Module dm

huddle 0.7.1: End-to-end DM key derivation via Ed25519→X25519 ECDH.

Both peers in a 1-1 DM derive the same 32-byte room key from their long-term Ed25519 identity keys — no shared passphrase, no central key agreement, no extra round-trip beyond MemberAnnounce for the partner’s pubkey.

Steps:

  1. Ed25519 seed → X25519 secret. We hash the seed with SHA-512 and take the first 32 bytes; StaticSecret::from(bytes) performs the canonical X25519 clamping. This is the same conversion libsodium uses in crypto_sign_ed25519_sk_to_curve25519.
  2. Ed25519 pubkey → X25519 pubkey via the birational Edwards-to-Montgomery map (VerifyingKey::to_montgomery). Matches crypto_sign_ed25519_pk_to_curve25519.
  3. X25519 Diffie-Hellman gives a 32-byte shared secret.
  4. HKDF-SHA256 expands it to the room key, binding the result to the canonical DM room_id via the info parameter so this DM’s key can never collide with any other context.

The output replaces the Argon2id-derived passphrase_key in the existing encrypted-room flow. The wrap / unwrap helpers in crypto::passphrase accept any [u8; 32], so no other changes are needed downstream — DMs and group rooms share the Megolm path.
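The four steps above, written out as an added example in stdlib-only Python (this is not the crate's own code). It reproduces the seed and public-key conversions, the Diffie-Hellman step and the HKDF binding so both peers can be checked to land on the same key; the DH value is computed as scalar multiplication on the Edwards curve followed by the same Edwards-to-Montgomery map, which is exactly the u-coordinate X25519 returns. The HKDF salt (empty), the "huddle-dm:" info label, the seeds and the room_id are assumptions or constructed values, not taken from the crate.

```python
import hashlib, hmac

P = 2**255 - 19                        # field prime shared by Curve25519 and Ed25519
D = -121665 * pow(121666, -1, P) % P   # Ed25519 curve constant d
BX = 15112221349535400772501151409588531511454012693041857206046113283949847762202
BY = 46316835694926478169428394003475163141307993866256225615783033603165251855960
B = (BX, BY, 1, BX * BY % P)           # RFC 8032 base point, extended coords (X, Y, Z, T)
MASK255 = (1 << 255) - 1               # strips the x-sign bit from an encoded Ed25519 key

def _add(p, q):  # unified twisted-Edwards (a = -1) addition, RFC 8032 section 5.1.4
    x1, y1, z1, t1 = p; x2, y2, z2, t2 = q
    a = (y1 - x1) * (y2 - x2) % P; b = (y1 + x1) * (y2 + x2) % P
    c = 2 * t1 * t2 * D % P; d = 2 * z1 * z2 % P
    e, f, g, h = b - a, d - c, d + c, b + a
    return (e * f % P, g * h % P, f * g % P, e * h % P)
def _mul(s, p):  # double-and-add scalar multiplication (not constant time; demo only)
    q = (0, 1, 1, 0)
    while s:
        if s & 1: q = _add(q, p)
        p, s = _add(p, p), s >> 1
    zi = pow(q[2], -1, P)
    return q[0] * zi % P, q[1] * zi % P  # affine (x, y)
def _decode(pk):  # encoded Ed25519 public key -> Edwards point, RFC 8032 section 5.1.3
    y = int.from_bytes(pk, "little") & MASK255
    x2 = (y * y - 1) * pow(D * y * y + 1, -1, P) % P
    x = pow(x2, (P + 3) // 8, P)
    if x * x % P != x2: x = x * pow(2, (P - 1) // 4, P) % P
    if (x & 1) != (pk[31] >> 7): x = P - x
    return (x, y, 1, x * y % P)
def _to_u(y): return (1 + y) * pow((1 - y) % P, -1, P) % P  # Edwards y -> Montgomery u (to_montgomery)

def ed25519_sk_to_x25519(seed):  # step 1: SHA-512(seed)[:32] with X25519 clamping
    k = int.from_bytes(hashlib.sha512(seed).digest()[:32], "little")
    return (k & ((1 << 254) - 8)) | (1 << 254)  # identical to the Ed25519 secret scalar a
def ed25519_public_key(seed):  # A = a*B, encoded as y with the parity of x in bit 255
    x, y = _mul(ed25519_sk_to_x25519(seed), B)
    return (y | ((x & 1) << 255)).to_bytes(32, "little")
def ed25519_pk_to_x25519(pk): return _to_u(int.from_bytes(pk, "little") & MASK255)  # step 2
def x25519_shared(k, pk):  # step 3: u of k*A, which is what X25519(k, to_montgomery(A)) returns
    return _to_u(_mul(k, _decode(pk))[1])
def hkdf_sha256(ikm, info, length=32):  # step 4: RFC 5869 with zero salt, first expand block
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()[:length]
def derive_dm_key(my_seed, partner_pk, room_id):  # the "huddle-dm:" info label is an assumption
    u = x25519_shared(ed25519_sk_to_x25519(my_seed), partner_pk)
    return hkdf_sha256(u.to_bytes(32, "little"), b"huddle-dm:" + room_id)

ALICE_SEED, BOB_SEED = hashlib.sha256(b"alice").digest(), hashlib.sha256(b"bob").digest()  # constructed
ROOM_ID = b"!dm-room-id-placeholder"  # stands in for the canonical DM room_id
```

Calling derive_dm_key(ALICE_SEED, ed25519_public_key(BOB_SEED), ROOM_ID) and derive_dm_key(BOB_SEED, ed25519_public_key(ALICE_SEED), ROOM_ID) yields the same 32 bytes, while any other room_id yields a different key.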

Functions

derive_dm_key
Derive the symmetric DM room key from one side’s Ed25519 secret seed and the other side’s Ed25519 public key, plus the canonical DM room_id (which binds the key to this specific 1-1 channel).
derive_dm_key_hybrid_initiator
huddle 1.3: initiator side of the hybrid (X25519 + ML-KEM-768) DM key agreement. The initiator — by convention the peer whose fingerprint sorts lower — encapsulates a fresh ML-KEM secret to the partner’s published encapsulation key, mixes it with the classical X25519 secret, and gets the DM wrap key plus the KEM ciphertext to transmit to the partner.
derive_dm_key_hybrid_responder
huddle 1.3: responder side of the hybrid DM key agreement. The responder — the higher-fingerprint peer — decapsulates the initiator’s KEM ciphertext with its own ML-KEM keypair, mixes the recovered secret with the same classical X25519 secret, and arrives at the identical DM wrap key.
must_refuse_classical_fallback
huddle 2.0: downgrade guard for the DM classical (X25519-only) fallback.