[Standards] OMEMO Key Agreement

Remko Tronçon remko at el-tramo.be
Mon May 29 05:53:58 UTC 2017


Hi,

I may have a solution to our OMEMO key agreement discussion that satisfies
all of us.

- We change the Identity keys to be Ed25519 keys instead of Curve25519.
Current client deployments are by default libsignal-based, and therefore
have access to Curve25519-to-Ed25519 conversion methods to convert already
authenticated keys, so they don't have to lose their keys.
- We change X3DH such that
   - Sig(PK, M) is EdDSA(PK, M) instead of XEdDSA(PK, M) (PK is now an
Ed25519 key). Libsignal already comes with an Ed25519 implementation.
   - DH(IK, ...) becomes DH(Ed2Curve(IK), ...). Ed25519-to-Curve25519 is a
conversion that is simpler than the other way round, and there are
liberally licensed implementations. Libsodium has a ref10-based one, so it
can be dropped directly into libsignal:
https://download.libsodium.org/doc/advanced/ed25519-curve25519.html

This drops the dependency on XEdDSA, and has a minimal impact on existing
libsignal-based implementations. It *does* make the key agreement more
complicated than the one in Olm (which does simple 3DH), but maybe that's a
price we're willing to pay?

Remko
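
The DH(Ed2Curve(IK), ...) step proposed above, as an added example that is not part of the original message and is not libsignal or libsodium code. It assumes identity keys are RFC 8032 Ed25519 seeds; all function names are hypothetical, and the arithmetic is plain Python for illustration, not constant-time.

```python
import hashlib

P = 2**255 - 19
D = -121665 * pow(121666, -1, P) % P           # Edwards curve constant d
BY = 4 * pow(5, -1, P) % P                     # Ed25519 base point, y = 4/5
_x2 = (BY * BY - 1) * pow(D * BY * BY + 1, -1, P) % P
BX = pow(_x2, (P + 3) // 8, P)                 # square-root candidate for x
if BX * BX % P != _x2: BX = BX * pow(2, (P - 1) // 4, P) % P
if BX & 1: BX = P - BX                         # the base point has even x

def ed_add(p, q):                              # twisted Edwards point addition
    (x1, y1), (x2, y2) = p, q
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * pow((1 + t) % P, -1, P) % P,
            (y1 * y2 + x1 * x2) * pow((1 - t) % P, -1, P) % P)

def clamp(seed):                               # Ed25519 seed -> DH scalar
    h = bytearray(hashlib.sha512(seed).digest()[:32])
    h[0] &= 248; h[31] &= 127; h[31] |= 64
    return int.from_bytes(h, "little")

def ed25519_public(seed):                      # 32-byte Ed25519 public key
    k, r, p = clamp(seed), (0, 1), (BX, BY)
    while k:                                   # double-and-add
        if k & 1: r = ed_add(r, p)
        p, k = ed_add(p, p), k >> 1
    return (r[1] | (r[0] & 1) << 255).to_bytes(32, "little")

def ed2curve_pk(pk):                           # birational map u = (1+y)/(1-y)
    y = int.from_bytes(pk, "little") & (2**255 - 1)   # drop the x sign bit
    if y in (1, P - 1) or y >= P: raise ValueError("rejected identity key")
    return (1 + y) * pow((1 - y) % P, -1, P) % P

def x25519(k, u):                              # RFC 7748 Montgomery ladder
    x2, z2, x3, z3, swap = 1, 0, u, 1, 0
    for t in reversed(range(255)):
        bit = k >> t & 1
        if swap ^ bit: x2, z2, x3, z3 = x3, z3, x2, z2
        swap = bit
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = aa - bb
        x3, z3 = (da + cb) ** 2 % P, u * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap: x2, z2 = x3, z3
    return x2 * pow(z2, P - 2, P) % P

def dh(own_seed, peer_pk):                     # DH(Ed2Curve(IK), ...)
    return x25519(clamp(own_seed), ed2curve_pk(peer_pk))
```

The converted public key equals the X25519 public key of the clamped scalar, so both sides of a DH between two Ed25519 identity keys arrive at the same u-coordinate. The `ed2curve_pk` check is minimal; a production conversion also validates that the point is on the curve and not of small order.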