On Fri, Oct 21, 2016 at 4:27 PM, Ron Garret <r...@flownet.com> wrote: > > I think both of you misinterpreted my question. I understand why you would > want to use one form for DH and the other for DSA. What I didn’t understand > was why you would want to make the DH form primary and derive the DSA from > from it rather than the other way around.
If you want to support X25519 and Ed25519 with a single key pair format (or key pair), then there's room for debate, but I'm advocating X25519. One reason is that converting public keys from X->Ed or Ed->X uses an inversion, but since Ed25519 uses point decompression anyways, X->Ed can combine the inversion with decompression at very little computation cost [1]. Another reason is that a signature-only system can already be easily extended with encryption/DH by signing subkeys. However, a DH-based system (like Ntor, Noise[1], or earlier versions of TextSecure) cannot be extended to signatures without having an X->Ed conversion like this. If you just want DH and signatures rather than X25519 and Ed25519 specifically, then the design space is larger and I guess you could consider DH with Edwards curves or signatures with Montgomery curves, or anything else. But then you're diverging from the existing algorithms, which means more design and analysis is needed, more new code, and less potential for interop, so I'd be less excited about that. Trevor [1] https://moderncrypto.org/mail-archive/curves/2015/000376.html [2] https://noiseprotocol.org/ _______________________________________________ Curves mailing list Curves@moderncrypto.org https://moderncrypto.org/mailman/listinfo/curves