jedisct1 / libsodium

A modern, portable, easy to use crypto library.
https://libsodium.org

crypto_sign_ed25519_pk_to_curve25519 is the opposite of Trevor's suggestion #1016

Closed aep closed 3 years ago

aep commented 3 years ago

I'm super confused how crypto_sign_ed25519_pk_to_curve25519 works.

Trevor Perrin suggested using the exact algorithm for the exact opposite direction: X25519 to Ed25519.

https://www.moderncrypto.org/mail-archive/curves/2014/000293.html

Does it work both ways, or is either of them wrong?

jedisct1 commented 3 years ago

Hi,

Yes, it works both ways. An Edwards25519 point has a Curve25519 equivalent and the other way round.

However, standard X25519 encodes a point just as one of the coordinates. The other coordinate is lost and cannot be calculated without having at least its sign.

Due to this, the Curve25519->Edwards25519 map requires non-standard encoding and a clunky dedicated signature API. And if all you have to start with is Curve25519, qDSA is a better alternative.

Ed25519, on the other hand, always encodes the sign of the other coordinate. The Edwards25519->Curve25519 map doesn't require non-standard encodings nor a different API.

Also take a look at the documentation, particularly "Do I need to add a signature to encrypted messages to detect if they have been tampered with?" and "How can I sign and encrypt using the same key pair?".
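The map discussed in the answer above, written out in Python as an added example (not part of the thread and not libsodium's code). It shows that an Ed25519 key and its negation collapse to the same X25519 key, so the reverse direction needs a sign bit supplied by the caller. The function names are hypothetical, and the code does none of the point validation a real conversion routine needs.

```python
"""Edwards25519 <-> Curve25519 public-key map (illustration, no point validation)."""

P = 2**255 - 19            # field prime shared by both curves
MASK = (1 << 255) - 1      # low 255 bits hold the encoded coordinate


def ed25519_pk_to_x25519(pk: bytes) -> bytes:
    """Edwards y -> Montgomery u = (1 + y) / (1 - y) mod p."""
    if len(pk) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    y = int.from_bytes(pk, "little") & MASK   # bit 255 (sign of x) is dropped
    if y >= P or y == 1:                      # y == 1 would divide by zero
        raise ValueError("not a convertible Ed25519 public key")
    u = (1 + y) * pow((1 - y) % P, -1, P) % P
    return u.to_bytes(32, "little")


def x25519_pk_to_ed25519(pk: bytes, x_sign: int) -> bytes:
    """Montgomery u -> Edwards y = (u - 1) / (u + 1) mod p.

    X25519 carries no sign for x, so the caller has to supply it
    (this is the non-standard part mentioned in the answer).
    """
    if len(pk) != 32 or x_sign not in (0, 1):
        raise ValueError("need 32 bytes and a sign bit of 0 or 1")
    u = (int.from_bytes(pk, "little") & MASK) % P
    if u == P - 1:                            # u == -1 would divide by zero
        raise ValueError("not a convertible X25519 public key")
    y = (u - 1) * pow((u + 1) % P, -1, P) % P
    return (y | (x_sign << 255)).to_bytes(32, "little")


# Ed25519 base point B (y = 4/5, sign bit 0) and -B (same y, sign bit 1).
ED_B = bytes.fromhex("58" + "66" * 31)
ED_NEG_B = bytes.fromhex("58" + "66" * 30 + "e6")
X_BASE = (9).to_bytes(32, "little")           # X25519 base point, u = 9

if __name__ == "__main__":
    # Two distinct Ed25519 keys, one X25519 key: the sign is lost.
    print(ed25519_pk_to_x25519(ED_B).hex())
    print(ed25519_pk_to_x25519(ED_NEG_B).hex())
    # Going back, the sign bit decides which Ed25519 key comes out.
    print(x25519_pk_to_ed25519(X_BASE, 0).hex())
    print(x25519_pk_to_ed25519(X_BASE, 1).hex())
```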

aep commented 3 years ago

Thanks for the clarification.

Unfortunately I couldn't find any maintained implementations of qDSA other than the really old reference, so I'll use the ugly signature hack or try to convert the system to Ed25519 where possible.