Deriving a common secret from two sr25519 keypairs (static Diffie–Hellman)

[ERussel]

Hello! We have a setting with two peers who each know the other’s sr25519 public key (as a Polkadot account ID).

What we’d like to do is derive a shared secret between them, i.e. perform a static Diffie–Hellman based on their sr25519 keypairs.

Questions:
1. Does schnorrkel currently provide an out-of-the-box function to derive such a common secret?
2. If not, would it be safe to use an external crate such as ristretto255-dh for the actual key derivation?

We want to make sure we’re handling the scalars and points correctly and not missing any subtleties in schnorrkel’s key structure.

[burdges]

Avoid purely static-static key exchanges unless you really know what you're doing. It's way too likely one since gets compromised eventually.

It kinda exists in https://github.com/w3f/schnorrkel/blob/master/src/aead.rs but..

It's not done particularly well: I claim 2DH there but it only uses an ephemeral from one side: static reciever vs ephemeral+static sender should be the minimum. I need some mechanism for the reply that obtains obtain ephemeral+static vs ephemeral+static, but then one quickly winds up in Noise land.

It's not using merlin too well either and should be cleaned up: https://github.com/w3f/schnorrkel/blob/master/src/aead.rs#L50 https://github.com/w3f/schnorrkel/blob/master/src/aead.rs#L145. We should fix those before deploying anything.

I think ristretto255-dh looks lower level, but does little. It makes you invoke the AEAD correctly, which historically includes many if not most fuck ups, but the aead crate seems reasonable miss-use resistant.

What is it you wish to do? Feel free to contact me on element.