EdDSA

EdDSA
Name	EdDSA
Introduced	2011
Designers	Daniel J. Bernstein, Tanja Lange, Peter Schwabe
Based on	Edwards curve, Edwards-curve Digital Signature Algorithm
Key size	varies (e.g., 256-bit, 448-bit)
Signature size	varies
Status	widely used

EdDSA EdDSA is a modern digital signature scheme that emphasizes high performance, deterministic signing, and resilience against implementation pitfalls. It was introduced and developed in the cryptographic community alongside many elliptic curve efforts and has been analyzed in contexts involving standards bodies and software projects. EdDSA is used in numerous protocols and systems driven by practical engineering needs and academic scrutiny.

Overview

EdDSA was designed to provide deterministic signatures on twisted Edwards curve instantiations such as Curve25519 family and Edwards448 while addressing issues seen in earlier schemes like Digital Signature Algorithm and Elliptic Curve Digital Signature Algorithm. Key contributors include researchers associated with projects and institutions such as University of Illinois Urbana–Champaign, Technische Universiteit Eindhoven, TU Eindhoven, and labs affiliated with Microsoft Research, Google, Amazon Web Services, and NIST. Deployment choices have been influenced by standards organizations and software projects including IETF, OpenSSH, OpenSSL, LibreSSL, Mozilla, Linux Kernel, and notable cryptographic libraries like libsodium and BoringSSL.

Design and Algorithms

The algorithmic design centers on deterministic nonce derivation from the private key and message using cryptographic hash functions standardized and implemented by groups including IETF CFRG, SHA-512 proponents and parties in the NIST hash function competition legacy. EdDSA uses point arithmetic on twisted Edwards curves; related mathematical foundations trace to work by researchers at Max Planck Institute for Informatics, CWI, and collaborations among authors publishing in venues like CRYPTO, EUROCRYPT, and PKC. Implementation guidance often references constant-time arithmetic to mitigate timing attacks studied by teams from École Polytechnique, ETH Zurich, University of California, Berkeley, and Princeton University. Algorithmic components interact with coordinate systems and optimization techniques used in implementations by developers at DJ Bernstein's group, NaCl authors, and contributors to SageMath and GMP projects.

Security Properties and Analysis

Security proofs and analyses have been conducted in formal models and under threat models considered by researchers at MIT, Harvard University, Stanford University, and Cornell University. EdDSA aims to provide strong existential unforgeability under chosen-message attacks assuming hardness of the Elliptic Curve Discrete Logarithm Problem on the chosen curve instantiations; related hardness assumptions have been discussed at IACR conferences and in papers referencing Boneh–Franklin and other foundational results. Side-channel and fault-injection studies have been published by teams at KU Leuven, University of Padua, Masaryk University, and industrial labs such as Intel and ARM Research. The scheme’s determinism reduces reliance on high-quality randomness, addressing vulnerabilities implicated in incidents involving Sony BMG, ROCA, and RNG failures observed in various commercial products. Cryptanalysis efforts by researchers affiliated with IMDEA Software Institute and independent cryptographers examine small-subgroup, twist-security, and implementation pitfalls similar to those identified in SECP256k1 and other elliptic curve deployments.

Implementations and Variants

EdDSA appears in multiple implementations and protocol integrations maintained by organizations including OpenBSD, FreeBSD, Debian, Red Hat, Canonical, and projects like WireGuard, OpenVPN, Signal, and Matrix (protocol). Variants include different curve instantiations such as points from Curve25519-derived Edwards forms and Edwards448; these variations have been adopted by standards work from IETF CFRG, experimental stacks at Cloudflare, and database/security products from Google Cloud and Amazon Web Services. Libraries implementing EdDSA include libsodium, BoringSSL, OpenSSL, and language-specific ports in Go (programming language), Rust, Python (programming language), Java (programming language), and Node.js ecosystems. Hardware acceleration and secure element integrations have been pursued by vendors like Yubico, Apple Inc., Samsung Electronics, and Intel.

Performance and Comparisons

Performance benchmarks compare EdDSA against algorithms used in systems by NSA, Cisco Systems, and other large vendors, often highlighting faster signature generation and verification relative to non-Edwards elliptic curves used in ECDSA implementations in OpenSSL and enterprise stacks. Comparative studies from academic groups at University of Waterloo, McGill University, and University College London analyze throughput, latency, and resource use on platforms from ARM Holdings-based devices to x86 servers. Microarchitectural analyses consider cache behavior and microcode interactions relevant to vendors like AMD and Intel, while mobile and embedded comparisons span devices from Qualcomm-powered phones to IoT hardware supported by ARM Cortex ecosystems.

Applications and Adoption

EdDSA is used in secure messaging, authentication, and transport protocols adopted by projects such as OpenSSH, TLS proposals within IETF, SSH Communications Security deployments, and secure messaging apps like Signal and WhatsApp that leverage modern cryptography. It is present in cryptographic tokens and hardware security modules from Yubico, Google Titan, and enterprise key management systems by Thales Group and Gemalto. Financial and blockchain experiments reference EdDSA in comparison to schemes used by Bitcoin, Ethereum, and permissioned ledger projects at Hyperledger. Adoption has been driven by industry consortia, standards bodies including IETF, and large-scale cloud providers such as Google Cloud Platform and Microsoft Azure.

Category:Cryptographic algorithms