Hi, I may have a solution to our OMEMO key agreement discussion that satisfies all of us.

- We change the Identity keys to be Ed25519 keys instead of Curve25519. Current client deployments are by default libsignal-based, and therefore have access to Curve25519-to-Ed25519 conversion methods to convert already authenticated keys, so they don't have to lose their keys.
- We change X3DH such that
  - Sig(PK, M) is EdDSA(PK, M) instead of XEdDSA(PK, M) (PK is now an Ed25519 key). Libsignal already comes with an Ed25519 implementation.
  - DH(IK, ...) becomes DH(Ed2Curve(IK), ...). Ed25519-to-Curve25519 is a conversion that is simpler than the other way round, and there are liberally licensed implementations. Libsodium has a ref10-based one, so it can be dropped in directly into libsignal: https://download.libsodium.org/doc/advanced/ed25519-curve25519.html

This drops the dependency on XEdDSA, and has a minimal impact on existing libsignal-based implementations. It *does* make the key agreement more complicated than the one in Olm (which does simple 3DH), but maybe that's a price we're willing to pay?

Remko