Audit codebase for "unescorted" ed25519 secret keys
@nickm points out that it may be a good idea to make sure our APIs always work with ed25519 keypair objects rather than separate PublicKey/SecretKey arguments:
I'd like to avoid taking "unescorted" ed25519 secret keys anywhere; IMO they should always be attached to a public key as a single keypair object.
The issue here is that, due to the way that ed25519 generates nonces, if we ever use a mismatched public key, we're at risk of a nonce reuse attack. (See for example https://moderncrypto.org/mail-archive/curves/2020/001012.html.)
Maybe this implies that we should audit our ed25519 APIs and make it so that nothing that does signing takes SecretKey on its own?
When we do this we should also search the code for TODO #798. The first one of these is being added in !1153 (merged).