Ed25519 Quirks

As with other digital signature schemes, Ed25519 consists of three protocols: key generation, signing and verification. They are similar, but distinct, from the generic Schnorr scheme.

Key Generation

Ed25519 does not match secret keys to scalars. Instead, a secret scalar is generated from a seed, a 32-byte string, which should be filled at random from a cryptographically secure RNG.

Loading interactive parts
This can take come time…

Signing

Signing in Ed25519 is deterministic: it doesn't require an RNG during signing. A faulty RNG during signing can leak the secret key, so this is an understandable design choice.

Loading interactive parts
This can take come time…

Verification

Verification uses the equation following from Schnorr and the modified signing procedure:

[s]B == R + [H(R ‖ A ‖ M)]A.
Loading interactive parts
This can take come time…