### The Provable Security of Ed25519: Theory and Practice

Jacqueline Brendel, Cas Cremers, Dennis Jackson, and Mang Zhao

##### Abstract

A standard requirement for a signature scheme is that it is existentially unforgeable under chosen message attacks (EUF-CMA), alongside other properties of interest such as strong unforgeability (SUF-CMA), and resilience against key substitution attacks. Remarkably, no detailed proofs have ever been given for these security properties for EdDSA, and in particular its Ed25519 instantiations. Ed25519 is one of the most efficient and widely used signature schemes, and different instantiations of Ed25519 are used in protocols such as TLS 1.3, SSH, Tor, Zcash, and WhatsApp/Signal. The differences between these instantiations are subtle, and only supported by informal arguments, with many works assuming results can be directly transferred from Schnorr signatures. Similarly, several proofs of protocol security simply assume that Ed25519 satisfies properties such as EUF-CMA or SUF-CMA. In this work we provide the first detailed analysis and security proofs of Ed25519 signature schemes. While the design of the schemes follows the well-established Fiat-Shamir paradigm, which should guarantee existential unforgeability, there are many side cases and encoding details that complicate the proofs, and all other security properties needed to be proven independently. Our work provides scientific rationale for choosing among several Ed25519 variants and understanding their properties, fills a much needed proof gap in modern protocol proofs that use these signatures, and supports further standardisation efforts.

Available format(s)
Category
Public-key cryptography
Publication info
Published elsewhere. MINOR revision.IEEE Symposium on Security and Privacy (S&P 2021)
Keywords
digital signaturesapplicationsprovable security
Contact author(s)
cremers @ cispa saarland
History
2020-10-14: last of 3 revisions
See all versions
Short URL
https://ia.cr/2020/823

CC BY

BibTeX

@misc{cryptoeprint:2020/823,
author = {Jacqueline Brendel and Cas Cremers and Dennis Jackson and Mang Zhao},
title = {The Provable Security of Ed25519: Theory and Practice},
howpublished = {Cryptology ePrint Archive, Paper 2020/823},
year = {2020},
note = {\url{https://eprint.iacr.org/2020/823}},
url = {https://eprint.iacr.org/2020/823}
}

Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.