Re: [Standards] OMEMO (XEP-0384) use of X3DH / XEdDSA

2017-04-01 Thread Remko Tronçon
Hi Matthew,
On 31 March 2017 at 23:21, Matthew Hodgson wrote:
> http://matrix.org/docs/olm_signing.html attempts to describe this
> trade-off.
>
Thanks for sharing your insights. I didn't know about that document, and the tradeoffs and decisions you described make sense.

Re: [Standards] OMEMO (XEP-0384) use of X3DH / XEdDSA

2017-03-31 Thread Matthew Hodgson
> On 31 Mar 2017, at 22:21, Matthew Hodgson wrote:
> I'm a bit confused as to why the OMEMO community has moved away from Olm in
> favour of creating a new ODR, to be honest - I assumed that by releasing Olm
> under the Apache license and getting it publicly audited NCC

Re: [Standards] OMEMO (XEP-0384) use of X3DH / XEdDSA

2017-03-31 Thread Matthew Hodgson
[summoned by https://twitter.com/DwdDave/status/847908152561602561] On 30/03/2017 09:09, remko wrote: Hi, The upcoming version of the OMEMO XEP relies on X3DH for establishing an initial shared secret. In my extremely limited understanding of it, I'm wondering whether this is the best approach

Re: [Standards] OMEMO (XEP-0384) use of X3DH / XEdDSA

2017-03-31 Thread Remko Tronçon
On 31 March 2017 at 15:40, wrote:
> It just skips the conversion part altogether, which seems to be the
> central point of discussion and is not widely implemented in any direction
Interesting! I believe there *is* the open question whether using the same key for signing and

Re: [Standards] OMEMO (XEP-0384) use of X3DH / XEdDSA

2017-03-31 Thread riba
This seems to confirm my understanding so far. I did have the impression you have a good understanding of this based on your previous messages, but I think your wording was misleading and wanted to make clear for everyone else too that X3DH is not based on XEdDSA as a primitive - it's just

Re: [Standards] OMEMO (XEP-0384) use of X3DH / XEdDSA

2017-03-31 Thread Remko Tronçon
Hi Riba,
> The attack is described in [1] and boils down to the following:
>
While I think that because of the noticeability the possible damage is very limited, I kind of agree that it is not acceptable by design. One argument for 3DH might be its full deniability, which X3DH does not provide,

Re: [Standards] OMEMO (XEP-0384) use of X3DH / XEdDSA

2017-03-31 Thread Remko Tronçon
On 31 March 2017 at 12:46, Dave Cridland wrote:
> Surely this is trivial to fully mitigate by having Bob "ping" Alice
> over an encrypted message to ensure Alice can decrypt, prior to
> sending actual message data?
>
This assumes Alice is online when Bob wants to talk to her,

Re: [Standards] OMEMO (XEP-0384) use of X3DH / XEdDSA

2017-03-31 Thread Dave Cridland
On 31 March 2017 at 11:17, wrote:
> Hi Remko,
>
> I have some comments.
>
>> 1. We go back to Olm's protocol of establishing an initial shared
>> secret, using regular 3DH instead of X3DH.
>>
>> + Moves us back to an audited, implementable algorithm
>>
>> + No need to

Re: [Standards] OMEMO (XEP-0384) use of X3DH / XEdDSA

2017-03-31 Thread riba
Hi Remko, I have some comments.
1. We go back to Olm's protocol of establishing an initial shared secret, using regular 3DH instead of X3DH.
+ Moves us back to an audited, implementable algorithm
+ No need to change existing identity keys
- This weakens the forward secrecy. I

Re: [Standards] OMEMO (XEP-0384) use of X3DH / XEdDSA

2017-03-31 Thread Remko Tronçon
On 31 March 2017 at 11:37, Daniel Gultsch wrote:
> I think it is relatively fair to assume that a company or individual who
> is able to create a Non-GPL implementation of the Double Ratchet will not
> fail to do so just because of a missing XEdDSA implementation. I

Re: [Standards] OMEMO (XEP-0384) use of X3DH / XEdDSA

2017-03-31 Thread Remko Tronçon
> This requires huge changes in all OMEMO implementations, and there are
> quite few already: https://omemo.top
>
I count 4 implementations in an incomplete list of 40 clients. As far as I understand, clients already need to fork and patch libsignal to be compliant with OMEMO anyway. 3DH takes 4

Re: [Standards] OMEMO (XEP-0384) use of X3DH / XEdDSA

2017-03-31 Thread Daniel Gultsch
Hi,
2017-03-31 11:04 GMT+02:00 Remko Tronçon:
>
> 3. We stay with XEdDSA (the primitive on which X3DH relies)
>
> - Currently, no permissible implementation exists (or I couldn't find
> one at least). It's not clear when or if this will ever happen, and whether
> it will

Re: [Standards] OMEMO (XEP-0384) use of X3DH / XEdDSA

2017-03-31 Thread Vanitas Vitae
On 31.03.2017 at 11:21, Vanitas Vitae wrote:
>
> On 31.03.2017 at 11:04, Remko Tronçon wrote:
>> 1. We go back to Olm's protocol of establishing an initial shared
>> secret, using regular 3DH instead of X3DH.
>>
>> + Moves us back to an audited, implementable algorithm
>> + No need to

Re: [Standards] OMEMO (XEP-0384) use of X3DH / XEdDSA

2017-03-31 Thread Vanitas Vitae
On 31.03.2017 at 11:04, Remko Tronçon wrote:
> 1. We go back to Olm's protocol of establishing an initial shared
> secret, using regular 3DH instead of X3DH.
>
> + Moves us back to an audited, implementable algorithm
> + No need to change existing identity keys
> - This weakens the

Re: [Standards] OMEMO (XEP-0384) use of X3DH / XEdDSA

2017-03-30 Thread Kevin Smith
> On 30 Mar 2017, at 17:30, Florian Schmaus wrote:
>
> On 30.03.2017 18:24, Kevin Smith wrote:
>> OMEMO’s initial publication was delayed for some time, in large part because
>> of the need to move away from a situation where it can only be practically
>> implemented by

Re: [Standards] OMEMO (XEP-0384) use of X3DH / XEdDSA

2017-03-30 Thread Florian Schmaus
On 30.03.2017 18:24, Kevin Smith wrote:
> OMEMO’s initial publication was delayed for some time, in large part because
> of the need to move away from a situation where it can only be practically
> implemented by using a single library. It’s a shame if we’ve still not
> resolved that

Re: [Standards] OMEMO (XEP-0384) use of X3DH / XEdDSA

2017-03-30 Thread Kevin Smith
On 30 Mar 2017, at 17:13, Florian Schmaus wrote:
>
> On 30.03.2017 18:02, Dave Cridland wrote:
>> On 30 March 2017 at 16:00, Florian Schmaus wrote:
>>> On 30.03.2017 15:54, Remko Tronçon wrote: On 30 March 2017 at 15:10, Andreas Straub

Re: [Standards] OMEMO (XEP-0384) use of X3DH / XEdDSA

2017-03-30 Thread Florian Schmaus
On 30.03.2017 18:02, Dave Cridland wrote:
> On 30 March 2017 at 16:00, Florian Schmaus wrote:
>> On 30.03.2017 15:54, Remko Tronçon wrote:
>>> On 30 March 2017 at 15:10, Andreas Straub wrote:
>>> You raise a valid point. I agree

Re: [Standards] OMEMO (XEP-0384) use of X3DH / XEdDSA

2017-03-30 Thread Dave Cridland
On 30 March 2017 at 16:00, Florian Schmaus wrote:
> On 30.03.2017 15:54, Remko Tronçon wrote:
>> On 30 March 2017 at 15:10, Andreas Straub wrote:
>> You raise a valid point. I agree that this construction seems
>> cleaner from a

Re: [Standards] OMEMO (XEP-0384) use of X3DH / XEdDSA

2017-03-30 Thread Florian Schmaus
On 30.03.2017 15:54, Remko Tronçon wrote:
> On 30 March 2017 at 15:10, Andreas Straub wrote:
> You raise a valid point. I agree that this construction seems
> cleaner from a purely theoretical standpoint.
>
> Permissible implementations of XEdDSA

Re: [Standards] OMEMO (XEP-0384) use of X3DH / XEdDSA

2017-03-30 Thread Remko Tronçon
Hi Andy, Thanks for responding!
On 30 March 2017 at 15:10, Andreas Straub wrote:
> You raise a valid point. I agree that this construction seems cleaner from
> a purely theoretical standpoint.
>
Actually, it's the practical standpoint that worries me most, in that this is not

Re: [Standards] OMEMO (XEP-0384) use of X3DH / XEdDSA

2017-03-30 Thread Kevin Smith
On 30 Mar 2017, at 14:10, Andreas Straub wrote:
>> So, I'm wondering whether it wouldn't make more sense to not carry the
>> Signal legacy around in OMEMO, use Ed25519 keys as identity keys, and
>> adapt X3DH to use these for creating an initial shared secret (with the
>> same

Re: [Standards] OMEMO (XEP-0384) use of X3DH / XEdDSA

2017-03-30 Thread Andreas Straub
Hi Remko, So, I'm wondering whether it wouldn't make more sense to not carry the Signal legacy around in OMEMO, use Ed25519 keys as identity keys, and adapt X3DH to use these for creating an initial shared secret (with the same properties). The rest of the protocol can stay the same, since

Re: [Standards] OMEMO (XEP-0384) use of X3DH / XEdDSA

2017-03-30 Thread Remko Tronçon
Hi Daniel,
On 30 March 2017 at 10:31, Daniel Gultsch wrote:
> Are you looking for this: https://whispersystems.org/docs/specifications/xeddsa/
>
No, I've seen the spec, thanks. I'm looking for implementations of it. This is low-level crypto, I would think you don't want

Re: [Standards] OMEMO (XEP-0384) use of X3DH / XEdDSA

2017-03-30 Thread Daniel Gultsch
Hi,
2017-03-30 10:09 GMT+02:00 Remko Tronçon:
> X3DH relies on XEdDSA to be able to use Curve25519 keys to create
> EdDSA-signatures. As far as I can tell, this solved a problem where all
> long-standing identity keys in Signal were X25519, and they needed them to
> create

[Standards] OMEMO (XEP-0384) use of X3DH / XEdDSA

2017-03-30 Thread Remko Tronçon
Hi, The upcoming version of the OMEMO XEP relies on X3DH for establishing an initial shared secret. In my extremely limited understanding of it, I'm wondering whether this is the best approach for OMEMO. X3DH relies on XEdDSA to be able to use Curve25519 keys to create EdDSA-signatures. As far