# Ed25519 curve !!! danger Article author is nowhere close to being a cryptographer. Be sceptical on accuracy. !!! note This article is only about the underlying curve. Public key derivation and signing algorithm will be treated separately. !!! note Before we get to Monero, a little bit of context. We are talking asymmetric cryptography here. The "asymmetric" simply means the are two keys: * the private key (used primarily for signing data and for decrypting data) * the public key (used primarily for signature verification and encrypting data) This is in contrast to symmetric cryptography which uses a single (secret) key. Historically, asymmetric cryptography was based on the problem of factorization of a very large integers back into prime numbers (which is practically impossible for large enough integers). Recently, asymmetric cryptography is based on a mathematical notion of elliptic curves. Ed25519 is a specific, well researched and standardized elliptic curve. Monero employs Ed25519 elliptic curve as a basis for its key pair generation. However, Monero does not exactly follow EdDSA reference signature scheme. ## Definition This is the standard Ed25519 curve definition, no Monero specific stuff here. Curve equation: −x^2 + y^2 = 1 − (121665/121666) * x^2 * y^2 Base point: # The base point is the specific point on the curve. It is used # as a basis for further calculations. It is an arbitrary choice # by the curve authors, just to standarize the scheme. # # Note that it is enough to specify the y value and the sign of the x value. # That's because the specific x can be calculated from the curve equation. G = (x, 4/5) # take the point with the positive x # The hex representation of the base point 5866666666666666666666666666666666666666666666666666666666666666 Prime order of the base point: # In layment terms, the "canvas" where the curve is drawn is assumed # to have a finite "resolution", so point coordinates must "wrap around" # at some point. This is achieved by modulo the "l" value. # In other words, the "l" defines the maximum scalar we can use. l = 2^252 + 27742317777372353535851937790883648493 The total number of points on the curve, a prime number: q = 2^255 - 19 ## Implementation Monero uses (apparently modified) Ref10 implementation by Daniel J. Bernstein. ## Reference * [Understanding Monero Cryptography](https://steemit.com/monero/@luigi1111/understanding-monero-cryptography-privacy-introduction) - excellent writeup by Luigi * [StackOverflow answer](https://monero.stackexchange.com/questions/2290/why-how-does-monero-generate-public-ed25519-keys-without-using-the-standard-publ) * [Python implementation](https://github.com/monero-project/mininero/blob/master/ed25519.py) - not the reference one but easier to understand * [Encoding point to hex](https://monero.stackexchange.com/questions/6050/what-is-the-base-point-g-from-the-whitepaper-and-how-is-it-represented-as-a) * [Ed25519 on Wikipedia](https://en.wikipedia.org/wiki/EdDSA#Ed25519) * [A (Relatively Easy To Understand) Primer on Elliptic Curve Cryptography](https://blog.cloudflare.com/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/)