mirror of
https://github.com/monero-project/monero-docs.git
synced 2024-10-30 19:07:35 +00:00
# Ed25519 curve

!!! danger
    Article author is nowhere close to being a cryptographer. Be sceptical on accuracy.

!!! note
    This article is only about the underlying curve. Public key derivation and signing algorithm will be treated separately.

!!! note
    Before we get to Monero, a little bit of context. We are talking asymmetric cryptography here.
    The "asymmetric" simply means there are two keys:

    * the private key (used primarily for signing data and for decrypting data)
    * the public key (used primarily for signature verification and encrypting data)

    This is in contrast to symmetric cryptography which uses a single (secret) key.

    Historically, asymmetric cryptography was based on the problem of factorization of very large integers
    back into prime numbers (which is practically impossible for large enough integers).

    Recently, asymmetric cryptography is based on a mathematical notion of elliptic curves.
    Ed25519 is a specific, well researched and standardized elliptic curve.

Monero employs the Ed25519 elliptic curve as a basis for its key pair generation.

However, Monero does not exactly follow the EdDSA reference signature scheme.

## Definition

This is the standard Ed25519 curve definition, no Monero specific stuff here.

Curve equation:

    −x^2 + y^2 = 1 − (121665/121666) * x^2 * y^2

Base point:

    # The base point is the specific point on the curve. It is used
    # as a basis for further calculations. It is an arbitrary choice
    # by the curve authors, just to standardize the scheme.
    #
    # Note that it is enough to specify the y value and the sign of the x value.
    # That's because the specific x can be calculated from the curve equation.
    G = (x, 4/5)  # take the point with the positive x

    # The hex representation of the base point
    5866666666666666666666666666666666666666666666666666666666666666

Prime order of the base point:

    # In layman's terms, the "canvas" where the curve is drawn is assumed
    # to have a finite "resolution", so point coordinates must "wrap around"
    # at some point. This is achieved by reducing modulo the "l" value.
    # In other words, the "l" defines the maximum scalar we can use.
    l = 2^252 + 27742317777372353535851937790883648493

The total number of points on the curve, a prime number:

    q = 2^255 - 19

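
The constants above can be checked numerically. The following is an added example, not code from the Monero project or the original article: it recovers x for G from y = 4/5 using the curve equation, reproduces the hex encoding of the base point, and confirms that multiplying G by l gives the neutral point (0, 1). Assumptions: the function names are illustrative, "positive x" is taken to mean the even root (low bit 0), and q is used as the modulus for coordinate arithmetic.

```python
# Added example: the page's Ed25519 constants checked with plain integers.
q = 2**255 - 19                                       # modulus for coordinate arithmetic
l = 2**252 + 27742317777372353535851937790883648493   # order of the base point G
d = -121665 * pow(121666, -1, q) % q                  # -(121665/121666) mod q

def recover_x(y):
    """Solve -x^2 + y^2 = 1 + d*x^2*y^2 for x mod q; return the even ("positive") root."""
    xx = (y * y - 1) * pow(d * y * y + 1, -1, q) % q
    x = pow(xx, (q + 3) // 8, q)                      # root candidate, valid as q % 8 == 5
    if (x * x - xx) % q:
        x = x * pow(2, (q - 1) // 4, q) % q           # fix up with a square root of -1
    if (x * x - xx) % q:
        raise ValueError("no point on the curve has this y")
    return q - x if x & 1 else x

def on_curve(P):
    x, y = P
    return (-x * x + y * y - 1 - d * x * x * y * y) % q == 0

def add(P, Q):
    """Twisted Edwards addition law; (0, 1) is the neutral element."""
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2 % q
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, -1, q) % q
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, -1, q) % q
    return (x3, y3)

def mul(k, P):
    """Double-and-add scalar multiplication (not constant time, demo only)."""
    R = (0, 1)
    while k:
        if k & 1:
            R = add(R, P)
        P = add(P, P)
        k >>= 1
    return R

def encode(P):
    """32 bytes: y little-endian, with the low bit of x stored in the top bit."""
    x, y = P
    return (y | ((x & 1) << 255)).to_bytes(32, "little").hex()

Gy = 4 * pow(5, -1, q) % q                            # y = 4/5 mod q
G = (recover_x(Gy), Gy)

if __name__ == "__main__":
    print(encode(G))                # 5866...66, the hex string on the page
    print(on_curve(G), mul(l, G))   # True (0, 1)
```

Requires Python 3.8 or later for `pow(x, -1, q)`. The arithmetic here is variable-time and is only suitable for checking constants, not for handling secret scalars.
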
## Implementation

Monero uses the (apparently modified) Ref10 implementation by Daniel J. Bernstein.

## Reference

* [Understanding Monero Cryptography](https://steemit.com/monero/@luigi1111/understanding-monero-cryptography-privacy-introduction) - excellent writeup by Luigi
* [StackOverflow answer](https://monero.stackexchange.com/questions/2290/why-how-does-monero-generate-public-ed25519-keys-without-using-the-standard-publ)
* [Python implementation](https://github.com/monero-project/mininero/blob/master/ed25519.py) - not the reference one but easier to understand
* [Encoding point to hex](https://monero.stackexchange.com/questions/6050/what-is-the-base-point-g-from-the-whitepaper-and-how-is-it-represented-as-a)
* [Ed25519 on Wikipedia](https://en.wikipedia.org/wiki/EdDSA#Ed25519)
* [A (Relatively Easy To Understand) Primer on Elliptic Curve Cryptography](https://blog.cloudflare.com/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/)