apple
Support for Ed25519 → X25519 Key Conversion
New API Proposal: Ed25519 → X25519 Key Conversion
Motivation:
This conversion is necessary for the X3DH Key Agreement Protocol, which is used to establish end-to-end encrypted sessions using the Double Ratchet algorithm.
Importance:
The current package does not appear to expose functionality for performing this conversion. I was forced to use libsodium:
crypto_sign_ed25519_pk_to_curve25519(x25519_pk, ed25519_pk);
crypto_sign_ed25519_sk_to_curve25519(x25519_sk, ed25519_skpk);
Proposed API:
Curve25519.KeyAgreement.PrivateKey {
init(unsafeFromSigningPrivateKey key: Curve25519.Signing.PrivateKey) {...}
}
Curve25519.KeyAgreement.PublicKey {
init(unsafeFromSigningPublicKey key: Curve25519.Signing.PublicKey) {...}
}
Thanks for filing this!
This is an interesting use-case. My main concern is that I'm not entirely convinced that the operation's general utility is outweighed by its general riskiness. I'm not aware of any consistent threat modelling of how safe it is to perform this transformation, nor of any RFC that relies on it. So far the X3DH protocol seems to be the only use-case for it.
To that end I'm not sure we need to put it in this library: we should only do it if we expect it to be fairly widely used. I think it would be reasonable to see if the function can be offered in a separate overlay library to get a sense of how useful it is.
Good point, such conversion functions are usually annotated with warnings. If included, API should clearly state conversion have security implications.