[noise] 0RTT with signatures / using Ed25519 as static DH key

Arvid Picciani aep at exys.org
Mon Aug 6 05:28:46 PDT 2018


After much experimentation with signatures in noise, i am circling
back to trying to reduce the amount of roundtrips.

Specifically 0RTT is not possible with signature based authentication
if only the ed25519 public is known to the initiator.

A possible solution is to convert the ed25519 to edwards form and just
directly use that as static key. However, the security of doesnt seem
to be well established.

this is the only paper i could find, and its not even talking about
the bernstein curves.
https://eprint.iacr.org/2011/615.pdf

Trevor suggested an x25519 to ed conversion here:
https://moderncrypto.org/mail-archive/curves/2014/000293.html

but others have suggested the opposite is safer:
https://github.com/dalek-cryptography/ed25519-dalek/issues/25

are there any new discoveries on the safety of doing that?


More information about the Noise mailing list