Thank you for filing this request @ston1th!

You say

NewKeyFromPlain for the crypto/ed25519 package as there seems no way to generate a public key from only a private key.

However, from the godoc for x/crypto/ed25519 https://godoc.org/golang.org/x/crypto/ed25519 there is a method on PrivateKey that retrieves the corresponding PublicKey as per https://godoc.org/golang.org/x/crypto/ed25519#PrivateKey.Public

and here is a playground link https://play.golang.org/p/ImukvRBYlH_p or inlined below

package main

import (
	"crypto/rand"
	"fmt"
	"io"
	"io/ioutil"

	"golang.org/x/crypto/ed25519"
)

func main() {
	seed, _ := ioutil.ReadAll(io.LimitReader(rand.Reader, 32))
	privKey := ed25519.NewKeyFromSeed(seed)

	pubKey := privKey.Public()
	fmt.Printf("PrivateKey: %#v\nPublicKey: %#v\n", privKey, pubKey)
}

Could you please clarify that? Do you mean generate an entirely new public key or did you have trouble getting the corresponding public key? If the latter, perhaps this just might be a documentation discovery problem? I am totally not a crypto expert but my responses are just based off my experience using these packages in applications.

It would also be nice to perhaps provide a preview of what your proposed signature would look like, this can help expedite and make proposal review easy.

Kindly looping in @FiloSottile @agl

Yes, I know about privKey.Public() but looking in the implementation this just returns the last 32 bytes of the privKey slice instead of generating the public key based on the private key (I assume for performance reasons): https://github.com/golang/crypto/blob/master/ed25519/ed25519.go#L53

So let's say I already have a 32 byte private key but not the corresponding public key.
Since the privKey.Public() does no calculation based on the private key its not possible to generate the public key.

A example (may be not cryptographically correct) would look like this:

func NewKeyFromPlain(key []byte) ed25519.PrivateKey {
	if l := len(key); l != ed25519.SeedSize {
		panic("ed25519: bad key length: " + strconv.Itoa(l))
	}
	key[0] &= 248
	key[31] &= 127
	key[31] |= 64

	var A edwards25519.ExtendedGroupElement
	var hBytes [32]byte
	copy(hBytes[:], key[:])
	edwards25519.GeScalarMultBase(&A, &hBytes)
	var publicKeyBytes [32]byte
	A.ToBytes(&publicKeyBytes)

	privateKey := make([]byte, ed25519.PrivateKeySize)
	copy(privateKey, key)
	copy(privateKey[32:], publicKeyBytes[:])

	return privateKey
}

So basically the same as ed25519.NewKeyFromSeed but without sha512-hashing the input: https://github.com/golang/crypto/blob/master/ed25519/ed25519.go#L104

The Seed vs PrivateKey situation in that API is already too confused. Let's stick to RFC 8032, which does not even acknowledge the existence of the intermediate private key, and just calls the seed private key.