Cryptography Stack Exchange
Cryptography Stack Exchange

Questions tagged [ed25519]

Ed25519 is an algorithm for producing digital signatures. The algorithm is based on Edwards curves introduced by Bernstein et al. (2007) and named after mathematician Harold M. Edwards.

Ed25519 is an algorithm for producing digital signatures. The algorithm is based on Edwards curves introduced by Bernstein et al. (2007) and named after mathematician Harold M. Edwards.

215 questions
70
votes
3 answers

Why Curve25519 for encryption but Ed25519 for signatures?

NaCl and libsodium libraries use Curve25519 for authenticated encryption (actually for sharing a key which is used for encryption) and Ed25519 for signatures. What is the purpose of using different primitives for these operations? Why just not to…
user10651
41
votes
2 answers

Elliptic curve ed25519 vs ed448 - Differences

Other than key size, What are some differences between the Elliptic curve ed25519 and ed448?
Nathan Aw
  • 2,357
  • 3
  • 18
  • 22
40
votes
1 answer

ECDSA, EdDSA and ed25519 relationship / compatibility

I'm trying to understand the relationship between those three signature schemes (ECDSA, EdDSA, and ed25519) and mainly to what degree they are mutually compatible in the sense of key-pair derivation, signing, and signature verification. But I was…
Rafael Korbas
  • 503
  • 1
  • 4
  • 6
34
votes
5 answers

Is it bad to expose the public key?

I am studying about blockchain and have been focusing on encryption protocols that allow authentication. The digital signature of public and private key seems solid, I have focused on the algorithm ED25519. But in some places, some people say about…
Victor França
  • 459
  • 1
  • 5
  • 6
27
votes
1 answer

Why are the lower 3 bits of curve25519/ed25519 secret keys cleared during creation?

I am currently experimenting with ed25519 and I noticed that on secret key creation, bit 254 is always set and the lower 3 bits are always cleared. I found that bit 254 is always set to protect against timing attacks in this question: When using…
MepAhoo
  • 273
  • 3
  • 4
23
votes
2 answers

Difference between X25519 vs. Ed25519

I am reading https://en.wikipedia.org/wiki/Curve25519 and it states Also in 2018, RFC 8446 was published as the new Transport Layer Security v1.3 standard. It requires mandatory support for X25519, Ed25519, X448, and Ed448 algorithms.[24] I…
ams
  • 701
  • 1
  • 8
  • 14
22
votes
1 answer

How many qubits are required to break RSA 2048 or 4096 with a universal quantum computer?

So in the news this week, IBM have created a universal quantum computer with 5 fully functional qubits. Logic and Moore's law dictates they will be able to scale this up to a lot more qubits within a few years. With Shor's algorithm, elliptic curve…
ite
  • 231
  • 1
  • 2
  • 5
21
votes
1 answer

Using a single Ed25519 key for encryption and signature

The libsodium documentation contains a function crypto_sign_ed25519_pk_to_curve25519 that converts an Ed25519 key into a Curve25519 one, so it can be used for both key exchange/encryption and signing: "Ed25519 keys can be converted to Curve25519…
user2552
19
votes
1 answer

Message-Recovery variant of Ed25519 signature?

What would be a Message-Recovery variant of the Ed25519 signature scheme? Ed25519-MR should be simple to use, fast, with a strong security argument, and striving to stay out of the patent minefield, as the original does. [Ed25519] is a signature…
fgrieu
  • 149,326
  • 13
  • 324
  • 622
19
votes
1 answer

Edwards / Montgomery ECC with Weierstrass Implementation?

So let's assume I want to perform Ed448 or Ed25519 digital signatures or want to perform a DH key-exchange. Assume further that those curves (Curve448 or Curve25519) are required. But the problem is, that I have only a constrained device given,…
SEJPM
  • 46,697
  • 9
  • 103
  • 214
17
votes
1 answer

Why are ed25519 keys not recommended for encryption?

Was wondering why there is no straightforward way of using ed25519 keys for encryption. Then I found this: https://github.com/indutny/elliptic/issues/108 There it is stated that it's unlike RSA not recommendable for this purpose - one should rather…
Lenny
  • 193
  • 1
  • 1
  • 5
17
votes
1 answer

Curve25519 over Ed25519 for key exchange? Why?

I've been reading up on the Signal Protocol (in this PDF) and it seems to be using Curve25519 for ECDH and EdDSA (with Ed25519) for signatures. My question is why not use only Ed25519? This implementation supports Ed25519 and key exchange so what is…
OughtToPrevail
  • 374
  • 4
  • 17
15
votes
2 answers

ed25519 ssh public key is always 80 characters long?

I am creating some ssh keys using ed25519, something like: $ ssh-keygen -t ed25519 $ ssh-keygen -o -a 10 -t ed25519 $ ssh-keygen -o -a 100 -t ed25519 $ ssh-keygen -o -a 1000 -t ed25519 But I notice that the output of the public key is always the…
nbari
  • 265
  • 1
  • 2
  • 8
14
votes
2 answers

Why OpenSSH prefers ECDSA nistp256 keys over -384 and -521, and those over Ed25519, for host key verification?

According to ssh_config(5), HostKeyAlgorithms “specifies the host key algorithms that the client wants to use in order of preference ... The default for this…
squirrel
  • 351
  • 1
  • 2
  • 9
14
votes
4 answers

Is it possible to pick your Ed25519 public key?

Is it possible to generate an Ed25519 keypair that has a very similar public key as another keypair (fooling a casual visual comparison) or is this as hard as solving one of SHA-512 or the discrete logarithm problem?
joeforker
  • 571
  • 5
  • 13
1
2 3
14 15