Ed448
Registry Context
Ed448 identifies Ed448 signature key pairs represented as OKP JWKs and used with EdDSA. It must not be used for ECDH-ES.
Technical Summary
RFC 8037 defines Ed448 as an OKP key subtype for the EdDSA signature algorithm. An Ed448 JWK follows the OKP parameter requirements, and the subtype MUST NOT be used for ECDH-ES.
When Used
When representing an Ed448 public or private key as a JWK for EdDSA signatures.
Normative Requirements
An Ed448 JWK
RFC 8037 - Section 2
set the kty parameter to "OKP".
The parameter "kty" MUST be "OKP".
RFC 8037 - Section 2
include the crv parameter with the registered key subtype.
The parameter "crv" MUST be present and contain the subtype of the key.
RFC 8037 - Section 2
include the x parameter containing the base64url-encoded public key.
The parameter "x" MUST be present and contain the public key encoded using the base64url encoding.
An Ed448 private JWK
RFC 8037 - Section 2
include the d parameter containing the base64url-encoded private key.
Condition: When the JWK contains a private key
The parameter "d" MUST be present for private keys and contain the private key encoded using the base64url encoding.
An Ed448 public JWK
RFC 8037 - Section 2
include the d parameter.
Condition: When the JWK contains only a public key
This parameter MUST NOT be present for public keys.
An implementation performing Ed448 key generation or batch signature verification
RFC 8037 - Section 4
use a well-seeded cryptographic random number generator.
Condition: When performing key generation or batch signature verification
If key generation or batch signature verification is performed, a well-seeded cryptographic random number generator is REQUIRED.
The Ed448 key subtype
RFC 8037 - Section 3.1
be used for Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES).
These subtypes MUST NOT be used for Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES).
Validation Guidance
Reject an Ed448 JWK unless kty is "OKP".
Reject an Ed448 JWK that omits crv or whose crv value does not identify its registered key subtype.
Reject an Ed448 JWK that omits x or whose x value is not a base64url-encoded public key.
Require a base64url-encoded d parameter for an Ed448 private JWK, and reject d in an Ed448 public JWK.
Reject use of the Ed448 subtype with ECDH-ES.
Use EdDSA as the signing algorithm for Ed448 keys.
Ensure a well-seeded cryptographic random number generator is used for Ed448 key generation or batch signature verification.
Security Notes
RFC 8037 - Section 4
Keep key material associated with its key subtype and verify algorithm compatibility; mixing incompatible algorithms can enable attacks.
RFC 8037 - Section 4
Ed448 signatures bind the signing key, but implementations must not assume that all signature algorithms provide this property.
Reference
Details
- Entry Id
Ed448- Curve Name
Ed448- Curve Description
Ed448 signature algorithm key pairs- Jose Implementation Requirements
Optional- Change Controller
IESG- Reference
RFC8037 - Section 3.1