Can curve25519 keys be used with ed25519?
I'd prefer to use ed25519, but there isn't a fast java version. For my application, I'd like to use curve25519 until I can get a faster ed25519 for java.
At the very least can the curve25519 keys be restricted if some can be converted ed25519?
Trevor Perrin wrote a library doing exactly that. Explanation can be found on in the curves mailing list archives.
To convert a Curve25519 public key $x_C$ into an Ed25519 public key $y_E$, with a Ed25519 sign bit of $0$: $$y_E = \frac{x_C - 1}{x_C + 1} \mod 2^{255}-19$$ The Ed25519 private key may need to be adjusted to match the sign bit of $0$: if multiplying the Curve25519 private key by the Ed25519 base point yields a “negative” Ed25519 x-coordinate, then the private key must be negated modulo the order of the base point: $a_E = q - a_C$.
See Trevor Perrin's email and the ensuing thread for a security analysis.
AFAIK, no. However, Ed25519 keys can be converted to Curve25519 keys. My Ed25519 library supports this (or well, it supports DH with Ed25519 keys).
Whether it is secure to use the same key for both signing and Diffie-Hellman, I don't exactly know. This answer suggests that it is very likely, but it still needs more study.
