特别地,https://slowli.github.io/ed25519-quirks/ 这个网站的内容很清晰。
1. signature in EdDSA详细的EdDSA签名和验签过程可参看 rfc8032 Edwards-Curve Digital Signature Algorithm (EdDSA) 。 
参照博客Schnorr signature (Schnorr 签名)数学原理类似,签名过程如下:
- A = k G A=kG A=kG, k k k is private, A is public key, G is a standard elliptic-curve point.
- R = r G R=rG R=rG, r r r 为 random-once随机数,每次需分别单独生成,R is public。
- h = H a s h ( R ∣ ∣ A ∣ ∣ m ) h=Hash(R||A||m) h=Hash(R∣∣A∣∣m), m m m is the message to be signed.
- s = r + k h s=r+kh s=r+kh, ( R , s ) (R,s) (R,s) is the signature for message m m m.
∵ s G = r G + k h G = R + h A \because sG=rG+khG=R+hA ∵sG=rG+khG=R+hA ∴ R = s G − h A \therefore R=sG-hA ∴R=sG−hA
验签时, ( R , s ) , A , m , G (R,s),A,m,G (R,s),A,m,G均已知,其中的 A / G / R A/G/R A/G/R均为elliptic-curve point, 且为节省空间, A / R A/R A/R已compress。 s s s为scalar值。具体的验签过程如下:
- h = H a s h ( R ∣ ∣ A ∣ ∣ m ) h=Hash(R||A||m) h=Hash(R∣∣A∣∣m)
- c o m p r e s s ( s G − h ∗ d e c o m p r e s s ( A ) ) ? = R compress(sG-h*decompress(A))\ \ ?= R compress(sG−h∗decompress(A)) ?=R
以上验签过程支持fast batch verification以及fast batch forgery identification.
For elliptic-curve signatures at a 2 b 2^b 2b security level it is standard practice to use about 2 b 2b 2b bits for hashes, scalars, and field elements, and to compress points to single coordinates. EdDSA and Schnorr’s system then have the same signature size, about 4b bits.
( R , s ) (R,s) (R,s) 为EdDSA格式的签名, ( R , h ) (R,h) (R,h)为Schnorr格式的签名。相比于ECDSA,去掉了求倒数的操作。
对于Schnorr格式的签名,当选择 b b bbits的Hash函数时,最终Schnorr格式的签名可减少至 3 b 3b 3b bits.
decompress需要有额外的求平方根运算,为节约verify的验证时间,也可传递未被压缩的public keys和未压缩的签名。decompress解压缩的细节可参看博客edwards25519 point压缩及解压缩算法,求平方根运算见博客有限域内的平方根求解原理解析及curve25519-dalek中的实现.
基于Pairing-based的签名,其长度更小,大约为
2
b
2b
2b bits,但是pairing-based的验签速度要比elliptic-verve的验签速度慢一个数量级。 
参考资料: [1] 论文《Faster batch forgery identification》 [2] 博客Schnorr signature (Schnorr 签名)数学原理 [3] Edwards-Curve Digital Signature Algorithm (EdDSA) [4] https://slowli.github.io/ed25519-quirks/ [5] https://yondon.blog/2019/01/01/how-not-to-use-ecdsa/
