huddle 0.7.1: End-to-end DM key derivation via Ed25519→X25519 ECDH.
Both peers in a 1-1 DM derive the same 32-byte room key from their
long-term Ed25519 identity keys — no shared passphrase, no central
key agreement, no extra round-trip beyond MemberAnnounce for the
partner’s pubkey.
Steps:
- Ed25519 seed → X25519 secret. We hash the seed with SHA-512 and take the first 32 bytes; StaticSecret::from(bytes) performs the canonical X25519 clamping. This is the same conversion libsodium uses in crypto_sign_ed25519_sk_to_curve25519.
- Ed25519 pubkey → X25519 pubkey via the birational Edwards-to-Montgomery map (VerifyingKey::to_montgomery). Matches crypto_sign_ed25519_pk_to_curve25519.
- X25519 Diffie-Hellman gives a 32-byte shared secret.
- HKDF-SHA256 expands it to the room key, binding the result to the canonical DM room_id via the info parameter so this DM’s key can never collide with any other context.
The output replaces the Argon2id-derived passphrase_key in the
existing encrypted-room flow. The wrap / unwrap helpers in
crypto::passphrase accept any [u8; 32], so no other changes are
needed downstream — DMs and group rooms share the Megolm path.
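The four steps above worked through in plain Python, as an added example rather than huddle's own code (which uses the StaticSecret and VerifyingKey APIs named above). It assumes a zero HKDF salt, the DM room_id string as the HKDF info, and the RFC 8032 section 7.1 key pairs standing in for the two peers; the all-zero shared-secret guard is an extra check this page does not state huddle performs.

```python
import hashlib, hmac
P = 2**255 - 19  # field prime shared by Ed25519 and X25519

def clamp(b):  # canonical X25519 clamping, what StaticSecret::from(bytes) does
    k = bytearray(b[:32])
    k[0] &= 248
    k[31] = (k[31] & 127) | 64
    return int.from_bytes(k, "little")

def ed_seed_to_x25519_secret(seed):  # SHA-512(seed), first 32 bytes, clamp
    return clamp(hashlib.sha512(seed).digest())

def ed_pk_to_mont(pk):  # birational map u = (1 + y) / (1 - y); x sign bit dropped
    y = int.from_bytes(pk, "little") & ((1 << 255) - 1)
    return (1 + y) * pow(1 - y, -1, P) % P  # y == 1 (identity) raises ValueError

def x25519(k, u):  # Montgomery ladder from RFC 7748; a low-order u yields 0
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        if swap ^ kt:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return x2 * pow(z2, P - 2, P) % P

def hkdf_sha256(ikm, info, salt=bytes(32)):  # extract + one 32-byte expand block
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()

def derive_dm_key(my_seed, peer_ed25519_pk, room_id):
    # Both peers of a 1-1 DM reach the same 32-byte key; room_id goes into HKDF info.
    shared = x25519(ed_seed_to_x25519_secret(my_seed), ed_pk_to_mont(peer_ed25519_pk))
    if shared == 0:  # added guard (assumption): reject low-order peer points
        raise ValueError("degenerate X25519 shared secret")
    return hkdf_sha256(shared.to_bytes(32, "little"), room_id.encode())

# Constructed sample input: RFC 8032 section 7.1 key pairs stand in for Alice and Bob.
ALICE_SEED = bytes.fromhex("9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60")
ALICE_PK = bytes.fromhex("d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a")
BOB_SEED = bytes.fromhex("4ccd089b28ff96da9db6c346ec114e0f5b8a319f35aba624da8cf6ed4fb8a6fb")
BOB_PK = bytes.fromhex("3d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c")
ROOM_ID = "dm:alice:bob"  # placeholder; huddle's canonical DM room_id format is not shown here
```

Alice calls derive_dm_key(ALICE_SEED, BOB_PK, ROOM_ID) and Bob calls derive_dm_key(BOB_SEED, ALICE_PK, ROOM_ID); the two results are equal, and a different room_id gives an unrelated key.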
Functions
- derive_dm_key - Derive the symmetric DM room key from one side’s Ed25519 secret seed and the other side’s Ed25519 public key, plus the canonical DM room_id (which binds the key to this specific 1-1 channel).