monero-docs/docs/cryptography/asymmetric/ed25519.md
Piotr Włodarek 0f07b2e9a3 WiP ed25519
2018-01-06 14:41:04 +01:00


# Ed25519 curve

!!! danger The article author is nowhere close to being a cryptographer. Be sceptical about its accuracy.

!!! note This article is only about the underlying curve. Public key derivation and the signing algorithm will be treated separately.

!!! note Before we get to Monero, a little bit of context. We are talking asymmetric cryptography here. "Asymmetric" simply means there are two keys:

* the private key (used primarily for signing data and for decrypting data)
* the public key (used primarily for signature verification and encrypting data)

This is in contrast to symmetric cryptography which uses a single (secret) key.

Historically, asymmetric cryptography was based on the problem of factoring very large integers back into prime numbers (which is practically impossible for large enough integers).

More recently, asymmetric cryptography has been based on the mathematical notion of elliptic curves.
Ed25519 is a specific, well researched and standardized elliptic curve.

Monero employs the Ed25519 elliptic curve as the basis for its key pair generation.

However, Monero does not exactly follow the EdDSA reference signature scheme.

## Definition

This is the standard Ed25519 curve definition, no Monero specific stuff here.

Curve equation (a twisted Edwards curve; both minus signs matter):

```
-x^2 + y^2 = 1 - (121665/121666) * x^2 * y^2
```

Base point:

```
# The base point is a specific point on the curve. It is used
# as the basis for further calculations. It is an arbitrary choice
# by the curve authors, just to standardize the scheme.
#
# Note that it is enough to specify the y value and the sign of the x value.
# That's because the specific x can be calculated from the curve equation.
G = (x, 4/5)  # take the point with the positive x

# The hex representation of the base point (compressed, 32 bytes)
5866666666666666666666666666666666666666666666666666666666666666
```

Prime order of the base point:

```
# In layman's terms, the "canvas" where the curve is drawn is assumed
# to have a finite "resolution", so point coordinates must "wrap around"
# at some point. This is achieved by reducing modulo the "l" value.
# In other words, "l" defines the maximum scalar we can use.
l = 2^252 + 27742317777372353535851937790883648493
```

The total number of points on the curve, a prime number:

```
q = 2^255 - 19
```
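The definitions above, checked end to end in plain Python. This is an added example, not code from the monero-docs page or from Monero itself: it recovers the base point from `y = 4/5`, confirms the compressed encoding `5866...66`, and confirms that `l` is the order of `G` by checking `l*G` is the identity. In this code `q` is used as the prime modulus of the coordinate field, and the final check shows a point of order 2 that lies on the curve but not in the subgroup generated by `G` (the full curve group has `8*l` points, cofactor 8), which is the kind of small-order point careful protocols reject. The arithmetic is not constant-time, so it is for study only.

```python
# Added example, not part of the monero-docs page: the Ed25519 definitions
# checked with plain Python integers. Educational only; it is not
# constant-time, so it must never be used with real keys.

q = 2**255 - 19                                        # prime modulus of the coordinate field
l = 2**252 + 27742317777372353535851937790883648493    # prime order of the base point G
d = (-121665 * pow(121666, -1, q)) % q                 # curve constant d = -121665/121666 mod q
SQRT_M1 = pow(2, (q - 1) // 4, q)                      # sqrt(-1) mod q, used when recovering x
NEUTRAL = (0, 1)                                       # the group identity


def on_curve(P):
    """True if P = (x, y) satisfies -x^2 + y^2 = 1 + d*x^2*y^2 (mod q)."""
    x, y = P
    return (-x * x + y * y - 1 - d * x * x * y * y) % q == 0


def recover_x(y, x_is_odd):
    """Recover x from y via x^2 = (y^2 - 1) / (d*y^2 + 1); x_is_odd picks the root.
    Even x is the "positive" one, so the base point uses x_is_odd = 0."""
    xx = (y * y - 1) * pow((d * y * y + 1) % q, -1, q) % q
    x = pow(xx, (q + 3) // 8, q)          # candidate square root, valid because q = 5 (mod 8)
    if (x * x - xx) % q != 0:
        x = x * SQRT_M1 % q               # the other candidate
    if (x * x - xx) % q != 0:
        raise ValueError("no point on the curve has this y coordinate")
    if (x & 1) != x_is_odd:
        x = q - x
    return x


def encode(P):
    """Compressed 32-byte encoding: y little-endian, parity of x in the top bit."""
    x, y = P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def decode(b):
    """Inverse of encode(); rejects encodings that do not decode to a curve point."""
    n = int.from_bytes(b, "little")
    y = n & ((1 << 255) - 1)
    P = (recover_x(y, n >> 255), y)
    if not on_curve(P):
        raise ValueError("decoded point is not on the curve")
    return P


def add(P, Q):
    """Twisted Edwards addition law with a = -1 (complete: no special cases)."""
    x1, y1 = P
    x2, y2 = Q
    t = d * x1 * x2 * y1 * y2 % q
    x3 = (x1 * y2 + x2 * y1) * pow((1 + t) % q, -1, q) % q
    y3 = (y1 * y2 + x1 * x2) * pow((1 - t) % q, -1, q) % q
    return (x3, y3)


def mul(k, P):
    """Double-and-add scalar multiplication; scalars are only meaningful mod l."""
    R = NEUTRAL
    while k:
        if k & 1:
            R = add(R, P)
        P = add(P, P)
        k >>= 1
    return R


def in_prime_order_subgroup(P):
    """True if l*P is the identity, i.e. P lies in the subgroup generated by G.
    Small-order (torsion) points on the curve fail this check."""
    return mul(l, P) == NEUTRAL


# Base point: y = 4/5 mod q, take the "positive" (even) x
G_y = 4 * pow(5, -1, q) % q
G = (recover_x(G_y, 0), G_y)

if __name__ == "__main__":
    print("G on curve      :", on_curve(G))
    print("G encoded       :", encode(G).hex())        # 5866...66, as on the page
    print("l*G == identity :", in_prime_order_subgroup(G))
    print("(0,-1) has order 2:", mul(2, (0, q - 1)) == NEUTRAL)
    print("(0,-1) in G's subgroup:", in_prime_order_subgroup((0, q - 1)))
```

Run it with any Python 3.8 or newer (it relies on `pow(x, -1, q)` for modular inverses). Changing the `1 -` in the curve constant or the `x_is_odd` selection makes the encoding check fail, which is a quick way to see that both the sign of `d` and the "positive x" convention are part of the definition.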

## Implementation

Monero uses an (apparently modified) version of the Ref10 implementation by Daniel J. Bernstein.

## Reference