# EdDSA sign

The **EdDSA signing** algorithm ([RFC 8032](https://tools.ietf.org/html/rfc8032#page-13)) takes as input a text message ***msg*** + the signer's EdDSA **private key** ***privKey*** and produces as output a pair of integers {***R***, ***s***}. EdDSA signing works as follows (with minor simplifications):

`EdDSA_sign(msg, privKey) --> { R, s }`

1. Calculate ***pubKey*** = ***privKey*** \* **G**
2. Deterministically generate a secret integer ***r*** = hash(hash(***privKey***) + ***msg***) mod ***q*** (this is a bit simplified)
3. Calculate the public key point behind ***r*** by multiplying it by the curve generator: ***R*** = ***r*** \* **G**
4. Calculate ***h*** = hash(***R*** + ***pubKey*** + ***msg***) mod ***q***
5. Calculate ***s*** = (***r*** + ***h*** \* ***privKey***) mod ***q***
6. Return the **signature** { ***R***, ***s*** }

The produced **digital signature** is 64 bytes (32 + 32 bytes) for **Ed25519** and 114 bytes (57 + 57 bytes) for **Ed448**. It holds a compressed point ***R*** + the integer ***s*** (confirming that the signer knows the ***msg*** and the ***privKey***).

[Source](https://cryptobook.nakov.com/digital-signatures/eddsa-and-ed25519)