ed25519
https://tools.ietf.org/html/rfc7748#section-4.1
https://blog.csdn.net/mutourend/article/details/98597316
4.1. Curve25519
For the ~128-bit security level, the prime 2^255 - 19 is recommended
for performance on a wide range of architectures. Few primes of the
form 2^c-s with s small exist between 2^250 and 2^521, and other
choices of coefficient are not as competitive in performance. This
prime is congruent to 1 mod 4, and the derivation procedure in
Appendix A results in the following Montgomery curve
v^2 = u^3 + A*u^2 + u, called "curve25519":
p        2^255 - 19
A        486662
order    2^252 + 0x14def9dea2f79cd65812631a5cf5d3ed
cofactor 8
U(P)     9
V(P)     14781619447589544791020593568409986887264606134616475288964881837755586237401
The base point is u = 9, v = 14781619447589544791020593568409986887264606134616475288964881837755586237401.
This curve is birationally equivalent to a twisted Edwards curve -x^2 + y^2 = 1 + d*x^2*y^2, called "edwards25519", where:
p        2^255 - 19
d        37095705934669439343138083508754565189542113879843219016388785533085940283555
order    2^252 + 0x14def9dea2f79cd65812631a5cf5d3ed
cofactor 8
X(P)     15112221349535400772501151409588531511454012693041857206046113283949847762202
Y(P)     46316835694926478169428394003475163141307993866256225615783033603165251855960
Langley, et al. Informational [Page 4]
RFC 7748 Elliptic Curves for Security January 2016
The birational maps are:
(u, v) = ((1+y)/(1-y), sqrt(-486664)*u/x)
(x, y) = (sqrt(-486664)*u/v, (u-1)/(u+1))
The Montgomery curve defined here is equal to the one defined in [curve25519], and the equivalent twisted Edwards curve is equal to the one defined in [ed25519].
4.2. Curve448
For the ~224-bit security level, the prime 2^448 - 2^224 - 1 is
recommended for performance on a wide range of architectures. This
prime is congruent to 3 mod 4, and the derivation procedure in
Appendix A results in the following Montgomery curve, called
"curve448":
p        2^448 - 2^224 - 1
A        156326
order    2^446 - 0x8335dc163bb124b65129c96fde933d8d723a70aadc873d6d54a7bb0d
cofactor 4
U(P)     5
V(P)     355293926785568175264127502063783334808976399387714271831880898435169088786967410002932673765864550910142774147268105838985595290606362
This curve is birationally equivalent to the Edwards curve x^2 + y^2
= 1 + d*x^2*y^2 where:
p        2^448 - 2^224 - 1
d        611975850744529176160423220965553317543219696871016626328968936415087860042636474891785599283666020414768678979989378147065462815545017
order    2^446 - 0x8335dc163bb124b65129c96fde933d8d723a70aadc873d6d54a7bb0d
cofactor 4
X(P)     345397493039729516374008604150537410266655260075183290216406970281645695073672344430481787759340633221708391583424041788924124567700732
Y(P)     363419362147803445274661903944002267176820680343659030140745099590306164083365386343198191849338272965044442230921818680526749009182718
The birational maps are:
(u, v) = ((y-1)/(y+1), sqrt(156324)*u/x)
(x, y) = (sqrt(156324)*u/v, (1+u)/(1-u))
Both of those curves are also 4-isogenous to the following Edwards curve x^2 + y^2 = 1 + d*x^2*y^2, called "edwards448", where:
p        2^448 - 2^224 - 1
d        -39081
order    2^446 - 0x8335dc163bb124b65129c96fde933d8d723a70aadc873d6d54a7bb0d
cofactor 4
X(P)     224580040295924300187604334099896036246789641632564134246125461686950415467406032909029192869357953282578032075146446173674602635247710
Y(P)     298819210078481492676017930443930673437544040154080242095928241372331506189835876003536878655418784733982303233503462500531545062832660
The 4-isogeny maps between the Montgomery curve and this Edwards curve are:
(u, v) = (y^2/x^2, (2 - x^2 - y^2)*y/x^3)
(x, y) = (4*v*(u^2 - 1)/(u^4 - 2*u^2 + 4*v^2 + 1), -(u^5 - 2*u^3 - 4*u*v^2 + u)/(u^5 - 2*u^2*v^2 - 2*u^3 - 2*v^2 + u))
The curve edwards448 defined here is also called "Goldilocks" and is equal to the one defined in [goldilocks].
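As an added example (not code from RFC 7748 or from the blog), the following Python cross-checks the curve448 values quoted in section 4.2: that the three base points lie on their curves, that the birational map carries the Edwards base point (with d = 611...) onto u = 5, and that the 4-isogeny carries the edwards448 base point onto a point of curve448. Square roots use a^((p+1)/4), which is valid because this p is 3 mod 4; the sign of a mapped coordinate depends on which root is chosen, so those are compared up to sign.

```python
# Added example (not code from RFC 7748): cross-checks the curve448 values in
# section 4.2: base-point membership, the birational map to the Edwards curve
# with d = 611..., and the 4-isogeny image of the edwards448 base point.
p = 2**448 - 2**224 - 1
A = 156326
U, V = 5, 355293926785568175264127502063783334808976399387714271831880898435169088786967410002932673765864550910142774147268105838985595290606362
D1 = 611975850744529176160423220965553317543219696871016626328968936415087860042636474891785599283666020414768678979989378147065462815545017
X1 = 345397493039729516374008604150537410266655260075183290216406970281645695073672344430481787759340633221708391583424041788924124567700732
Y1 = 363419362147803445274661903944002267176820680343659030140745099590306164083365386343198191849338272965044442230921818680526749009182718
D2 = -39081  # edwards448 ("Goldilocks")
X2 = 224580040295924300187604334099896036246789641632564134246125461686950415467406032909029192869357953282578032075146446173674602635247710
Y2 = 298819210078481492676017930443930673437544040154080242095928241372331506189835876003536878655418784733982303233503462500531545062832660

def inv(a): return pow(a, p - 2, p)

def sqrt_mod_p(a):
    # p = 3 (mod 4): a^((p+1)/4) is a square root of a whenever a is a square
    r = pow(a % p, (p + 1) // 4, p)
    assert (r * r - a) % p == 0, "not a square mod p"
    return r

def on_montgomery(u, v): return (v * v - (u**3 + A * u * u + u)) % p == 0  # curve448
def on_edwards(x, y, d): return (x * x + y * y - 1 - d * x * x * y * y) % p == 0

def edwards_to_montgomery(x, y):  # (u, v) = ((y-1)/(y+1), sqrt(156324)*u/x); v sign follows the root
    u = (y - 1) * inv(y + 1) % p
    return u, sqrt_mod_p(156324) * u * inv(x) % p

def montgomery_to_edwards(u, v):  # (x, y) = (sqrt(156324)*u/v, (1+u)/(1-u)); x sign follows the root
    return sqrt_mod_p(156324) * u * inv(v) % p, (1 + u) * inv(1 - u) % p

def isogeny_to_montgomery(x, y):  # 4-isogeny: (u, v) = (y^2/x^2, (2 - x^2 - y^2)*y/x^3)
    u = y * y * inv(x * x) % p
    return u, (2 - x * x - y * y) * y * inv(pow(x, 3, p)) % p

def checks():
    u, v = edwards_to_montgomery(X1, Y1)
    x, y = montgomery_to_edwards(U, V)
    iu, iv = isogeny_to_montgomery(X2, Y2)
    return {
        "base points on their curves": on_montgomery(U, V) and on_edwards(X1, Y1, D1) and on_edwards(X2, Y2, D2),
        "birational map agrees, x and v up to sign": u == U and v in (V, p - V) and y == Y1 and x in (X1, p - X1),
        "isogeny image of the edwards448 base point lies on curve448": on_montgomery(iu, iv),
    }
```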
At present, the mainstream signature schemes are ECDSA over the secp256r1 or secp256k1 curves, and when ECDSA is applied the slightest carelessness leads to all kinds of security problems; for details see "The Seven Deadly Sins of ECDSA in Blockchain Applications". Beyond security, the efficiency of the signature scheme is also an important consideration for engineering deployment. OpenSSL has deeply optimized the secp256r1 curve, reaching a signing speed of roughly 30000 per second and a verification speed of roughly 12000 per second, while libsecp256k1 has deeply optimized the secp256k1 curve, reaching a signing speed of roughly 20000 per second and, when compiled with both the --enable-endomorphism and --with-bignum=gmp options, roughly 19000 verifications per second (exploiting the endomorphism gives roughly a 22% verification speedup and using the GMP library gives roughly a 14% speedup; because the two techniques are orthogonal, stacking them raises the verification speed from roughly 13000 per second to roughly 19000 per second). Execution speed can also be raised step by step as techniques improve and new CPU instructions appear. However, the demand for better security together with higher execution efficiency perhaps cannot be satisfied by this kind of small-step iteration and patching.
Solving the application-security, implementation-security and efficiency problems described above at the same time requires deeper improvements beyond engineering measures. A natural direction is to rebuild the elliptic curve and the signature scheme so as to improve several layers simultaneously: improve the low-level arithmetic to speed up the middle-layer group operations, adapt the middle-layer group operations to the upper-layer protocol, and, when designing the upper-layer signature scheme, take into account and avoid the problems and limitations of ECDSA. The EdDSA (Edwards-curve Digital Signature Algorithm) signature scheme is the outcome of this line of research. EdDSA was designed by Bernstein et al. in 2012 as a digital signature algorithm based on Edwards curves. EdDSA is a variant of the Schnorr signature scheme; its design goal is to speed up signing and verification without sacrificing security while also solving some of the application problems of ECDSA described above.
Ed25519 is the EdDSA scheme instantiated with the twisted Edwards curve Edwards25519 and SHA-512. Edwards25519 is an equivalent transformation of the Montgomery curve Curve25519 proposed by Bernstein et al. in 2005; Curve25519 was proposed to speed up ECDH computation. The reason for using an equivalent transformation of Curve25519 rather than Curve25519 directly is that ECDH and EdDSA depend on different group operations; this can be seen as a classic example of adapting the middle-layer group operations to the upper-layer protocol. In addition, the choice of the underlying finite field for both curves also took fast implementation and encoding concerns into account. The signature design of Ed25519 also takes the nonce problem common in ECDSA into consideration and solves nonce generation directly inside the signature scheme.
Ed25519 brings improvements in several dimensions of security and performance, but its underlying twisted Edwards curve, or the equivalent Montgomery curve, looks quite unfamiliar compared with the short-Weierstrass form of the secp256k1/secp256r1 curves. To understand the Ed25519 signature scheme in depth, one first needs to understand the relationship between these three curve forms. For the transformation from the general Weierstrass form to the short-Weierstrass form, between the short-Weierstrass form and the Montgomery form, and between the Montgomery form and the twisted Edwards form, please click "read the original article".
Moreover, Ed25519 does introduce a problem that does not exist in ECDSA over secp256k1 or secp256r1: a problem caused by the curve's cofactor not being 1, which made it possible to spend a single transaction eight times in Monero (the problem has since been fixed). secp256k1 and secp256r1 have cofactor 1, so the cofactor needs no consideration and causes no security problems. Edwards25519 has cofactor 8, so the cofactor must be taken into account in applications, and the cofactor of 8 also partly shaped the design of the Ed25519 signature scheme. However, continually patching over pitfalls of the underlying curve in the upper-layer protocol design is not the approach we prefer, and so corresponding countermeasures exist. Later we will explain step by step the Ed25519 signature scheme, its advantages, its possible problems and the improvements. This time we first try to understand Montgomery curves and twisted Edwards curves.
Author: CoinExChain
Link: https://www.jianshu.com/p/53f7bd3405cc
Source: Jianshu
Copyright belongs to the author. For commercial reprinting, contact the author for authorization; for non-commercial reprinting, cite the source.
An Edwards curve is defined by
$$x^2 + y^2 = 1 + d\,x^2 y^2,\qquad d \notin \{0, 1\},$$
over a field whose characteristic is not 2.
For Curve25519, the Montgomery form is
$$v^2 = u^3 + 486662\,u^2 + u,\qquad q = 2^{255} - 19.$$
The corresponding Edwards curve is
$$x^2 + y^2 = 1 + \frac{121665}{121666}\,x^2 y^2.$$
The transformations between the two forms are:
(x
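As an added example (not code from RFC 7748 or from the blog), the following Python cross-checks the curve25519 and edwards25519 parameters and birational maps quoted in section 4.1 above against the Edwards form with d = 121665/121666 given just above, and confirms with twisted Edwards arithmetic that the base point has order L while 8*B is not the identity, i.e. the cofactor of 8 discussed in the text. Square roots use the standard trick for p = 5 mod 8; a mapped x or v coordinate is compared up to sign because either root is valid.

```python
# Added example (not code from RFC 7748 or the blog): cross-checks the curve25519 /
# edwards25519 values quoted in section 4.1 and in the closing definitions above.
p = 2**255 - 19
A = 486662
L = 2**252 + 0x14def9dea2f79cd65812631a5cf5d3ed  # order of the base point
d = 37095705934669439343138083508754565189542113879843219016388785533085940283555
U, V = 9, 14781619447589544791020593568409986887264606134616475288964881837755586237401
X = 15112221349535400772501151409588531511454012693041857206046113283949847762202
Y = 46316835694926478169428394003475163141307993866256225615783033603165251855960
def inv(a): return pow(a, p - 2, p)
def sqrt_mod_p(a):
    # p = 5 (mod 8): a^((p+3)/8) squares to a or -a; fix the latter with sqrt(-1)
    r = pow(a % p, (p + 3) // 8, p)
    if (r * r - a) % p: r = r * pow(2, (p - 1) // 4, p) % p
    assert (r * r - a) % p == 0, "not a square mod p"
    return r

def on_montgomery(u, v): return (v * v - (u**3 + A * u * u + u)) % p == 0  # curve25519
def on_twisted_edwards(x, y): return (-x * x + y * y - 1 - d * x * x * y * y) % p == 0  # edwards25519
def montgomery_to_edwards(u, v):  # (x, y) = (sqrt(-486664)*u/v, (u-1)/(u+1)); x sign follows the root
    return sqrt_mod_p(-486664) * u * inv(v) % p, (u - 1) * inv(u + 1) % p
def edwards_to_montgomery(x, y):  # (u, v) = ((1+y)/(1-y), sqrt(-486664)*u/x); v sign follows the root
    u = (1 + y) * inv(1 - y) % p
    return u, sqrt_mod_p(-486664) * u * inv(x) % p

def ed_add(P, Q):
    # affine twisted Edwards addition for a = -1 (complete on edwards25519)
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2 % p
    return (x1 * y2 + x2 * y1) * inv(1 + t) % p, (y1 * y2 + x1 * x2) * inv(1 - t) % p

def ed_mul(k, P):
    R = (0, 1)  # neutral element
    while k:
        if k & 1: R = ed_add(R, P)
        P, k = ed_add(P, P), k >> 1
    return R

def checks():
    x, y = montgomery_to_edwards(U, V)
    u, v = edwards_to_montgomery(X, Y)
    i, d2 = sqrt_mod_p(-1), 121665 * inv(121666) % p  # x -> i*x turns -x^2 + y^2 = 1 + d*x^2*y^2 into x^2 + y^2 = 1 + d2*x^2*y^2
    return {
        "base points on their curves": on_montgomery(U, V) and on_twisted_edwards(X, Y),
        "maps agree, x and v up to sign": y == Y and x in (X, p - X) and u == U and v in (V, p - V),
        "d == -121665/121666": (d + d2) % p == 0,
        "untwisted form holds with d2 = 121665/121666": ((i * X)**2 + Y * Y - 1 - d2 * (i * X)**2 * Y * Y) % p == 0,
        "L * B is the identity": ed_mul(L, (X, Y)) == (0, 1),
        "8 * B is not (cofactor 8)": ed_mul(8, (X, Y)) != (0, 1),
    }
```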