Edwards-Curve Digital Signature Algorithm (EdDSA)
RFC 8032

Document Type RFC - Informational (January 2017; No errata)
Was draft-irtf-cfrg-eddsa (cfrg RG)
Last updated 2017-01-24
Replaces draft-josefsson-eddsa-ed25519
Stream IRTF
Formats plain text pdf html bibtex
IETF conflict review conflict-review-irtf-cfrg-eddsa
Stream IRTF state Published RFC
Consensus Boilerplate Yes
RFC Editor Note (None)
IESG IESG state RFC 8032 (Informational)
Telechat date
Responsible AD (None)
Send notices to (None)
IANA IANA review state IANA OK - No Actions Needed
IANA action state RFC-Ed-Ack
Internet Research Task Force (IRTF)                         S. Josefsson
Request for Comments: 8032                                        SJD AB
Category: Informational                                     I. Liusvaara
ISSN: 2070-1721                                              Independent
                                                            January 2017

           Edwards-Curve Digital Signature Algorithm (EdDSA)

Abstract

   This document describes elliptic curve signature scheme Edwards-curve
   Digital Signature Algorithm (EdDSA).  The algorithm is instantiated
   with recommended parameters for the edwards25519 and edwards448
   curves.  An example implementation and test vectors are provided.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This document is a product of the Internet Research Task Force
   (IRTF).  The IRTF publishes the results of Internet-related research
   and development activities.  These results might not be suitable for
   deployment.  This RFC represents the consensus of the Crypto Forum
   Research Group of the Internet Research Task Force (IRTF).  Documents
   approved for publication by the IRSG are not a candidate for any
   level of Internet Standard; see Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc8032.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.

Josefsson & Liusvaara         Informational                     [Page 1]
RFC 8032                EdDSA: Ed25519 and Ed448            January 2017

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Notation and Conventions  . . . . . . . . . . . . . . . . . .   4
   3.  EdDSA Algorithm . . . . . . . . . . . . . . . . . . . . . . .   5
     3.1.  Encoding  . . . . . . . . . . . . . . . . . . . . . . . .   7
     3.2.  Keys  . . . . . . . . . . . . . . . . . . . . . . . . . .   7
     3.3.  Sign  . . . . . . . . . . . . . . . . . . . . . . . . . .   8
     3.4.  Verify  . . . . . . . . . . . . . . . . . . . . . . . . .   8
   4.  PureEdDSA, HashEdDSA, and Naming  . . . . . . . . . . . . . .   8
   5.  EdDSA Instances . . . . . . . . . . . . . . . . . . . . . . .   9
     5.1.  Ed25519ph, Ed25519ctx, and Ed25519  . . . . . . . . . . .   9
       5.1.1.  Modular Arithmetic  . . . . . . . . . . . . . . . . .  10
       5.1.2.  Encoding  . . . . . . . . . . . . . . . . . . . . . .  10
       5.1.3.  Decoding  . . . . . . . . . . . . . . . . . . . . . .  11
       5.1.4.  Point Addition  . . . . . . . . . . . . . . . . . . .  11
       5.1.5.  Key Generation  . . . . . . . . . . . . . . . . . . .  13
       5.1.6.  Sign  . . . . . . . . . . . . . . . . . . . . . . . .  13
       5.1.7.  Verify  . . . . . . . . . . . . . . . . . . . . . . .  14
     5.2.  Ed448ph and Ed448 . . . . . . . . . . . . . . . . . . . .  15
       5.2.1.  Modular Arithmetic  . . . . . . . . . . . . . . . . .  16
       5.2.2.  Encoding  . . . . . . . . . . . . . . . . . . . . . .  16
       5.2.3.  Decoding  . . . . . . . . . . . . . . . . . . . . . .  16
       5.2.4.  Point Addition  . . . . . . . . . . . . . . . . . . .  17
       5.2.5.  Key Generation  . . . . . . . . . . . . . . . . . . .  18
       5.2.6.  Sign  . . . . . . . . . . . . . . . . . . . . . . . .  19
       5.2.7.  Verify  . . . . . . . . . . . . . . . . . . . . . . .  19
   6.  Ed25519 Python Illustration . . . . . . . . . . . . . . . . .  20
   7.  Test Vectors  . . . . . . . . . . . . . . . . . . . . . . . .  23
     7.1.  Test Vectors for Ed25519  . . . . . . . . . . . . . . . .  24
     7.2.  Test Vectors for Ed25519ctx . . . . . . . . . . . . . . .  27
     7.3.  Test Vectors for Ed25519ph  . . . . . . . . . . . . . . .  30
     7.4.  Test Vectors for Ed448  . . . . . . . . . . . . . . . . .  30
     7.5.  Test Vectors for Ed448ph  . . . . . . . . . . . . . . . .  38
   8.  Security Considerations . . . . . . . . . . . . . . . . . . .  40
     8.1.  Side-Channel Leaks  . . . . . . . . . . . . . . . . . . .  40
     8.2.  Randomness Considerations . . . . . . . . . . . . . . . .  40
     8.3.  Use of Contexts . . . . . . . . . . . . . . . . . . . . .  41
     8.4.  Signature Malleability  . . . . . . . . . . . . . . . . .  41
     8.5.  Choice of Signature Primitive . . . . . . . . . . . . . .  41
Show full document text