One of the counter-intuitive feats of Ed25519 is that there are signatures matching any given message (or at least, a non-trivial fraction of messages, say, 1/8).

This result doesn’t break Ed25519: the signatures are valid under a specifically generated public key,
which cannot be obtained with valid key generation. Still, it looks *fascinating*.

To obtain “wildcard” signatures, let’s first take the identity point as the public key: `A = O`

.
The verification equation

[s]B = R + [H(R ‖ A ‖ M)]A

loses the second term on the right-hand side; no matter the value of the hash scalar `H(R ‖ A ‖ M)`

,
when multiplied by the identity, it yields `O`

. The equation transforms into `[s]B = R`

;
thus, signature `([s]B, s)`

for any possible scalar `s`

is a valid signature
for *any* message under public key `O`

.

The identity point has conspicuous serialization `0x0100…00`

. Not to fear; there are other public keys
that lead to almost the same result. These 8 points form the *torsion subgroup*
on the Ed25519 elliptic curve `G`

;
for any such point _{tors}`E`

, `[8]E = O`

. The torsion group is isomorphic to integers modulo 8,
i.e., we can select a group generator `E`

, such that the group is_{1}

G_{tors} = {
O, E_{1}, E_{2} ≡ [2]E_{1}, …, E_{7} ≡ [7]E_{1}
}.

For any public key `A`

in `G`

, with probability
at least 1/8 over message space, the hash scalar _{tors}`H([s]B ‖ A ‖ M)`

is divisible
by the point order (1, 2, 4 or 8). In this case, signature `([s]B, s)`

will still be valid.

This may take some time.