ed25519

Edwards curves to be "safer" than secp256k1

secp256k1 has a small CM field discriminant

Slightly. Specifically, there are speedups to the rho method for some curves where |D| is very small, using fast "endomorphisms" derived from D.

This is not a complete break. The limits of these speedups are reasonably well understood, and the literature does not indicate any mechanism that could allow further speedups for small |D|. Pairing-based cryptography relies heavily on curves where |D| is small. It is conceivable that these curves are much easier to break, but it is also conceivable that curves with large |D| are much easier to break.

There is no evidence of serious problems with either small |D| or large |D|, but the security story is more complicated for small |D|. SafeCurves therefore requires large |D|.

secp256k1's parameters are not the absolute best

Incomplete addition formulas

One formula can be used with all pairs of possible inputs and also for doubling a point.

For elliptic curves, an addition formula is called complete if it correctly computes the sum of any two points in the group.

The need to validate which points can be added makes constant-time arithmetic difficult.
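Added example (not taken from SafeCurves or the other sources linked in these notes): the affine chord rule on secp256k1 is undefined for doubling and for P + (-P), while the twisted Edwards formula on edwards25519 handles every input pair with one expression. The function names are this example's own, the curve constants are the published secp256k1 and edwards25519 parameters, and Python integers are not constant time, so this shows only which inputs each formula accepts.

```python
# Added example: incomplete (Weierstrass chord) vs complete (twisted Edwards) addition.
P_W = 2**256 - 2**32 - 977            # secp256k1 field prime, curve y^2 = x^3 + 7
G_W = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
       0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
P_E = 2**255 - 19                     # edwards25519 prime, curve -x^2 + y^2 = 1 + d x^2 y^2
D_E = -121665 * pow(121666, -1, P_E) % P_E
B_E = (0x216936D3CD6E53FEC0A4E231FDD6DC5C692CC7609525A7B2C9562D608F25D51A,
       4 * pow(5, -1, P_E) % P_E)     # Ed25519 base point, y = 4/5
ID_E = (0, 1)                         # Edwards neutral element is an ordinary affine point

def on_weierstrass(pt):
    x, y = pt
    return (y * y - x**3 - 7) % P_W == 0

def on_edwards(pt):
    x, y = pt
    return (-x * x + y * y - 1 - D_E * x * x * y * y) % P_E == 0

def chord_add(p1, p2):
    """Affine chord rule: only defined when x1 != x2."""
    (x1, y1), (x2, y2) = p1, p2
    lam = (y2 - y1) * pow(x2 - x1, -1, P_W) % P_W   # ValueError if x1 == x2
    x3 = (lam * lam - x1 - x2) % P_W
    return x3, (lam * (x1 - x3) - y1) % P_W

def tangent_double(pt):
    """Separate tangent rule needed for P + P on a short Weierstrass curve."""
    x, y = pt
    lam = 3 * x * x * pow(2 * y, -1, P_W) % P_W
    x3 = (lam * lam - 2 * x) % P_W
    return x3, (lam * (x - x3) - y) % P_W

def chord_add_fails(p1, p2):
    try:
        chord_add(p1, p2)
    except ValueError:                # 0 has no inverse mod P_W
        return True
    return False

def edwards_add(p1, p2):
    """One formula for distinct points, doubling, inverses and the identity."""
    (x1, y1), (x2, y2) = p1, p2
    t = D_E * x1 * x2 * y1 * y2 % P_E
    x3 = (x1 * y2 + y1 * x2) * pow(1 + t, -1, P_E) % P_E
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, -1, P_E) % P_E
    return x3, y3
```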

Implementation issues

Ed25519 malleability vs libsodium

PartialOrd and Ord for keys

Side channel attacks on implementations of Curve25519 | Yuval Yarom and Daniel Genkin | RWC 2018

https://www.youtube.com/watch?v=mcEHVvcqUzU

References

USING ED25519 SIGNING KEYS FOR ENCRYPTION

How do Ed25519 keys work?

https://gyazo.com/8a821be152eed40a023cdb180e35ce45

Verifying EdDSA signatures using xedDSA verify function.