[Standards] OMEMO Key Agreement
remko at el-tramo.be
Mon May 29 05:53:58 UTC 2017
I may have a solution to our OMEMO key agreement discussion that satisfies
all of us.
- We change the Identity keys to be Ed25519 keys instead of Curve25519.
  Current client deployments are by default libsignal-based, and therefore
  have access to Curve25519-to-Ed25519 conversion methods to convert already
  authenticated keys, so they don't have to lose their keys.
- We change X3DH such that
  - Sig(PK, M) is EdDSA(PK, M) instead of XEdDSA(PK, M) (PK is now an
    Ed25519 key). Libsignal already comes with an Ed25519 implementation.
  - DH(IK, ...) becomes DH(Ed2Curve(IK), ...). Ed25519-to-Curve25519 is a
    conversion that is simpler than the other way round, and there are
    liberally licensed implementations. Libsodium has a ref10-based one, so it
    can be dropped directly into libsignal:
This drops the dependency on XEdDSA, and has a minimal impact on existing
libsignal-based implementations. It *does* make the key agreement more
complicated than the one in Olm (which does simple 3DH), but maybe that's a
price we're willing to pay?