Hi,

The upcoming version of the OMEMO XEP relies on X3DH for establishing an initial shared secret. In my extremely limited understanding of it, I'm wondering whether this is the best approach for OMEMO.

X3DH relies on XEdDSA to be able to use Curve25519 keys to create EdDSA-signatures. As far as I can tell, this solved a problem where all long-standing identity keys in Signal were X25519, and they needed them to create signatures (which you can't do without conversion to Ed25519). I can't seem to find any public implementation of XEdDSA yet, except in libsignal, so this sounds like it makes implementing OMEMO pretty hard at the moment.

On the other hand, the other way round (creating Curve25519 keys from Ed25519 keys) is apparently a simpler thing to do, and there *are* public implementations of this (e.g. https://download.libsodium.org/doc/advanced/ed25519-curve25519.html ).

So, I'm wondering whether it wouldn't make more sense to not carry the Signal legacy around in OMEMO, use Ed25519 keys as identity keys, and adapt X3DH to use these for creating an initial shared secret (with the same properties). The rest of the protocol can stay the same, since these keys can be converted to Curve25519.

But I'm way out of my depth here, so I might be talking gibberish.

thanks,
Remko