X25519 used by ECDSA?

No. It's not a curve, it's an ECDH protocol.

What does the X in X25519 and X448 stand for?

The X coordinate is what's transferred, the Y coordinate doesn't need to be transmitted due to the way these protocols work.

Is the security advantage of EdDSA a result or the Ed25519 curve or the different algorithm it uses than ECDSA?

Both (and somewhat neither). EdDSA's algorithm allows it to use curves that are more secure while being fast (ECDSA could be done using the complete point addition formulas over ANY elliptic curve, but it would be slower for many curves).

Additionally EdDSA is deterministic: there's no need to generate a nonce, and no need to track that a nonce is only used once. On the other hand, signing a message twice with the same key will reveal that the same message was signed.

If ECDSA is used with the 25519 curve is it just as secure as EdDSA?

Maybe. It would depend on how the math is done, and on how the nonce generation is handled.

Is ECDSA considered to be secure as of Oct 2020?

This depends on the particular implementation. It's NIST approved, and can be used securely if implemented well.

Should EdDSA be always used over ECDSA?

Not at this time. Some things will require ECDSA, for example the US government's FIPS 140 compliance doesn't allow EdDSA (yet). Edit: FIPS 140-3 & FIPS 186-5 now include EdDSA. New submissions to the cryptographic module validation program may include EdDSA implementations. Legacy FIPS 140-2 modules don't support EdDSA, and those will remain in use for years to come, so EdDSA won't necessarily be avialable. Also EdDSA signatures are deterministic (as mentioned above) which might pose problems to some schemes (though it does eliminate the security issues of nonce reuse that ECDSA has).

As kelalaka pointed out there already exist answers to most of these questions here, I've not bothered to link them.

SAI Peregrinus
  • 5,968
  • 20
  • 27
1

For the exact security guarantees of the Ed25519 signature scheme variants, this paper might be helpful:

The Provable Security of Ed25519: Theory and Practice

user4621
  • 712
  • 3
  • 8