crypto_sign_seed_keypair + crypto_scalarmult_ed25519

[dylanetaft]

How would one get the ed25519 public key from the key returned by crypto_sign_seed_keypair ?
I want to do DH over ED25519.

If I you generate a "normal" ed25519 key without signing...,
randombytes_buf(sk, sizeof(sk)
crypto_scalarmult_ed25519_base(pk, sk) (this seems to clamp and do bit twiddling similar to crypto_sign_seed_keypair )

And then to derive a shared secret
crypto_scalarmult_ed25519(s, sk, remote_pk)
hash s with both PKs, and that's your shared secret for a symmetric cipher

Those keys are "clamped"

So the guide here shows you how to convert an ED25519 signing key to X25519
https://libsodium.gitbook.io/doc/advanced/ed25519-curve25519

It also shows how to grab the ed25519 secret key from the key from the sign key gen function
crypto_hash_sha512(crypto_sign_ed25519_sk_to_seed(ed25510_sk))[0..32].

How do you convert a public key from crypto_sign_seed_keypair into something that would work with crypto_scalarmult_ed25519 on a remote machine for DH, or would it already work as is?

I know the ED signing keys do a bunch of bit twiddling to make signing work right, includes an SHA512 key for deterministic signatures, ie no need to generate nonce

The example at https://libsodium.gitbook.io/doc/advanced/ed25519-curve25519 shows only the way to get the SK for use in crypto_scalarmult_ed25519, but not the PK.

The use case is offline, stateless encryption + signing, similar to PGP, with no forward secrecy.

Is the best way to do it to convert keys from ED25519 to X25519? Or can the public signing key be properly used with crypto_scalarmult_ed25519 with no changes?

I hear that some ed25519 edwards keys cannot be converted to montgomery x25519.

Internally
libsodium is doing this
ge25519_scalarmult_base is a different function than crypto_scalarmult_ed25519 so it makes me wonder if they are compatible as PKs? Different code paths, the ge one seems to use precalculations and optimizations.

int
crypto_sign_ed25519_seed_keypair(unsigned char *pk, unsigned char *sk,
                                 const unsigned char *seed)
{
    ge25519_p3 A;

    crypto_hash_sha512(sk, seed, 32);
    sk[0] &= 248;
    sk[31] &= 127;
    sk[31] |= 64;

    ge25519_scalarmult_base(&A, sk);
    ge25519_p3_tobytes(pk, &A);

    memmove(sk, seed, 32);
    memmove(sk + 32, pk, 32);

    return 0;
}

If there's anything funny or questionable about the different codepaths and incompatible behavior, I am inclined to generate a long term signing key and long term encryption key that are separate.

Or is converting the signing keys to X25519 for libsodium well understood and supported, and the best way, vs trying to use with crypto_scalarmult_ed25519, if I want a single keyset?

Nothing says I can't use both a long term ED25519 pub key and X25519 pub key as an identity though for my purpose. 64 bytes won't kill anyone.

I think I understand the basics here, but definitely not the math.

[jedisct1]

How would one get the ed25519 public key from the key returned by crypto_sign_seed_keypair ?

The crypto_sign_ed25519_sk_to_pk() function does exactly that.

But seed is the Ed25519 seed, not the Edwards25519 secret. See https://doc.libsodium.org/public-key_cryptography/public-key_signatures#notes and https://doc.libsodium.org/advanced/ed25519-curve25519#notes if you need to recover the Edwards25159 secret.

The FAQ has an entire section on signing and encrypting with a single key pair.

[dylanetaft]

Yea, I linked to that faq a few times. If you only have the PK from crypto_sign_seed_keypair - say someone generated a key and shared their PK - can that be used with crypto_scalarmult_ed25519 directly?

The FAQ and notes show how to convert the SK\seed for the local end, but not the shared PK for the remote end. It doesn't say anything about the PK from what I can see.

Do any conversions need to happen on the PK shared out from crypto_sign_seed_keypair before passing to crypto_scalarmult_ed25519 for DH?

Or said another way, does verify_detached work with the PK from crypto_sign_ed25519_sk_to_pk()? Is it the same PK that crypto_sign_ed25519_seed_keypair returns? It's not clear to me if the PK is in the right format for both verifying sigs and for scalermult_ed25519.

A bunch of folks on reddit go back and forth - saying converting keys is unnecessary and everyone jumps to it, just do DH over ED curve. Others say you need to convert. ChatGPT 4 seems to know how to use libsodium well enough, it thinks converting is the way.

[dylanetaft]

Or, like, really a question of, is there a difference between ge25519_scalarmult_base and crypto_scalarmult_ed25519_base? Does the former have code speedups for signing curves, and the latter works with all, or something? The former looks super internal. That's what's throwing me off, I can't tell if the PKs are in the same format since they're being generated with different functions entirely.

[jedisct1]

Once you have computed the edwards25519 scalar from the ed25519 seed, the output of crypto_scalarmult_ed25519_base() should be the same as the ed25519 public key.

But wouldn't it be easier just to use 64 byte public keys?

[jedisct1]

See the example code here:
https://doc.libsodium.org/quickstart#how-can-i-sign-and-encrypt-using-the-same-key-pair

[dylanetaft]

Thank you for taking the time to explain

[dylanetaft]

I went with using composite keys, x25519 for encryption, ed25529 through the signing key gen process for signing. Each key can do it's thing - 64 bit composite pub key.

It feels like the code path for that is best tested and also keeps each key doing one thing.

[jedisct1]

Perfect!