Английская Википедия:EdDSA

Материал из Онлайн справочника
Перейти к навигацииПерейти к поиску

Шаблон:Short description Шаблон:Infobox encryption method

In public-key cryptography, Edwards-curve Digital Signature Algorithm (EdDSA) is a digital signature scheme using a variant of Schnorr signature based on twisted Edwards curves.[1] It is designed to be faster than existing digital signature schemes without sacrificing security. It was developed by a team including Daniel J. Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, and Bo-Yin Yang.[2] The reference implementation is public-domain software.[3]

Summary

The following is a simplified description of EdDSA, ignoring details of encoding integers and curve points as bit strings; the full details are in the papers and RFC.[4][2][1]

An EdDSA signature scheme is a choice:[4]Шаблон:Rp[2]Шаблон:Rp[1]Шаблон:Rp

  • of finite field <math>\mathbb{F}_q</math> over odd prime power <math>q</math>;
  • of elliptic curve <math>E</math> over <math>\mathbb{F}_q</math> whose group <math>E(\mathbb{F}_q)</math> of <math>\mathbb{F}_q</math>-rational points has order <math>\#E(\mathbb{F}_q) = 2^c \ell</math>, where <math>\ell</math> is a large prime and <math>2^c</math> is called the cofactor;
  • of base point <math>B \in E(\mathbb{F}_q)</math> with order <math>\ell</math>; and
  • of cryptographic hash function <math>H</math> with <math>2b</math>-bit outputs, where <math>2^{b - 1} > q</math> so that elements of <math>\mathbb{F}_q</math> and curve points in <math>E(\mathbb{F}_q)</math> can be represented by strings of <math>b</math> bits.

These parameters are common to all users of the EdDSA signature scheme. The security of the EdDSA signature scheme depends critically on the choices of parameters, except for the arbitrary choice of base point—for example, Pollard's rho algorithm for logarithms is expected to take approximately <math>\sqrt{\ell\pi/4}</math> curve additions before it can compute a discrete logarithm,[5] so <math>\ell</math> must be large enough for this to be infeasible, and is typically taken to exceed Шаблон:Math.[6] The choice of <math>\ell</math> is limited by the choice of <math>q</math>, since by Hasse's theorem, <math>\#E(\mathbb{F}_q) = 2^c \ell</math> cannot differ from <math>q + 1</math> by more than <math>2\sqrt{q}</math>. The hash function <math>H</math> is normally modelled as a random oracle in formal analyses of EdDSA's security.

Within an EdDSA signature scheme,

Public key
An EdDSA public key is a curve point <math>A \in E(\mathbb{F}_q)</math>, encoded in <math>b</math> bits.
Signature
An EdDSA signature on a message <math>M</math> by public key <math>A</math> is the pair <math>(R, S)</math>, encoded in <math>2b</math> bits, of a curve point <math>R \in E(\mathbb{F}_q)</math> and an integer <math>0 < S < \ell</math> satisfying the following verification equation. <math>\parallel</math> denotes concatenation.

<math display="block">2^c S B = 2^c R + 2^c H(R \parallel A \parallel M) A</math>

Private key
An EdDSA private key is a <math>b</math>-bit string <math>k</math> which should be chosen uniformly at random. The corresponding public key is <math>A = s B</math>, where <math>s = H_{0,\dots,b - 1}(k)</math> is the least significant <math>b</math> bits of <math>H(k)</math> interpreted as an integer in little-endian. The signature on a message <math>M</math> is <math>(R, S)</math> where <math>R = r B</math> for <math>r = H(H_{b,\dots,2b - 1}(k) \parallel M)</math>, and <math display="block">S \equiv r + H(R \parallel A \parallel M) s \pmod \ell.</math> This satisfies the verification equation:

<math display="block"> \begin{align} 2^c S B &= 2^c (r + H(R \parallel A \parallel M) s) B \\ 

       &= 2^c r B + 2^c H(R \parallel A \parallel M) s B \\
       &= 2^c R + 2^c H(R \parallel A \parallel M) A.

\end{align} </math>

Ed25519

Ed25519 is the EdDSA signature scheme using SHA-512 (SHA-2) and Curve25519[2] where

<math display="block">-x^2 + y^2 = 1 - \frac{121665}{121666}x^2y^2,</math>

  • <math>\ell = 2^{252} + 27742317777372353535851937790883648493</math> and <math>c = 3</math>
  • <math>B</math> is the unique point in <math>E(\mathbb{F}_q)</math> whose <math>y</math> coordinate is <math>4/5</math> and whose <math>x</math> coordinate is positive.
    "positive" is defined in terms of bit-encoding:
    • "positive" coordinates are even coordinates (least significant bit is cleared)
    • "negative" coordinates are odd coordinates (least significant bit is set)
  • <math>H</math> is SHA-512, with <math>b = 256</math>.

The curve <math>E(\mathbb{F}_q)</math> is birationally equivalent to the Montgomery curve known as Curve25519. The equivalence is[2][7] <math display="block"> x = \frac{u}{v}\sqrt{-486664}, \quad y = \frac{u - 1}{u + 1}. </math>

Performance

The original team has optimized Ed25519 for the x86-64 Nehalem/Westmere processor family. Verification can be performed in batches of 64 signatures for even greater throughput. Ed25519 is intended to provide attack resistance comparable to quality 128-bit symmetric ciphers.[8]

Public keys are 256 bits long and signatures are 512 bits long.[9]

Secure coding

Ed25519 is designed to avoid implementations that use branch conditions or array indices that depend on secret data,[2]Шаблон:Rp[1]Шаблон:Rp in order to mitigate side-channel attacks.

As with other discrete-log-based signature schemes, EdDSA uses a secret value called a nonce unique to each signature. In the signature schemes DSA and ECDSA, this nonce is traditionally generated randomly for each signature—and if the random number generator is ever broken and predictable when making a signature, the signature can leak the private key, as happened with the Sony PlayStation 3 firmware update signing key.[10][11][12]

In contrast, EdDSA chooses the nonce deterministically as the hash of a part of the private key and the message. Thus, once a private key is generated, EdDSA has no further need for a random number generator in order to make signatures, and there is no danger that a broken random number generator used to make a signature will reveal the private key.[2]Шаблон:Rp

Standardization and implementation inconsistencies

Note that there are two standardization efforts for EdDSA, one from IETF, an informational Шаблон:IETF RFC and one from NIST as part of FIPS 186-5.[13] The differences between the standards have been analyzed,[14][15] and test vectors are available.[16]

Software

Notable uses of Ed25519 include OpenSSH,[17] GnuPG[18] and various alternatives, and the signify tool by OpenBSD.[19] Usage of Ed25519 (and Ed448) in the SSH protocol has been standardized.[20] In 2023 the final version of the FIPS 186-5 standard included deterministic Ed25519 as an approved signature scheme.[13]

Ed448

Ed448 is the EdDSA signature scheme using SHAKE256 and Curve448 defined in Шаблон:IETF RFC. It has also been approved in the final version the FIPS 186-5 standard.[13]

References

Шаблон:Reflist

External links

Шаблон:Cryptography public-key

Партнерские ресурсы
Криптовалюты
Магазины
Хостинг
Разное

  1. 1,0 1,1 1,2 1,3 Шаблон:Cite IETF
  2. 2,0 2,1 2,2 2,3 2,4 2,5 2,6 Шаблон:Cite journal
  3. Шаблон:Cite web
  4. 4,0 4,1 Шаблон:Cite tech report
  5. Шаблон:Cite tech report
  6. Шаблон:Cite web
  7. Шаблон:Cite conference
  8. Шаблон:Cite web
  9. Шаблон:Cite web
  10. Шаблон:Cite news
  11. Шаблон:Cite conference
  12. Шаблон:Cite web
  13. 13,0 13,1 13,2 Шаблон:Cite journal
  14. Шаблон:Cite conference
  15. Шаблон:Cite conference
  16. Шаблон:Cite web
  17. Шаблон:Cite web
  18. Шаблон:Cite web
  19. Шаблон:Cite web
  20. Шаблон:Cite IETF
  21. Шаблон:Cite web
  22. Шаблон:Cite web
  23. Шаблон:Cite journal
  24. Шаблон:Cite web
  25. Шаблон:Github
  26. Шаблон:Cite web
  27. Шаблон:Cite web
  28. Шаблон:Cite web
  29. Шаблон:Cite web
  30. Шаблон:Cite web
  31. Шаблон:Cite web
  32. Шаблон:Cite web
Источник — http://wikihandbk.com/ruwiki/index.php?title=Английская_Википедия:EdDSA&oldid=14444765