consistent pcp/pbp formats (was: Curve p25519 Replacements for GnuPG?(x2 now) ..)

Thomas von Dein tom at vondein.org
Wed Jan 15 01:34:43 PST 2014


On Wed, Jan 15, 2014 at 02:46:08AM +0400, Yuriy Kaminskiy wrote:
> > When the user generates a new key, the ed25519 secret key will be
> > generated first. The curve25519 secret will be derived from that, since
> 
> In general, reusing keys for different purposes (signing and encryption) is
> considered a bad idea, even though it is possible (RSA signing and RSA
> encryption, DSA signing and ElGamal/DH encryption [fwiw, this one is considered
> a *very* bad idea]).

Well, the libsodium developers not only told me how to do it, it was
their idea. However, it's of course very simple to generate them
separately.
 
> 1) Recipient needs to know sender public key. Bad.

That's the way curve25519 works. It would be possible to use one time
keys but for this there has to be some kind of key exchange process
before. But since pcp runs in offline mode, I'm not sure how to do this
in a user friendly way.

> 2) Message remains decipherable by sender. Very bad.

No, it doesn't. In order to decrypt a message one needs the recipient's
secret key and the sender's public key.

> 3) Sender public key/identity leaks with each message. Very bad.

Because?

While I don't know how stef does it in pbp, I only add the key id to the
cipher so that the recipient knows which key has to be used to decrypt.
I'm not sure how it is bad to publish a key id. That's daily business
with pgp as well.

> 4) Sender needs access to her secret key. Bad.

Again, this is how curve25519 is designed.

> Just generate single-use keypair, send public part with message, throw away
> secret part right after encryption.

The sender needs a public key from the recipient anyways. And to be able
to decrypt the message, the recipient has to retain her secret key. 
 
> Oh, well, NIH-NIH-NIH, let's invent our own square-wheel bicycle.

Funny, but neither I nor stef invented anything. DJB did. 

- Tom
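The two key-agreement modes argued over above, as an added example that is not code from pcp, pbp or libsodium: the static mode (sender's long-term curve25519 key combined with the recipient's public key, with the sender's key id carried in the message header) next to the single-use keypair mode proposed in the reply. X25519 is implemented from scratch per RFC 7748 so the block runs without libsodium; SHA-256 stands in for NaCl's HSalsa20 key derivation, and the 8-byte key-id convention and the header dictionaries are assumptions for illustration, not pcp's format. The example shows which secret keys can reproduce the symmetric key in each mode: in static mode, the sender's secret key with the recipient's public key derives the same key as the recipient's secret key with the sender's public key, while in ephemeral mode only the recipient's secret key can reproduce it once the one-time secret is discarded.

```python
"""Key agreement for a curve25519-based offline message format, two ways.

Added illustration; not code from pcp, pbp or libsodium. X25519 follows
RFC 7748; SHA-256 stands in for NaCl's HSalsa20 key derivation (assumption).
"""
import hashlib
import os

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def x25519(k: bytes, u: bytes) -> bytes:
    """Scalar multiplication on curve25519 (RFC 7748 Montgomery ladder)."""
    kb = bytearray(k)
    kb[0] &= 248; kb[31] &= 127; kb[31] |= 64   # clamp the scalar
    k_int = int.from_bytes(kb, "little")
    ub = bytearray(u)
    ub[31] &= 127                                 # mask the high bit of u
    x1 = int.from_bytes(ub, "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair(secret: bytes):
    """Public key is the clamped secret scalar times the base point u=9."""
    return secret, x25519(secret, BASEPOINT)


def key_id(pk: bytes) -> bytes:
    """Constructed key-id convention: first 8 bytes of SHA-256(pk)."""
    return hashlib.sha256(pk).digest()[:8]


def derive_key(my_sk: bytes, their_pk: bytes) -> bytes:
    """Symmetric key from the shared curve point (SHA-256 in place of HSalsa20)."""
    return hashlib.sha256(b"box-kdf" + x25519(my_sk, their_pk)).digest()


def seal_static(sender_sk: bytes, sender_pk: bytes, recipient_pk: bytes) -> dict:
    """Static-static mode: the header carries the sender's key id so the
    recipient knows which public key to combine with her own secret key."""
    return {"sender_keyid": key_id(sender_pk),
            "key": derive_key(sender_sk, recipient_pk)}


def open_static(recipient_sk: bytes, sender_pk: bytes, header: dict) -> bytes:
    """Recipient side: the sender's public key must be known, found by key id."""
    if header["sender_keyid"] != key_id(sender_pk):
        raise ValueError("header names a sender key id we do not hold")
    return derive_key(recipient_sk, sender_pk)


def seal_ephemeral(recipient_pk: bytes, rng=os.urandom) -> dict:
    """Single-use keypair mode: generate, use once, send only the public part."""
    eph_sk, eph_pk = keypair(rng(32))
    key = derive_key(eph_sk, recipient_pk)
    del eph_sk   # drops the reference; real zeroisation (sodium_memzero) not shown
    return {"eph_pk": eph_pk, "key": key}


def open_ephemeral(recipient_sk: bytes, header: dict) -> bytes:
    """Recipient side: no sender identity is needed, only the one-time public key."""
    return derive_key(recipient_sk, header["eph_pk"])


if __name__ == "__main__":
    alice_sk, alice_pk = keypair(os.urandom(32))   # sender, long-term key
    bob_sk, bob_pk = keypair(os.urandom(32))       # recipient, long-term key

    static_hdr = seal_static(alice_sk, alice_pk, bob_pk)
    print("static: recipient derives same key:",
          open_static(bob_sk, alice_pk, static_hdr) == static_hdr["key"])
    print("static: sender's long-term key derives same key:",
          derive_key(alice_sk, bob_pk) == static_hdr["key"])

    eph_hdr = seal_ephemeral(bob_pk)
    print("ephemeral: recipient derives same key:",
          open_ephemeral(bob_sk, eph_hdr) == eph_hdr["key"])
    print("ephemeral: sender's long-term key derives same key:",
          derive_key(alice_sk, eph_hdr["eph_pk"]) == eph_hdr["key"])
```

The ephemeral header is larger (a 32-byte public key instead of an 8-byte key id), which is the price of not tying the message to a long-term sender identity; authenticity of the sender then has to come from a separate signature, which is where the ed25519 key the thread started with would come in.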
