briansmith / ring

Safe, fast, small crypto using Rust

Support conversion between X25519 and Ed25519 keypairs #760

Closed couchand closed 1 year ago

couchand commented 5 years ago

> usually you do not want to use the same keypair for both key agreement and signing, and ring enforces this by having separate types for agreement keys and signing keys. However, I know some people have tried to define protocols that use the same key for both. If you are implementing one of those then file a new issue describing (with a link) the protocol you are trying to implement.

While Double Ratchet per se doesn't use signatures, the X3DH key exchange algorithm does, and it is indeed described as using the same key for signing and agreement. See, for example, sections 3.2 and 3.3.

The details of the keys are more fully specified in another document, where this observation is made:

> Key reuse: It is safe to use the same key pair to produce XEdDSA and VXEdDSA signatures.
>
> In theory, under some circumstances it is safe to use a key pair to produce signatures and also use the same key pair within certain Diffie-Hellman based protocols [15]. In practice this is a complicated topic requiring careful analysis, and is outside the scope of the current document.

As far as I can tell (I'm certainly no expert), their XEdDSA signatures are just regular Ed25519 signatures. My Signal implementation (which uses quite the hodgepodge of crypto libraries) currently depends on the Dalek crates for this specific reason: the conversion is easy with them.

Signatures are relatively rare compared to key agreement and none of the keys except the identity key need to be used for signatures, so it would be preferred to store the X25519 keys and just convert to the signing format as needed.

I haven't had a chance to try it out yet, but it looks like this PR has what I'd need to update my example to ring, assuming the above discussion is resolved.

Originally posted by @couchand in https://github.com/briansmith/ring/pull/739/comment#issuecomment-454277978

briansmith commented 5 years ago

> In theory, under some circumstances it is safe to use a key pair to produce signatures and also use the same key pair within certain Diffie-Hellman based protocols [15]. In practice this is a complicated topic requiring careful analysis, and is outside the scope of the current document.

Do you know which document describes the safety of using the same key for X25519 and XEd25519 signatures?

> As far as I can tell (I'm certainly no expert), their XEdDSA signatures are just regular Ed25519 signatures.

See https://crypto.stackexchange.com/questions/62879/verifying-eddsa-signatures-using-xeddsa-verify-function for a succinct description of the difference.

My understanding is that you want to produce and verify XEd25519 signatures and use the same key for X25519 like Signal does. Assuming it is safe to use the same key for XEd25519 and X25519, we'd need to make a new XEd25519 signing algorithm (that shares ~99% of its code with Ed25519).

See also https://moderncrypto.org/mail-archive/curves/2016/000823.html and related messages.

One further complication is that there is no OID assigned for serializing such a dual-use (X25519+XEd25519) key in PKCS#8, so we'd need to make one up.

couchand commented 5 years ago

> Do you know which document describes the safety of using the same key for X25519 and XEd25519 signatures?

I haven't seen mention of one on that site. I'm not sure if the analysis for this protocol has been done elsewhere that I haven't seen.

> See https://crypto.stackexchange.com/questions/62879/verifying-eddsa-signatures-using-xeddsa-verify-function for a succinct description of the difference.

Thanks for that reference, that is a great answer.
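
The public-key half of the conversion this issue asks for, as an added example (not part of the thread, and not ring's or Dalek's code): the birational map between the Montgomery u-coordinate used by X25519 and the Edwards y-coordinate used by Ed25519. Function names are illustrative, and the sample keys are the two curves' standard base points.

```python
# Added example: public-key conversion between the X25519 (Montgomery u) and
# Ed25519 (Edwards y) encodings. Function names are illustrative, not ring's API.
# No on-curve or small-order checks are done here.
P = 2**255 - 19            # field prime shared by both curve forms
MASK = (1 << 255) - 1      # low 255 bits of a 32-byte encoding

# Constructed sample input: the standard base points of the two curves.
X_BASE = (9).to_bytes(32, "little")          # X25519 base point, u = 9
ED_BASE = bytes.fromhex("58" + "66" * 31)    # Ed25519 base point, y = 4/5, sign 0


def _inv(x: int) -> int:
    """Modular inverse in GF(P); zero has no inverse."""
    x %= P
    if x == 0:
        raise ValueError("point has no image under the birational map")
    return pow(x, P - 2, P)


def x25519_pub_to_ed25519_pub(u_bytes: bytes, sign: int = 0) -> bytes:
    """y = (u - 1) / (u + 1) mod P.

    The u-coordinate carries no sign for x, so the caller chooses the sign
    bit; XEdDSA fixes it to 0.
    """
    if len(u_bytes) != 32:
        raise ValueError("expected 32 bytes")
    u = int.from_bytes(u_bytes, "little") & MASK   # RFC 7748 ignores bit 255
    y = (u - 1) * _inv(u + 1) % P
    return (y | ((sign & 1) << 255)).to_bytes(32, "little")


def ed25519_pub_to_x25519_pub(ed_bytes: bytes) -> bytes:
    """u = (1 + y) / (1 - y) mod P.

    The sign bit of x is dropped, so A and -A give the same X25519 key.
    """
    if len(ed_bytes) != 32:
        raise ValueError("expected 32 bytes")
    y = int.from_bytes(ed_bytes, "little") & MASK  # bit 255 is the sign of x
    u = (1 + y) * _inv(1 - y) % P
    return u.to_bytes(32, "little")
```

Converting a private key is a separate step: XEdDSA's key-pair calculation also negates the scalar when the derived Edwards point has sign bit 1, which this block does not cover.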