EdDSA - Wikipedia
In public-key cryptography, Edwards-curve Digital Signature Algorithm (EdDSA) is a digital signature scheme using a variant of Schnorr signature based on twisted Edwards curves.[1] It is designed to be faster than existing digital signature schemes without sacrificing security. It was developed by a team including Daniel J. Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, and Bo-Yin Yang.[2] The reference implementation is public domain software.[3]
The following is a simplified description of EdDSA, ignoring details of encoding integers and curve points as bit strings; the full details are in the papers and RFC.[4][2][1]
These parameters are common to all users of the EdDSA signature scheme. The security of the EdDSA signature scheme depends critically on the choices of parameters, except for the arbitrary choice of base point—for example, Pollard's rho algorithm for logarithms is expected to take approximately ℓ π / 4 {\displaystyle {\sqrt {\ell \pi /4}}} curve additions before it can compute a discrete logarithm,[5] so ℓ {\displaystyle \ell } must be large enough for this to be infeasible, and is typically taken to exceed 2200 .[6] The choice of ℓ {\displaystyle \ell } is limited by the choice of q {\displaystyle q} , since by Hasse's theorem, # E ( F q ) = 2 c ℓ {\displaystyle \#E(\mathbb {F} _{q})=2^{c}\ell } cannot differ from q + 1 {\displaystyle q+1} by more than 2 q {\displaystyle 2{\sqrt {q}}} . The hash function H {\displaystyle H} is normally modelled as a random oracle in formal analyses of EdDSA's security. In the HashEdDSA variant, an additional collision-resistant hash function H ′ {\displaystyle H'} is needed.
2 c S B = 2 c ( r + H ( R , A , M ) s ) B = 2 c r B + 2 c H ( R , A , M ) s B = 2 c R + 2 c H ( R , A , M ) A . {\displaystyle {\begin{aligned}2^{c}SB&=2^{c}(r+H(R,A,M)s)B\\&=2^{c}rB+2^{c}H(R,A,M)sB\\&=2^{c}R+2^{c}H(R,A,M)A.\end{aligned}}}
