# Questions tagged as ['ed25519']

Ed25519 is an algorithm for producing digital signatures. The algorithm is based on Edwards curves introduced by Bernstein et al. (2007) and named after mathematician Harold M. Edwards.
Score: 1
Birational transformation from Edwards curve with not square d to Edwards curve with square d

How can I transform a complete twisted Edwards curve $$ax^2+y^2 = 1+dx^2y^2$$ with not square $$d$$ and square $$a$$ into an isomorphic Edwards curve $$X^2+Y^2 = 1+DX^2Y^2$$ with a square $$-D$$ i.e. $$D = -r^2$$?

I tried to set $$X = \frac{x}{\sqrt{a}}; Y=y$$, but $$-\frac{d}{a}$$ is also a non square (at least for Edwards25519). This answer is not working as well (i.e. $$-1/d$$ is not a square), because $$-1$$ is squ ...

Score: 1
Should Ed25519 verification multiply by the cofactor?

The standardization document for Ed25519, RFC 8032, says the following method should be used for verifying Ed25519 signatures:

1. Check the group equation $$[8][S]B = [8]R + [8][k]A'$$. It's sufficient, but not required, to instead check $$[S]B = R + [k]A'$$.

Does that mean that code doing verification should point-multiply both sides by $$8 = 2^c$$ for cofactor $$c$$ or should they not? The document and

Score: 0
Why is the cofactor of the twisted Edwards curve equal to 8?

While The cofactor of the Edwards curve is chosen $$4$$ in standards, the cofactor of the twisted Edwards curve is chosen $$8$$. I can't understand the reason for this. Can we choose cofactor $$4$$ for the twisted Edwards curve? What happens in this case? Is there any security problem in this case?

Score: 3
Digital Signatures with Curve25519 key-pair

I have a public/private key pair of Curve25519 keys used by Wireguard.

How can I use this keypair to generate/verify digital signatures?

Preferrably, I would like to use EdDSA/Ed25519 but I struggle to derive a Ed25519 keypair from the Curve25519 keys used by Wireguard.

Score: 1
ed25519 base point coordinates

For the ed25519 standard Base Point is $$B = (x, 4/5)$$. According to Stack Question the y coordinate equals

46316835694926478169428394003475163141307993866256225615783033603165251855960


But how this value is received? As I understand $$y = 4 \cdot 5^{-1} \mod l$$, where $$l = 2^{252} + 27742317777372353535851937790883648493$$.

So $$5^{-1} \mod l$$ gives

1447401115466452442794637312608598848171423271875981521200 ...
Score: 1
Why is implementation relevant to timing attacks?

Discussions from highly respected sources (details below) emphasize the importance of the implementation of cryptographic software to the effective security provided, with one particular case being sensitivity to timing attacks.

Clarification - Context is cryptographic signing of non-secret messages

@poncho's initial answer notes that attackers don't always have the luxury of determining the "user's" im ...

Score: 8
Why Elliptic Curve Cryptography protocols depend on fixed curves?

I'm learning about Ed25519. It depends on a bunch of magic values: The finite field of order $$2^{255}-19$$, the specific elliptic curve over that field, a specific point on that curve. This is in contrast to Diffie-Hellman or RSA.

Why is that? And conversely, why doesn't DH fix the prime number & the generator, or RSA fix, say, the $$n = pq$$ value?

I suspect that in case of DH & RSA it's very easy  ...

Score: 0
How to securly save ED25519 private key on hard drive

I am developing an application which stores user's private Identity key (ed 25519) on user's hard drive without any security.

What are the best practices / standards to save private key on hard drive, so even if the filesystem is hacked, keys are secure.