Consider Crystals Kyber and Crystals Dilithium, Upgrade to AES-256, upgrade to SHA3-512 #181
Replies: 6 comments 15 replies
-
|
Thanks for your comments and critiques. I am of course very well aware of all of the primitives that you mention. TL;DRI really don't mean this as a personal insult, but I will have to say it clearly from the start: Your recommendation makes no sense, and your understanding about cryptographic systems seem shallow at best. I hope you will follow your interest in the field, and work to deepen your understanding. I've written a more in-depth answer below that can maybe be a small help in that direction :) There are specific, and very well-considered reasons for the choice of cryptographic primitives in Reticulum, with the goal of bringing the highest degree of real-world security and functionality to the people using the stack. The composition of a cryptographic primitive suite has far wider consequences than just the Ultra-Security-Hype-Factor-Buzzword-Score™ that it can generate, but that seems to be what you are mostly interested in here. I am concerned with real security and reliability, for real-world applications. Understanding Post-Quantum-CryptographyIt seems like there is a tendency for people to read about the Crystals project and think that we now have "the solution to quantum-resistant cryptography", and that we should all move to this immediately to be safe. This is complete a misconception. The Cryptographic Suite for Algebraic Lattices, also known as "Crystals", is currently a research project, intended as a contender in a standardised suite of cryptographic primitives, that will let us continue to deploy secure cryptographic systems, in a hypothetical world, where highly efficient quantum computers have become a reality. It is not a well-audited, thouroughly proven set of cryptographic tools. The NIST PQC project has not even completed selecting candidates for standardization into a PQC suite of cryptographic primitives. If I had to place my bets, they would be that at least some of the primitives you mention will get selected as final candidates in the NIST PQC project. After that should then come years of scrutiny, review and testing by competent cryptographers and mathematicians other than the authors, before any serious use is considered. People are working seriously on these projects already, because there is a potential risk of them being necessary in the future, and because it will take a significant number of years to complete the task. Should this potential risk turn into reality, we want to be prepared, and therefore it is something we need to work on now. Does that mean that everyone should quickly jump boat to random subsets of contenders for PCQ standard primitives? No, absolutely not. Do Unicorns Haunt You?You have probably read a lot of alarmist "articles" from various "news" outlets about the impeding quantum-computer-cryptography-armageddon. Such "articles" are fantastic attention-grabbers. They are pretty far off from reality, though. As far as we currently know, it might be possible to build a quantum computer of the required complexity and speed needed to, amongst other things, efficiently break elliptic curve cryptography, and to significantly weaken symmetric ciphers like AES. There is a lot of ifs here though:
Said in another way, we think that we might, at some indeterminate point in the future, possibly possess a device that, in theory, has a hypothetical way of breaking some parts of our current cryptography systems. That is enough to get cryptographers working on potential solutions, and is the most reasonable course of action. But anything much more than that is much closer to magical thinking, than rational risk asessment. For most people, actually worrying about this is akin to being afraid that a unicorn might suddenly, and in broad daylight, materialise out of thin air, and proceed to violently mow you down with it's glittering horn, in a shower of rainbow-coloured sparkles. Literally every person working in the field of cryptographic systems are perfectly well aware of developments in both quantum computing and quantum-resistant cryptography. I can assure you that nobody will be taken by surprise here, and that if the time comes, we will all be ready, collectively. This is of course also true for Reticulum, which is designed to be completely modular in terms of primitive suites, and can have all parts changed with just a few lines of code. But implementing any of your suggestions right now would literally and directly harm the reliability, functionality, usability over low-bandwidth mediums, universality, ease of use, and not least the actual security of Reticulum. If you think you know otherwise, please outline the physical bounds for a quantum-compute capable system that can efficiently break X.25519, Ed25519, AES-128 and SHA-256 as used in Reticulum, in a time frame that is just marginally useful, let's say 100 years. |
Beta Was this translation helpful? Give feedback.
-
Beta Was this translation helpful? Give feedback.
-
|
And just another note to @Destroyinator69420 specifically; since you seem fond enough of Kyber to recommend it for actual use in projects, you'd probably be interested in noting this: https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/Fm4cDfsx65s/m/0dBVXOcSCAAJ Parts such as this one might be of specific interest to you:
|
Beta Was this translation helpful? Give feedback.
-
|
Now it's 2025 and there are 3 PQC (Post-Quantum Cryptography) NIST standards (FIPS 203, 204 and 205) along with a newly accpected algorithm (HQC) which has not got a finalised standard yet. There are some famous projects implementing PQC. OpenSSH has got the PQC implemented. (See the first point of "New features"). GnuPG is currently in a testing phase with Kyber.. NIST even has a recommended deadline for the encryption (i.e. by 2035). Even if it's still in draft stage, the public comments seem not concerned about the timeline. However, we also need to consider the constraints in this project. According to the section 2.2.2 in this document, the key pair and cipher text size is way too large compared to the classical encryption schemes. It appears unrealistic for bandwidth-constraint protocols to do anything meaningful or the performance is just unacceptable (consider spend a few hours or even days to receive and send a message or raw data like voice and image). Someone did the performance comparison for TLS connection with different cryptography algorithms and PQC is not as great as the classical ones. Additionally, those PQC schemes are just secure in terms of mathematics but need to be tested with a real hardware like a quantum computer with enough effective qubits. We still do not know how long it would come. Maybe 5 years, 10 years or 50 years. But it's really hard to tell given how long the modern binary-based computer system took from the bulky machine occupying the entire room with poorer performance than a Raspberry Pi. I personally do not know whether those selected PQC schemes are secure enough as claim by the Security Level. I can see a general trend here. Even if the hype does not necessarily imply the fact, it worth considering for the future roadmap at least. What's your thought on this @markqvist today? |
Beta Was this translation helpful? Give feedback.
-
|
I was looking for information about post-quantum encryption support in Reticulum or plans for its implementation and found this thread. Very interesting discussion! Personally, I think that implementing quantum-resistant encryption and hashing according to the new accepted standards could increase resistance to “harvest now, decrypt later” attacks (since they cannot be ruled out at the moment) and would also attract people who are interested in long-term and secure storage of their messages. This would be an impressive and significant advantage for the Reticulum network. |
Beta Was this translation helpful? Give feedback.
-
|
Layers of encryption are your bestest friendo.
…On Mon, Oct 20, 2025, 4:17 PM Linux in a Bit ***@***.***> wrote:
Odds seem pretty high your chosen PQC algorithm will be broken before
'harvest now, decrypt later' becomes a problem for what Reticulum uses ;)
—
Reply to this email directly, view it on GitHub
<#181 (reply in thread)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ALE3POBFI6ATKUKUSVGBKM33YU7PPAVCNFSM6AAAAAB45S3OQCVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTINZTGM2DKOI>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***
com>
|
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
You are not using the strongest version of the encryption algorithms available. For instance, you are using AES-128, which can be weakened using a quantum computer. The simplest method to combat this would be to use AES-256. You are using SHA-256, although I do not know whether you are using SHA2 or SHA3. If you are using SHA2, then you should be using SHA3, which is more recent and widely regarded as more secure. SHA3 supports an option for a 512 bit hash, this is widely regarded as more secure than SHA256 in regards to collision attacks. I would also recommend integrating Crystals Kyber into the asymmetrical cryptography, as doing so will make your network quantum resistant, but the Crystals developers recommend using Crystals Kyber with an already established algorithm. Irregardless of whether you encrypt with Elliptic Curve Diffie Helman or Crystals Kyber first is of no consequence so long as the keys used to encrypt them are generated separately. You should also consider using Crystals Dilithium as a hashing algorithm in addition to SHA3-512. This will provide two layers of security in terms of message authentication. I would recommend Dilithium5, although there is a faster version that uses AES in counter mode instead of shake to expand the polynomials, it is called dilithium5-AES. It uses AES to take advantage of hardware accelerated AES when possible, although I would stick with Dilithium5 becuase SHAKE is an irreversible function, unlike AES. There is an open source library called liboqs created by the Open Quantum Safe project. It has a python wrapper and is written in C. All of the algorithms I have mentioned in this issue ticket are available in OpenSSL if not in liboqs.
Other than my crituqe of your cryptography choices I would like to congratulate you for fighting the good fight and proving that a more decentralized and secure internet is possible. I would also like to congratulate you on not selling out to the Web3 craze. Hopefully reticulum gets the attention it deserves.
Beta Was this translation helpful? Give feedback.
All reactions