The Curve25519 elliptic curve specified in [4] can be used with XEdDSA and VXEdDSA, giving XEd25519 and VXEd25519. This curve defines the following parameters.
| Name | Definition |
|---|---|
| B | convert_mont(9) |
| I | (x=0, y=1) |
| p | 2^255 - 19 |
| q | 2^252 + 27742317777372353535851937790883648493 |
| c | 8 |
| d | -121665 / 121666 (mod p) |
| A | 486662 |
| n | 2 |
| |p| | 255 |
| |q| | 253 |
| b | 256 |
The twisted Edwards curve equation is -x^2 + y^2 = 1 + dx^2y^2. The u_to_y function implements the birational map from [4] by calculating y = (u - 1) * inv(u + 1) (mod p).
XEd25519 signatures are valid Ed25519 signatures [1] and vice versa, provided the public keys are converted with the birational map.
Ed25519 allows implementations some flexibility in accepting or rejecting certain invalid signatures (e.g. with s unreduced, or checking the verification equation with or without cofactor multiplication). XEdDSA precisely specifies verification, so may differ from some Ed25519 implementations in accepting or rejecting such signatures (just as some Ed25519 implementations may differ from each other).
The particular verification steps chosen by XEdDSA include rejecting s if it has excess bits but not requiring it to be fully reduced, and checking verification without cofactor multiplication. These choices align with existing Ed25519 code, and lead to simpler implementations.