Edwards-Curve Digital Signature Algorithm (EdDSA)
RFC 8032
| Document | Type | RFC - Informational (January 2017; Errata). Was draft-irtf-cfrg-eddsa (cfrg RG) |
|---|---|---|
| | Last updated | 2018-10-11 |
| | Replaces | draft-josefsson-eddsa-ed25519 |
| | Stream | IRTF |
| | Formats | plain text, html, pdf, htmlized, with errata, bibtex |
| | IETF conflict review | conflict-review-irtf-cfrg-eddsa |
| Stream | IRTF state | Published RFC |
| | Consensus Boilerplate | Yes |
| | Document shepherd | No shepherd assigned |
| IESG | IESG state | RFC 8032 (Informational) |
| | Telechat date | |
| | Responsible AD | (None) |
| | Send notices to | (None) |
| IANA | IANA review state | IANA OK - No Actions Needed |
| | IANA action state | RFC-Ed-Ack |
Internet Research Task Force (IRTF)                         S. Josefsson
Request for Comments: 8032                                        SJD AB
Category: Informational                                      I. Liusvaara
ISSN: 2070-1721                                              Independent
                                                            January 2017

Edwards-Curve Digital Signature Algorithm (EdDSA)

Abstract

This document describes the elliptic curve signature scheme Edwards-curve Digital Signature Algorithm (EdDSA). The algorithm is instantiated with recommended parameters for the edwards25519 and edwards448 curves. An example implementation and test vectors are provided.

Status of This Memo

This document is not an Internet Standards Track specification; it is published for informational purposes.

This document is a product of the Internet Research Task Force (IRTF). The IRTF publishes the results of Internet-related research and development activities. These results might not be suitable for deployment. This RFC represents the consensus of the Crypto Forum Research Group of the Internet Research Task Force (IRTF). Documents approved for publication by the IRSG are not a candidate for any level of Internet Standard; see Section 2 of RFC 7841.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc8032.

Copyright Notice

Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.

Josefsson & Liusvaara                Informational                [Page 1]
RFC 8032                   EdDSA: Ed25519 and Ed448             January 2017

Table of Contents

1. Introduction (p. 3)
2. Notation and Conventions (p. 4)
3. EdDSA Algorithm (p. 5)
   3.1. Encoding (p. 7)
   3.2. Keys (p. 7)
   3.3. Sign (p. 8)
   3.4. Verify (p. 8)
4. PureEdDSA, HashEdDSA, and Naming (p. 8)
5. EdDSA Instances (p. 9)
   5.1. Ed25519ph, Ed25519ctx, and Ed25519 (p. 9)
      5.1.1. Modular Arithmetic (p. 10)
      5.1.2. Encoding (p. 10)
      5.1.3. Decoding (p. 11)
      5.1.4. Point Addition (p. 11)
      5.1.5. Key Generation (p. 13)
      5.1.6. Sign (p. 13)
      5.1.7. Verify (p. 14)
   5.2. Ed448ph and Ed448 (p. 15)
      5.2.1. Modular Arithmetic (p. 16)
      5.2.2. Encoding (p. 16)
      5.2.3. Decoding (p. 16)
      5.2.4. Point Addition (p. 17)
      5.2.5. Key Generation (p. 18)
      5.2.6. Sign (p. 19)
      5.2.7. Verify (p. 19)
6. Ed25519 Python Illustration (p. 20)
7. Test Vectors (p. 23)
   7.1. Test Vectors for Ed25519 (p. 24)
   7.2. Test Vectors for Ed25519ctx (p. 27)
   7.3. Test Vectors for Ed25519ph (p. 30)
   7.4. Test Vectors for Ed448 (p. 30)
   7.5. Test Vectors for Ed448ph (p. 38)
8. Security Considerations (p. 40)
   8.1. Side-Channel Leaks (p. 40)
   8.2. Randomness Considerations (p. 40)
   8.3. Use of Contexts (p. 41)
   8.4. Signature Malleability (p. 41)
   8.5. Choice of Signature Primitive (p. 41)
   8.6. Mixing Different Prehashes (p. 42)
   8.7. Signing Large Amounts of Data at Once (p. 42)