[curves] XEdDSA specification

[Trevor Perrin]

On Fri, Oct 21, 2016 at 4:27 PM, Ron Garret <ron at flownet.com> wrote:
>
> I think both of you misinterpreted my question.  I understand why you would want to use one form for DH and the other for DSA.  What I didn’t understand was why you would want to make the DH form primary and derive the DSA from from it rather than the other way around.

If you want to support X25519 and Ed25519 with a single key pair
format (or key pair), then there's room for debate, but I'm advocating
X25519.

One reason is that converting public keys from X->Ed or Ed->X uses an
inversion, but since Ed25519 uses point decompression anyways, X->Ed
can combine the inversion with decompression at very little
computation cost [1].

Another reason is that a signature-only system can already be easily
extended with encryption/DH by signing subkeys.  However, a DH-based
system (like Ntor, Noise[1], or earlier versions of TextSecure) cannot
be extended to signatures without having an X->Ed conversion like
this.

If you just want DH and signatures rather than X25519 and Ed25519
specifically, then the design space is larger and I guess you could
consider DH with Edwards curves or signatures with Montgomery curves,
or anything else.  But then you're diverging from the existing
algorithms, which means more design and analysis is needed, more new
code, and less potential for interop, so I'd be less excited about
that.

Trevor

[1] https://moderncrypto.org/mail-archive/curves/2015/000376.html
[2] https://noiseprotocol.org/