[bawolff]

> Also of note, is Ed25519 does not harden itself with additional "bits" in the normal RSA sense, it relies on "rounds" of KDF to apply more brute-force protection to the passphrase

That doesn't make sense. Key stretching your pass phrase, and the number of bits your key pair is, is totally separate. The reason people dont talk about number of bits in Ed25519, is that the security margins are higher and many of the more efficient algos for cryptoanalyzing this stuff dont work on elliptic curves, so you dont have to be constantly changing the key strength to keep up with better computers, its just always 256 bits.

[genr8]

Exactly, I was trying to point this out, that they were seperate. I only mention increasing the rounds of your passphrase in the same sentence because you do this when generating the key to increase security, and if you don't specify it, it gets overlooked. You don't have to specify any additional bits in the key strength, but you should specify additional rounds in the passphrase. Agreed they are unrelated reasons internally, but its a good way to add an additional level of protection.

[wizeman]

Except Ed25519 only has 128 bits of security, not 256

[bawolff]

I was under the impression the key size was 256 bits but the security level was 128 bits.

But IANA cryptographer.