[kbaker]

> Also of note, is Ed25519 does not harden itself with additional "bits" in the normal RSA sense

Yes, it does, it is just not Ed25519 anymore, check out Curve448 and EdDSA-Ed448, same Edwards curve construction, more bits, more security. It's just that Ed25519 is plenty strong for many use cases.

Also, don't confuse the strength of the KDF with the strength of the curve itself as others have noted - Ed25519 is the same strength whether you hash your passphrase 1 or 50000 times. But with the 1 round your key might be easier to brute force if you have a weak passphrase.

[genr8]

I havent confused them. Its phrased like that to alert people they can't change the key strength by bit-ness, but they can change the KDF password-strength, on GENERATION, which is peoples first gateway into Ed25519. And X448 opens another can of worms, ssh-keygen still does not support that algo. OpenSSL 1.1.1 does, with: openssl genpkey -algorithm Ed448 but that doesn't relate to this discussion of use for SSH public keys. The support is very bare bones and only allows C code access meant for use in TLS servers, not SSH command line tools. They recently added EVP_PKEY_get_raw_public_key() relating to Ed25519/Ed448 but that doesnt help in actually running a command to generate these X448 algo Curve keys yourself for use in SSH keys.

So if you know how to use X448/Ed448 public/private keypairs with SSH, do tell.