ed25519

 https://tools.ietf.org/html/rfc7748#section-4.1

 https://blog.csdn.net/mutourend/article/details/98597316

Curve25519

   For the ~128-bit security level, the prime 2^255 - 19 is recommended
   for performance on a wide range of architectures.  Few primes of the
   form 2^c-s with s small exist between 2^250 and 2^521, and other
   choices of coefficient are not as competitive in performance.  This
   prime is congruent to 1 mod 4, and the derivation procedure in
   Appendix A results in the following Montgomery curve
   v^2 = u^3 + A*u^2 + u, called "curve25519":

   p  2^255 - 19

   A  486662

   order  2^252 + 0x14def9dea2f79cd65812631a5cf5d3ed

   cofactor  8

   U(P)  9

   V(P)  147816194475895447910205935684099868872646061346164752889648818
      37755586237401

   The base point is u = 9, v = 1478161944758954479102059356840998688726
   4606134616475288964881837755586237401.

   This curve is birationally equivalent to a twisted Edwards curve -x^2
   + y^2 = 1 + d*x^2*y^2, called "edwards25519", where:

   p  2^255 - 19

   d  370957059346694393431380835087545651895421138798432190163887855330
      85940283555

   order  2^252 + 0x14def9dea2f79cd65812631a5cf5d3ed

   cofactor  8

   X(P)  151122213495354007725011514095885315114540126930418572060461132
      83949847762202

   Y(P)  463168356949264781694283940034751631413079938662562256157830336
      03165251855960






Langley, et al.               Informational                     [Page 4]

---

 
RFC 7748              Elliptic Curves for Security          January 2016


   The birational maps are:

     (u, v) = ((1+y)/(1-y), sqrt(-486664)*u/x)
     (x, y) = (sqrt(-486664)*u/v, (u-1)/(u+1))

   The Montgomery curve defined here is equal to the one defined in
   [curve25519], and the equivalent twisted Edwards curve is equal to
   the one defined in [ed25519].

4.2. Curve448

   For the ~224-bit security level, the prime 2^448 - 2^224 - 1 is
   recommended for performance on a wide range of architectures.  This
   prime is congruent to 3 mod 4, and the derivation procedure in
   Appendix A results in the following Montgomery curve, called
   "curve448":

   p  2^448 - 2^224 - 1

   A  156326

   order  2^446 -
      0x8335dc163bb124b65129c96fde933d8d723a70aadc873d6d54a7bb0d

   cofactor  4

   U(P)  5

   V(P)  355293926785568175264127502063783334808976399387714271831880898
      435169088786967410002932673765864550910142774147268105838985595290
      606362

   This curve is birationally equivalent to the Edwards curve x^2 + y^2
   = 1 + d*x^2*y^2 where:

   p  2^448 - 2^224 - 1

   d  611975850744529176160423220965553317543219696871016626328968936415
      087860042636474891785599283666020414768678979989378147065462815545
      017

   order  2^446 -
      0x8335dc163bb124b65129c96fde933d8d723a70aadc873d6d54a7bb0d

   cofactor  4






Langley, et al.               Informational                     [Page 5]

---

 
RFC 7748              Elliptic Curves for Security          January 2016


   X(P)  345397493039729516374008604150537410266655260075183290216406970
      281645695073672344430481787759340633221708391583424041788924124567
      700732

   Y(P)  363419362147803445274661903944002267176820680343659030140745099
      590306164083365386343198191849338272965044442230921818680526749009
      182718

   The birational maps are:

     (u, v) = ((y-1)/(y+1), sqrt(156324)*u/x)
     (x, y) = (sqrt(156324)*u/v, (1+u)/(1-u))

   Both of those curves are also 4-isogenous to the following Edwards
   curve x^2 + y^2 = 1 + d*x^2*y^2, called "edwards448", where:

   p  2^448 - 2^224 - 1

   d  -39081

   order  2^446 -
      0x8335dc163bb124b65129c96fde933d8d723a70aadc873d6d54a7bb0d

   cofactor  4

   X(P)  224580040295924300187604334099896036246789641632564134246125461
      686950415467406032909029192869357953282578032075146446173674602635
      247710

   Y(P)  298819210078481492676017930443930673437544040154080242095928241
      372331506189835876003536878655418784733982303233503462500531545062
      832660

   The 4-isogeny maps between the Montgomery curve and this Edwards
   curve are:

     (u, v) = (y^2/x^2, (2 - x^2 - y^2)*y/x^3)
     (x, y) = (4*v*(u^2 - 1)/(u^4 - 2*u^2 + 4*v^2 + 1),
               -(u^5 - 2*u^3 - 4*u*v^2 + u)/
               (u^5 - 2*u^2*v^2 - 2*u^3 - 2*v^2 + u))

   The curve edwards448 defined here is also called "Goldilocks" and is
   equal to the one defined in [goldilocks].

 

 

 

目前主流的签名机制是基于secp256r1或者secp256k1曲线的ECDSA签名机制,而应用ECDSA签名机制时,稍有不慎就会引发各种安全问题,具体请参考” ECDSA在区块链应用中的七宗罪”.安全之外,签名机制的效率也是工程落地中的重要考量, OpenSSL针对曲线secp256r1做了深度优化,签名速度到达大约30000次 /秒,验签速度达到大约12000次每秒,而libsecp256k1中则针对曲线secp256k1做了深度优化,签名速度达到大约20000次每秒,验签速度在同时指定−−enable−endomorphism和−−with−bignum=gmp两个选项进行编译后可以达到19000次验签每秒(自同态特性的利用可以带来大约22%的验签速度的提升,而GMP库的应用则可以为验签过程带来大约14%的速度提升,由于两个速度提升的技术是正交的,相互叠加之后可以将验签速度从大约13000次每秒提升到大约19000次每秒).并且随着技术的改进以及CPU新指令的出现,还可以逐步提升执行速度. 然而更好安全性与更高的执行效率的诉求, 或许无法通过这种小步迭代和缝缝补补方式得到满足.

同时解决前述的应用安全, 实现安全以及执行效率的问题, 要求在工程手段之外更为深度的改进, 一个自然的方向是重新构建椭圆曲线以及签名机制以便在多个层次上同时改进: 改进底层算术运算加速中层点群运算, 中层点群运算适配上层协议, 并在上层签名机制设计时同时考虑 ECDSA 签名机制的问题与局限性加以避免. EdDSA (Edwards-curve Digital Signature Algorithm) 签名机制是这个研究方向上的成果. EdDSA 签名机制是 Bernstein 等人在 2012 年设计的基于爱德华曲线 (Edwards Curves) 的数字签名算法. EdDSA 签名机制是 Schnorr 签名机制的一个变种, 其设计初衷是在不牺牲安全性的前提下提升签名/验签速 度, 并同时解决前述的 ECDSA 在应用方面存在的一些问题.

Ed25519是基于扭曲爱德华曲线Edwards25519和SHA-512的EdDSA签名机制.其中Edwards25519曲线是Bernstein等人在2005年提出的蒙哥马利曲线Curve25619的等价变换形式, Curve25519的提出是为了加速ECDH的计算. 之所以采用Curve25519的等价变换形式而不是直接利用Curve25519的原因在于ECDH与EdDSA依赖 的点群运算不同,这可以看成是为上层协议适配中层点群运算的经典示例.另外两个曲线在底层有限域的选取中也充分考虑了快速实现与应用编码问题.而Ed25519的签名设计则将ECDSA中常见的随机数问题纳入考量,直接在签名机制内部解决了随机数产生的问题.

Ed25519带来了安全性和性能方面多个维度的改进,但是其底层的扭曲爱德华曲线或者等价的蒙哥马利曲线相比secp256k1/secp256r1曲线的short-Weierstrass形式来说,显得尤为陌生.为了深入理解Ed25519签名机制,首先需要理解这三种曲线形式之间的关系.从广义Weierstrass形式变换成为short-Weierstrass形式, short-Weierstrass形式与蒙哥马利形式曲线的变换以及蒙哥马利形式与扭曲爱德华曲线之间转换请戳阅读原文.

另外,Ed25519也确实引入了一个在基于secp256k1或者secp256r1的ECDSA签名机制中不存在的问题.一个由于椭圆曲线的余因子(cofactor)不为1导致的问题,使得Monero中可以八花一笔交易(问题已经被修正).secp256k1和secp256r1的余因子为1,所以无需考虑余因子的问题,也不会引发安全问题.而Edwards25519的余因子为8,此时就不得不在应用时将余因子纳入考量的范畴.而余因子为8也部分影响了Ed25519签名机制的设计.然而在上层协议设计中不断为底层曲线填坑不是我们喜欢的方式,也因此有了相应的应对措施. 随后我们会逐步讲解Ed25519的签名机制,优势与可能存在的问题以及改进措施.本次我们首先尝试去理解蒙哥马利曲线与扭曲爱德华曲线.

作者：CoinExChain
链接：https://www.jianshu.com/p/53f7bd3405cc
来源：简书
著作权归作者所有。商业转载请联系作者获得授权，非商业转载请注明出处。

 

 

 

 

 

Edwards curve的定义为：
x2+y2=1+dx2y2,d∉0,1,characteristic不为2

x2+y2=1+dx2y2,d∈/​0,1,characteristic不为2

对于Curve25519，其Montgomery form为：
v2=u3+486662u2+u,q=2255−19

v2=u3+486662u2+u,q=2255−19
对应的Edwards curve表示为：
x2+y2=1+(121665/121666)x2y2x2+y2=1+(121665/121666)x2y2
相互之间的变换关系为：
(x,y)↦(u,v):u=(1+y)/(1−y),v=486664‾‾‾‾‾‾‾√u/x(x,y)↦(u,v):u=(1+y)/(1−y),v=486664​u/x
(u,v)↦(x,y):x=486664‾‾‾‾‾‾‾√u/v,y=(u−1)/(u+1)(u,v)↦(x,y):x=486664

​u/v,y=(u−1)/(u+1)

---

Every Edwards curve has a point of order 4.

---

curve25519 co-factor为8 sage脚本验证：

sage: q=2^255-19
sage: E=EllipticCurve(GF(q),[0,486662,0,1,0])
sage: n=E.cardinality()
sage: n
57896044618658097711785492504343953926856930875039260848015607506283634007912
sage: factor(n)
2^3 * 7237005577332262213973186563042994240857116359379907606001950938285454250989
sage: r=2^252+27742317777372353535851937790883648493
sage: n/r
8

• 1
• 2
• 3
• 4
• 5
• 6
• 7
• 8
• 9
• 10

1.2 Twisted Edwards Curve定义

根据论文《Twisted Edwards Curves》中的Definition 2.1定义：

---

根据此定义可知，每条Edwards curve，都是twisted Edwards curve。

---

1.3 isomorphic elliptic curve定义

1.4 edwards25519

对于Curve25519的Edwards curve表示：
x2+y2=1+dx2y2,d=(121665/121666),q=2255−19

x2+y2=1+dx2y2,d=(121665/121666),q=2255−19
由于-1在Fq(q=2^255-19)域内存在平方根，所以可做如下映射：
(x,y)↦(x−1√,y)(x,y)↦(−1​x​,y) 对应的曲线表示为：

−x2+y2=1+d′x2y2,d′=−(121665/121666),q=2255−19−x2+y2=1+d′x2y2,d′=−(121665/121666),q=2255−19 该曲线与
x2+y2=1+dx2y2

 

x2+y2=1+dx2y2具有同构性isomomorphic。

《Elliptic Curves for Security》中，将

−x2+y2=1+d′x2y2,d′=−(121665/121666),q=2255−19

 

−x2+y2=1+d′x2y2,d′=−(121665/121666),q=2255−19被称为edwards25519。

magma脚本为：

clear; q:=2^255-19; LegendreSymbol(-1, q); //1,即-1是域Fq内的平方值。

• 1
• 2
• 3

sage脚本为：

sage: q=2^255-19 sage: (q-1)/4 14474011154664524427946373126085988481658748083205070504932198000989141204987 sage: sage: mod(-121665/121666,q) 37095705934669439343138083508754565189542113879843219016388785533085940283555

• 1
• 2
• 3
• 4
• 5
• 6

 

1.5 edwards25519与Curve25519映射关系

 

v2=u3+486662u2+u,q=2255−19v2=u3+486662u2+u,q=2255−19 与

−x2+y2=1+d′x2y2,q=2255−19,d′=−(121665/121666)≡37095705934669439343138083508754565189542113879843219016388785533085940283555(mod q)−x2+y2=1+d′x2y2,q=2255−19,d′=−(121665/121666)≡37095705934669439343138083508754565189542113879843219016388785533085940283555(mod q) 的相互转换关系为：

(x,y)↦(u,v):x=−486664‾‾‾‾‾‾‾‾‾√u/v,y=(u−1)/(u+1)(x,y)↦(u,v):x=−486664​u/v,y=(u−1)/(u+1)
(u,v)↦(x,y):u=(1+y)/(1−y),v=−486664‾‾‾‾‾‾‾‾‾√u/x(u,v)↦(x,y):u=(1+y)/(1−y),v=−486664

 

​u/x

2. 坐标系表示

根据论文《Twisted Edwards Curves Revisited》，常见的affine和projective坐标系表示：

• affine coordinate:

(x,y)

 

(x,y)

• projective coordinate:

(X,Y,Z)(X,Y,Z)

由此可知，对于twisted Edwards curve affine coordinate表示:

ax2+y2=1+dx2y2ax2+y2=1+dx2y2 对应的同态projective coordinate表示为
(x,y)↦(X/Z,Y/Z)(x,y)↦(X/Z,Y/Z)：
(aX2+Y2)Z2=Z4+dX2Y2

 

(aX2+Y2)Z2=Z4+dX2Y2

相应的，identity element为(0:1:1)，(X:Y:Z)的负数为(-X:Y:Z)，同时对于所有的非零值

λ∈q,(X:Y:Z)=(λX:λY:λZ)

 

λ∈q,(X:Y:Z)=(λX:λY:λZ)。

2.1 affine coordinate模式下twisted Edwards curve的point加法运算

对于affine coordinate模式下twisted Edwards curve的point加法运算为：

(x1,y1)+(x2,y2)=(x1y2+y1x21+dx1y1x2y2,y1y2−ax1x21−dx1y1x2y2)=(x3,y3)(x1​,y1​)+(x2​,y2​)=(1+dx1​y1​x2​y2​x1​y2​+y1​x2​​,1−dx1​y1​x2​y2​y1​y2​−ax1​x2​​)=(x3​,y3​) 论文《Twisted Edwards Curves Revisited》中，进一步演化为与
dd值无关的计算公式为：
(x1,y1)+(x2,y2)=(x1y1+x2y2y1y2+ax1x2,x1y1−x2y2x1y2−y1x2)=(x3,y3)

 

(x1​,y1​)+(x2​,y2​)=(y1​y2​+ax1​x2​x1​y1​+x2​y2​​,x1​y2​−y1​x2​x1​y1​−x2​y2​​)=(x3​,y3​) 以上算法中，存在求倒数的情况。

2.2 projective coordinate模式下twisted Edwards curve的point加法运算

在论文中有： 由此可知，将twisted Edwards curve的point加法运算转换到projective coordinate坐标系下计算，将没有affine coordinate下的求倒数运算，效率更高。

《Twisted Edwards Curves》

2.3 Extened Twisted Edwards coordinate下的point加法运算

2.3.1 Extened Twisted Edwards coordinate

针对

ax2+y2=1+dx2y2ax2+y2=1+dx2y2增加一个辅助坐标t=xyt=xy来表示point点(x,y)(x,y)，(x,y,t)(x,y,t)即可称为extended affine coordinate，可通过map (x,y,t)↦(x:y:t:1)

 

(x,y,t)↦(x:y:t:1)转换为extended projective coordinate。

对于所有的非零值

λ∈q,(X:Y:T:Z)=(λX:λY:λT:λZ)

 

λ∈q,(X:Y:T:Z)=(λX:λY:λT:λZ)。

论文《Twisted Edwards Curves Revisited》中的转换细节不好理解，可参看 更直观好理解。

https://doc-internal.dalek.rs/curve25519_dalek/backend/serial/curve_models/index.html

在curve25519中以edwards25519为例来讲解如何转换为extended model：

−x2+y2=1+dx2y2−x2+y2=1+dx2y2 设
x=X/Z,y=Y/Tx=X/Z,y=Y/T带入上面公式，清除分母，有：
−X2T2+Y2Z2=Z2T2+dX2Y2

 

−X2T2+Y2Z2=Z2T2+dX2Y2

进行Segre embedding转换：

σ:((X:Z),(Y:T))↦(XY:XT:ZY:ZT)↦(W0:W1:W2:W3)

 

σ:((X:Z),(Y:T))↦(XY:XT:ZY:ZT)↦(W0​:W1​:W2​:W3​)

/// A `CompletedPoint` is a point \\(((X:Z), (Y:T))\\) on the \\(\mathbb /// P\^1 \times \mathbb P\^1 \\) model of the curve. /// A point (x,y) in the affine model corresponds to \\( ((x:1),(y:1)) /// \\). /// /// More details on the relationships between the different curve models /// can be found in the module-level documentation. #[derive(Copy, Clone)] #[allow(missing_docs)] pub struct CompletedPoint { pub X: FieldElement, pub Y: FieldElement, pub Z: FieldElement, pub T: FieldElement, }

• 1
• 2
• 3
• 4
• 5
• 6
• 7
• 8
• 9
• 10
• 11
• 12
• 13
• 14
• 15

从而可有方程组来代表edwards25519：

{W0W3=W1W2−W21+W22=W23+dW20

 

{W0​W3​=W1​W2​−W12​+W22​=W32​+dW02​​

 

(W0:W1:W2:W3)

 

(W0​:W1​:W2​:W3​)即为extended 坐标系。

/// An `EdwardsPoint` represents a point on the Edwards form of Curve25519. #[derive(Copy, Clone)] #[allow(missing_docs)] pub struct EdwardsPoint { pub(crate) X: FieldElement, pub(crate) Y: FieldElement, pub(crate) Z: FieldElement, pub(crate) T: FieldElement, }

• 1
• 2
• 3
• 4
• 5
• 6
• 7
• 8
• 9

通过

(W0:W1:W2:W3)↦(W1:W2:W3)(W0​:W1​:W2​:W3​)↦(W1​:W2​:W3​)，有：
W1W3=XTZT=XZ=xW3​W1​​=ZTXT​=ZX​=x
W2W3=YZZT=YT=y

 

W3​W2​​=ZTYZ​=TY​=y

/// A `ProjectivePoint` is a point \\((X:Y:Z)\\) on the \\(\mathbb /// P\^2\\) model of the curve. /// A point \\((x,y)\\) in the affine model corresponds to /// \\((x:y:1)\\). /// /// More details on the relationships between the different curve models /// can be found in the module-level documentation. #[derive(Copy, Clone)] pub struct ProjectivePoint { pub X: FieldElement, pub Y: FieldElement, pub Z: FieldElement, }

• 1
• 2
• 3
• 4
• 5
• 6
• 7
• 8
• 9
• 10
• 11
• 12
• 13

其中identity element为

(0:1:0:1)(0:1:0:1)，(X:Y:T:Z)(X:Y:T:Z)的负数为 (−X:Y:−T:Z)

 

(−X:Y:−T:Z)。

---

 

尽管TT和ZZ可取任意值，不过在curve25519-dalek实现中，为了简化计算，取的是T=X∗Y,Z=1

 

T=X∗Y,Z=1。

---

 

2.3.2 Extened Twisted Edwards coordinate下的point加法运算

求

(X1:Y1:T1:Z1)+(X2:Y2:T2:Z2)=(X3:Y3:T3:Z3)(X1​:Y1​:T1​:Z1​)+(X2​:Y2​:T2​:Z2​)=(X3​:Y3​:T3​:Z3​)，其中：
X3=(X1Y2+Y1X2)(Z1Z2−dT1T2)X3​=(X1​Y2​+Y1​X2​)(Z1​Z2​−dT1​T2​)
Y3=(Y1Y2−aX1X2)(Z1Z2+dT1T2)Y3​=(Y1​Y2​−aX1​X2​)(Z1​Z2​+dT1​T2​)
T3=(Y1Y2−aX1X2)(X1Y2+Y1X2)T3​=(Y1​Y2​−aX1​X2​)(X1​Y2​+Y1​X2​)
Z3=(Z1Z2−dT1T2)(Z1Z2+dT1T2)

 

Z3​=(Z1​Z2​−dT1​T2​)(Z1​Z2​+dT1​T2​)

论文《Twisted Edwards Curves Revisited》中，进一步演化为与

d

 

d值无关的计算公式为：

3. 总结

---

 

注意，在Extended坐标系下，可提供更快的加法运算，在Projective坐标系下，可提供更快的double运算！！！实际使用时，可根据不同的计算选择不同的坐标系。

---

从【

CompletedPointσ:((X:Z),(Y:T))

 

σ:((X:Z),(Y:T))，即为affine坐标系】转换为【即为Extended 坐标系】，相应的代码为：EdwardsPoint

impl CompletedPoint { /// Convert this point from the \\( \mathbb P\^1 \times \mathbb P\^1 /// \\) model to the \\( \mathbb P\^3 \\) model. /// /// This costs \\(4 \mathrm M \\). pub fn to_extended(&self) -> EdwardsPoint { EdwardsPoint { X: &self.X * &self.T, Y: &self.Y * &self.Z, Z: &self.Z * &self.T, T: &self.X * &self.Y, } } }

• 1
• 2
• 3
• 4
• 5
• 6
• 7
• 8
• 9
• 10
• 11
• 12
• 13
• 14
• 15

从【

CompletedPointσ:((X:Z),(Y:T))

 

σ:((X:Z),(Y:T))，即为affine坐标系】转换为【即为Projective坐标系】的实现代码为：ProjectivePoint

impl CompletedPoint { /// Convert this point from the \\( \mathbb P\^1 \times \mathbb P\^1 /// \\) model to the \\( \mathbb P\^2 \\) model. /// /// This costs \\(3 \mathrm M \\). pub fn to_projective(&self) -> ProjectivePoint { ProjectivePoint { X: &self.X * &self.T, Y: &self.Y * &self.Z, Z: &self.Z * &self.T, } } }

• 1
• 2
• 3
• 4
• 5
• 6
• 7
• 8
• 9
• 10
• 11
• 12
• 13

从【即为Projective坐标系】转换为【即为Extended 坐标系】的实现代码为：

ProjectivePointEdwardsPoint

impl ProjectivePoint { /// Convert this point from the \\( \mathbb P\^2 \\) model to the /// \\( \mathbb P\^3 \\) model. /// /// This costs \\(3 \mathrm M + 1 \mathrm S\\). pub fn to_extended(&self) -> EdwardsPoint { EdwardsPoint { X: &self.X * &self.Z, Y: &self.Y * &self.Z, Z: self.Z.square(), T: &self.X * &self.Y, } } }

• 1
• 2
• 3
• 4
• 5
• 6
• 7
• 8
• 9
• 10
• 11
• 12
• 13
• 14

从【即为Extended 坐标系】转换为【即affine坐标系下，只取x坐标】，：

EdwardsPointMontgomeryPoint两者的映射关系为2-to-1

/// Convert this `EdwardsPoint` on the Edwards model to the /// corresponding `MontgomeryPoint` on the Montgomery model. /// /// This function has one exceptional case; the identity point of /// the Edwards curve is sent to the 2-torsion point \\((0,0)\\) /// on the Montgomery curve. /// /// Note that this is a one-way conversion, since the Montgomery /// model does not retain sign information. pub fn to_montgomery(&self) -> MontgomeryPoint { // We have u = (1+y)/(1-y) = (Z+Y)/(Z-Y). // // The denominator is zero only when y=1, the identity point of // the Edwards curve. Since 0.invert() = 0, in this case we // compute the 2-torsion point (0,0). let U = &self.Z + &self.Y; let W = &self.Z - &self.Y; let u = &U * &W.invert(); MontgomeryPoint(u.to_bytes()) }

• 1
• 2
• 3
• 4
• 5
• 6
• 7
• 8
• 9
• 10
• 11
• 12
• 13
• 14
• 15
• 16
• 17
• 18
• 19
• 20

从【即affine坐标系下，只取x坐标】转换为【即为Extended 坐标系】，：

MontgomeryPointEdwardsPoint两者的映射关系为1-to-2，所以要带上符号标识符，表示相应的的X坐标是整数还是负数signEdwardsPoint

/// Attempt to convert to an `EdwardsPoint`, using the supplied /// choice of sign for the `EdwardsPoint`. /// /// # Return /// /// * `Some(EdwardsPoint)` if `self` is the \\(u\\)-coordinate of a /// point on (the Montgomery form of) Curve25519; /// /// * `None` if `self` is the \\(u\\)-coordinate of a point on the /// twist of (the Montgomery form of) Curve25519; /// pub fn to_edwards(&self, sign: u8) -> Option<EdwardsPoint> { // To decompress the Montgomery u coordinate to an // `EdwardsPoint`, we apply the birational map to obtain the // Edwards y coordinate, then do Edwards decompression. // // The birational map is y = (u-1)/(u+1). // // The exceptional points are the zeros of the denominator, // i.e., u = -1. // // But when u = -1, v^2 = u*(u^2+486662*u+1) = 486660. // // Since this is nonsquare mod p, u = -1 corresponds to a point // on the twist, not the curve, so we can reject it early. let u = FieldElement::from_bytes(&self.0); if u == FieldElement::minus_one() { return None; } let one = FieldElement::one(); let y = &(&u - &one) * &(&u + &one).invert(); let mut y_bytes = y.to_bytes(); y_bytes[31] ^= sign << 7; CompressedEdwardsY(y_bytes).decompress() }

• 1
• 2
• 3
• 4
• 5
• 6
• 7
• 8
• 9
• 10
• 11
• 12
• 13
• 14
• 15
• 16
• 17
• 18
• 19
• 20
• 21
• 22
• 23
• 24
• 25
• 26
• 27
• 28
• 29
• 30
• 31
• 32
• 33
• 34
• 35
• 36
• 37
• 38
• 39

参考资料： [1] 论文《Twisted Edwards Curves Revisited》 [2] [3] 论文《Faster addition and doubling on elliptic curves》 [4] 论文《High-speed high-security signatures》 [5] 《Elliptic Curves for Security》 [6] 书《Guide to elliptic curve cryptography》 [7] 论文 [8]

https://en.wikipedia.org/wiki/Edwards_curve




《Twisted Edwards Curves》
https://doc-internal.dalek.rs/curve25519_dalek/backend/serial/curve_models/index.html

Edwards curve的定义为：
x2+y2=1+dx2y2,d∉0,1,characteristic不为2

x2+y2=1+dx2y2,d∈/​0,1,characteristic不为2

对于Curve25519，其Montgomery form为：
v2=u3+486662u2+u,q=2255−19

v2=u3+486662u2+u,q=2255−19
对应的Edwards curve表示为：
x2+y2=1+(121665/121666)x2y2x2+y2=1+(121665/121666)x2y2
相互之间的变换关系为：
(x,y)↦(u,v):u=(1+y)/(1−y),v=486664‾‾‾‾‾‾‾√u/x(x,y)↦(u,v):u=(1+y)/(1−y),v=486664​u/x
(u,v)↦(x,y):x=486664‾‾‾‾‾‾‾√u/v,y=(u−1)/(u+1)(u,v)↦(x,y):x=486664

​u/v,y=(u−1)/(u+1)

---

Every Edwards curve has a point of order 4.

---

curve25519 co-factor为8 sage脚本验证：

sage: q=2^255-19
sage: E=EllipticCurve(GF(q),[0,486662,0,1,0])
sage: n=E.cardinality()
sage: n
57896044618658097711785492504343953926856930875039260848015607506283634007912
sage: factor(n)
2^3 * 7237005577332262213973186563042994240857116359379907606001950938285454250989
sage: r=2^252+27742317777372353535851937790883648493
sage: n/r
8

• 1
• 2
• 3
• 4
• 5
• 6
• 7
• 8
• 9
• 10

1.2 Twisted Edwards Curve定义

根据论文《Twisted Edwards Curves》中的Definition 2.1定义：

---

根据此定义可知，每条Edwards curve，都是twisted Edwards curve。

---

1.3 isomorphic elliptic curve定义

1.4 edwards25519

对于Curve25519的Edwards curve表示：
x2+y2=1+dx2y2,d=(121665/121666),q=2255−19

x2+y2=1+dx2y2,d=(121665/121666),q=2255−19
由于-1在Fq(q=2^255-19)域内存在平方根，所以可做如下映射：
(x,y)↦(x−1√,y)(x,y)↦(−1​x​,y) 对应的曲线表示为：

−x2+y2=1+d′x2y2,d′=−(121665/121666),q=2255−19−x2+y2=1+d′x2y2,d′=−(121665/121666),q=2255−19 该曲线与
x2+y2=1+dx2y2

 

x2+y2=1+dx2y2具有同构性isomomorphic。

《Elliptic Curves for Security》中，将

−x2+y2=1+d′x2y2,d′=−(121665/121666),q=2255−19

 

−x2+y2=1+d′x2y2,d′=−(121665/121666),q=2255−19被称为edwards25519。

magma脚本为：

clear; q:=2^255-19; LegendreSymbol(-1, q); //1,即-1是域Fq内的平方值。

• 1
• 2
• 3

sage脚本为：

sage: q=2^255-19 sage: (q-1)/4 14474011154664524427946373126085988481658748083205070504932198000989141204987 sage: sage: mod(-121665/121666,q) 37095705934669439343138083508754565189542113879843219016388785533085940283555

• 1
• 2
• 3
• 4
• 5
• 6

 

1.5 edwards25519与Curve25519映射关系

 

v2=u3+486662u2+u,q=2255−19v2=u3+486662u2+u,q=2255−19 与

−x2+y2=1+d′x2y2,q=2255−19,d′=−(121665/121666)≡37095705934669439343138083508754565189542113879843219016388785533085940283555(mod q)−x2+y2=1+d′x2y2,q=2255−19,d′=−(121665/121666)≡37095705934669439343138083508754565189542113879843219016388785533085940283555(mod q) 的相互转换关系为：

(x,y)↦(u,v):x=−486664‾‾‾‾‾‾‾‾‾√u/v,y=(u−1)/(u+1)(x,y)↦(u,v):x=−486664​u/v,y=(u−1)/(u+1)
(u,v)↦(x,y):u=(1+y)/(1−y),v=−486664‾‾‾‾‾‾‾‾‾√u/x(u,v)↦(x,y):u=(1+y)/(1−y),v=−486664

 

​u/x

2. 坐标系表示

根据论文《Twisted Edwards Curves Revisited》，常见的affine和projective坐标系表示：

• affine coordinate:

(x,y)

 

(x,y)

• projective coordinate:

(X,Y,Z)(X,Y,Z)

由此可知，对于twisted Edwards curve affine coordinate表示:

ax2+y2=1+dx2y2ax2+y2=1+dx2y2 对应的同态projective coordinate表示为
(x,y)↦(X/Z,Y/Z)(x,y)↦(X/Z,Y/Z)：
(aX2+Y2)Z2=Z4+dX2Y2

 

(aX2+Y2)Z2=Z4+dX2Y2

相应的，identity element为(0:1:1)，(X:Y:Z)的负数为(-X:Y:Z)，同时对于所有的非零值

λ∈q,(X:Y:Z)=(λX:λY:λZ)

 

λ∈q,(X:Y:Z)=(λX:λY:λZ)。

2.1 affine coordinate模式下twisted Edwards curve的point加法运算

对于affine coordinate模式下twisted Edwards curve的point加法运算为：

(x1,y1)+(x2,y2)=(x1y2+y1x21+dx1y1x2y2,y1y2−ax1x21−dx1y1x2y2)=(x3,y3)(x1​,y1​)+(x2​,y2​)=(1+dx1​y1​x2​y2​x1​y2​+y1​x2​​,1−dx1​y1​x2​y2​y1​y2​−ax1​x2​​)=(x3​,y3​) 论文《Twisted Edwards Curves Revisited》中，进一步演化为与
dd值无关的计算公式为：
(x1,y1)+(x2,y2)=(x1y1+x2y2y1y2+ax1x2,x1y1−x2y2x1y2−y1x2)=(x3,y3)

 

(x1​,y1​)+(x2​,y2​)=(y1​y2​+ax1​x2​x1​y1​+x2​y2​​,x1​y2​−y1​x2​x1​y1​−x2​y2​​)=(x3​,y3​) 以上算法中，存在求倒数的情况。

2.2 projective coordinate模式下twisted Edwards curve的point加法运算

在论文中有： 由此可知，将twisted Edwards curve的point加法运算转换到projective coordinate坐标系下计算，将没有affine coordinate下的求倒数运算，效率更高。

《Twisted Edwards Curves》

2.3 Extened Twisted Edwards coordinate下的point加法运算

2.3.1 Extened Twisted Edwards coordinate

针对

ax2+y2=1+dx2y2ax2+y2=1+dx2y2增加一个辅助坐标t=xyt=xy来表示point点(x,y)(x,y)，(x,y,t)(x,y,t)即可称为extended affine coordinate，可通过map (x,y,t)↦(x:y:t:1)

 

(x,y,t)↦(x:y:t:1)转换为extended projective coordinate。

对于所有的非零值

λ∈q,(X:Y:T:Z)=(λX:λY:λT:λZ)

 

λ∈q,(X:Y:T:Z)=(λX:λY:λT:λZ)。

论文《Twisted Edwards Curves Revisited》中的转换细节不好理解，可参看 更直观好理解。

https://doc-internal.dalek.rs/curve25519_dalek/backend/serial/curve_models/index.html

在curve25519中以edwards25519为例来讲解如何转换为extended model：

−x2+y2=1+dx2y2−x2+y2=1+dx2y2 设
x=X/Z,y=Y/Tx=X/Z,y=Y/T带入上面公式，清除分母，有：
−X2T2+Y2Z2=Z2T2+dX2Y2

 

−X2T2+Y2Z2=Z2T2+dX2Y2

进行Segre embedding转换：

σ:((X:Z),(Y:T))↦(XY:XT:ZY:ZT)↦(W0:W1:W2:W3)

 

σ:((X:Z),(Y:T))↦(XY:XT:ZY:ZT)↦(W0​:W1​:W2​:W3​)

/// A `CompletedPoint` is a point \\(((X:Z), (Y:T))\\) on the \\(\mathbb /// P\^1 \times \mathbb P\^1 \\) model of the curve. /// A point (x,y) in the affine model corresponds to \\( ((x:1),(y:1)) /// \\). /// /// More details on the relationships between the different curve models /// can be found in the module-level documentation. #[derive(Copy, Clone)] #[allow(missing_docs)] pub struct CompletedPoint { pub X: FieldElement, pub Y: FieldElement, pub Z: FieldElement, pub T: FieldElement, }

• 1
• 2
• 3
• 4
• 5
• 6
• 7
• 8
• 9
• 10
• 11
• 12
• 13
• 14
• 15

从而可有方程组来代表edwards25519：

{W0W3=W1W2−W21+W22=W23+dW20

 

{W0​W3​=W1​W2​−W12​+W22​=W32​+dW02​​

 

(W0:W1:W2:W3)

 

(W0​:W1​:W2​:W3​)即为extended 坐标系。

/// An `EdwardsPoint` represents a point on the Edwards form of Curve25519. #[derive(Copy, Clone)] #[allow(missing_docs)] pub struct EdwardsPoint { pub(crate) X: FieldElement, pub(crate) Y: FieldElement, pub(crate) Z: FieldElement, pub(crate) T: FieldElement, }

• 1
• 2
• 3
• 4
• 5
• 6
• 7
• 8
• 9

通过

(W0:W1:W2:W3)↦(W1:W2:W3)(W0​:W1​:W2​:W3​)↦(W1​:W2​:W3​)，有：
W1W3=XTZT=XZ=xW3​W1​​=ZTXT​=ZX​=x
W2W3=YZZT=YT=y

 

W3​W2​​=ZTYZ​=TY​=y

/// A `ProjectivePoint` is a point \\((X:Y:Z)\\) on the \\(\mathbb /// P\^2\\) model of the curve. /// A point \\((x,y)\\) in the affine model corresponds to /// \\((x:y:1)\\). /// /// More details on the relationships between the different curve models /// can be found in the module-level documentation. #[derive(Copy, Clone)] pub struct ProjectivePoint { pub X: FieldElement, pub Y: FieldElement, pub Z: FieldElement, }

• 1
• 2
• 3
• 4
• 5
• 6
• 7
• 8
• 9
• 10
• 11
• 12
• 13

其中identity element为

(0:1:0:1)(0:1:0:1)，(X:Y:T:Z)(X:Y:T:Z)的负数为 (−X:Y:−T:Z)

 

(−X:Y:−T:Z)。

---

 

尽管TT和ZZ可取任意值，不过在curve25519-dalek实现中，为了简化计算，取的是T=X∗Y,Z=1

 

T=X∗Y,Z=1。

---

 

2.3.2 Extened Twisted Edwards coordinate下的point加法运算

求

(X1:Y1:T1:Z1)+(X2:Y2:T2:Z2)=(X3:Y3:T3:Z3)(X1​:Y1​:T1​:Z1​)+(X2​:Y2​:T2​:Z2​)=(X3​:Y3​:T3​:Z3​)，其中：
X3=(X1Y2+Y1X2)(Z1Z2−dT1T2)X3​=(X1​Y2​+Y1​X2​)(Z1​Z2​−dT1​T2​)
Y3=(Y1Y2−aX1X2)(Z1Z2+dT1T2)Y3​=(Y1​Y2​−aX1​X2​)(Z1​Z2​+dT1​T2​)
T3=(Y1Y2−aX1X2)(X1Y2+Y1X2)T3​=(Y1​Y2​−aX1​X2​)(X1​Y2​+Y1​X2​)
Z3=(Z1Z2−dT1T2)(Z1Z2+dT1T2)

 

Z3​=(Z1​Z2​−dT1​T2​)(Z1​Z2​+dT1​T2​)

论文《Twisted Edwards Curves Revisited》中，进一步演化为与

d

 

d值无关的计算公式为：

3. 总结

---

 

注意，在Extended坐标系下，可提供更快的加法运算，在Projective坐标系下，可提供更快的double运算！！！实际使用时，可根据不同的计算选择不同的坐标系。

---

从【

CompletedPointσ:((X:Z),(Y:T))

 

σ:((X:Z),(Y:T))，即为affine坐标系】转换为【即为Extended 坐标系】，相应的代码为：EdwardsPoint

impl CompletedPoint { /// Convert this point from the \\( \mathbb P\^1 \times \mathbb P\^1 /// \\) model to the \\( \mathbb P\^3 \\) model. /// /// This costs \\(4 \mathrm M \\). pub fn to_extended(&self) -> EdwardsPoint { EdwardsPoint { X: &self.X * &self.T, Y: &self.Y * &self.Z, Z: &self.Z * &self.T, T: &self.X * &self.Y, } } }

• 1
• 2
• 3
• 4
• 5
• 6
• 7
• 8
• 9
• 10
• 11
• 12
• 13
• 14
• 15

从【

CompletedPointσ:((X:Z),(Y:T))

 

σ:((X:Z),(Y:T))，即为affine坐标系】转换为【即为Projective坐标系】的实现代码为：ProjectivePoint

impl CompletedPoint { /// Convert this point from the \\( \mathbb P\^1 \times \mathbb P\^1 /// \\) model to the \\( \mathbb P\^2 \\) model. /// /// This costs \\(3 \mathrm M \\). pub fn to_projective(&self) -> ProjectivePoint { ProjectivePoint { X: &self.X * &self.T, Y: &self.Y * &self.Z, Z: &self.Z * &self.T, } } }

• 1
• 2
• 3
• 4
• 5
• 6
• 7
• 8
• 9
• 10
• 11
• 12
• 13

从【即为Projective坐标系】转换为【即为Extended 坐标系】的实现代码为：

ProjectivePointEdwardsPoint

impl ProjectivePoint { /// Convert this point from the \\( \mathbb P\^2 \\) model to the /// \\( \mathbb P\^3 \\) model. /// /// This costs \\(3 \mathrm M + 1 \mathrm S\\). pub fn to_extended(&self) -> EdwardsPoint { EdwardsPoint { X: &self.X * &self.Z, Y: &self.Y * &self.Z, Z: self.Z.square(), T: &self.X * &self.Y, } } }

• 1
• 2
• 3
• 4
• 5
• 6
• 7
• 8
• 9
• 10
• 11
• 12
• 13
• 14

从【即为Extended 坐标系】转换为【即affine坐标系下，只取x坐标】，：

EdwardsPointMontgomeryPoint两者的映射关系为2-to-1

/// Convert this `EdwardsPoint` on the Edwards model to the /// corresponding `MontgomeryPoint` on the Montgomery model. /// /// This function has one exceptional case; the identity point of /// the Edwards curve is sent to the 2-torsion point \\((0,0)\\) /// on the Montgomery curve. /// /// Note that this is a one-way conversion, since the Montgomery /// model does not retain sign information. pub fn to_montgomery(&self) -> MontgomeryPoint { // We have u = (1+y)/(1-y) = (Z+Y)/(Z-Y). // // The denominator is zero only when y=1, the identity point of // the Edwards curve. Since 0.invert() = 0, in this case we // compute the 2-torsion point (0,0). let U = &self.Z + &self.Y; let W = &self.Z - &self.Y; let u = &U * &W.invert(); MontgomeryPoint(u.to_bytes()) }

• 1
• 2
• 3
• 4
• 5
• 6
• 7
• 8
• 9
• 10
• 11
• 12
• 13
• 14
• 15
• 16
• 17
• 18
• 19
• 20

从【即affine坐标系下，只取x坐标】转换为【即为Extended 坐标系】，：

MontgomeryPointEdwardsPoint两者的映射关系为1-to-2，所以要带上符号标识符，表示相应的的X坐标是整数还是负数signEdwardsPoint

/// Attempt to convert to an `EdwardsPoint`, using the supplied /// choice of sign for the `EdwardsPoint`. /// /// # Return /// /// * `Some(EdwardsPoint)` if `self` is the \\(u\\)-coordinate of a /// point on (the Montgomery form of) Curve25519; /// /// * `None` if `self` is the \\(u\\)-coordinate of a point on the /// twist of (the Montgomery form of) Curve25519; /// pub fn to_edwards(&self, sign: u8) -> Option<EdwardsPoint> { // To decompress the Montgomery u coordinate to an // `EdwardsPoint`, we apply the birational map to obtain the // Edwards y coordinate, then do Edwards decompression. // // The birational map is y = (u-1)/(u+1). // // The exceptional points are the zeros of the denominator, // i.e., u = -1. // // But when u = -1, v^2 = u*(u^2+486662*u+1) = 486660. // // Since this is nonsquare mod p, u = -1 corresponds to a point // on the twist, not the curve, so we can reject it early. let u = FieldElement::from_bytes(&self.0); if u == FieldElement::minus_one() { return None; } let one = FieldElement::one(); let y = &(&u - &one) * &(&u + &one).invert(); let mut y_bytes = y.to_bytes(); y_bytes[31] ^= sign << 7; CompressedEdwardsY(y_bytes).decompress() }

• 1
• 2
• 3
• 4
• 5
• 6
• 7
• 8
• 9
• 10
• 11
• 12
• 13
• 14
• 15
• 16
• 17
• 18
• 19
• 20
• 21
• 22
• 23
• 24
• 25
• 26
• 27
• 28
• 29
• 30
• 31
• 32
• 33
• 34
• 35
• 36
• 37
• 38
• 39

参考资料： [1] 论文《Twisted Edwards Curves Revisited》 [2] [3] 论文《Faster addition and doubling on elliptic curves》 [4] 论文《High-speed high-security signatures》 [5] 《Elliptic Curves for Security》 [6] 书《Guide to elliptic curve cryptography》 [7] 论文 [8]

https://en.wikipedia.org/wiki/Edwards_curve




《Twisted Edwards Curves》
https://doc-internal.dalek.rs/curve25519_dalek/backend/serial/curve_models/index.html

 

https://www.chainnode.com/post/217433

 

ed25519采用的曲线方程为。

私钥长度：32字节。

公钥长度：32字节，无其它长度。

签名长度：64字节。

2 签名算法

2.1 生成密钥对

私钥：使用随机数发生器生成随机数k作为私钥。

公钥生成过程：

1. 计算私钥哈希值：
2. 生成整数：
3. 生成公钥：

A就是公钥。

2.2 生成签名

则签名就是(R,S)。

2.3 签名验证

只需要检验是否成立。

2.4 签名验证原理分析

3 参考资料

• High-speed high-security signatures：描述ed25519签名过程的说明文档。

 

http://ed25519.cr.yp.to/Ed25519是一个数字签名算法，签名和验证的性能都极高， 一个4核2.4GHz 的 Westmere cpu，每秒可以验证 71000 个签名，安全性极高，等价于RSA约3000-bit。签名过程不依赖随机数生成器，不依赖hash函数的防碰撞性，没有时间通道攻击的问题，并且签名很小，只有64字节，公钥也很小，只有32字节。 部署情 况http://ianix.com/pub/ed25519-deployment.html

最近看到恒星（Stellar）网络使用了Ed25519算法作为签名算法，有点兴趣，无奈资料太少，其算法网站也比较简陋，结合找到的资料和网站介绍，粗略看了看，25519这个算法很有特点，相比传统椭圆曲线算法有较大优势，今天简单介绍给大家

Curve25519/Ed25519/X25519 是著名密码学家 Daniel J. Bernstein 在 2006 年独立设计的椭圆曲线加密 /签名 /密钥交换算法，和现有的任何椭圆曲线算法都完全独立，其中Ed25519用于签名，可在区块链中进行签名，Stellar就是使用了Ed25519作为签名算法的

Daniel J. Bernstein 是世界著名的密码学家，他在大学曾经开设过一门 UNIX 系统安全的课程给学生，结果一学期下来，发现了 UNIX 程序中的 91 个安全漏洞；
他早年在美国依然禁止出口加密算法时，曾因为把自己设计的加密算法发布到网上遭到了美国政府的起诉，他本人抗争六年，最后美国政府撤销所有指控，目前另一个非常火的高性能安全流密码 ChaCha20 也是出自 Bernstein 之手
25519 系列曲线自 2006 年发表以来，除了学术界无人问津， 2013 年爱德华·斯诺登曝光棱镜计划后，该算法突然大火。大量软件，如 OpenSSH 都迅速增加了对 25519 系列的支持，如今 25519 已经是大势所趋，可疑的 NIST 曲线迟早要退出椭圆曲线的历史舞台，目前， RFC 增加了 SSL/TLS 对 X25519 密钥交换协议的支持，而新版 OpenSSL 1.1 也加入支持，是摆脱老大哥的第一步，下一步是将 Ed25519 做为可选的 TLS 证书签名算法，彻底摆脱 NIST 。

根据其网站介绍，Ed25519算法具有以下优势：

完全开放设计，算法各参数的选择直截了当，非常明确，没有任何可疑之处，相比之下，目前广泛使用的椭圆曲线是 NIST 系列标准，方程的系数是使用来历不明的随机种子 c49d3608 86e70493 6a6678e1 139d26b7 819f7e90 生成的，至于这个种子的来历没有资料介绍；

安全性高，一个椭圆曲线加密算法就算在数学上是安全的，在实用上也并不一定安全，有很大的概率通过缓存、时间、恶意输入摧毁安全性，而 25519 系列椭圆曲线经过特别设计，尽可能的将出错的概率降到了最低，可以说是实践上最安全的加密算法。例如，任何一个 32 位随机数都是一个合法的 X25519 公钥，因此通过恶意数值攻击是不可能的，算法在设计的时候刻意避免的某些分支操作，这样在编程的时候可以不使用 if ，减少了不同 if 分支代码执行时间不同的时序攻击概率，相反， NIST 系列椭圆曲线算法在实际应用中出错的可能性非常大，而且对于某些理论攻击的免疫能力不高。Bernstein 对市面上所有的加密算法使用 12 个标准进行了考察， 25519 是几乎唯一满足这些标准的。

以下是评价的截图，具体可以看网站：https://safecurves.cr.yp.to/index.html

速度快， 25519 系列曲线是目前最快的椭圆曲线加密算法，性能远远超过 NIST 系列，而且具有比 P-256 更高的安全性；
以下是其网站的介绍，都是比较简单的英语描述，最近事情太多，实在来不及翻译了，偷下懒

Fast single-signature verification.The softwaretakes only 273364 cycles to verify a signature on Intel's widely deployed Nehalem/Westmere lines of CPUs. (This performance measurement is for short messages; for very long messages, verification time is dominated by hashing time.) Nehalem and Westmere include all Core i7, i5, and i3 CPUs released between 2008 and 2010, and most Xeon CPUs released in the same period.

Even faster batch verification.The software performs a batch of 64 separate signature verifications (verifying 64 signatures of 64 messages under 64 public keys) in only 8.55 million cycles, i.e., under 134000 cycles per signature. The software fits easily into L1 cache, so contention between cores is negligible: a quad-core 2.4GHz Westmere verifies 71000 signatures per second, while keeping the maximum verification latency below 4 milliseconds.

Very fast signing.The software takes only 87548 cycles to sign a message. A quad-core 2.4GHz Westmere signs 109000 messages per second.

Fast key generation.Key generation is almost as fast as signing. There is a slight penalty for key generation to obtain a secure random number from the operating system;/dev/urandomunder Linux costs about 6000 cycles.

High security level.This system has a 2^128 security target; breaking it has similar difficulty to breaking NIST P-256, RSA with ~3000-bit keys, strong 128-bit block ciphers, etc. The best attacks known actually cost more than 2^140 bit operations on average, and degrade quadratically in success probability as the number of bit operations drops.

Foolproof session keys.Signatures are generated deterministically; key generation consumes new randomness but new signatures do not. This is not only a speed feature but also a security feature, directly relevant to the recent collapse of the Sony PlayStation 3 security system.

Collision resilience.Hash-function collisions do not break this system. This adds a layer of defense against the possibility of weakness in the selected hash function.

No secret array indices.The software never reads or writes data from secret addresses in RAM; the pattern of addresses is completely predictable. The software is therefore immune to cache-timing attacks, hyperthreading attacks, and other side-channel attacks that rely on leakage of addresses through the CPU cache.

No secret branch conditions.The software never performs conditional branches based on secret data; the pattern of jumps is completely predictable. The software is therefore immune to side-channel attacks that rely on leakage of information through the branch-prediction unit.

Small signatures.Signatures fit into 64 bytes. These signatures are actually compressed versions of longer signatures; the times for compression and decompression are included in the cycle counts reported above.

Small keys.Public keys consume only 32 bytes. The times for compression and decompression are again included.

关于本文

了解这些主要是为了扩充知识面，毕竟算法设计太专业，没有超强的数学功底还是不建议自己设计算法；您也可以将本文分享出去让更多人了解这些知识，您的支持和鼓励是我最大的动力，长按二维码关注