Encryption
Not logged in

To protect privacy, everything is encrypted with the strongest encryption available. The reasons for selecting the algorithms were:

Key Exchange and Signatures

The selection therefore was Ed25519, a Edwards form variant of Dan Bernstein's curve25519. Edwards form is notationally simpler and regular than other curves, allowing more optimizations. The parameters of this curve are known-good, following the "nothing up my sleeve" principle.

Key Exchange Procedure

The first phase of a key exchange uses ephemeral (one-time) keys. Let's call the initiator Alice, and the connected device Bob:

  1. Alice generates a key pair, and sends Bob the public key, together with a connection request.
  2. Bob creates a key pair and sends Alice the public key. Using this public and secret key, he generates a shared secret1, and uses that to encrypt his permanent public key (used for authentication). An attacker can see the ephemeral key, but not the permanent pubkey. Bob puts his state in an encrypted string where only Bob knows the key, and sends this "ticket" back to Alice. Receiving the ticket will actually open up the connection.
  3. Alice receives both keys and can now create two shared secrets: secret1 is the ephemeral secret, secret2 is the authentication secret. She sends her authentication pubkey back to Bob encrypted with secret1. This allows Bob to compute secret2. Furthermore, Alice sends back Bob's ticket and a random per-connection seed for the symmetric keys; the ticket can be (in theory) used to open several connections to Bob with a single packet (no reply required).

The general formula for ECC Diffie-Hellman key exchange is secret = pk1*(sk2) = pk2*(sk1). For secret2, I modify this to avoid side-channel attacks in the lengthy curve point computation, and use secret2 = pka*(skb*secret1) = pkb*(ska*secret1). The scalar multiplication in mod l (the number of curve points) is much faster than the curve point computation, and is much less likely to leak information.

Symmetric Crypto

The requirement is AEAD: Authenticate and encrypt/decrypt together. Candidates were: