Goldilocks and the Edwards Bears

Curve 25519 is well known in the industry and is used for key exchange in SSL, Tor, and many other applications. Curve 25519 (created by Daniel J. Bernstein) uses a Montgomery curve of y² = x³ + 486662x² + x with a prime of 2²⁵⁵−19. In its key exchange mode, it is used with ECDH (Elliptic Curve Diffie-Hellman), and the result is named X25519.

But we can also use a twisted Edwards curve (x²+y²=1−dx²y²) to give us Ed25519. While Ed25519 gives 128-bit security, Ed448 enhances Ed25519 with the Goldilocks prime (2⁴⁴⁸−2²²⁴−1) and increases the security from around 112 to 224 bits [paper].

With Ed448, the public and private keys are the same length, but the signature is double this length. Ed448 uses the Goldilocks version of an untwisted Edwards curve, x²+y²=1−39081x²y², with a prime of 2⁴⁴⁸−2²²⁴−1. An EdDSA private key (k) has b bits. We hash this key (for example with SHAKE256) to produce 2b hash bits:

H(k) = (h_0, h_1, …, h_{2b−1})

We then calculate a value of s:

s = 2^n + ∑ 2^i × h_i
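
The hash-then-derive step above, as an added Python example (not code from the original article). It goes beyond the Ed448 case in the text by also covering Ed25519, and checks that the bit-by-bit formula for s gives the same value as the byte clamping implementations use. The values of n and c, the summation bounds c ≤ i < n, and the SHA-512 row for Ed25519 are taken from RFC 8032 and are assumptions not stated on the page; the sample keys are constructed.

```python
import hashlib

# b, n, c and the hash per scheme. The values of n and c, the sum bounds and
# the Ed25519 row are taken from RFC 8032 (assumptions; not stated on the page).
PARAMS = {
    "Ed448": dict(b=456, n=447, c=2, H=lambda k: hashlib.shake_256(k).digest(114)),
    "Ed25519": dict(b=256, n=254, c=3, H=lambda k: hashlib.sha512(k).digest()),
}

def hash_bits(curve, k):
    """H(k) = (h_0, ..., h_{2b-1}); h_i is bit (i mod 8) of byte i // 8."""
    p = PARAMS[curve]
    if len(k) * 8 != p["b"]:
        raise ValueError(f"{curve} private key must be {p['b'] // 8} bytes")
    digest = p["H"](k)  # 2b bits of output
    return [(digest[i // 8] >> (i % 8)) & 1 for i in range(2 * p["b"])]

def secret_scalar(curve, k):
    """s = 2^n + sum over c <= i < n of 2^i * h_i, evaluated bit by bit."""
    p, h = PARAMS[curve], hash_bits(curve, k)
    return 2 ** p["n"] + sum(2 ** i * h[i] for i in range(p["c"], p["n"]))

def clamped_scalar_ed448(k):
    """Same value via byte masks, the way implementations usually compute it."""
    a = bytearray(hashlib.shake_256(k).digest(114)[:57])
    a[0] &= 0xFC   # clear h_0, h_1: s becomes a multiple of the cofactor 4
    a[55] |= 0x80  # set bit 447: the 2^n term
    a[56] = 0      # drop bits 448..455
    return int.from_bytes(a, "little")

def clamped_scalar_ed25519(k):
    a = bytearray(hashlib.sha512(k).digest()[:32])
    a[0] &= 0xF8   # clear h_0..h_2 (cofactor 8)
    a[31] &= 0x7F  # drop bit 255
    a[31] |= 0x40  # set bit 254: the 2^n term
    return int.from_bytes(a, "little")

# Constructed sample keys for illustration only, not real key material.
K448, K25519 = bytes(range(57)), bytes(range(32))

if __name__ == "__main__":
    s = secret_scalar("Ed448", K448)
    print(hex(s))
    print("matches clamping:", s == clamped_scalar_ed448(K448))
```

Only the first b bits of the hash feed into s; the top bit is forced to 1 and the low c bits to 0, so every derived scalar has the same bit length and is a multiple of the cofactor.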

Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice

Professor of Cryptography. Serial innovator. Believer in fairness, justice & freedom. Based in Edinburgh. Old World Breaker. New World Creator. Building trust.