So this is as simple as converting the Ed25519 key before ingesting into
libsignal (and vice versa)? From what I understand this wouldn't require
any modifications to libsignal itself, and really only some minor app
changes for implementors. If that's correct, this seems like a great
compromise.

On Sun, May 28, 2017 at 10:53 PM, Remko Tronçon <re...@el-tramo.be> wrote:

> Hi,
>
> I may have a solution to our OMEMO key agreement discussion that satisfies
> all of us.
>
> - We change the Identity keys to be Ed25519 keys instead of Curve25519.
> Current client deployments are by default libsignal-based, and therefore
> have access to Curve25519-to-Ed25519 conversion methods to convert already
> authenticated keys, so they don't have to lose their keys.
> - We change X3DH such that
>    - Sig(PK, M) is EdDSA(PK, M) instead of XEdDSA(PK, M) (PK is now an
> Ed25519 key). Libsignal already comes with an Ed25519 implementation.
>    - DH(IK, ...) becomes DH(Ed2Curve(IK), ...). Ed25519-to-Curve25519 is a
> conversion that is simpler than the other way round, and there are
> liberally licensed implementations. Libsodium has a ref10-based one, so it
> can be dropped in directly into libsignal:
> https://download.libsodium.org/doc/advanced/ed25519-curve25519.html
>
> This drops the dependency on XEdDSA, and has a minimal impact on existing
> libsignal-based implementations. It *does* make the key agreement more
> complicated than the one in Olm (which does simple 3DH), but maybe that's a
> price we're willing to pay?
>
> Remko
>
> _______________________________________________
> Standards mailing list
> Info: https://mail.jabber.org/mailman/listinfo/standards
> Unsubscribe: standards-unsubscr...@xmpp.org
> _______________________________________________
>
>
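The DH(Ed2Curve(IK), ...) step proposed in the quoted message, as an added example that is not part of the thread and is not libsignal or libsodium code: it converts an Ed25519 seed and public key to their Curve25519 forms and runs the agreement on them. All function names are assumptions, the seeds used to exercise it are constructed, and the arithmetic is written for clarity, not constant-time use.

```python
import hashlib

P = 2**255 - 19
D = -121665 * pow(121666, -1, P) % P      # Edwards curve constant d
BY = 4 * pow(5, -1, P) % P                # Ed25519 base point: y = 4/5

def ed_seed_to_curve(seed):
    """Ed25519 seed -> X25519 scalar (the clamped SHA-512 half Ed25519 itself uses)."""
    k = bytearray(hashlib.sha512(seed).digest()[:32])
    k[0] &= 248; k[31] &= 127; k[31] |= 64
    return int.from_bytes(k, "little")

def ed_pk_to_curve(pk):
    """Ed25519 public key bytes -> Montgomery u = (1 + y) / (1 - y)."""
    y = int.from_bytes(pk, "little") & (2**255 - 1)   # drop the x sign bit
    if y >= P or y == 1:                  # non-canonical y, or identity (1 - y = 0)
        raise ValueError("rejecting Ed25519 key")
    # A production converter must also reject off-curve and small-order points.
    return (1 + y) * pow(P + 1 - y, -1, P) % P

def ed_add(a, b):                         # affine twisted Edwards addition
    (x1, y1), (x2, y2) = a, b
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1*y2 + x2*y1) * pow(1 + t, -1, P) % P,
            (y1*y2 + x1*x2) * pow(P + 1 - t, -1, P) % P)

def ed25519_public(seed):                 # slow reference keygen, for the check only
    xx = (BY*BY - 1) * pow(D*BY*BY + 1, -1, P) % P
    bx = pow(xx, (P + 3) // 8, P)         # recover the base point x from y
    if bx * bx % P != xx: bx = bx * pow(2, (P - 1) // 4, P) % P
    if bx & 1: bx = P - bx
    k, q, acc = ed_seed_to_curve(seed), (bx, BY), (0, 1)
    while k:
        if k & 1: acc = ed_add(acc, q)
        q, k = ed_add(q, q), k >> 1
    return (acc[1] | (acc[0] & 1) << 255).to_bytes(32, "little")

def x25519(k, u):                         # Montgomery ladder (not constant time)
    x2, z2, x3, z3 = 1, 0, u, 1
    for t in reversed(range(255)):
        if k >> t & 1: x2, z2, x3, z3 = x3, z3, x2, z2
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb, da, cb = a*a % P, b*b % P, d*a % P, c*b % P
        x3, z3 = (da + cb)**2 % P, u * (da - cb)**2 % P
        x2, z2 = aa * bb % P, (aa - bb) * (aa + 121665 * (aa - bb)) % P
        if k >> t & 1: x2, z2, x3, z3 = x3, z3, x2, z2
    return x2 * pow(z2, P - 2, P) % P

def dh(my_seed, their_ed_pk):             # DH(Ed2Curve(IK), ...) from the proposal
    return x25519(ed_seed_to_curve(my_seed), ed_pk_to_curve(their_ed_pk))
```

The converted secret is the same scalar Ed25519 signs with, so `x25519(ed_seed_to_curve(seed), 9)` equals `ed_pk_to_curve(ed25519_public(seed))`, and two parties calling `dh` with their own seed and the other's Ed25519 identity key get the same value.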