Since Curve25519 was published in 2006, few outside academia seemed to take an interest in it. After Edward Snowden revealed the NSA’s PRISM programme in 2013, however, the algorithm started gaining attention, and a great deal of software, OpenSSH among it, began adding support for Ed25519 public keys. As a result, the once-popular NIST curves of elliptic-curve cryptography began to lose ground to Ed25519.
So what exactly is Ed25519, you might ask? Allow us to explain.
Curve25519 has the following characteristics:
- The choice of parameters and the algorithm itself are clear and straightforward, leaving no room for suspicion. By contrast, the widely used elliptic curves of the NIST series of standards have equation coefficients generated from the unexplained random seed c49d3608 86e70493 6a6678e1 139d26b7 819f7e90. This has led many to view the NIST curves with suspicion, and some suspect them of containing built-in backdoors.
- An elliptic-curve scheme that is mathematically secure is not necessarily secure in practical use: there is a real risk that its security will be undermined through caches, timing and malicious input. Curve25519 was specifically designed so that such implementation errors are kept to a minimum, and it can be called the most secure elliptic-curve scheme in practice. For example, any 32-bit random number is a legitimate X25519 public key, so attacks through malicious input values are not feasible. The algorithm was also designed to avoid branch operations, so that no “if” is needed when implementing it; this removes the timing side channel that arises when “if” branches execute in different amounts of time. The NIST approach, by contrast, leaves more room for error in practical use and is not highly immune to some theoretical attacks. Bernstein studied all 12 standards that curves on the market are measured against and concluded that Ed25519 is almost the only one that meets all of them.
- Curve25519 is currently the fastest elliptic-curve scheme; it performs far better than the NIST curves and offers higher security than P-256. Ed25519 is a public-key signature system with extremely high performance in both signing and verification. A 4-core 2.4GHz Westmere CPU can verify 71000 signatures per second, and its security level is equivalent to 3000-bit RSA. Signing does not rely on a random-number generator or on the hash function’s collision resistance, and it is free of timing attacks. The signature is also small, only 64 bytes, and the public key a mere 32 bytes.
Curve25519 is an elliptic curve designed by the renowned cryptographer Daniel J. Bernstein in 2006, and a family of elliptic-curve algorithms for signing, encryption and key exchange is built on it. Curve25519 is used for encryption and X25519 for key exchange, while Ed25519 is the elliptic-curve signing algorithm based on Curve25519.
Why use ed25519 instead of secp256k1?
Because Bitcoin uses secp256k1 with the ECDSA algorithm, it has gradually become the default signature mechanism for blockchain projects. However, at the time Bitcoin was born most engineering projects used an elliptic-curve signature mechanism called secp256r1 ECDSA. We are not sure why Bitcoin adopted secp256k1 and can only speculate: it may have been to avoid the backdoor the NSA is suspected of having embedded in that algorithm, or because secp256k1 supports an endomorphism mapping that is well suited to speeding up signature verification.
Using ECDSA based on secp256k1 has brought many challenges to blockchain applications; without sufficient care it can lead to security problems in the blockchain network or the loss of digital-currency assets. Reviewing the development of blockchain, we summarise the seven deadly sins of secp256k1 ECDSA as follows:
- If the random number is leaked while signing, anyone who knows it can use it together with the signature to recover the private key.
- If the same user signs two different messages with the same random number, anyone can recover the private key from the two signatures.
- If two users produce ECDSA signatures with the same random number, either of them can deduce the other’s private key.
- If the same private key and random number are used for an ECDSA signature and a Schnorr signature at the same time, anyone can recover the private key.
- Forged ECDSA signature values bring hidden security risks.
- The non-uniqueness of the DER encoding of an ECDSA signature brings hidden security risks.
- Anyone can forge a signature if the signed message is not required during verification.
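The first, second, third and fifth of these sins leave traces in the signatures themselves, so a defender can audit for them after the fact. The following audit is an added example, not code from the original post or from SmartX; it runs over a constructed set of secp256k1 signatures (signer, message, r, s) with the faults planted deliberately, flagging a nonce reused by one signer, a nonce shared between signers, and a high-s value whose (r, N - s) twin also verifies.

```python
# Added example, not code from the original post: checks a defender can run
# over a set of secp256k1 ECDSA signatures to catch the nonce-reuse and
# malleable-value problems listed above. Every signature below is a constructed
# sample with the faults planted on purpose, not real chain data.
from collections import defaultdict

# secp256k1 group order
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# (signer, message id, r, s). r is the x-coordinate of k*G, so an identical r
# means an identical nonce k (up to sign), whether or not the signer is the same.
SAMPLE_SIGS = [
    ("alice", "tx1", 0x1A2B, 0x0101),
    ("alice", "tx2", 0x1A2B, 0x0202),   # alice reused k on a second message
    ("bob",   "tx3", 0x1A2B, 0x0303),   # bob used the same k as alice
    ("carol", "tx4", 0x3C4D, N - 5),    # high s: (r, N - s) is an equally valid twin
    ("dave",  "tx5", 0x5E6F, 0x0505),   # clean
]

def same_signer_nonce_reuse(sigs):
    """One signer, one r, different messages: that signer's key is exposed."""
    seen = defaultdict(set)
    for signer, msg, r, s in sigs:
        seen[(signer, r)].add(msg)
    return sorted(key for key, msgs in seen.items() if len(msgs) > 1)

def cross_signer_nonce_reuse(sigs):
    """Same r under different signers: each can derive the other's key."""
    signers = defaultdict(set)
    for signer, msg, r, s in sigs:
        signers[r].add(signer)
    return {r: sorted(who) for r, who in signers.items() if len(who) > 1}

def non_canonical_s(sigs):
    """s > N/2 is the malleable form; a low-s rule makes each signature unique."""
    return [(signer, msg) for signer, msg, r, s in sigs if s > N // 2]

def audit(sigs):
    """Run all three checks and return the findings in one report."""
    return {"same_signer": same_signer_nonce_reuse(sigs),
            "cross_signer": cross_signer_nonce_reuse(sigs),
            "high_s": non_canonical_s(sigs)}
```

The r-based checks catch the reuse only once it has already happened; deterministic nonces, which Ed25519 has by design, remove the failure mode rather than detecting it.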
It is worth mentioning that Craig Wright once used the seventh problem above to forge Satoshi Nakamoto’s signature, and then claimed to be Satoshi Nakamoto.
Besides its various security issues, the ECDSA signature mechanism does have features that suit blockchain application scenarios well, such as the ability to recover the public key from a signature. This can be used to reduce the size of each transaction, as is done in the Ethereum network.
To avoid the problems mentioned above and achieve higher performance, SmartX decided to abandon secp256k1 and adopt Ed25519, which offers higher security and better performance.
SmartX’s further use of Curve25519
Curve25519 is used by many well-known open-source projects, such as the encrypted messaging application Signal and the anonymous cryptocurrency Monero. Many anonymous networks, such as I2P, are also built on Curve25519.
SmartX is positioned as a social entertainment platform, and for communication it will use encrypted and anonymous channels. With long-term development in mind, we will use Ed25519 instead of secp256k1 to build a high-performance SmartX communication network. Moreover, it can be flexibly adjusted to suit different needs and application scenarios, such as encryption and anonymity.