[Standards] OMEMO Key Agreement

Sam Whited sam at samwhited.com
Wed May 31 14:24:26 UTC 2017

FWIW, this all sounds reasonable to me, but it still sounds like
trying to solve a problem that doesn't exist. The existing
implementations use XEdDSA, and it's easy to get working in other
libraries (they may even have the conversion function already, the
rest is just convention and optional optimizations). Why in the world
would we ask existing implementations to change for no benefit now
that the only problem that the council raised before when accepting
OMEMO is fixed and it's easy to make new implementations use the
existing thing? If we ask existing implementations to change, all
we're going to achieve is a fragmented ecosystem where half the OMEMO
enabled clients don't work with the other half. I can imagine that
sometimes this might be necessary, but I don't think it is in this


On Mon, May 29, 2017 at 12:53 AM, Remko Tronçon <remko at el-tramo.be> wrote:
> Hi,
> I may have a solution to our OMEMO key agreement discussion that satisfies
> all of us.
> - We change the Identity keys to be Ed25519 keys instead of Curve25519.
> Current client deployments are by default libsignal-based, and therefore
> have access to Curve25519-to-Ed25519 conversion methods to convert already
> authenticated keys, so they don't have to lose their keys.
> - We change X3DH such that
>    - Sig(PK, M) is EdDSA(PK, M) instead of XEdDSA(PK, M) (PK is now an
> Ed25519 key). Libsignal already comes with an Ed25519 implementation.
>    - DH(IK, ...) becomes DH(Ed2Curve(IK), ...). Ed25519-to-Curve25519 is a
> conversion that is simpler than the other way round, and there are liberally
> licensed implementations. Libsodium has a ref10-based one, so it can be
> dropped in directly into libsignal:
> https://download.libsodium.org/doc/advanced/ed25519-curve25519.html
> This drops the dependency on XEdDSA, and has a minimal impact on existing
> libsignal-based implementations. It *does* make the key agreement more
> complicated than the one in Olm (which does simple 3DH), but maybe that's a
> price we're willing to pay?
> Remko
> _______________________________________________
> Standards mailing list
> Info: https://mail.jabber.org/mailman/listinfo/standards
> Unsubscribe: Standards-unsubscribe at xmpp.org
> _______________________________________________

Sam Whited
pub 4096R/54083AE104EA7AD3

More information about the Standards mailing list