0

Given an Ed25519 key pair, can you think of any way to get to the same X25519 public key from the Ed25519 secret as from the non-clamped(!) Ed25519 public key?

Ed25519 secret
    \=> Ed25519 non-clamped public
            \=> X25519 public (transported)

            v^ should match 

        /=> X25519 public (generated)
/=> X25519 secret (transported)



Ed25519 secret

My Stackoverflow question has some libsodium calls for further illustration.

What about the inverse:

X25519 secret
    \=> X25519 public (generated)
            \=> Ed25519 non-clamped public (transported)

            v^ should match 

        /=> Ed25519 non-clamped public (generated)
/=> Ed25519 secret (transported)



X25519 secret
user569825
  • 1
  • 3
  • Using the same key for different purposes is not recommended!. Besides the there is no isomorphism between the twisted Edward curve and Curve25519, they are bi-rationally equivalent means that some finite points are not mapped in forward and backward mappings. – kelalaka Nov 02 '23 at 10:03
  • Also, the Clamping removes the small orders and sets the higher bits to eliminate a possible side-channel attack. Now how can you map $n$ elements to $8n$ elements? The best is to keep it Clamped, and still not advised or you need to use exact rules https://crypto.stackexchange.com/a/42536/18298 – kelalaka Nov 02 '23 at 10:07
  • @kelalaka If you handle $\infty$ in Curve25519, Ed25519 and Curve25519 are isomorphic, I thought. The birational equivalence works for all Curve25519 points except $\infty$, and to complete the isomorphism you can set $\infty_{\text{Curve25519}} = {(0,1)}_{\text{Ed25519}}$. – Myria Nov 02 '23 at 21:56
  • @Myria if you are talking about the clamped yes, otherwise $(0,0)$ and $(0,1)$ – kelalaka Nov 03 '23 at 06:18
  • 1
    Every public key of X25519 constitutes 2 public keys for Ed25519. How are you gonna solve this in your implementation? – kelalaka Nov 07 '23 at 07:21

0 Answers0