The Edwards-curve Digital Signature Algorithm (EdDSA) is a variant of Schnorr’s signature system with twisted Edwards curves. It is a high-security and high-speed public key signature algorithm. EdDSA should be instantiated with certain parameters. One of the most used instances is called Ed25519. This article will introduce the parameters of EdDSA and the variables of Ed25519.
EdDSA has 11 parameters as follows:
- The parameters of Ed25519
EdDSA uses an elliptic curve over the finite field GF(p). For Ed25519, the value of p is 2²⁵⁵-19.
2. An integer b with 2^(b-1) > p.
The length of EdDSA’s public key is b and the length of signature is 2*b. Usually, b is an integer multiple of 8, so the lengths of public key and signature are always integral number of octets. For Ed25519, the b value is 256, and that makes the public keys to have 32 octets and signature have 64 octets.
3. A (b-1)-bit encoding of elements of the finite field GF(p).
An encoding scheme is always necessary for a practical cryptographic standard, in order to compatible with a variety of input format. Ed25519 choose 255-bit little-endian form as its encoding method.
4. A cryptographic hash function H producing 2*b-bit output.
Usually, signature algorithms use indicated hash functions to digest original message at first, and then sign the hash result instead of the real message. The hash function H is specified as SHA-512 for Ed25519.
5. An integer c that is 2 or 3.
Secret EdDSA scalars are multiples of 2^c. For Ed25519, c is 3.
6. An integer n with c <= n < b.
Secret EdDSA scalars have n+1 bits, with the top bit always be 1 and the bottom c bits always be 0. n is 254 for Ed25519.
7. A non-square element d of GF(p).
For Ed25519, d is 37095705934669439343138083508754565189542113879843219016388785533085940283555. The value is determined by curve edward25519, and defined in RFC7748.
8. A non-zero square element a of GF(p). For Ed25519, a is -1.
9. An element B≠(0,1) of the set E which is determined by the chosen curve.
For Ed25519, B is (15112221349535400772501151409588531511454012693041857206046113283949847762202, 46316835694926478169428394003475163141307993866256225615783033603165251855960). This definition also could be found in RFC7748.
10. An odd prime L such that [L]B = 0 and 2^c * L = #E. [L]B means B added to itself L times. The number #E is the number of points on the curve which could be easily calculated by cofactor * order. For Ed25519, L is 2²⁵²+27742317777372353535851937790883648493.
11. A “pre-hash” function PH.
For Ed25519, PH(x) = x. The function is also called the identity function.
by Zhang Hao
hao.zhang@nbltrust.com
