Data Integrity EdDSA Cryptosuites v1.0

This specification describes Data Integrity cryptographic suites for use when creating or verifying a digital signature using the the Ed25519 instantiation of the Edwards-Curve Digital Signature Algorithm (EdDSA).

Data Model

The following sections outline the data model that is used by this specification to express verification methods, such as cryptographic public keys, and data integrity proofs, such as digital signatures.

Verification Methods

This cryptographic suite is used to verify Data Integrity Proofs [[VC-DATA-INTEGRITY]] produced using Edwards Curve cryptographic key material. The encoding formats for those key types are provided in this section. Lossless cryptographic key transformation processes that result in equivalent cryptographic key material MAY be used for the processing of digital signatures.

Multikey

The Multikey format, defined in [[[CID]]], is used to express public keys for the cryptographic suites defined in this specification.

The `publicKeyMultibase` value of the verification method MUST start with the base-58-btc prefix (`z`), as defined in the Multibase section of [[[CID]]]. A Multibase-encoded Ed25519 256-bit public key value follows, as defined in the Multikey section of [[[CID]]]. Any other encoding MUST NOT be allowed.

Developers are advised to not accidentally publish a representation of a private key. Implementations of this specification will raise errors if they encounter a Multikey prefix value other than `0xed01` in a `publicKeyMultibase` value.

{
  "id": "https://example.com/issuer/123#key-0",
  "type": "Multikey",
  "controller": "https://example.com/issuer/123",
  "publicKeyMultibase": "z6Mkf5rGMoatrSj1f4CyvuHBeXJELe9RPdzo2PKGNCKVtZxP"
}

{
  "@context": [
    "https://www.w3.org/ns/did/v1",
    "https://w3id.org/security/multikey/v1"
  ],
  "id": "did:example:123",
  "verificationMethod": [{
    "id": "did:example:123#key-0",
    "type": "Multikey",
    "controller": "did:example:123",
    "publicKeyMultibase": "z6Mkf5rGMoatrSj1f4CyvuHBeXJELe9RPdzo2PKGNCKVtZxP"
  }],
  "authentication": [
    "did:example:123#key-0"
  ],
  "assertionMethod": [
    "did:example:123#key-0"
  ],
  "capabilityDelegation": [
    "did:example:123#key-0"
  ],
  "capabilityInvocation": [
    "did:example:123#key-0"
  ]
}

The `secretKeyMultibase` value of the verification method MUST start with the base-58-btc prefix (`z`), as defined in the Multibase section of [[[CID]]]. A Multibase-encoded Ed25519 256-bit secret key value follows, as defined in the Multikey section of [[[CID]]]. Any other encoding MUST NOT be allowed.

Developers are advised to prevent accidental publication of a representation of a secret key, and to not export the `secretKeyMultibase` property by default, when serializing key pairs to Multikey.

Proof Representations

This section details the proof representation formats that are defined by this specification.

DataIntegrityProof

A proof contains the attributes specified in the Proofs section of [[VC-DATA-INTEGRITY]] with the following restrictions.

The `type` property MUST be `DataIntegrityProof`.

The `cryptosuite` property of the proof MUST be `eddsa-rdfc-2022` or `eddsa-jcs-2022`.

The `proofValue` property of the proof MUST be a detached EdDSA signature produced according to [[RFC8032]], encoded using the base-58-btc header and alphabet as described in the Multibase section of [[[CID]]].

{
  "@context": [
    {"myWebsite": "https://vocabulary.example/myWebsite"},
    "https://www.w3.org/ns/credentials/v2"
  ],
  "myWebsite": "https://hello.world.example/",
  "proof": {
    "type": "DataIntegrityProof",
    "cryptosuite": "eddsa-rdfc-2022",
    "created": "2023-02-24T23:36:38Z",
    "verificationMethod": "https://vc.example/issuers/5678#z6MkrJVnaZkeFzdQyMZu1
      cgjg7k1pZZ6pvBQ7XJPt4swbTQ2",
    "proofPurpose": "assertionMethod",
    "proofValue": "z5C5b1uzYJN6pDR3aWgAqUMoSB1JY29epA74qyjaie9qh4okm9DZP6y77eTNq
      5NfYyMwNu9bpQQWUHKH5zAmEtszK"
  }
}

Algorithms

The following section describes multiple Data Integrity cryptographic suites that use the Edwards-Curve Digital Signature Algorithm.

Instantiate Cryptosuite

This algorithm is used to configure a cryptographic suite to be used by the Add Proof and Verify Proof functions in [[[VC-DATA-INTEGRITY]]]. The algorithm takes an options object ([=map=] |options|) as input and returns a [=data integrity cryptographic suite instance|cryptosuite instance=] ([=struct=] |cryptosuite|).

Initialize |cryptosuite| to an empty [=struct=].
If |options|.|type| does not equal `DataIntegrityProof`, return |cryptosuite|.
If |options|.|cryptosuite| is `eddsa-rdfc-2022`:
1. Set |cryptosuite|.|createProof| to the algorithm in Section [[[#create-proof-eddsa-rdfc-2022]]].
2. Set |cryptosuite|.|verifyProof| to the algorithm in Section [[[#verify-proof-eddsa-rdfc-2022]]].
If |options|.|cryptosuite| is `eddsa-jcs-2022`:
1. Set |cryptosuite|.|createProof| to the algorithm in Section [[[#create-proof-eddsa-jcs-2022]]].
2. Set |cryptosuite|.|verifyProof| to the algorithm in Section [[[#verify-proof-eddsa-jcs-2022]]].
Return |cryptosuite|.

eddsa-rdfc-2022

The `eddsa-rdfc-2022` cryptographic suite takes an input document, canonicalizes the document using the RDF Dataset Canonicalization algorithm [[RDF-CANON]], and then cryptographically hashes and signs the output resulting in the production of a data integrity proof. The algorithms in this section also include the verification of such a data integrity proof.

When the RDF Dataset Canonicalization Algorithm [[RDF-CANON]] is used, implementations will detect dataset poisoning by default, and abort processing upon such detection.

Create Proof (eddsa-rdfc-2022)

The following algorithm specifies how to create a [=data integrity proof=] given an unsecured data document. Required inputs are an unsecured data document ([=map=] |unsecuredDocument|), and a set of proof options ([=map=] |options|). A [=data integrity proof=] ([=map=]), or an error, is produced as output.

Let |proof| be a clone of the proof options, |options|.
Let |proofConfig| be the result of running the algorithm in Section [[[#proof-configuration-eddsa-rdfc-2022]]] with |options| passed as a parameter.
Let |transformedData| be the result of running the algorithm in Section with |unsecuredDocument|, |proofConfig|, and |options| passed as parameters.
Let |hashData| be the result of running the algorithm in Section [[[#hashing-eddsa-rdfc-2022]]] with |transformedData| and |proofConfig| passed as a parameters.
Let |proofBytes| be the result of running the algorithm in Section [[[#proof-serialization-eddsa-rdfc-2022]]] with |hashData| and |options| passed as parameters.
Let |proof|.|proofValue| be a base58-btc-encoded Multibase value of the |proofBytes|.
Return |proof| as the [=data integrity proof=].

Verify Proof (eddsa-rdfc-2022)

The following algorithm specifies how to verify a [=data integrity proof=] given an secured data document. Required inputs are an secured data document ([=map=] |securedDocument|). This algorithm returns a verification result, which is a [=struct=] whose [=struct/items=] are:

verified: `true` or `false`
verifiedDocument: if [=verification result/verified=] is `false`, Null; otherwise, an [=unsecured data document=]

Let |unsecuredDocument| be a copy of |securedDocument| with the `proof` value removed.
Let |proofOptions| be the result of a copy of |securedDocument|.|proof| with `proofValue` removed.
Let |proofBytes| be the Multibase decoded base58-btc value in |securedDocument|.|proof|.|proofValue|.
Let |transformedData| be the result of running the algorithm in Section with |unsecuredDocument| and |proofOptions| passed as parameters.
Let |proofConfig| be the result of running the algorithm in Section with |unsecuredDocument| and |proofOptions| passed as parameters.
Let |hashData| be the result of running the algorithm in Section [[[#hashing-eddsa-rdfc-2022]]] with |transformedData| and |proofConfig| passed as a parameters.
Let |verified:boolean| be the result of running the algorithm in Section [[[#proof-verification-eddsa-rdfc-2022]]] algorithm on |hashData|, |proofBytes|, and |proofConfig|.
Return a [=verification result=] with [=struct/items=]:

[=verified=]

|verified|

[=verifiedDocument=]

if |verified| is `true`, |unsecuredDocument|; otherwise, Null

Transformation (eddsa-rdfc-2022)

The following algorithm specifies how to transform an unsecured input document into a transformed document that is ready to be provided as input to the hashing algorithm in Section [[[#hashing-eddsa-rdfc-2022]]].

Required inputs to this algorithm are an unsecured data document (`unsecuredDocument`) and transformation options (`options`). The transformation options MUST contain a type identifier for the cryptographic suite (`type`) and a cryptosuite identifier (`cryptosuite`). A transformed data document is produced as output. Whenever this algorithm encodes strings, it MUST use UTF-8 encoding.

If `options`.`type` is not set to the string `DataIntegrityProof` and `options`.`cryptosuite` is not set to the string `eddsa-rdfc-2022`, an error MUST be raised that SHOULD convey an error type of PROOF_TRANSFORMATION_ERROR.
Let |canonicalDocument| be the result of converting |unsecuredDocument| to RDF statements, applying the RDF Dataset Canonicalization Algorithm [[RDF-CANON]] to the result, and then serializing the result to a serialized canonical form [[RDF-CANON]].
Return `canonicalDocument` as the transformed data document.

Hashing (eddsa-rdfc-2022)

The following algorithm specifies how to cryptographically hash a transformed data document and proof configuration into cryptographic hash data that is ready to be provided as input to the algorithms in Section [[[#proof-serialization-eddsa-rdfc-2022]]] or Section [[[#proof-verification-eddsa-rdfc-2022]]].

The required inputs to this algorithm are a transformed data document (`transformedDocument`) and canonical proof configuration (`canonicalProofConfig`). A single hash data value represented as series of bytes is produced as output.

Let `proofConfigHash` be the result of applying the SHA-256 (SHA-2 with 256-bit output) cryptographic hashing algorithm [[RFC6234]] to the `canonicalProofConfig`. `proofConfigHash` will be exactly 32 bytes in size.
Let `transformedDocumentHash` be the result of applying the SHA-256 (SHA-2 with 256-bit output) cryptographic hashing algorithm [[RFC6234]] to the `transformedDocument`. `transformedDocumentHash` will be exactly 32 bytes in size.
Let `hashData` be the result of concatenating `proofConfigHash` (the first hash produced above) followed by `transformedDocumentHash` (the second hash produced above).
Return `hashData` as the hash data.

Proof Configuration (eddsa-rdfc-2022)

The following algorithm specifies how to generate a proof configuration from a set of proof options that is used as input to the proof hashing algorithm.

The required inputs to this algorithm are the document (|unsecuredDocument|) and the proof options (`options`). The proof options MUST contain a type identifier for the cryptographic suite (`type`) and MUST contain a cryptosuite identifier (`cryptosuite`). A proof configuration object is produced as output.

Let |proofConfig| be a clone of the |options| object.
If |proofConfig|.|type| is not set to `DataIntegrityProof` and/or |proofConfig|.|cryptosuite| is not set to `eddsa-rdfc-2022`, an error MUST be raised and SHOULD convey an error type of PROOF_GENERATION_ERROR.
If |proofConfig|.|created| is present and set to a value that is not a valid [[XMLSCHEMA11-2]] datetime, an error MUST be raised and SHOULD convey an error type of PROOF_GENERATION_ERROR.
Set |proofConfig|.`@context `to |unsecuredDocument|.@context.
Let |canonicalProofConfig| be the result of applying the RDF Dataset Canonicalization Algorithm [[RDF-CANON]] to the |proofConfig|.
Return |canonicalProofConfig|.

Proof Serialization (eddsa-rdfc-2022)

The following algorithm specifies how to serialize a digital signature from a set of cryptographic hash data. This algorithm is designed to be used in conjunction with the algorithms defined in the Data Integrity [[VC-DATA-INTEGRITY]] specification, Section 4: Algorithms. Required inputs are cryptographic hash data (`hashData`) and proof options (`options`). The proof options MUST contain a type identifier for the cryptographic suite (`type`) and MAY contain a cryptosuite identifier (`cryptosuite`). A single digital proof value represented as series of bytes is produced as output.

Let |privateKeyBytes| be the result of retrieving the private key bytes (or a signing interface enabling the use of the private key bytes) associated with the verification method identified by the |options|.|verificationMethod| value.
Let `proofBytes` be the result of applying the Edwards-Curve Digital Signature Algorithm (EdDSA) [[RFC8032]], using the `Ed25519` variant (Pure EdDSA), with `hashData` as the data to be signed using the private key specified by `privateKeyBytes`. `proofBytes` will be exactly 64 bytes in size.
Return `proofBytes` as the digital proof.

Proof Verification (eddsa-rdfc-2022)

The following algorithm specifies how to verify a digital signature from a set of cryptographic hash data. This algorithm is designed to be used in conjunction with the algorithms defined in the Data Integrity [[VC-DATA-INTEGRITY]] specification, Section 4: Algorithms. Required inputs are cryptographic hash data (`hashData`), a digital signature (`proofBytes`) and proof options (`options`). A verification result represented as a boolean value is produced as output.

Let `publicKeyBytes` be the result of retrieving the public key bytes associated with the `options`.`verificationMethod` value as described in the Retrieve Verification Method section of the [[[CID]]] specification.
Let `verificationResult` be the result of applying the verification algorithm for the Edwards-Curve Digital Signature Algorithm (EdDSA) [[RFC8032]], using the `Ed25519` variant (Pure EdDSA), with `hashData` as the data to be verified against the `proofBytes` using the public key specified by `publicKeyBytes`.
Return `verificationResult` as the verification result.

eddsa-jcs-2022

The `eddsa-jcs-2022` cryptographic suite takes an input document, canonicalizes the document using the JSON Canonicalization Scheme [[RFC8785]], and then cryptographically hashes and signs the output resulting in the production of a data integrity proof.

Create Proof (eddsa-jcs-2022)

Let |proof| be a clone of the proof options, |options|.
If `unsecuredDocument`.@context is present, set `proof`.@context to `unsecuredDocument`.@context.
Let |proofConfig| be the result of running the algorithm in Section [[[#proof-configuration-eddsa-jcs-2022]]] with |proof| passed as the proof options parameter.
Let |transformedData| be the result of running the algorithm in Section [[[#transformation-eddsa-jcs-2022]]] with |unsecuredDocument| and |options| passed as parameters.
Let |hashData| be the result of running the algorithm in Section [[[#hashing-eddsa-jcs-2022]]] with |transformedData| and |proofConfig| passed as a parameters.
Let |proofBytes| be the result of running the algorithm in Section [[[#proof-serialization-eddsa-jcs-2022]]] with |hashData| and |options| passed as parameters.
Let |proof|.|proofValue| be a base58-btc-encoded Multibase value of the |proofBytes|.
Return |proof| as the [=data integrity proof=].

Implementers are warned that while step 2 is not strictly necessary when generating proofs that will not be included in a proof set or a proof chain, that it is not always possible to be certain of where generated proofs will be used, or how they might be combined with other proofs at the application layer. It is strongly advised to always implement step 2, though some implementers have signaled that their software might not always implement step 2.

Verify Proof (eddsa-jcs-2022)

The following algorithm specifies how to verify a [=data integrity proof=] given an secured data document. Required inputs are an secured data document ([=map=] |securedDocument|). This algorithm returns a [=verification result=], which is a [=struct=] whose [=struct/items=] are:

[=verification result/verified=]: `true` or `false`
[=verification result/verifiedDocument=]: if [=verification result/verified=] is `true`, an [=unsecured data document=]; otherwise Null

Let |unsecuredDocument| be a copy of |securedDocument| with the `proof` value removed.
Let |proofOptions| be the result of a copy of |securedDocument|.|proof| with `proofValue` removed.
Let |proofBytes| be the Multibase decoded base58-btc value in |securedDocument|.|proof|.|proofValue|.
If |proofOptions|.@context exists:
1. Check that the |securedDocument|.@context starts with all values contained in the |proofOptions|.@context in the same order. Otherwise, set |verified| to `false` and skip to the last step.
2. Set |unsecuredDocument|.@context equal to |proofOptions|.@context.
Let |transformedData| be the result of running the algorithm in Section [[[#transformation-eddsa-jcs-2022]]] with |unsecuredDocument| and |proofOptions| passed as parameters.
Let |proofConfig| be the result of running the algorithm in Section [[[#proof-configuration-eddsa-jcs-2022]]] with |proofOptions| passed as the parameter.
Let |hashData| be the result of running the algorithm in Section [[[#hashing-eddsa-jcs-2022]]] with |transformedData| and |proofConfig| passed as a parameters.
Let |verified:boolean| be the result of running the algorithm in Section [[[#proof-verification-eddsa-jcs-2022]]] on |hashData|, |proofBytes|, and |proofConfig|.
Return a [=verification result=] with [=struct/items=]:

[=verified=]

|verified|

[=verifiedDocument=]

if |verified| is `true`, |unsecuredDocument|; otherwise, Null

Transformation (eddsa-jcs-2022)

If `options`.`type` is not set to the string `DataIntegrityProof` and `options`.`cryptosuite` is not set to the string `eddsa-jcs-2022`, an error MUST be raised that SHOULD convey an error type of PROOF_VERIFICATION_ERROR.
Let `canonicalDocument` be the result of applying the JSON Canonicalization Scheme [[RFC8785]] to a JSON serialization of the `unsecuredDocument`.
Return `canonicalDocument` as the transformed data document.

Hashing (eddsa-jcs-2022)

The following algorithm specifies how to cryptographically hash a transformed data document and proof configuration into cryptographic hash data that is ready to be provided as input to the algorithms in Section [[[#proof-serialization-eddsa-jcs-2022]]] or Section [[[#proof-verification-eddsa-jcs-2022]]].

Let `transformedDocumentHash` be the result of applying the SHA-256 (SHA-2 with 256-bit output) cryptographic hashing algorithm [[RFC6234]] to the `transformedDocument`. `transformedDocumentHash` will be exactly 32 bytes in size.
Let `proofConfigHash` be the result of applying the SHA-256 (SHA-2 with 256-bit output) cryptographic hashing algorithm [[RFC6234]] to the `canonicalProofConfig`. `proofConfigHash` will be exactly 32 bytes in size.
Let `hashData` be the result of joining `proofConfigHash` (the first hash) with `transformedDocumentHash` (the second hash).
Return `hashData` as the hash data.

Proof Configuration (eddsa-jcs-2022)

The following algorithm specifies how to generate a proof configuration from a set of proof options that is used as input to the proof hashing algorithm.

The required inputs to this algorithm are proof options (`options`). The proof options MUST contain a type identifier for the cryptographic suite (`type`) and MUST contain a cryptosuite identifier (`cryptosuite`). A proof configuration object is produced as output.

Let `proofConfig` be a clone of the `options` object.
If `proofConfig`.`type` is not set to `DataIntegrityProof` or `proofConfig`.`cryptosuite` is not set to `eddsa-jcs-2022`, an error MUST be raised that SHOULD convey an error type of PROOF_GENERATION_ERROR.
If |proofConfig|.|created| is set to a value that is not a valid [[XMLSCHEMA11-2]] datetime, an error MUST be raised and SHOULD convey an error type of PROOF_GENERATION_ERROR.
Let `canonicalProofConfig` be the result of applying the JSON Canonicalization Scheme [[RFC8785]] to the `proofConfig`.
Return `canonicalProofConfig`.

Proof Serialization (eddsa-jcs-2022)

Let |privateKeyBytes| be the result of retrieving the private key bytes (or a signing interface enabling the use of the private key bytes) associated with the verification method identified by the |options|.|verificationMethod| value.
Let `proofBytes` be the result of applying the Edwards-Curve Digital Signature Algorithm (EdDSA) [[RFC8032]], using the `Ed25519` variant (Pure EdDSA), with `hashData` as the data to be signed using the private key specified by `privateKeyBytes`. `proofBytes` will be exactly 64 bytes in size.
Return `proofBytes` as the digital proof.

Proof Verification (eddsa-jcs-2022)

Let `publicKeyBytes` be the result of retrieving the public key bytes associated with the `options`.`verificationMethod` value as described in the Retrieve Verification Method section of the [[[CID]]] specification.
Let `verificationResult` be the result of applying the verification algorithm for the Edwards-Curve Digital Signature Algorithm (EdDSA) [[RFC8032]], using the `Ed25519` variant (Pure EdDSA), with `hashData` as the data to be verified against the `proofBytes` using the public key specified by `publicKeyBytes`.
Return `verificationResult` as the verification result.

Security Considerations

Before reading this section, readers are urged to familiarize themselves with general security advice provided in the Security Considerations section of the Data Integrity specification.

The following section describes security considerations that developers implementing this specification should be aware of in order to create secure software.

Security Properties of Ed25519 Implementations

Ed25519 signatures (EdDSA algorithm with edwards25519 curve) have been widely adopted, due both to the compact size of the keys and signatures and to the speed at which signatures can be produced and verified. Many libraries exist that can create and verify Ed25519 signatures. Since the publication of [[RFC8032]], security properties of Ed25519 signatures have been rigorously proven (see [[Provable_Ed25519]] and [[Taming_EdDSAs]]). However, it has been observed that a significant number of libraries do not achieve these security levels, due to missing input validity checks during the signature verification process. In this section, we summarize the security levels achievable with Ed25519 signatures, and indicate how one can determine whether a library will support those levels.

Signature Security Properties

Digital signatures might exhibit a number of desirable cryptographic properties [[Taming_EdDSAs]] among these are:

EUF-CMA (existential unforgeability under chosen message attacks) is usually the minimal security property required of a signature scheme. It guarantees that any efficient adversary who has the public key $\begin{matrix} p k \end{matrix}$ of the signer and received an arbitrary number of signatures on messages of its choice (in an adaptive manner): $\begin{matrix} {m_{i}, σ_{i}}_{i = 1}^{N} \end{matrix}$ , cannot output a valid signature $\begin{matrix} σ^{*} \end{matrix}$ for a new message $\begin{matrix} m^{*} \notin {m_{i}}_{i = 1}^{N} \end{matrix}$ (except with negligible probability). If the attacker outputs a valid signature on a new message: $\begin{matrix} (m^{*}, σ^{*}) \end{matrix}$ , it is called an existential forgery.

SUF-CMA (strong unforgeability under chosen message attacks) is a stronger notion than EUF-CMA. It guarantees that for any efficient adversary who has the public key $\begin{matrix} p k \end{matrix}$ of the signer and received an arbitrary number of signatures on messages of its choice: $\begin{matrix} {m_{i}, σ_{i}}_{i = 1}^{N} \end{matrix}$ , it cannot output a new valid signature pair $\begin{matrix} (m^{*}, σ^{*}) \end{matrix}$ , such that $\begin{matrix} (m^{*}, σ^{*}) \notin {m^{i}, σ^{i}}_{i = 1}^{N} \end{matrix}$ (except with negligible probability). Strong unforgeability implies that an adversary not only cannot sign new messages, but also cannot find a new signature on an old message. See [[Provable_Ed25519]] for a real world attack that would have been circumvented with SUF-CMA security over EUF-CMA security.

Binding signature (BS) We say that a signature scheme is binding if no efficient signer can output a tuple $\begin{matrix} [p k, m, m^{'}, σ] \end{matrix}$ , where both $\begin{matrix} (m, σ) \end{matrix}$ and $\begin{matrix} (m^{'}, σ) \end{matrix}$ are valid message signature pairs under the public key $\begin{matrix} p k \end{matrix}$ and $\begin{matrix} m \neq m^{'} \end{matrix}$ (except with negligible probability). A binding signature makes it impossible for the signer to claim later that it has signed a different message; the signature binds the signer to the message.

Strongly Binding signature (SBS) Certain applications may require a signature to not only be binding to the message but also be binding to the public key. We say that a signature scheme is strongly-binding if any efficient signer cannot output a tuple $\begin{matrix} [p k, m, p k^{'}, m^{'}, σ] \end{matrix}$ , where $\begin{matrix} (m, σ) \end{matrix}$ is a valid signature for the public key $\begin{matrix} p k \end{matrix}$ and $\begin{matrix} (m^{'}, σ) \end{matrix}$ is a valid signature for the public key $\begin{matrix} p k^{'} \end{matrix}$ and either $\begin{matrix} m^{'} \neq m \end{matrix}$ or $\begin{matrix} p k \neq p k^{'} \end{matrix}$ , or both (except with negligible probability). See [[Provable_Ed25519]] for real world attacks that would have been circumvented with the SBS property.

Note that the BS and SBS properties are forms of non-repudiation.

Achieving Ed25519 Security Properties

As pointed out in [[Taming_EdDSAs]], flaws in Ed25519 libraries primarily occur on the signature verification side, where edge cases are sometimes not properly checked. An Ed25519 signature library that is in conformance with [[RFC8032]] or [[FIPS-186-5]], i.e., one that performs all specified validation checks, will have the SUF-CMA property in addition to EUF-CMA.

Reference [[Taming_EdDSAs]] achieves the BS and SBS properties along with SUF-CMA in their "signature verification algorithm 2" where an additional check is performed against the public key A to make sure that it is not one of eight "small order points". These additional checks incur minimal processing overhead.

Reference [[Taming_EdDSAs]] included a set of twelve test vectors to test various Ed25519 libraries available at the time of publication. They found that a significant portion missed edge cases and hence did not achieve SUF-CMA (just EUF-CMA), and only two libraries out of sixteen achieved all the security properties. Since the time of publication, more Ed25519 libraries have been created, and some of the libraries have been updated to include all verification checks. Implementers are recommended to test the Ed25519 library they are using against the test vectors of [[Taming_EdDSAs]].

The Ed25519Signature2020 Suite

`Ed25519Signature2020` is an earlier version of a cryptographic suite for use of the EdDSA algorithm and Curve25519. While it has been used in production systems, new implementations should instead use `eddsa-rdfc-2022`. `Ed25519Signature2020` has been kept in this specification to provide a stable reference.

Data Model

Verification Methods

Ed25519VerificationKey2020

The key format described in this section is provided to document a legacy mechanism that has been deployed to production. The key format described in section [[[#multikey]]] supercedes the one described in this section. New applications are strongly urged to use the newer key format.

The `type` of the verification method MUST be Ed25519VerificationKey2020.

The `controller` of the verification method MUST be a URL.

The `publicKeyMultibase` value of the verification method MUST start with the base-58-btc prefix (`z`), as defined in the Multibase section of [[VC-DATA-INTEGRITY]]. A Multibase-encoded Multikey value follows, which MUST consist of a binary value that starts with the two-byte prefix `0xed01`, which is the Multikey header for an Ed25519 public key, followed by the 32-byte public key data, all of which is then encoded using base-58-btc. Any other encoding MUST NOT be allowed.

Developers are advised to not accidentally publish a representation of a private key. Implementations of this specification will raise errors in the event of a Multikey header value other than `0xed01` being used in a `publicKeyMultibase` value.

  {
    "id": "https://example.com/issuer/123#key-0",
    "type": "Ed25519VerificationKey2020",
    "controller": "https://example.com/issuer/123",
    "publicKeyMultibase": "z6Mkf5rGMoatrSj1f4CyvuHBeXJELe9RPdzo2PKGNCKVtZxP"
  }

  {
    "@context": [
      "https://www.w3.org/ns/did/v1",
      "https://w3id.org/security/suites/ed25519-2020/v1"
    ],
    "id": "did:example:123",
    "verificationMethod": [{
      "id": "did:example:123#key-0",
      "type": "Ed25519VerificationKey2020",
      "controller": "did:example:123",
      "publicKeyMultibase": "z6Mkf5rGMoatrSj1f4CyvuHBeXJELe9RPdzo2PKGNCKVtZxP"
    }],
    "authentication": [
      "did:example:123#key-0"
    ],
    "assertionMethod": [
      "did:example:123#key-0"
    ],
    "capabilityDelegation": [
      "did:example:123#key-0"
    ],
    "capabilityInvocation": [
      "did:example:123#key-0"
    ]
  }

Proof representations

Ed25519Signature2020

The proof format described in this section is provided to document a legacy mechanism that has been deployed to production. The `DataIntegrityProof` formats described in section [[[#dataintegrityproof]]] supercede the one described in this section. New applications are strongly urged to use the newer proof format.

The `verificationMethod` property of the proof MUST be a URL. Dereferencing the `verificationMethod` MUST result in an object containing a `type` property with the value set to `Ed25519VerificationKey2020`.

The `type` property of the proof MUST be `Ed25519Signature2020`.

The `created` property of the proof MUST be an [[XMLSCHEMA11-2]] formatted date string.

The `proofPurpose` property of the proof MUST be a string, and MUST match the verification relationship expressed by the verification method `controller`.

The `proofValue` property of the proof MUST be a detached EdDSA produced according to [[RFC8032]], encoded using the base-58-btc header and alphabet as described in the Multibase section of [[CID]].

  {
    "@context": [
      {"myWebsite": "https://vocabulary.example/myWebsite"},
      "https://w3id.org/security/suites/ed25519-2020/v1"
    ],
    "myWebsite": "https://hello.world.example/",
    "proof": {
      "type": "Ed25519Signature2020",
      "created": "2020-11-05T19:23:24Z",
      "verificationMethod": "https://di.example/issuer#z6MkjLrk3gKS2nnkeWcmcxiZPGskmesDpuwRBorgHxUXfxnG",
      "proofPurpose": "assertionMethod",
      "proofValue": "z4oey5q2M3XKaxup3tmzN4DRFTLVqpLMweBrSxMY2xHX5XTYVQeVbY8nQAVHMrXFkXJpmEcqdoDwLWxaqA3Q1geV6"
    }
  }

Algorithms

Ed25519Signature2020

The `Ed25519Signature2020` cryptographic suite takes an input document, canonicalizes the document using the RDF Dataset Canonicalization algorithm [[RDF-CANON]], and then cryptographically hashes and signs the output resulting in the production of a data integrity proof. The algorithms in this section also include the verification of such a data integrity proof.

Add Proof (Ed25519Signature2020)

To generate a proof, the algorithm in Section 4.1: Add Proof in the Data Integrity [[VC-DATA-INTEGRITY]] specification MUST be executed. For that algorithm, the cryptographic suite specific transformation algorithm is defined in Section [[[#transformation-ed25519signature2020]]], the hashing algorithm is defined in Section [[[#hashing-ed25519signature2020]]], and the proof serialization algorithm is defined in Section [[[#proof-serialization-ed25519signature2020]]].

Verify Proof (Ed25519Signature2020)

To verify a proof, the algorithm in Section 4.2: Verify Proof in the Data Integrity [[VC-DATA-INTEGRITY]] specification MUST be executed. For that algorithm, the cryptographic suite specific transformation algorithm is defined in Section [[[#transformation-ed25519signature2020]]], the hashing algorithm is defined in Section [[[#hashing-ed25519signature2020]]], and the proof verification algorithm is defined in Section [[[#proof-verification-ed25519signature2020]]].

Transformation (Ed25519Signature2020)

If `options`.`type` is not set to the string `Ed25519Signature2020`, an error MUST be raised that SHOULD convey an error type of PROOF_TRANSFORMATION_ERROR.
Let |canonicalDocument| be the result of converting |unsecuredDocument| to JSON-LD expanded form and then to RDF statements, applying the Universal RDF Dataset Canonicalization Algorithm, and then serializing the result to a serialized canonical form.
Return `canonicalDocument` as the transformed data document.

Hashing (Ed25519Signature2020)

The following algorithm specifies how to cryptographically hash a transformed data document and proof configuration into cryptographic hash data that is ready to be provided as input to the algorithms in Section [[[#proof-serialization-ed25519signature2020]]] or Section [[[#proof-verification-ed25519signature2020]]].

The required inputs to this algorithm are a transformed data document (`transformedDocument`) and proof configuration (`proofConfig`). The proof configuration MUST contain a type identifier for the cryptographic suite (`type`) and MAY contain a cryptosuite identifier (`cryptosuite`). A single hash data value represented as series of bytes is produced as output.

Let `transformedDocumentHash` be the result of applying the SHA-256 (SHA-2 with 256-bit output) cryptographic hashing algorithm [[RFC6234]] to the `transformedDocument`. `transformedDocumentHash` will be exactly 32 bytes in size.
Let `proofConfigHash` be the result of applying the SHA-256 (SHA-2 with 256-bit output) cryptographic hashing algorithm [[RFC6234]] to the `canonicalProofConfig`. `proofConfigHash` will be exactly 32 bytes in size.
Let `hashData` be the result of joining `proofConfigHash` (the first hash) with `transformedDocumentHash` (the second hash).
Return `hashData` as the hash data.

Proof Configuration (Ed25519Signature2020)

The following algorithm specifies how to generate a proof configuration from a set of proof options that is used as input to the proof hashing algorithm.

The required inputs to this algorithm are proof options (`options`). The proof options MUST contain a type identifier for the cryptographic suite (`type`) and MAY contain a cryptosuite identifier (`cryptosuite`). A proof configuration object is produced as output.

Let |proofConfig| be a clone of the |options| object.
If `proofConfig`.`type` is not set to `Ed25519Signature2020`, an error MUST be raised and SHOULD convey an error type of PROOF_GENERATION_ERROR.
If |proofConfig|.|created| is present and set to a value that is not a valid [[XMLSCHEMA11-2]] datetime, an error MUST be raised and SHOULD convey an error type of PROOF_GENERATION_ERROR.
Set `proofConfig`.@context to `unsecuredDocument`.@context
Let `canonicalProofConfig` be the result of applying the RDF Dataset Canonicalization algorithm [[RDF-CANON]] to the `proofConfig`.
Return `canonicalProofConfig`.

Proof Serialization (Ed25519Signature2020)

Let |privateKeyBytes| be the result of retrieving the private key bytes (or a signing interface enabling the use of the private key bytes) associated with the verification method identified by the |options|.|verificationMethod| value.
Let `proofBytes` be the result of applying the Edwards-Curve Digital Signature Algorithm (EdDSA) [[RFC8032]], using the `Ed25519` variant (Pure EdDSA), with `hashData` as the data to be signed using the private key specified by `privateKeyBytes`. `proofBytes` will be exactly 64 bytes in size.
Return `proofBytes` as the digital proof.

Proof Verification (Ed25519Signature2020)

Let |publicKeyBytes| be the result of retrieving the public key bytes associated with the |options|.|verificationMethod| value as described in the Retrieve Verification Method section of the [[[CID]]] specification.
Let `verificationResult` be the result of applying the verification algorithm for the Edwards-Curve Digital Signature Algorithm (EdDSA) [[RFC8032]], using the `Ed25519` variant (Pure EdDSA), with `hashData` as the data to be verified against the `proofBytes` using the public key specified by `publicKeyBytes`.
Return `verificationResult` as the verification result.

Test Vectors

Representation: eddsa-rdfc-2022

The signer needs to generate a private/public key pair with the private key used for signing and the public key made available for verification. The representation of the public key and the representation of the private key are shown below.

{
    publicKeyMultibase: "z6MkrJVnaZkeFzdQyMZu1cgjg7k1pZZ6pvBQ7XJPt4swbTQ2",
    secretKeyMultibase: "z3u2en7t5LR2WtQH5PfFqMqwVHBeXouLzo6haApm8XHqvjxq"
}

Signing begins with a credential without an attached proof, which is converted to canonical form, and then hashed, as shown in the following three examples.

The next step is to take the proof options document, convert it to canonical form, and obtain its hash, as shown in the next three examples.

Finally, we concatenate the hash of the proof options followed by the hash of the credential without proof, use the private key with the combined hash to compute the Ed25519 signature, and then base58-btc encode the signature.

Assemble the signed credential with the following two steps:

Add the proofValue field with the previously computed base58-btc value to the proof options document.
Set the proof field of the credential to the augmented proof option document.

Enhanced Example for Representation: eddsa-rdfc-2022

Here we again go through the steps of creating a credential signed with `eddsa-rdfc-2022`, but with a more complicated input document. The representation of the public key and the representation of the private key are shown below.

{
    publicKeyMultibase: "z6MkrJVnaZkeFzdQyMZu1cgjg7k1pZZ6pvBQ7XJPt4swbTQ2",
    secretKeyMultibase: "z3u2en7t5LR2WtQH5PfFqMqwVHBeXouLzo6haApm8XHqvjxq"
}

Signing begins with a credential without an attached proof, which is converted to canonical form, and then hashed, as shown in the following three examples.

The next step is to take the proof options document, convert it to canonical form, and obtain its hash, as shown in the next three examples.

Assemble the signed credential with the following two steps:

Add the proofValue field with the previously computed base58-btc value to the proof options document.
Set the proof field of the credential to the augmented proof option document.

Representation: eddsa-jcs-2022

The signer needs to generate a private/public key pair with the private key used for signing and the public key made available for verification. The representation of the public key, and the representation of the private key are shown below.

{
  publicKeyMultibase: "z6MkrJVnaZkeFzdQyMZu1cgjg7k1pZZ6pvBQ7XJPt4swbTQ2",
  secretKeyMultibase: "z3u2en7t5LR2WtQH5PfFqMqwVHBeXouLzo6haApm8XHqvjxq"
}

Signing begins with a credential without an attached proof, which is converted to canonical form, and then hashed, as shown in the following three examples.

The next step is to take the proof options document, convert it to canonical form, and obtain its hash, as shown in the next three examples.

Assemble the signed credential with the following two steps:

Add the proofValue field with the previously computed base58-btc value to the proof options document.
Set the proof field of the credential to the augmented proof option document.

Representation: Ed25519Signature2020

The signer needs to generate a private/public key pair with the private key used for signing and the public key made available for verification. The representation of the public key, and the representation of the private key, are shown below.

{
    publicKeyMultibase: "z6MkrJVnaZkeFzdQyMZu1cgjg7k1pZZ6pvBQ7XJPt4swbTQ2",
    secretKeyMultibase: "z3u2en7t5LR2WtQH5PfFqMqwVHBeXouLzo6haApm8XHqvjxq"
}

Signing begins with a credential without an attached proof, which is converted to canonical form, and then hashed, as shown in the following three examples.

The next step is to take the proof options document, convert it to canonical form, and obtain its hash, as shown in the next three examples.

Assemble the signed credential with the following two steps:

Add the proofValue field with the previously computed base58-btc value to the proof options document.
Set the proof field of the credential to the augmented proof option document.

Proof Sets and Chains

Proof sets and chains are defined in the [[VC-DATA-INTEGRITY]]. We provide test vectors showing the creation of proof sets and chains with the `eddsa-rdfc-2022` cryptosuite. Multiple signers can be involved in the generation of proof sets and chains so multiple public/private key pairs are needed. These are shown below.

The original unsigned credential is shown below:

Proof Set

To demonstrate creating a proof set, we start with a document containing a single proof and add another proof to it. The starting document is shown below and contains a proof signed with `keyPair1`.

The `options` input to Section 4.4: Add Proof Set/Chain in [[VC-DATA-INTEGRITY]] is shown below. Note that it does not include a `previousProof` attribute since we are constructing a proof set and not a chain. In addition, we will be using `keyPair2` for signing.

Per the algorithm of Section 4.4: Add Proof Set/Chain in [[VC-DATA-INTEGRITY]], we create an array variable, `allProofs`, and add the proof from the starting document to it. Since there is no `previousProof` attribute, no modification of `unsignedDocument` is needed prior to computing the signed proof in step 6 of Section 4.4: Add Proof Set/Chain in [[VC-DATA-INTEGRITY]]. The signed proof configuration is shown below.

The signed proof `options` above gets appended to the `allProofs` variable, which then gets set as the `proof` attribute of the unsigned document to produce the final signed document as shown below.

Proof Chain with Multiple Dependencies

This collection of test vectors demonstrates the construction a proof chain. We start with a document containing a proof set, i.e., our previous example, and then add a new proof to the credential that has a dependency on the existing proofs. This example also demonstrates the case where the `previousProofs` attribute is an array. This example uses `keyPair3` and the starting document is given below.

The `options` input to Section 4.4: Add Proof Set/Chain in [[VC-DATA-INTEGRITY]] is shown below. Note that it includes a `previousProof` attribute since we are constructing a proof chain.

Per the algorithm of Section 4.4: Add Proof Set/Chain in [[VC-DATA-INTEGRITY]], we create an array variable, `allProofs`, and add the proofs from the starting document to it. Since the options contains the `previousProof` attribute, we compute the `matchingProofs` variable per step 4 of Section 4.4: Add Proof Set/Chain, and we set the `unsecuredDocument.proof` equal to the `matchingProofs`. This produces the document shown below.

In step 6, we use the previous document (unsecured document with previous proofs added to it) to compute the `proofValue` attribute. This gives the signed configuration options (proof) shown below:

The signed proof `options` above gets appended to the `allProofs` variable, which then gets set as the `proof` attribute of the unsigned document to produce the final signed document as shown below.

Extended Proof Chain

This collection of test vectors demonstrates construction of an extended proof chain. We start with the output of the previous section and add an additional proof that is dependent on one of the existing proofs. This example uses `keyPair4`, and the starting document is given below.

The `options` input to Section 4.4: Add Proof Set/Chain in [[VC-DATA-INTEGRITY]] is shown below. Note that it includes a `previousProof` attribute since we are constructing a proof chain, however this time it is a single value.

Per the algorithm of Section 4.4: Add Proof Set/Chain in [[VC-DATA-INTEGRITY]], we create an array variable, `allProofs`, and add the proofs from the starting document to it. Since the `options` contains the `previousProof` attribute, we compute the `matchingProofs` variable per step 4 of Section 4.4: Add Proof Set/Chain, and we set the `unsecuredDocument.proof` equal to the `matchingProofs`. This produces the document shown below.

In step 6, we use the previous document (unsecured document with previous proofs added to it) to compute the `proofValue` attribute. This gives the signed configuration options (proof) shown below:

The signed proof `options` above gets appended to the `allProofs` variable, which then gets set as the `proof` attribute of the unsigned document to produce the final signed document as shown below.

Introduction

Terminology

Data Model

Verification Methods

Multikey

Proof Representations

DataIntegrityProof

Algorithms

Instantiate Cryptosuite

eddsa-rdfc-2022

Create Proof (eddsa-rdfc-2022)

Verify Proof (eddsa-rdfc-2022)

Transformation (eddsa-rdfc-2022)

Hashing (eddsa-rdfc-2022)

Proof Configuration (eddsa-rdfc-2022)

Proof Serialization (eddsa-rdfc-2022)

Proof Verification (eddsa-rdfc-2022)

eddsa-jcs-2022

Create Proof (eddsa-jcs-2022)

Verify Proof (eddsa-jcs-2022)

Transformation (eddsa-jcs-2022)

Hashing (eddsa-jcs-2022)

Proof Configuration (eddsa-jcs-2022)

Proof Serialization (eddsa-jcs-2022)

Proof Verification (eddsa-jcs-2022)

Security Considerations

Security Properties of Ed25519 Implementations

Signature Security Properties

Achieving Ed25519 Security Properties

Privacy Considerations

Selective and Unlinkable Disclosure

The Ed25519Signature2020 Suite

Data Model

Verification Methods

Ed25519VerificationKey2020

Proof representations

Ed25519Signature2020

Algorithms

Ed25519Signature2020

Add Proof (Ed25519Signature2020)

Verify Proof (Ed25519Signature2020)

Transformation (Ed25519Signature2020)

Hashing (Ed25519Signature2020)

Proof Configuration (Ed25519Signature2020)

Proof Serialization (Ed25519Signature2020)

Proof Verification (Ed25519Signature2020)

Test Vectors

Representation: eddsa-rdfc-2022

Enhanced Example for Representation: eddsa-rdfc-2022

Representation: eddsa-jcs-2022

Representation: Ed25519Signature2020

Proof Sets and Chains

Proof Set

Proof Chain with Multiple Dependencies

Extended Proof Chain

Revision History

Acknowledgements