Likelihood of signature collision with EdDSA

Can we provably state that for a given payload and given private key, there is only one valid signature in the 512-bit signature space?

No. If you consider EdDSA verification a legitimate signer can generate more than one signature of a given message, and all will pass EdDSA verification. However, only the signature generated with the EdDSA signing procedure will pass cofactorless verification.

More details about how to generate alternative valid signatures are provided in this answer.

Regarding the more broader question:

Taking EdDSA as an example, given the length of a signature is 512-bits for a given data payload, what is the probability of a collision where there is another 512-bit value that is also a valid signature?

Requiring specifically to pass cofactorless verification only (to avoid the other valid signatures generated by the above technique), there should be a valid $S$ for each possible value of $r$. Since $R$ depends fully on $r$, and $0 \le r < L$, there are at least $L$ possible valid signatures, where $L$ is the order of the large prime subgroup. For ed25519, $L = 2^{252}+27742317777372353535851937790883648493$

Solved by user15312 (6,319 )
Jul 06, 2020 at 12:48