Convert Ed25519 signing key pair into Curve25519 key pair suitable for Diffie-Hellman key exchange. This means that by exchanging only 32-byte Ed25519 public keys users can both sign and encrypt with NaCl.
Note that there's currently no proof that this is safe to do. It is safer to share both Ed25519 and Curve25519 public keys (their concatenation is 64 bytes long).
Written by Dmitry Chestnykh in 2014-2016, using public domain code from TweetNaCl.js. Public domain. No warranty.
Thanks to @CodesInChaos and @nightcracker for showing how to convert Edwards coordinates to Montgomery coordinates.
Via NPM:
$ npm install ed2curve
or just download ed2curve.js
or ed2curve.min.js
and include it after
TweetNaCl.js:
<script src="nacl.min.js"></script>
<script src="ed2curve.min.js"></script>
Converts the given key pair as generated by
TweetNaCl.js's nacl.sign.keyPair
into a key pair suitable for operations which accept key pairs generated by
nacl.box.keyPair
. This function is a combination of convertPublicKey
and convertSecretKey
.
Returns null
if the public key in the given key pair is not a valid
Ed25519 public key.
Converts a 32-byte Ed25519 public key into a 32-byte Curve25519 public key and returns it.
Returns null
if the given public key in not a valid Ed25519 public key.
Converts a 64-byte Ed25519 secret key (or just the first 32-byte part of it, which is the secret value) into a 32-byte Curve25519 secret key and returns it.
(Note: example uses tweetnacl-util to convert bytes)
// Generate new sign key pair.
var myKeyPair = nacl.sign.keyPair();
// Share public key with a peer.
console.log(myKeyPair.publicKey);
// Receive peer's public key.
var theirPublicKey = // ... receive
// Sign a message.
var message = nacl.util.decodeUTF8('Hello!');
var signedMessage = nacl.sign(message, myKeyPair.secretKey);
// Send message to peer. They can now verify it using
// the previously shared public key (myKeyPair.publicKey).
// ...
// Receive a signed message from peer and verify it using their public key.
var theirSignedMessage = // ... receive
var theirMessage = nacl.sign.open(theirSignedMessage, theirPublicKey);
if (theirMessage) {
// ... we got the message ...
}
// Encrypt a message to their public key.
// But first, we need to convert our secret key and their public key
// from Ed25519 into the format accepted by Curve25519.
//
// Note that peers are not involved in this conversion -- all they need
// to know is the signing public key that we already shared with them.
var theirDHPublicKey = ed2curve.convertPublicKey(theirPublicKey);
var myDHSecretKey = ed2curve.convertSecretKey(myKeyPair.secretKey);
var anotherMessage = nacl.util.decodeUTF8('Keep silence');
var encryptedMessage = nacl.box(anotherMessage, nonce, theirDHPublicKey, myDHSecretKey);
// When we receive encrypted messages from peers,
// we need to use converted keys to open them.
var theirEncryptedMessage = // ... receive
var decryptedMessage = nacl.box.open(theirEncryptedMessage, nonce, theirDHPublicKey, myDHSecretKey);
- Requires TweetNaCl.js
- Works in the same enviroments as it.
Some other libraries that can use a single Ed/Curve25519 key:
- agl/../extra25519 - Go (compatible with ed2curve)
- CodesInChaos/../MontgomeryCurve25519 - C# (compatible with ed2curve)
- nightcracker/ed25519 - C (compatible with ed2curve)
- libsodium - C (compatible with ed2curve)
- trevp/../curve_sigs - C (incompatible, as it converts the opposite way, and stores a sign bit of signing public key in a signature)