On Wed, Jan 15, 2014 at 02:46:08AM +0400, Yuriy Kaminskiy wrote:
>> When the user generates a new key, the ed25519 secret key will be generated first. The curve25519 secret will be derived from that, since
> In general, reusing keys for different purposes (signing and encryption) is considered a bad idea, even though it is possible (RSA signing and RSA encryption, DSA signing and ElGamal/DH encryption [fwiw, this one is considered a *very* bad idea]).
Well, the libsodium developers not only told me how to do it, it was their idea. However, it's of course very simple to generate them separately.
> 1) Recipient needs to know sender public key. Bad.
That's the way curve25519 works. It would be possible to use one-time keys, but for this there has to be some kind of key exchange process beforehand. But since pcp runs in offline mode, I'm not sure how to do this in a user-friendly way.
> 2) Message remains decipherable by sender. Very bad.
No, it doesn't. In order to decrypt a message one needs the recipient secret key and the sender public key.
> 3) Sender public key/identity leaks with each message. Very bad.
Because? While I don't know how stef does it in pbp, I only add the key id to the cipher so that the recipient knows which key has to be used to decrypt. I'm not sure how it is bad to publish a key id. That's daily business with pgp as well.
> 4) Sender needs access to her secret key. Bad.
Again, this is how curve25519 is designed.
> Just generate a single-use keypair, send the public part with the message, throw away the secret part right after encryption.
The sender needs a public key from the recipient anyway. And to be able to decrypt the message, the recipient has to retain her secret key.
> Oh, well, NIH-NIH-NIH, let's invent our own square-wheel bicycle.
Funny, but neither I nor stef invented anything. DJB did.

- Tom