# Questions tagged as ['ed25519']

How can I transform a complete twisted Edwards curve $ax^2+y^2 = 1+dx^2y^2$ with non-square $d$ and square $a$ into an isomorphic Edwards curve $X^2+Y^2 = 1+DX^2Y^2$ with a square $-D$, i.e. $D = -r^2$?

I tried to set $X = \frac{x}{\sqrt{a}}; Y=y$, but $-\frac{d}{a}$ is also a non-square (at least for Edwards25519). This answer does not work either (i.e. $-1/d$ is not a square), because $-1$ is squ ...

The standardization document for Ed25519, RFC 8032, says the following method should be used for verifying Ed25519 signatures:

- Check the group equation $[8][S]B = [8]R + [8][k]A'$. It's sufficient, but not required, to instead check $[S]B = R + [k]A'$.

Does that mean that code doing verification should point-multiply both sides by $8 = 2^c$ for cofactor $c$ or should they not? The document and

While the cofactor of the Edwards curve is chosen to be $4$ in standards, the cofactor of the twisted Edwards curve is chosen to be $8$. I can't understand the reason for this. Can we choose cofactor $4$ for the twisted Edwards curve? What happens in this case? Is there any security problem in this case?

I have a public/private key pair of Curve25519 keys used by Wireguard.

How can I use this keypair to generate/verify digital signatures?

Preferably, I would like to use EdDSA/Ed25519, but I struggle to derive an Ed25519 keypair from the Curve25519 keys used by Wireguard.

For the Ed25519 standard, the base point is $B = (x, 4/5)$. According to Stack Question, the y coordinate equals

```
46316835694926478169428394003475163141307993866256225615783033603165251855960
```

But how is this value received? As I understand, $y = 4 \cdot 5^{-1} \mod l$, where $l = 2^{252} + 27742317777372353535851937790883648493$.

So $5^{-1} \mod l$ gives

`1447401115466452442794637312608598848171423271875981521200 ...`

Discussions from highly respected sources (details below) emphasize the importance of the **implementation** of cryptographic software to the effective security provided, with one particular case being sensitivity to **timing attacks**.

**Clarification - Context is cryptographic signing of non-secret messages**

@poncho's initial answer notes that attackers don't always have the luxury of determining the "user's" im ...

I'm learning about `Ed25519`. It depends on a bunch of magic values: The finite field of order $2^{255}-19$, the specific elliptic curve over that field, a specific point on that curve. This is in contrast to Diffie-Hellman or RSA.

Why is that? And conversely, why doesn't DH fix the prime number & the generator, or RSA fix, say, the $n = pq$ value?

I suspect that in case of DH & RSA it's very easy ...

I am developing an application which stores the user's private identity key (Ed25519) on the user's hard drive without any security.

What are the best practices / standards to save a private key on a hard drive, so that even if the filesystem is hacked, the keys are secure?