Yes, Ed25519 is still secure. The paper describes an attack against hardware processing Ed25519 signatures. It is not a cryptographic attack against the algorithm itself. As explained here, a fault attack (also called a glitching attack) involves trying to confuse a processor while it is processing cryptographic material to cause it to glitch in a way that leaks internal information sufficient to reconstruct the private key. Unless someone is hooking up electrical probes to your CPU, the attack does not affect you at all.
The attack involves hooking up a device to the CPU and "glitching" it, for example by feeding it too much or too little voltage at specific times. If the glitch occurs while cryptographic material is being processed, it is possible to discover information about the key by observing the results of the glitching. It is a very invasive procedure, as you can see in this photo of the attack being performed:
From the text describing this picture:
We demonstrated it on an Arduino Nano, using the Arduino Libs’ Crypto Ed25519 implementation and simple voltage glitches. We were able to cause single byte random errors at the end of the computation of H(R,A,M), allowing us to efficiently brute-force the error location and value, thus recovering half of the secret key.
So why is this attack newsworthy? The answer is simply that not every use of Ed25519 occurs on a machine that you have full control over. For example, secure embedded devices, such as smart cards, might fall into adversarial hands. These devices are designed to be secure and not reveal their private key even if you have physical access to them, so it would be bad if you could steal the private key just by monitoring the device while you feed it an incorrect voltage! This attack does not mean that every use of Ed25519 is doomed to be vulnerable to a fault attack, just that each implementation must apply mitigations to avoid this issue in situations where it is relevant.
You seem confused about a few things. Bear with me, this is a very common confusion!
Encryption is defined with the intent of confidentially transporting information: if you encrypt information, it is meant to be hidden until decrypted by the receiving party. Note that in your pseudo code
hash = doHash(message)
signature = doAsymetricEncrypt(hash, privateKey)
hash == doAsymetricDecrypt(signature, publicKey) //true
... it is impossible to retrieve messagesignaturehashpublicKey
A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents (wikipedia). Note that this is never defined in terms of encryption. Let me stress this: if you have a teacher that claims that "a signature is an encryption with a private key", they are wrong. If you have a book that claims this, throw it out, burn it -- don't give it away, because it clearly causes confusion -- and get a better book. Encryption is for confidentiality, signatures are for authenticity.
That said: the source of this confusion is in the mathematics of RSA. In RSA (and not in ECC!), the operator for text-book signatures is the same operator as for encryption, with the key material swapped. Note that the mathematical operation is the same thing, not that signatures "are encryption with the key swapped", although they look like they do. Also note that this is for text-book RSA, which is never deployed as-is, but requires padding and randomization that is different between signatures and encryption.
So, while your pseudo-code might or might not work with RSA (depending on the library you use), it will not be secure at all, and will simply not work with ECC because the key material cannot be swapped, because the mathematics behind it simply do not support it.
Now, to finally answer your question, encryption with elliptic curves exists, is widely used, and is called ECIES. It indeed boils down to a Diffie-Hellman exchange and using a symmetric algorithm afterwards. There is also ElGamal encryption, if you have very short messages.
It is another question whether it is secure to reuse the same key for ECIES and EdDSA signatures at the same time though.
Yes, Ed25519 provides the existential unforgeability property. There is a nice work that studies the different variants of Ed25519 signatures
https://eprint.iacr.org/2020/823.pdf
As specified in that document, the different variants of ed25519 provide different security properties, but all are existentially unforgeable under chosen message attacks.
Indeed, as you point out, if an adversary could forge valid signatures to messages not signed by the key owner, the security of the blockchain could be compromised.
"Which is more secure" is not the best question to ask. All of them are sufficiently secure as long as:
ECDSA and Ed25519 are based on elliptic curves. Their advantage is that they can achieve the same security target with shorter keys than RSA requires, which translates to better performance. 256-bit elliptic curve keys are generally understood to provide similar security to 128-bit symmetric ciphers like AES-128. With RSA, 2,048-bit keys are considered the current minimum safe key size, providing something like 112-bit security (which no less secure in practice than 128-bit security).
The KeyLength site has various recommendations for key size for these algorithms.
Ed25519 is newer than ECDSA. Its main advantages are speed, simplicity and foolproofing: both are secure if used correctly, but ECDSA is harder to use correctly. The most famous ECDSA failure is the Sony PS3 signature bug, which was caused because Sony's programmers implemented ECDSA incorrectly. Ed25519 is not vulnerable to the mistake Sony's programmers made, nor to some other "gotchas" that ECDSA implementations are.
So Ed25519 is widely held to be the best of the three, because it provides:
...but none of these factors should stop you from using ECDSA or RSA if, for example, you're using a system where one of these is available but Ed25519 isn't. Likewise if you have a system that uses RSA or ECDSA, it probably doesn't make sense to upgrade it to Ed25519. Also RSA and ECDSA has NIST and NSA approval and Ed25519 doesn't, so if that matters to you then Ed25519 is out.
The cipher/algorithm used for ssh keys is independent of the algorithm/ciphers used for encrypting the session/connection.
So a faster key algorithm will only speed up operations relating to key generation and validation, i.e. authenticating and establishing a session.
For faster or more secure transfer speeds, you can tune the preferred Cipherssshd_config-c cipher_spec
You can test on your own machine how for example how RSA 1024, 2048 and 4096 compare in that regard with ed25519 using openssl speed rsa1024 rsa2048 rsa4096 ecdsap256 ed25519
sign verify sign/s verify/s
rsa 1024 bits 0.000078s 0.000006s 12852.6 175638.7
rsa 2048 bits 0.000519s 0.000016s 1926.4 62959.0
rsa 3072 bits 0.001570s 0.000033s 636.8 30670.3
rsa 4096 bits 0.003496s 0.000055s 286.1 18200.7
256 bits ecdsa (nistp256) 0.0000s 0.0001s 41044.8 16044.8
253 bits EdDSA (Ed25519) 0.0000s 0.0001s 21079.9 9383.2
