
Collective Edwards-Curve Digital Signature Algorithm

Document Type: Expired Internet-Draft (individual). Expired & archived
Authors: Bryan Ford, Nicolas Gailly, Linus Gasser, Philipp Jovanovic
Last updated: 2018-01-01 (Latest revision 2017-06-30)
RFC stream: (None)
Intended RFC status: (None)
Stream state: (No stream defined)
Consensus boilerplate: Unknown
RFC Editor Note: (None)
IESG state: Expired
Telechat date: (None)
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active.


Collective signatures are compact cryptographic proofs showing that several distinct secret key holders, called cosigners, have cooperated to sign a given message. This document describes a collective signature extension to the EdDSA signing schemes for the Ed25519 and Ed448 elliptic curves. A collective EdDSA signature consists of a point R, a scalar s, and a bitmask Z indicating the specific subset of a known group of cosigners that produced this signature. A collective signature produced by n cosigners is of size 64+ceil(n/8) bytes for Ed25519 and 114+ceil(n/8) bytes for Ed448, respectively, instead of 64n and 114n bytes for n individual signatures. Further, collective signature verification requires only one double scalar multiplication rather than n. The verifier learns exactly which subset of the cosigners participated, enabling the verifier to implement flexible acceptance-threshold policies, and preserving transparency and accountability in the event a bad message is collectively signed.

