4

I'm writing an application where the users communicating know each others' ED25519 public keys, but are using ECDH to do the encryption handshake, and therefore are receiving an X25519 public key as part of the handshake (my application code is in Rust).

I thought it would make sense for the sender to use their Ed25519 private key as the private key for the handshake, and then, on the other end, we could validate the public key presented by taking their (known) Ed25519 public key, converting it to an X25519 public key, and compare them. This doesn't seem to be the case, however.

What I'm seeing is that, when I generate an X25519 public key from the Ed25519 private key bytes using the x25519 function from RFC7748 (I'm using the implementation in x25519_dalek in this case), I get a completely different value than if I convert the Ed25519 public key directly to an X25519 public key, which...is confusing me (clearly I'm missing something crucial here).

I've tried using the conversion functions from sodiumoxide and ed25519_to_curve25519, both of which give the same answer, which is completely different than if I do x25519(public_key_bytes).

Any help would be greatly appreciated!

Jack Lund
  • 81
  • 3

1 Answers1

4

Samuel Lucas's comment is the correct answer. I was assuming that you can use an ed25519 private key to derive the x25519 public key, but you can't (which should have been obvious, but wasn't, for some reason). The way it works is roughly this:

ed25519 private key ----> x25519 private key
      |                          |
      |                          |
      v                          v
ed25519 public key  ----> x25519 public key

I just didn't think that top step was necessary.

Anyway, thanks Samuel for the answer!!!

Jack Lund
  • 81
  • 3