Ed25519: Difference between revisions
From Elliptic Curve Crypto
properties of finite field |
illustration |
||
| Line 1: | Line 1: | ||
[[Image:Ed25519.svg|frame|left|<tt>−x^2 + y^2 = 1 − (121665/121666) * x^2 * y^2</tt> <ref>Monero Project: Monero docs: Edwards25519 Elliptic Curve https://docs.getmonero.org/cryptography/asymmetric/edwards25519/</ref>]] | |||
'''Ed25519''' is a particular implementation of Elliptic Curve Digital Signature Algorithm ([[ECDSA]]) on a particular elliptic curve over a particular finite field, uniquely specified for the purpose, and named “Curve25519.” | '''Ed25519''' is a particular implementation of Elliptic Curve Digital Signature Algorithm ([[ECDSA]]) on a particular elliptic curve over a particular finite field, uniquely specified for the purpose, and named “Curve25519.” | ||
| Line 7: | Line 8: | ||
</ref>. Schneier <ref>Bruce Schneier. “Bounty to Recover NIST’s Elliptic Curve Seeds.” ''Schneier on Security,'' Oct 12, 2023. https://www.schneier.com/blog/archives/2023/10/bounty-to-recover-nists-elliptic-curve-seeds.html</ref><ref>Filippo Valsorda. “Announcing the $12K NIST elliptic curve seeds bounty.” ''Cryptography Dispatches,'' Oct 5, 2023. https://words.filippo.io/dispatches/seeds-bounty/</ref> feels that some of these schemes are overspecified <ref>A. Langley, M. Hamburg and S. Turner. “Elliptic Curves for Security.” Technical Report RFC 7748, Jan. 2016. https://datatracker.ietf.org/doc/html/rfc7748</ref>, and possibly backdoored by the NSA. For that matter we could just as easily pull a CIA [https://www.cia.gov/the-world-factbook/countries/tonga/factbook factbook on the Tonga], official registrant of the <tt>.to</tt> top level country code domain. | </ref>. Schneier <ref>Bruce Schneier. “Bounty to Recover NIST’s Elliptic Curve Seeds.” ''Schneier on Security,'' Oct 12, 2023. https://www.schneier.com/blog/archives/2023/10/bounty-to-recover-nists-elliptic-curve-seeds.html</ref><ref>Filippo Valsorda. “Announcing the $12K NIST elliptic curve seeds bounty.” ''Cryptography Dispatches,'' Oct 5, 2023. https://words.filippo.io/dispatches/seeds-bounty/</ref> feels that some of these schemes are overspecified <ref>A. Langley, M. Hamburg and S. Turner. “Elliptic Curves for Security.” Technical Report RFC 7748, Jan. 2016. https://datatracker.ietf.org/doc/html/rfc7748</ref>, and possibly backdoored by the NSA. For that matter we could just as easily pull a CIA [https://www.cia.gov/the-world-factbook/countries/tonga/factbook factbook on the Tonga], official registrant of the <tt>.to</tt> top level country code domain. | ||
The figure | The figure “25519” refers to the prime number 2<sup>255</sup> – 19 = | ||
57896044618658097711785492504343953926634992332820282019728792003956564819949 | 57896044618658097711785492504343953926634992332820282019728792003956564819949 | ||
used as the modulus of the finite field. This particular choice of prime number is not difficult to explain or justify as simply the largest suitable prime number that will not overflow a 256-bit or 8-byte array of memory allocated for the efficient machine implementation of arithmetic which is mentioned in the literature. The properties of the [[finite field]] ''GF''(''p''), however, depend heavily on the prime factorization of <math>\phi(p)=p-1</math>. | used as the modulus of the finite field. This particular choice of prime number is not difficult to explain or justify as simply the largest suitable prime number that will not overflow a 256-bit or 8-byte array of memory allocated for the efficient machine implementation of arithmetic which is mentioned in the literature. The properties of the [[finite field]] ''GF''(''p''), however, depend heavily on the prime factorization of <math>\phi(p)=p-1</math>. | ||
Revision as of 12:00, 29 December 2024
Ed25519 is a particular implementation of Elliptic Curve Digital Signature Algorithm (ECDSA) on a particular elliptic curve over a particular finite field, uniquely specified for the purpose, and named “Curve25519.”
Or is it “birationally equivalent?”
It is described perhaps most definitively on its author’s homepage [2]. It has been extensively studied and reviewed [3]. Schneier [4][5] feels that some of these schemes are overspecified [6], and possibly backdoored by the NSA. For that matter we could just as easily pull a CIA factbook on the Tonga, official registrant of the .to top level country code domain.
The figure “25519” refers to the prime number 2255 – 19 =
57896044618658097711785492504343953926634992332820282019728792003956564819949
used as the modulus of the finite field. This particular choice of prime number is not difficult to explain or justify as simply the largest suitable prime number that will not overflow a 256-bit or 8-byte array of memory allocated for the efficient machine implementation of arithmetic which is mentioned in the literature. The properties of the finite field GF(p), however, depend heavily on the prime factorization of .
- ↑ Monero Project: Monero docs: Edwards25519 Elliptic Curve https://docs.getmonero.org/cryptography/asymmetric/edwards25519/
- ↑ Daniel Bernstein. https://ed25519.cr.yp.to/, last updated 2017.01.22.
- ↑ Jacqueline Brendel, Cas Cremers, Dennis Jackson, and Mang Zhao. “The Provable Security of Ed25519: Theory and Practice.” Cryptology ePrint Archive, vol. 2020, no. 823. https://eprint.iacr.org/2020/823.pdf
- ↑ Bruce Schneier. “Bounty to Recover NIST’s Elliptic Curve Seeds.” Schneier on Security, Oct 12, 2023. https://www.schneier.com/blog/archives/2023/10/bounty-to-recover-nists-elliptic-curve-seeds.html
- ↑ Filippo Valsorda. “Announcing the $12K NIST elliptic curve seeds bounty.” Cryptography Dispatches, Oct 5, 2023. https://words.filippo.io/dispatches/seeds-bounty/
- ↑ A. Langley, M. Hamburg and S. Turner. “Elliptic Curves for Security.” Technical Report RFC 7748, Jan. 2016. https://datatracker.ietf.org/doc/html/rfc7748
