Collective Edwards-Curve Digital Signature Algorithm

Document Type Expired Internet-Draft (individual)
Last updated 2018-01-01 (latest revision 2017-06-30)
Stream (None)
Intended RFC status (None)
Expired & archived
plain text pdf html bibtex
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Expired
Telechat date
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


Collective signatures are compact cryptographic proofs showing that several distinct secret key holders, called cosigners, have cooperated to sign a given message. This document describes a collective signature extension to the EdDSA signing schemes for the Ed25519 and Ed448 elliptic curves. A collective EdDSA signature consists of a point R, a scalar s, and a bitmask Z indicating the specific subset of a known group of cosigners that produced this signature. A collective signature produced by n cosigners is of size 64+ceil(n/8) bytes for Ed25519 and 114+ceil(n/8) bytes for Ed448, respectively, instead of 64n and 114n bytes for n individual signatures. Further, collective signature verification requires only one double scalar multiplication rather than n. The verifier learns exactly which subset of the cosigners participated, enabling the verifier to implement flexible acceptance-threshold policies, and preserving transparency and accountability in the event a bad message is collectively signed.


Bryan Ford (
Nicolas Gailly ( (
Philipp Jovanovic (

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)