Can curve25519 keys be used with ed25519 keys?

Question

Can curve25519 keys be used with ed25519?

I'd prefer to use ed25519, but there isn't a fast java version. For my application, I'd like to use curve25519 until I can get a faster ed25519 for java.

At the very least can the curve25519 keys be restricted if some can be converted ed25519?

The problem is that you don't get the y part of the coordinate when using a montgomery ladder to compute the public key. — CodesInChaos, Jan 22 '14 at 20:26
This question appears to be off-topic since it turns out it’s more about asking for reference recommendations regarding Java libraries/implementations, instead of cryptography as defined in the help center. The fact that answers point to different libraries underlines this. Note: asking for reference recommendations related to libraries (including crypto-libs) are on-topic at SoftwareRecommendations.SE — e-sushi, Aug 04 '14 at 04:02

score 13 · Accepted Answer · edited Aug 04 '14 at 11:35

Trevor Perrin wrote a library doing exactly that. Explanation can be found on in the curves mailing list archives.

To convert a Curve25519 public key $x_C$ into an Ed25519 public key $y_E$, with a Ed25519 sign bit of $0$: $$y_E = \frac{x_C - 1}{x_C + 1} \mod 2^{255}-19$$ The Ed25519 private key may need to be adjusted to match the sign bit of $0$: if multiplying the Curve25519 private key by the Ed25519 base point yields a “negative” Ed25519 x-coordinate, then the private key must be negated modulo the order of the base point: $a_E = q - a_C$.

See Trevor Perrin's email and the ensuing thread for a security analysis.

score 5 · Answer 2 · edited Apr 13 '17 at 12:48

5

AFAIK, no. However, Ed25519 keys can be converted to Curve25519 keys. My Ed25519 library supports this (or well, it supports DH with Ed25519 keys).

Whether it is secure to use the same key for both signing and Diffie-Hellman, I don't exactly know. This answer suggests that it is very likely, but it still needs more study.

edited Apr 13 '17 at 12:48

Community

1

answered Jan 22 '14 at 20:34

orlp

4,230
20
29

Thank you nightcracker! I think I either have to use Curve25519 at this point or another digital signature algorithm unless if you can help with this. Thank you so very very much in advance! http://crypto.stackexchange.com/questions/12949/how-can-k3d3-ed25519-javas-performance-be-improved – Jan 22 '14 at 20:42
1

@Gracchus I think you should look into using a C library from Java - there are almost no cryptographers writing libraries in Java. – orlp Jan 22 '14 at 21:08
Thank you nightcracker! I've noticed. ;)) I do appreciate your help! – Jan 22 '14 at 21:33
2

@nightcracker Come again? Sun JCE, PKCS11 & JSSE + ECC. Then there are Bouncy Castle, IAIK libraries, BSAFE... If you want support for a specific curve, ask on the Bouncy mailing list! Or add it yourself of course! – Maarten Bodewes Jan 23 '14 at 15:21
@owlstead Sorry, I meant the cryptographers that develop the primitives themselves - they almost never release a Java library. There are a few "cryptography suites" as you've cited, that implement many primitives, but outside of those big suites there isn't much high-quality Java cryptography software available. This means that if you want to use modern cryptography, like Ed/Curve25519, ChaCha, Keccak, BLAKE, Poly1305, that you'll either have to implement it yourself or trust an often badly performing non-scrutinized third-party implementation. – orlp Jan 24 '14 at 08:06
E.g. I agree that I would have liked it more if those kind of primitives would be made available in Java. Keccak & Skein are inside the Bouncy libs. To be honest, I think Java is only behind C/C++ in this regard, and the default Java SE API contains a pretty good - if somewhat peculiar- interface and a lot of standardized algorithms. Writing in Java is a bit tricky because the signed bytes, immutable BigInteger class and lack of operator overloading makes it tricky to implement cryptographic algorithms compared to C/C++. – Maarten Bodewes Jan 24 '14 at 10:04
@nightcracker: With "Ed/Curve22519, Chacha, Keccak, Blake, Poly1305" you named examples of cryptographic primitives that actually seem to come with well-optimized implementations in C & ASM. :) – sellibitze Jan 25 '14 at 21:10
@sellibitze Eehm maybe you misunderstood me, that was exactly my point. – orlp Jan 26 '14 at 00:13
@nightcracker: It seems I did. Your last sentence "This means that if you want to use modern cryptography, like Ed/Curve25519, ChaCha, Keccak, BLAKE, Poly1305, that you'll either have to implement it yourself or trust an often badly performing non-scrutinized third-party implementation." sounds to me as if you were saying that there are no well-optimized implementations. But I guess you are talking about Java implementations only. – sellibitze Jan 26 '14 at 03:46

Can curve25519 keys be used with ed25519 keys?

2 Answers2

Linked