ed2curve

ed2curve.js

Convert Ed25519 signing key pair into Curve25519 key pair suitable for Diffie-Hellman key exchange. This means that by exchanging only 32-byte Ed25519 public keys users can both sign and encrypt with NaCl.

Note that there's currently no proof that this is safe to do. It is safer to share both Ed25519 and Curve25519 public keys (their concatenation is 64 bytes long).

Written by Dmitry Chestnykh in 2014-2016, using public domain code from TweetNaCl.js. Public domain. No warranty.

Thanks to @CodesInChaos and @nightcracker for showing how to convert Edwards coordinates to Montgomery coordinates.

Installation

Via NPM:

$ npm install ed2curve

or just download ed2curve.js or ed2curve.min.js and include it after TweetNaCl.js:

<script src="nacl.min.js"></script>
<script src="ed2curve.min.js"></script>

Usage

ed2curve.convertKeyPair(keyPair) -> convertedKeyPair | null

Converts the given key pair as generated by TweetNaCl.js's nacl.sign.keyPair into a key pair suitable for operations which accept key pairs generated by nacl.box.keyPair. This function is a combination of convertPublicKey and convertSecretKey.

Returns null if the public key in the given key pair is not a valid Ed25519 public key.

ed2curve.convertPublicKey(edPublicKey) -> curvePublicKey | null

Converts a 32-byte Ed25519 public key into a 32-byte Curve25519 public key and returns it.

Returns null if the given public key in not a valid Ed25519 public key.

ed2curve.convertSecretKey(edSecretKey) -> curveSecretKey

Converts a 64-byte Ed25519 secret key (or just the first 32-byte part of it, which is the secret value) into a 32-byte Curve25519 secret key and returns it.

Example

(Note: example uses tweetnacl-util to convert bytes)

// Generate new sign key pair.
var myKeyPair = nacl.sign.keyPair();

// Share public key with a peer.
console.log(myKeyPair.publicKey);

// Receive peer's public key.
var theirPublicKey = // ... receive

// Sign a message.
var message = nacl.util.decodeUTF8('Hello!');
var signedMessage = nacl.sign(message, myKeyPair.secretKey);

// Send message to peer. They can now verify it using
// the previously shared public key (myKeyPair.publicKey).
// ...

// Receive a signed message from peer and verify it using their public key.
var theirSignedMessage = // ... receive
var theirMessage = nacl.sign.open(theirSignedMessage, theirPublicKey);
if (theirMessage) {
  // ... we got the message ...
}

// Encrypt a message to their public key.
// But first, we need to convert our secret key and their public key
// from Ed25519 into the format accepted by Curve25519.
//
// Note that peers are not involved in this conversion -- all they need
// to know is the signing public key that we already shared with them.

var theirDHPublicKey = ed2curve.convertPublicKey(theirPublicKey);
var myDHSecretKey = ed2curve.convertSecretKey(myKeyPair.secretKey);

var anotherMessage = nacl.util.decodeUTF8('Keep silence');
var encryptedMessage = nacl.box(anotherMessage, nonce, theirDHPublicKey, myDHSecretKey);

// When we receive encrypted messages from peers,
// we need to use converted keys to open them.

var theirEncryptedMessage = // ... receive
var decryptedMessage = nacl.box.open(theirEncryptedMessage, nonce, theirDHPublicKey, myDHSecretKey);

Requirements

• Requires TweetNaCl.js
• Works in the same enviroments as it.

Other libraries

Some other libraries that can use a single Ed/Curve25519 key:

• agl/../extra25519 - Go (compatible with ed2curve)
• CodesInChaos/../MontgomeryCurve25519 - C# (compatible with ed2curve)
• nightcracker/ed25519 - C (compatible with ed2curve)
• libsodium - C (compatible with ed2curve)
• trevp/../curve_sigs - C (incompatible, as it converts the opposite way, and stores a sign bit of signing public key in a signature)