Olm/Megolm V2

[richvdh]

We have some changes that we'd like to make to the Olm and Megolm protocols; starting a list here to keep track of them.

Megolm:

• Improved session-sharing format to improve security
• Extended MAC to improve security
• Use a single hash ratchet rather than the current four-part ratchet (https://gitlab.matrix.org/matrix-org/olm/-/merge_requests/64)

Olm:

• Extended MAC to improve security

[richvdh]

Another idea for the list (with credit to @bradtgmurray): use url-safe base64 encoding for megolm session ids to make them easier to use in requests like GET /_matrix/client/v3/room_keys/keys/{roomId}/{sessionId}.

[uhoreg]

Megolm:

• add client's timestamp in ciphertext to make it easier to detect replays
• message franking?

Olm:

• post-quantum encryption

Both:

• use AES-GCM instead of CBC?

[dkasak]

Matrix crypto layer:

• Dropping the Ed25519 device key in lieu of signing with the Curve25519 device key using XEdDSA.
• Mandating that the device ID equals the base64-encoding of the Curve25519 device key.

While these are not strictly Olm related in a lower level sense, it would make sense to include them as part of a switch to a hypothetical m.olm.v2.curve25519-aes-sha2 algorithm since that's going to be a breaking change anyway.

use AES-GCM instead of CBC?

We should also consider going further an abandoning AES in favour of (X)ChaCha20-Poly1305.