4 releases
new 0.0.4 | Mar 28, 2025 |
---|---|
0.0.3 | Mar 27, 2025 |
0.0.2 | Mar 27, 2025 |
0.0.1 | Mar 27, 2025 |
#718 in Cryptography
88 downloads per month
15KB
178 lines
ed25519-dalek-hpke
Convenient HPKE encryption and decryption using ed25519-dalek
keys.
This crate provides a simple API to encrypt data for an ed25519-dalek
public key and decrypt it using the corresponding secret key. It handles the necessary key conversions (Ed25519 <-> X25519) internally, allowing you to work directly with your existing Ed25519 key types.
Features
- Simple API: Provides straightforward
encrypt
anddecrypt
functions. ed25519-dalek
Compatibility: Acceptsed25519_dalek::VerifyingKey
for encryption anded25519_dalek::SigningKey
for decryption.- Automatic Key Conversion: Converts Ed25519 keys to their X25519 counterparts as required by HPKE.
- Underlying Primitives: Uses
x25519-dalek
for key conversion and thehpke
crate for the HPKE implementation (using X25519, HKDF-SHA256, and ChaCha20Poly1305).
Security Warning
- EXPERIMENTAL: This library is experimental and has not undergone a formal security audit. Use it at your own risk.
- Ed25519 vs. X25519: Ed25519 is primarily a signature scheme. While the underlying curve allows for key exchange via conversion to X25519 (Montgomery form), using the same key pair for both signing and encryption can have security implications depending on your protocol. Consider using separate key pairs for signing and encryption if your security model allows it.
- Review the Code: Users are encouraged to review the source code and the dependencies (
hpke
,x25519-dalek
,ed25519-dalek
).
How it Works
-
Encryption (
encrypt
):- Takes an
ed25519_dalek::VerifyingKey
. - Converts the Ed25519 public key (Edwards curve point) to its corresponding X25519 public key (Montgomery u-coordinate) using
x25519-dalek
. - Uses the resulting X25519 public key with HPKE in base mode, which performs:
- Ephemeral key generation
- Key encapsulation (KEM) using X25519
- Key derivation (KDF) using HKDF-SHA256
- AEAD encryption using ChaCha20Poly1305
- Takes an
-
Decryption (
decrypt
):- Takes an
ed25519_dalek::SigningKey
. - Derives the X25519 static secret scalar from the Ed25519 secret key material using
x25519-dalek
. - Uses the resulting X25519 secret key with HPKE in base mode, which performs:
- Key decapsulation using the encapsulated key
- Key derivation (KDF) using HKDF-SHA256
- AEAD decryption using ChaCha20Poly1305
- Takes an
Security Considerations
- Key Management: Securely managing your
ed25519_dalek::SigningKey
is paramount. If the signing key is compromised, both signatures and encrypted messages can be compromised. - HPKE Implementation: The implementation follows RFC 9180 (HPKE) using the
hpke
crate with the following ciphersuites:- KEM: X25519_HKDF_SHA256
- KDF: HKDF_SHA256
- AEAD: ChaCha20Poly1305
- Key Separation Principle: As mentioned in the warning, cryptographic best practice often recommends using distinct keys for distinct cryptographic operations (signing vs. encryption). This library makes it possible to use Ed25519 keys for HPKE, but evaluate if it's appropriate for your security requirements.
Contributing
Contributions are welcome! Please feel free to submit issues and pull requests.
License
Licensed under either of
- Apache License, Version 2.0 (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)
- MIT license (LICENSE-MIT or http://opensource.org/licenses/MIT)
at your option.
Dependencies
~9.5MB
~154K SLoC