Comment by some_furry
12 days ago
What do you need Ed448 for? I've not seen much real world deployments of this algorithm, so I'm very curious about this.
Presumably one would want to use Ed448 in order to achieve, for session key establishment or for digital signing, a level of security comparable to using AES with a 256-bit key for encryption.
ED25519 has a level of security only comparable with AES with a 128-bit key.
Nowadays many prefer to use AES or similar ciphers with a 256-bit key for encryption, to guard against possible future advances, like the development of quantum computers. In such cases, ED25519 remains the component with the lowest resistance against brute force, but it is less common to use something better than it because of the increase in computational cost for session establishment.
> Presumably one would want to use Ed448 in order to achieve, for session key establishment or for digital signing, a level of security comparable to using AES with a 256-bit key for encryption.
Ed448 is an instantiation of EdDSA (the Edwards curve digital signature algorithm) over the Edwards448 curve (a Goldilocks curve), as defined in RFC 7748 and RFC 8032.
Key establishment would use X448 (formerly "Curve448") for Diffie-Hellman, although ECDH over Edwards448 is also (strictly speaking) possible.
Using Ed448 for key exchange is a TypeError.
But that's neither here nor there. I was asking about real world applications that need Ed448 specifically, not a vague question of how cryptography works.
Check my blog if you need a temperature check for my familiarity with the subject: https://soatok.blog/tag/security-guidance/
> ED25519 has a level of security only comparable with AES with a 128-bit key.
No. The whole notion of "security levels" is a military meme that doesn't actually meaningfully matter the way people talk about it.
There are about 2^252 possible Ed25519 public keys. Recovering a secret key from Pollard's rho takes about 2^126 or so computations (where each computation requires a scalar multiplication), and that's why people pair it with an equivalent "security level" as AES-128, but the only meaningful difference between the algorithms (besides their performance footprint) is security against multi-user attacks.
With a 256-bit AES key, you can have 2^40 users each choose 2^50 keys and still have a probability of key reuse below 2^-32.
With 128-bit AES keys, you don't have that guarantee. 2^90 keys is well beyond the birthday bound of a 128-bit function, which means the probability of two users choosing the same key is higher than 2^32. (It's actually higher than 50% at 2^90 out of 2^128.)
See also: https://soatok.blog/2024/07/01/blowing-out-the-candles-on-th...
However, despite the "security level" claims, Ed25519 has 2^252 keys. The multi-user security of Ed25519 (and X25519) is meaningfully on par with AES-256.
As things stand today, the 128-bit symmetric cryptography "security level" is unbreakable. You would need to run the entire Bitcoin mining network for on the order of a billion years to brute force an AES-128 key.
> Nowadays many prefer to use AES or similar ciphers with a 256-bit key for encryption, to guard against possible future advances, like the development of quantum computers.
This is a common misunderstanding. So common that I once made the same mistake.
128 bits are enough. https://words.filippo.io/post-quantum-age/#128-bits-are-enou...
Grover's attack requires a quantum circuit size of 2^106.
> In such cases, ED25519 remains the component with the lowest resistance against brute force, but it is less common to use something better than it because of the increase in computational cost for session establishment.
I do not understand what this sentence is trying to say.
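Added example, not part of the comment above or anyone's project code: a small Python script that carries the multi-user birthday-bound arithmetic from the comment through to numbers (2^40 users each drawing 2^50 keys, against 128-, 252- and 256-bit key spaces). It uses the standard approximation p ≈ 1 - exp(-N²/2M); the 2^252 key count for Ed25519 is the figure quoted in the comment, and the 2^-32 reuse budget is the one the comment uses.

```python
import math


def log2_collision_probability(n_keys_log2: float, keyspace_log2: float) -> float:
    """log2 of P(at least one repeated key) when 2**n_keys_log2 keys are drawn
    uniformly at random from a space of 2**keyspace_log2 values.

    Birthday approximation p ~= 1 - exp(-N^2 / (2M)), evaluated in the log
    domain so that tiny probabilities such as 2^-77 are reported instead of
    being rounded to 0.0 by float arithmetic.
    """
    x_log2 = 2 * n_keys_log2 - keyspace_log2 - 1  # log2 of N^2 / (2M)
    if x_log2 > 64:
        return 0.0  # p is indistinguishable from 1
    if x_log2 < -900:
        return x_log2  # p ~= x here, and 2.0**x_log2 would underflow
    x = 2.0 ** x_log2
    p = -math.expm1(-x)  # 1 - exp(-x), accurate even when x is tiny
    return math.log2(p)


def max_keys_log2_for_budget(keyspace_log2: float, budget_log2: float = -32) -> float:
    """log2 of how many keys may be drawn before P(reuse) exceeds 2**budget_log2.

    In the small-x regime p ~= N^2 / (2M), so N ~= sqrt(2 * M * p).
    """
    return (keyspace_log2 + 1 + budget_log2) / 2


def multi_user_reuse_within_budget(users_log2: float, keys_per_user_log2: float,
                                   keyspace_log2: float, budget_log2: float = -32) -> bool:
    """True if 2**users_log2 users each drawing 2**keys_per_user_log2 keys stay
    below a 2**budget_log2 probability of any two keys colliding."""
    total_keys_log2 = users_log2 + keys_per_user_log2
    return log2_collision_probability(total_keys_log2, keyspace_log2) <= budget_log2


if __name__ == "__main__":
    # Constructed scenario from the thread: 2^40 users x 2^50 keys = 2^90 keys.
    for name, bits in (("AES-128", 128), ("Ed25519 (~2^252 keys)", 252), ("AES-256", 256)):
        p_log2 = log2_collision_probability(90, bits)
        ok = multi_user_reuse_within_budget(40, 50, bits)
        limit = max_keys_log2_for_budget(bits)
        print(f"{name:22s} P(reuse) ~ 2^{p_log2:.1f}  within 2^-32 budget: {ok}"
              f"  keys allowed before budget: 2^{limit}")
```

Running the script shows the 2^90-key case sitting at essentially probability 1 for a 128-bit space but near 2^-77 and 2^-73 for the 256-bit and 2^252 spaces, which is the asymmetry the comment describes.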