Internet Research Task Force (IRTF)                         S. Josefsson
Request for Comments: 8032                                        SJD AB
Category: Informational                                     I. Liusvaara
ISSN: 2070-1721                                              Independent
                                                            January 2017

Edwards-Curve Digital Signature Algorithm (EdDSA)

Abstract

This document describes the elliptic curve signature scheme
Edwards-curve Digital Signature Algorithm (EdDSA). The algorithm is
instantiated with recommended parameters for the edwards25519 and
edwards448 curves. An example implementation and test vectors are
provided.

Status of This Memo

This document is not an Internet Standards Track specification; it is
published for informational purposes.

This document is a product of the Internet Research Task Force
(IRTF). The IRTF publishes the results of Internet-related research
and development activities. These results might not be suitable for
deployment. This RFC represents the consensus of the Crypto Forum
Research Group of the Internet Research Task Force (IRTF). Documents
approved for publication by the IRSG are not a candidate for any
level of Internet Standard; see Section 2 of RFC 7841.

Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc8032.

Copyright Notice

Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
Josefsson & Liusvaara Informational [Page 1]
RFC 8032 EdDSA: Ed25519 and Ed448 January 2017
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Notation and Conventions . . . . . . . . . . . . . . . . . . 4
3. EdDSA Algorithm . . . . . . . . . . . . . . . . . . . . . . . 5
    3.1. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 7
    3.2. Keys . . . . . . . . . . . . . . . . . . . . . . . . . . 7
    3.3. Sign . . . . . . . . . . . . . . . . . . . . . . . . . . 8
    3.4. Verify . . . . . . . . . . . . . . . . . . . . . . . . . 8
4. PureEdDSA, HashEdDSA, and Naming . . . . . . . . . . . . . . 8
5. EdDSA Instances . . . . . . . . . . . . . . . . . . . . . . . 9
    5.1. Ed25519ph, Ed25519ctx, and Ed25519 . . . . . . . . . . . 9
        5.1.1. Modular Arithmetic . . . . . . . . . . . . . . . . . 10
        5.1.2. Encoding . . . . . . . . . . . . . . . . . . . . . . 10
        5.1.3. Decoding . . . . . . . . . . . . . . . . . . . . . . 11
        5.1.4. Point Addition . . . . . . . . . . . . . . . . . . . 11
        5.1.5. Key Generation . . . . . . . . . . . . . . . . . . . 13
        5.1.6. Sign . . . . . . . . . . . . . . . . . . . . . . . . 13
        5.1.7. Verify . . . . . . . . . . . . . . . . . . . . . . . 14
    5.2. Ed448ph and Ed448 . . . . . . . . . . . . . . . . . . . . 15
        5.2.1. Modular Arithmetic . . . . . . . . . . . . . . . . . 16
        5.2.2. Encoding . . . . . . . . . . . . . . . . . . . . . . 16
        5.2.3. Decoding . . . . . . . . . . . . . . . . . . . . . . 16
        5.2.4. Point Addition . . . . . . . . . . . . . . . . . . . 17
        5.2.5. Key Generation . . . . . . . . . . . . . . . . . . . 18
        5.2.6. Sign . . . . . . . . . . . . . . . . . . . . . . . . 19
        5.2.7. Verify . . . . . . . . . . . . . . . . . . . . . . . 19
6. Ed25519 Python Illustration . . . . . . . . . . . . . . . . . 20
7. Test Vectors . . . . . . . . . . . . . . . . . . . . . . . . 23
    7.1. Test Vectors for Ed25519 . . . . . . . . . . . . . . . . 24
    7.2. Test Vectors for Ed25519ctx . . . . . . . . . . . . . . . 27
    7.3. Test Vectors for Ed25519ph . . . . . . . . . . . . . . . 30
    7.4. Test Vectors for Ed448 . . . . . . . . . . . . . . . . . 30
    7.5. Test Vectors for Ed448ph . . . . . . . . . . . . . . . . 38
8. Security Considerations . . . . . . . . . . . . . . . . . . . 40
    8.1. Side-Channel Leaks . . . . . . . . . . . . . . . . . . . 40
    8.2. Randomness Considerations . . . . . . . . . . . . . . . . 40
    8.3. Use of Contexts . . . . . . . . . . . . . . . . . . . . . 41
    8.4. Signature Malleability . . . . . . . . . . . . . . . . . 41
    8.5. Choice of Signature Primitive . . . . . . . . . . . . . .