EdDSA sign

The EdDSA signing algorithm (RFC 8032) takes as input a text message msg + the signer's EdDSA private key privKey and produces as output a pair of integers {R, s}. EdDSA signing works as follows (with minor simplifications):

EdDSA_sign(msg, privKey) --> { R, s }

  1. Calculate pubKey = privKey * G

  2. Deterministically generate a secret integer r = hash(hash(privKey) + msg) mod q (this is a bit simplified)

  3. Calculate the public key point behind r by multiplying it by the curve generator: R = r * G

  4. Calculate h = hash(R + pubKey + msg) mod q

  5. Calculate s = (r + h * privKey) mod q

  6. Return the signature { R, s }

The produced digital signature is 64 bytes (32 + 32 bytes) for Ed25519 and 114 bytes (57 + 57 bytes) for Ed448. It holds a compressed point R + the integer s (confirming that the signer knows the msg and the privKey).

Source

PreviousEdDSA key generationNextEdDSA verify signature

Last updated