[noise] XEdDSA and Noise

Trevor Perrin trevp at trevp.net
Tue Oct 25 13:50:36 PDT 2016


I recently wrote a spec on using X25519/X448 public keys with EdDSA signatures:


This could be used in Noise pretty easily.  For example, a "sig" token
could indicate an XEdDSA signature, using the static key, over the "h"

It would be work to define pattern transformations (e.g. replace "se"
and "es" with "sig"), and also to figure out where and how signatures
add value, and to do the security analysis of why joint signature and
DH usage is safe, here.

There would also be some open questions, e.g. how far we allow signing
public keys to be of different types (e.g. combining 488 DH with 25519
signatures).  Also, XEdDSA is defined for 512-bit hash functions, so
we'd have to decide if/how it works if someone chooses a Noise 256-bit

I don't have an immediate use case for this, or plans to work on it
this year, but something to think about...


More information about the Noise mailing list