Score:3

Digital Signatures with Curve25519 key-pair

I have a public/private key pair of Curve25519 keys used by Wireguard.

How can I use this keypair to generate/verify digital signatures?

Preferably, I would like to use EdDSA/Ed25519 but I struggle to derive an Ed25519 keypair from the Curve25519 keys used by Wireguard.

Maarten Bodewes
You should be able to simply perform the public key derivation using the given private key value for EdDSA. The private key is just a single vector after all, and multiplying it with the base point of the right curve should give you the public key. I don't think that there are any differences w.r.t. the private key (it's not just a random in a range, there are some tricks in there) between Curve25519 and Ed25519, but anybody please correct me if I got that wrong.
it flag
Thanks for the suggestion. Unfortunately that would not allow me to use previously exchanged Curve25519 public-keys.
Maarten Bodewes
I've offered a bounty. Please note that negative answers should also be accepted when conclusive (enough).
Score:1
uz flag

I don't think it's possible to do what you are asking because of the way keys are generated for use in ECDH versus Ed25519.

Consider a Wireguard key pair (sk1, pk1). Note that sk1 is just 32 random bytes with the appropriate bits set/cleared (source) and that pk1 is derived from sk1 in the typical ECDH manner (source).

For Ed25519 signatures, you need to hash the 32 random bytes to produce 64 bytes, half of which are used to derive the public key and the other half of which are used when creating signatures.

So you could derive a private key sk2 from sk1 and use sk2 to create Ed25519 signatures. But based on the discussion in the comments, it sounds like you want to verify these signatures without access to sk1 (presumably at the other end of the Wireguard tunnel, which only has pk1). And since you can't derive sk1 from pk1, you can't calculate SHA512(sk1) from pk1. Therefore you can't derive pk2 from pk1 alone.

it flag
Thanks Eric D! That answers my question :) Do you know of any DSA which could use my existing key material?
Eric D
Unfortunately, I don't know of any way to safely use your existing keys for digital signatures given those constraints, but I'm fairly new to this stuff, so there might be techniques I'm unaware of.
Eric D
@SteffenVogel, I just came across this and haven't fully digested it, but I thought it might be of interest to you. If I understand the article correctly, Signal is using X25519/Curve25519 keys for signatures in its "XEdDSA" signature scheme: https://signal.org/docs/specifications/xeddsa/
it flag
Thanks, XEdDSA seems to be what I am looking for :)
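
The key mapping discussed in this thread, as an added example (not code from any poster, WireGuard or Signal): the RFC 8032 public key derived from a Curve25519 secret depends on SHA-512 of that secret, while the XEdDSA-style conversion gives the same Edwards public key to the signer (from sk1) and to a verifier holding only pk1. Function names are illustrative; it covers key conversion only, not signing, and the arithmetic is not constant-time.

```python
import hashlib

P = 2**255 - 19                                      # field prime
Q = 2**252 + 27742317777372353535851937790883648493  # prime group order
D = -121665 * pow(121666, -1, P) % P                 # edwards25519 constant d

def recover_x(y, sign):  # x from y on -x^2 + y^2 = 1 + d*x^2*y^2
    x2 = (y * y - 1) * pow(D * y * y + 1, -1, P) % P
    x = pow(x2, (P + 3) // 8, P)
    if (x * x - x2) % P:
        x = x * pow(2, (P - 1) // 4, P) % P
    return x if x & 1 == sign else P - x
BY = 4 * pow(5, -1, P) % P                           # base point y = 4/5
B = (recover_x(BY, 0), BY)

def add(p1, p2):  # complete affine addition on edwards25519 (a = -1)
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * pow(1 + t, -1, P) % P,
            (y1 * y2 + x1 * x2) * pow(1 - t, -1, P) % P)

def mul(k, pt):  # double-and-add scalar multiplication
    acc = (0, 1)
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def clamp(b):  # X25519 / Ed25519 bit clamping of 32 little-endian bytes
    return (int.from_bytes(b, "little") & ~7 & ((1 << 254) - 1)) | (1 << 254)
def encode(x, y):  # RFC 8032 encoding: y plus the sign (low) bit of x
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def x25519_public(sk):  # pk1: Montgomery u = (1 + y) / (1 - y)
    _, y = mul(clamp(sk), B)
    return ((1 + y) * pow(1 - y, -1, P) % P).to_bytes(32, "little")

def ed25519_public_rfc8032(seed):  # pk2: scalar comes from SHA-512(seed)
    x, y = mul(clamp(hashlib.sha512(seed).digest()[:32]), B)
    return encode(x, y)

def xeddsa_keypair(sk):  # signer: reuse the scalar, negate it if x is odd
    k = clamp(sk)
    x, y = mul(k, B)
    return ((Q - k) % Q if x & 1 else k % Q), encode(0, y)  # sign bit forced to 0

def xeddsa_public_from_x25519(pk):  # verifier: y = (u - 1) / (u + 1), sign 0
    u = int.from_bytes(pk, "little") & ((1 << 255) - 1)
    return encode(0, (u - 1) * pow(u + 1, -1, P) % P)
```
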