Lib.rs

Cryptography
#key-exchange #ed25519 #ed25519-key #curve25519 #derived-key

no-std edx

ECDH key exchange using Ed25519 derived keys

Owned by Blair Noctis.

1 unstable release

new 0.1.0 Nov 17, 2024

#1720 in Cryptography

BSD-3-Clause

13KB
144 lines

edx: ECDH key exchange using ECDH derived keys

[crates.io(https://img.shields.io/crates/v/edx?style=for-the-badge&logo=rust)] [docs.rs(https://img.shields.io/docsrs/edx?style=for-the-badge)]

This is a toy project, it has NOT been subject to any cryptographic analysis or audit.

DO NOT USE IT IN ACTUAL COMMUNICATIONS YET!

What

Derive from Ed25519 keys and use these derived keys for ECDH key exchange.

See docs and an link:./examples/simple.rs[example] for its usage; and its link:./edx.en.adoc[specification].

Currently only key types from ed25519-dalek are supported. More could be added.

Why

Before Alice and Bob can begin encrypted communication, they must exchange encryption keys. They could do it in advance, giving each other a pre-generated key; or they could do it "just in time", just before the message(s) to be encrypted. Traditionally, non-interactive communications go with the former, and interactive ones go with the latter.

Interactive cases can get away with that; Alice and Bob are going to talk for many rounds, so one more round beforehand doesn't matter. On the other hand, non-interactive cases are annoyed by the the pre-generated keys: there is one more key to manage (in addition to the signing key), which has to be signed, so that's three pieces of data in one "key distribution"; their static nature means all communications are encrypted with the same shared key, which is frowned upon.

We attempt to solve this problem by introducing derived, "ephemeral" keys: instead of being pre-generated, encryption keys are derived from the signing key "just in time". There's only one key to distribute, and encryption keys are different every time.

How

Details are laid out in the link:./edx.en.adoc[spec]. Basically, first derive Alice's secret key, by adding the derive factor, as a clamped and reduced scalar, and derive Bob's public key, by adding the corresponding point of that scalar; then it's just plain old ECDH.

Acknowledgements

Thanks to the authors of the {curve25519,ed25519,x25519}-dalek crates, the first of which does all the heavy lifting. Without them this project would not exist.

Dependencies

~2–3.5MB
~77K SLoC