Ed25519

High-Speed High-Security Signatures

Introduction

• This paper do not claim novelty for any of the individual modifications that used.
• Selecting a good combination of modifications is critical for top performance.
• The most obvious modification is that using twisted Edwards curves rather than Weierstrass curves.

EdDSA Parameters

• An integer \(b \geq 10\).
• A cryptographic hash function \(H\) producing \(2b\)-bit output.
• A prime power \(q\) congruent to 1 modulo 4.
• A \((b-1)\)-bit encoding of elements of the finite field \(F_q\).
• A non-square element \(d\) of \(F_q\).
• A prime \(\ell\) between \(2^{b-4}\) and \(2^{b-3}\).
• And an element \(B \neq (0, 1)\) of the set:

\(E = \{(x,y)\in F_q\times F_q:-x^2+y^2=1+dx^2y^2\}\)

EdDSA Parameters

• \(\ell B=0\) where \(nB\) means the \(n\)th multiple of \(B\) in this group.
• An element \((x,y)\in E\) is encoded as a \(b\)-bit string, this encoding immediately determines \(y\) and it determines \(x\) via the equation \(x=\pm\sqrt{(y^2-1)/(d_{y^2}+1)}\)

EdDSA Keys

• An EdDSA secret key is a \(b\)-bit string \(k\).
• The hash \(H(k)=(h_0, h_1,...,h_{2b-1})\) determines an integer \(a\):
  • \(a=2^{b-2}+\sum_{3\leq i\leq b-3}2^ih_i\in\{2^{b-2},2^{b-2}+8,...,2^{b-1}-8\}\)
• Which in turn determines the multiple \(A=aB\).
• \(A\) is public key.

EdDSA Signatures

• The signature of a message \(M\) under this secret key \(k\) is defined as follows:
  • \(r=H(h_b,...,h_{2b-1},M)\in\{0,1,...,2^{2b}-1\}\)
  • \(R=rB\)
  • \(S=(r+H(R,A,M)a)\mod\ell\)
  • The signature of \(M\) under \(k\) is then the \(2b\)-bit string \((R,S)\).

EdDSA Verification

• The verifier computes \(H(R,A,M)\) and then checks the group equation \(8SB=8R+8H(R,A,M)A\) in E.

Choice of Curve

• The recommended curve for EdDSA is a twisted Edwards curve birationally equivalent to the curve Curve25519.
• Ed25519-SHA-512 is EdDSA with the following parameters:
  • \(b=256\).
  • \(H\) is SHA-512.
  • \(q\) is the prime \(2^{255}-19\).
  • The 255-bit encoding of \(F_{2^{255}-19}\).
  • \(\ell\) is the prime \(2^{252}+27742317777372353535851937790883648493\).
  • \(d=-121665/121666\in F_q\).
  • \(B\) is the unique point \((x,4/5)\in E\) for which \(x\) is positive.

Pseudorandom Generation

EdDSA Session Key

• EdDSA avoids these issues by generating:
  • \(r=H(h_b,...,h_{2b-1},M)\)
• So that different messages will lead to different, hard-to-predict values of \(r\).
• No per-message randomness is consumed.

Cryptographic Hash Function

• Verification equation of this paper is the same as Schnorr's verification.
• With double-size hashing instead of half-size hashing.
• With A inserted as an extra hash input.
• And without Schnorr's compression of R.

Cryptographic Hash Function

Difficulties in Comparison

• Most papers on fast ECC have been limited to ECDH and have not implemented ECC signature verification.
• Most implementations use secret array indices and secret branch conditions.
  • Assume to be breakable by side-channel attacks.

This System

• 273364 cycles for single signature verification.
• 134000 cycles for batch verification.
• 87548 cycles for signing.
• Key generation is almost as fast as signing.
  • Only a slight penalty for key generation to obtain a secure random number from OS.
  • About 6000 cycles under Linux.

The Closest System in eBATS

• ecdonaldp256 ECDSA signatures using NIST P-256 elliptic curve:
  • 1690936 cycles for key generation.
  • 1790936 cycles for signing.
  • 2087500 cycles for verification.

• Better speeds were reported for ECDH:
  • Third place was curve25519.
  • Second place was 307180 cycles for ecfp256e.
  • First place was 278256 cycles for gls1271.
• Kasper 2011, reported 457813 cycles for side-channel-protected ECDH on the NIST P-244 curve.
  • Has not yet been integrated into eBATS.

ECDH Implementation

• This paper implemented ECDH with the side-channel defenses.
• Reported that the software uses 226871 cycles.
  • This is a new speed record for public ECDH software and side-channel-protected ECDH.

Comparison to Other Signature Systems

• The eBATS benchmarks cover 42 different signature systems.
  • Including various size of RSA, DSA, ECDSA, etc.
• This paper beats almost all of the signature times and verification times.

vs. Multivariate-Quadratic

• Multivariate-quadratic signatures are competitive in speed.
  • sflashv2 takes 12470 cycles to sign and 165884 cycles to verify.
  • mqqsig256 takes 4212 cycles to sign and 134900 cycles to verify.
• But sflashv2 was broken by Dubois et al., 2007.
• mqqsig256 has 789552-byte public key.

vs. DSA

• donald512 (512-bit DSA) takes 334508 cycles to verify.
  • Comparable to single-signature verification.
  • But much slow than batch verification speed.
• And it is at a far lower security level, breakable in about \(2^{60}\) simple operations.

vs. RSA

• Some RSA-type systems provide faster verification.
  • But this advantage decreases as the security level increases.
• rwb0fuz1024 (1024-bit Rabin-Williams) uses 12304 cycles to verify but 1751284 cycles to sign and 128 bytes for public key.
• ronald1024 (1024-bit RSA) uses 60300 cycles to verify but 2171124 cycles to sign and 128 bytes for public key.
• ronald3072 (3072-bit RSA) uses 231536 cycles to verify but 31456912 cycles to sign and 384 bytes for a public key.

Conclusion

• The conventional wisdom is that RSA signatures are much better than ECC signatures.
  • Each signatures is verified many times.
• The ECC speed results call this conventional wisdom into question.
• The verification speeds might be beaten by RSA at the same security level.
• But this speed is fast enough to make ECC an attractive option even for verification-intensive application.