wiki:Crypto/CurrentSpecs

Version 64 (modified by zzz, 6 years ago)

ElG fixes, add DH, add comments, add link to how_cryptography

This page summarizes the current state of the I2P cryptography.

Currently used ciphers

Symmetric

| Cipher | Used lengths | Security | Comments |
|---|---|---|---|
| AES-CBC [8] | 256 | Good [5] | A good choice due to common support for hardware acceleration??? Really? We don't support hardware acceleration. Never used alone, always with ElG+SessionTag? [8] |

Asymmetric

| Cipher | Used lengths | Security | Comments |
|---|---|---|---|
| ElGamal [8] | 2048 | >Poor [5]??? | We use "short exponent" [8] |

Hashes

| Cipher | Used lengths | Security | Comments |
|---|---|---|---|
| SHA256 [8] | 256 | Good [5] | Slow compared to SHA-3 |

Key Exchange

| Cipher | Used lengths | Security | Comments |
|---|---|---|---|
| DH [8] | 2048 | | |

Signatures

| Cipher | Used lengths | Security | Comments |
|---|---|---|---|
| DSA [8] | 1024 | Poor [5] | We use DSA for all signatures. We do not use ElG as it was deemed too slow. That's why every Dest and RI has two keys, one for crypto and one for signing. |

Cipher usage

| Router aspect | Cipher used | Security timescale | Usage details | Comments |
|---|---|---|---|---|
| NTCP handshake | DSA | ??? | | |
| SSU handshake | DSA | ??? | | |
| RouterInfo signing | DSA | ??? | | |
| LeaseSet signing? | DSA | Years | 75% verif.? (guesstimation) | |
| LeaseSet revocation (unused) | DSA | ??? | | |
| I2CP Session Config signing | DSA | ??? | | |
| Datagram signing | DSA | ??? | | |
| Streaming message signing | DSA | ??? | | |
| SUD signing | DSA | Years and years | 99% verif. | |
| Tunnel Build Messages | ElG | | | |
| NetDB Lookups / Stores [8] | ElG/AES+SessionTag? | | | Only some are encrypted [8] |

Potential new ciphers

Asymmetric ciphers

| Cipher | Suggested length | Speed [6] | Security | Implementability | Comments |
|---|---|---|---|---|---|
| EC-DSA | 256 | Sign.: 9203/s; Verif.: 4658/s | Good [5] | Java7 BouncyCastle | |
| EC-DSA | 384 | Sign.: 4791/s; Verif.: 1085/s | >Good [5]??? | Java7 BouncyCastle | |
| RSA-PKCS#1 v1.5 | 2048 | Sign.: 770/s; Verif.: 25184/s | Poor [5] | | |
| RSA-PKCS#1 v1.5 | 3072 | | Decent [5] | | |
| RSA-PKCS#1 v1.5 | 4096 | Sign.: 108/s; Verif.: 6757/s | >Decent [5]??? | | |
| RSA-PSS | 2048 | Sign.: 770/s; Verif.: 25184/s | Decent [5] | | |
| RSA-PSS | 3072 | | Good [5] | | |
| RSA-PSS | 4096 | Sign.: 108/s; Verif.: 6757/s | >Good [5]??? | | |
| DSA | 160/1024 | Sign.: 8176/s; Verif.: 7500/s | Poor [5] | | |
| DSA | 224/2048, 256/2048 | Sign.: 2548/s; Verif.: 2089/s | >Poor [5]??? | | |
| DSA | 256/3072 | | Decent [5] | | |
| ElGamal | 256/2048 | | About the same as DSA-2048 as DSA is based on ElGamal? | I2P | |

Symmetric ciphers

| Cipher | Suggested length | Speed | Security | Implementability | Comments |
|---|---|---|---|---|---|
| Twofish | 256 Bits | 256-Bit Twofish is faster than 256-bit Rijndael(AES) on the same hardware | | | |

Hashes

| Cipher | Security | Implementability | Comments |
|---|---|---|---|
| SHA3(Keccak) | Good enough to be recommended by NIST | | Faster than the SHA-2 family |
| RIPEMD-160 | Decent [5] | | |
| RIPEMD-320 | ~RIPEMD-160 [7] | | |

MAC

| Cipher | Security | Implementability | Comments |
|---|---|---|---|
| HMAC | Good [5] | | |
| CMAC | Good [5] | | |
| CBC-MAC-X9.19 | Good [5] | | |
| CBC-MAC-EMAC | Good [5] | | |



[1] http://www.cryptopp.com/benchmarks.html
[2] http://tools.ietf.org/html/rfc4492
[3] NIST 2011 http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf
[4] http://www.keylength.com/en/compare/
[5] ECRYPT II 2011 http://www.ecrypt.eu.org/documents/D.SPA.17.pdf
[6] OpenSSL Benchmark
[7] http://en.wikipedia.org/wiki/RIPEMD - Citation needed
[8] http://www.i2p2.i2p/how_cryptography