Jesse-V
commented
9 years ago IRC:
"Curve25519 public keys can be easily converted into Ed25519 public keys and vice versa (the equation is in the Ed25519 paper), and the private scalar will stay the same. But people will yell at you if you even consider doing such things. It's not necessarily insecure, but it's a weird scenario that might result in something bad. There are sometimes weird interactions when the same key is used for different algorithms. One classic example is using the same key for CBC and CBC-MAC"
"If you can establish a secure connection with Curve25519, you could use that to share a new Ed25519 public key, and people probably wouldn't yell at you for that."
"There actually is some work and common wisdom that says that DH and Schnorr sigs with the same key is not insecure, and Ed25519 is basically Schnorr, but whether that's true in the real world is less clear. Cryptographic security proofs have not always worked as expected."
Curve25519-Ed25519 public keys can be easily converted bidirectionally, private key stays the same, unknown if using Curve25519 for Ed25510-style signatures is a strong idea. Crypto guys might be unhappy with my usage of that. Peers might reject me.
Solution: propose that Tor use Ed25519 keys (which they will anyway) and suggest RSA as a fallback.