Know this workshop and you can answer "why can't a signature be forged?" in your own words. To merely use it, Web Crypto does the work in one line—which is exactly why the underfloor is a pleasure reserved for those who want to look.
The core of the mechanism is "point addition" on a curve. From the result of repeating that addition hundreds of millions of times, working back to the original number of steps is, in today's mathematics, effectively impossible. The private key is how many times you added; the public key is the resulting point. Because you can't work backward, the seal can't be forged—a beautiful contrivance, and that's all it is.
Highlights
- The key is just 32 bytes long. Far shorter than an RSA key (hundreds of bytes), yet it holds equal or greater strength.
- All of the security rests on a single point: that the discrete logarithm problem is hard.
- Ed25519 is a deterministic signature—the same document yields the same signature every time. The classic accident, where a bad random draw leaks the secret, cannot happen by construction.
A passage from the sutra
const proofCanon = serialize(proofConfig);
const proofBytes = encoder.encode(proofCanon);
const proofDigest = await crypto.subtle.digest("SHA-256", proofBytes);
const digest = new Uint8Array(proofDigest.byteLength + msgDigest.byteLength);
digest.set(new Uint8Array(proofDigest), 0);
digest.set(new Uint8Array(msgDigest), proofDigest.byteLength);
const sig = await crypto.subtle.sign("Ed25519", privateKey, digest); Try it yourself
Each press of "Add G" draws a line through your point and G, finds the third place it meets the curve, and reflects across the x-axis — that is one addition. After k presses you stand at "kG": a public key. Your footprints (2G, 3G…) stay on the curve. Sometimes a hop leaps off the screen — still on the curve.