Support for seeding Ed25519 Private Keys

[foxxtrot]

I have a use case where it would be useful to be able to seed the Ed25519 Private Key and having WebCrypto calculate the Public Key. The use case is a recovery code, where the user will have a means to provide a string that would be decoded into the 32-byte Ed25519 Private Key, which they would be able to sign a challenge proposed by our server with which could be verified by the associated Public Key which would be stored on our backend.

While RFC 8032 § 5.1.5 does state that the Private Key should be fully random, and this is definitely more secure for typical use cases, being able to use the WebCrypto API for Public Key derivation, instead of needing recreate the Public Key Derivation in JavaScript would be useful for cases such as this where the Private Key may need to be easily re-derived.

[twiss]

Hi 👋 I agree that being able to derive a public key from a private key could potentially be useful, however, this would require a new method in SubtleCrypto, and should probably be designed to work for all algorithms that support it, including the existing ones in Web Crypto. So, it might be better to discuss this in https://github.com/w3c/webcrypto/.

[twiss]

P.S. For your specific use case, though, there are other more appropriate ways to achieve it, e.g. either just hashing the password and sending that to the server, or alternatively a PAKE (such as OPAQUE or SRP) can be used to prove that the user knows the password without revealing it to the server (if that's important for your use case).

[Frosne]

Hi all,
According to me, we already kinda have this functionality hidden. As when we generate a public/private key pair, I expect that we first generate a private key and then use a derive function to compute the public key. So, the question would be just whether it's complicated to expose this derivation function or not.

[twiss]

I think for Ed25519 you're right, but for the existing algorithms in Web Crypto it might be a bit more work, right? E.g. let's say that we define something like crypto.subtle.derivePublicKey(privateKey), and then you pass an RSA key object, it would be nice if it'd work as well. Of course it is also possible to implement that, but you might not have a function lying around for it, or do you?

In any case that is kind of why I think we should discuss it in https://github.com/w3c/webcrypto/, if we want to add a function for it 😊

[Frosne]

I think it should be like this for all EC algorithms.

But I agree with you. And we indeed should discuss in w3c if/when we have a good reason why to add the derivation function.

P.s. I think MLS needs it, but I am not sure that they gonna use WebCrypto though

[twiss]

I'll close this in favor of a discussion in https://github.com/w3c/webcrypto (please open an issue there if there's still interest!)

As an aside, @steveluscher indirectly points out in anza-xyz/solana-web3.js#47 that it's already possible to do this with:

// Export the private key as a JWK
const jwk = await crypto.subtle.exportKey('jwk', privateKey);

// Import the JWK as a public key
const publicKey = await crypto.subtle.importKey(
    'jwk',
    {
        crv /* curve */: 'Ed25519',
        ext /* extractable */: true,
        key_ops /* key operations */: ['verify'],
        kty /* key type */: 'OKP' /* octet key pair */,
        x /* public key x-coordinate */: jwk.x,
    },
    'Ed25519', /* algorithm */
    true, /* extractable */
    ['verify'], /* keyUsages */
);

although of course this only works for extractable keys. Nevertheless, this could solve most of the use case here, perhaps.

[steveluscher]

Indirectly sorry, @foxxtrot. I didn’t mean for my inefficient hack to become a reason why public key derivation might not be implemented at the platform level 😊