Why did you pick algorithm X?
Author: @mkobetic
First of all, we have purposely designed the protocol with algorithm agility in mind with the expectation that we will be replacing our initial choices along the way as we learn more and the field itself advances.
Our initial choice of algorithms was driven by fairly pragmatic criteria:
Tried and true: Use what's reasonably standard or in widespread use.
Good JavaScript support: Since all cryptography happens in the client, we needed algorithms that are well supported in JavaScript.
Minimize dependencies: Prefer what's available in the standard browser API (i.e. https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto) rather than bringing in third-party (3P) dependencies.
@noble/secp256k1 is the only 3P library that we brought in so far; the rest relies solely on the browser APIs.
Minimize the number of algorithms: This is why we stuck with secp256k1 for all EC operations, because we have to use it to work with many of the wallets.
Signal's X3DH: Signal is the gold standard of secure offline communication; we tried to apply as much of X3DH as we could.
AES-256-GCM seemed like the best choice from https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/encrypt#supported_algorithms. It's probably also the most widely used AEAD out there.
HKDF came out of Signal's X3DH and is also supported by SubtleCrypto.