**EdDSA** (Edwards-curve Digital Signature Algorithm) is a modern and secure digital signature algorithm based on performance-optimized elliptic curves, such as the 255-bit curve **Curve25519** and the 448-bit curve **Curve448-Goldilocks**. The EdDSA signatures use the **Edwards form** of the elliptic curves (for performance reasons), respectively `edwards25519`

and `edwards448`

. The **EdDSA** algorithm is based on the **Schnorr signature algorithm** and relies on the difficulty of the **ECDLP problem**.

The **EdDSA** signature algorithm and its variants **Ed25519** and **Ed448** are technically described in the RFC 8032.

**Ed25519** and **Ed448** use small **private keys** (32 or 57 bytes respectively), small **public keys** (32 or 57 bytes) and **small signatures** (64 or 114 bytes) with **high security level** at the same time (128-bit or 224-bit respectively).

Assume the elliptic curve for the EdDSA algorithm comes with a generator point **G** and a subgroup order ** q** for the EC points, generated from

The **EdDSA key-pair** consists of:

**private key**(integer):*privKey***public key**(EC point):=*pubKey***privKey***G**

The **private key** is generated from a **random integer**, known as ** seed** (which should have similar bit length, like the curve order). The

The public key ** pubKey** is a point on the elliptic curve, calculated by the EC point multiplication:

The **EdDSA signing** algorithm (RFC 8032) takes as input a text message ** msg** + the signer's EdDSA

`EdDSA_sign(msg, privKey) --> { R, s }`

Calculate

=*pubKey***privKey***G**Deterministically generate a secret integer

= hash(hash(*r*) +*privKey*) mod*msg*(this is a bit simplified)*q*Calculate the public key point behind

by multiplying it by the curve generator:*r*=*R***r***G**Calculate

= hash(*h*+*R*+*pubKey*) mod*msg**q*Calculate

= (*s*+*r***h*) mod*privKey**q*Return the

**signature**{,*R*}*s*

The produced **digital signature** is 64 bytes (32 + 32 bytes) for **Ed25519** and 114 bytes (57 + 57 bytes) for **Ed448**. It holds a compressed point ** R** + the integer

The **EdDSA signature verification **algorithm (RFC 8032) takes as input a text message ** msg** + the signer's EdDSA

`EdDSA_signature_verify(msg, pubKey, signature { R, s } ) --> valid / invalid`

Calculate

= hash(*h*+*R*+*pubKey*) mod*msg**q*Calculate

=*P1***s***G**Calculate

=*P2*+*R***h**pubKey*Return

==*P1**P2*

During the verification the point ** P1** is calculated as:

During the signing ** s** = (

=*P1***s***G =**(+*r***h*) mod*privKey***q***G**=**r***G**+**h***privKey***G**=+*R***h**pubKey*

The above is exactly the other point ** P2**. If these points

If we compare the signing and verification for EdDSA, we shall find that **EdDSA is simpler than ECDSA**, easier to understand and to implement. Both signature algorithms have **similar security strength** for curves with similar key lengths. For the most popular curves (liked `edwards25519`

and `edwards448`

) the **EdDSA algorithm is slightly faster than ECDSA**, but this highly depends on the curves used and on the certain implementation. Unlike ECDSA the EdDSA signatures do not provide a way to **recover the signer's public key** from the signature and the message. Generally, it is considered that EdDSA is recommended for most modern apps.