IRCaBot 2.1.0
GPLv3 © acetone, 2021-2022
#ls2
/2025/06/10
@eyedeekay
+R4SAS
+RN
+RN_
+T3s|4
+Xeha
+acetone
+dr|z3d
+hk
+orignal
+weko
FreeRider
Irc2PGuest56179__
Irc2PGuest73758
Irc2PGuest92548
Leopold_
Onn4l7h
SlippyJoe_
T3s|4__
ardu
cumlord
eyedeekay_bnc
mareki2p_
not_bob_afk
profetikla
qend-irc2p
shiver_
u5657
x74a6
zzz Reminder: Proposal 169 3rd review today 7 PM UTC here
zzz If you're here for the meeting, please say hi, even if you're just planning to lurk ))
Leopold HI ><
orignal glory to ukraine ))
zzz slava, etc. etc.
orignal he should answer "heroyam slava"
zzz 0) Hi
zzz we are here for the 3rd review of proposal 169
orignal Bandera's slogan
orignal PQ, right?
zzz I'll give a brief summary of where we are at, and what I'd like to accomplish today
zzz our last review was April 22
zzz we took some time off for trips to Bora Bora )) and hash research
zzz I'd like to come to a decision on the hash function, and if possible approve the ratchet part of the proposal today
zzz so with that, I'll turn it over to eyedeekay to tell us what he's found out, and hopefully the rest of you spent May researching hash functions also
zzz go ahead eyedeekay
eyedeekay I put together some notes in advance of the meeting
eyedeekay going to post them directly if you don't mind
eyedeekay Regarding hashes: I researched several algorithms and tried to evaluate the current state-of-the-art in attacks against them leveraging quantum computers.
eyedeekay The results are mostly "good news" in that attacks on SHA2 and other hashing algorithms are not expected to become practical in the event of a cryptographically-relevant quantum computer.
eyedeekay There are quantum algorithms(Grover's), and combinations of quantum algorithms(Broussard's and some others) that promise speedups.
eyedeekay However the speedups that the quantum algorithms are capable of, even hypothetically, do not improve the possibility that a collision could be found in a practical timeframe.
eyedeekay The popular opinion seems to be that SHA2 will remain secure for a very long time.
eyedeekay The concerns about it in general seem to be things that are very well understood which we handle correctly, like length-extension attacks which are dealt with using HMAC.
eyedeekay I did also look at other hash algorithms however.
eyedeekay Maybe interestingly, the BLAKE family of hash functions seems to be in exactly the same situation as SHA2, as in, CRQC will be able to use Grover's algorithm for it, but it won't lead to finding a collision in a *practical* timeframe. The BLAKE2 family also shares some underlying constructions with SHA2, I think that is why it's the case.
eyedeekay I also looked at SHA3, which is interesting for the opposite reason, it uses a completely different underlying construction, "sponge" which is part of why it was chosen by NIST.
eyedeekay Last time spoke on this I was unsure of our agility and/or our ability to support multiple hashes.
eyedeekay I think my answer to this is changed, because at the very least SHA3 and BLAKE support variable-lengths so we could simply differentiate them by length.
eyedeekay SHA2 | SHA3 | BLAKE2b
eyedeekay ------------------------------------------------------------
eyedeekay Requires HMAC | Length-ext resistant | Length-ext resistant
eyedeekay HW Accel(Intel)| Generally slower | Generally Faster
eyedeekay Slow(ARM) | NIST Approved | No NIST approved
eyedeekay NIST Approved | S.O.T.A.(Sponge) | Similar to SHA2
eyedeekay Grover's | No PQ Attacks | Grover's
eyedeekay Broussard's | Variable-length | Broussard's
eyedeekay The short answer is that I don't think we need to change away from SHA256 at all, but we can if we want to.
eyedeekay Hypothetically, BLAKE2b might be faster on Android devices for instance, but taking out all the HMAC stuff and/or switching between SHA2 and BLAKE2b hash-handlers might be complicated.
eyedeekay Ultimately, it does not seem like development of a cryptographically-relevant quantum computer will affect the security of SHA2.
zzz give us an EOT when you're done and then a couple minutes to read
eyedeekay EOT, take your time
orignal what do we use hashes explicitly in PQ?
dr|z3d delayed "hi" from me.
zzz this is in the Noise handshake, mixHash()
orignal got it. thanks
zzz my source is the PQ SSH RFC datatracker.ietf.org/doc/draft-ietf-sshm-mlkem-hybrid-kex which basically says SHA-2 is fine in this application
Leopold Hi Dr.
dr|z3d *** waves. ***
zzz I think the normal concerns about collisions don't apply very well to using a hash for a running integrity check in noise handshakes. Is that right eyedeekay ?
eyedeekay No I don't really see how they would
zzz and ditto length extension?
eyedeekay I really thought hard about how the heck I could make that matter, but I really don't think I can for the way we use it
zzz SSH proposes SHA384 to be used with MLKEM-1024 (our type 7), but without a lot of justification
zzz I don't think we're really going to use type 7 so I'd rather not go through a whole bunch of work to change the hash on it
zzz orignal, what are your thoughts?
orignal leave it as is
orignal e.g. HMAC with sha256
zzz I think I agree
orignal also mind about sha-ni
orignal on modern x64 cpus
zzz if we need to change later, we have 64K - 8 enc type numbers still available
eyedeekay I couldn't find anything that looked like *serious* justification to move from one modern hash to another outside of A) they think one is easier to use than another or B) running into people's compliance issues. People moving from BLAKE2 to SHA3 because they needed to be using a NIST-approved cipher, or from SHA2 to BLAKE2b because they don't want to HMAC. Very little on PQ.
zzz if SHA-2 is broken all of I2P netdb is broken, we have worse problems than hybrid ratchet
zzz sounds like we're happy with SHA-256 for 5/6/7. Any more discussion about hashes?
orignal not from my side
zzz thanks eyedeekay for the good research and summary
eyedeekay no problem, nothing to add from me
zzz ok, if not, next I'd like to talk about the ratchet part of the spec in general. Is there anything else we need to review or change or discuss, or are we ready to approve that part of it?
zzz I made very minor changes to the proposal shortly after the last review, but haven't touched it since April 24th
dr|z3d mareki2p: you're welcome to contribute to the discussion here.
mareki2p SHA-512/256 and SHA-384 (both variants of 64 bit SHA-512) do not suffer from length extension attacks. SHA-512 is HW accelerated on latest Zen5 and ArrowLake/LunarLake processors.
mareki2p SHA-256 (and SHA-224 and SHA-1) are HW accelerated for a long time already.
mareki2p Sorry, I thought I have no permission to speak here.
zzz all are welcome
zzz thanks mareki2p
zzz ok, hearing no more comments about ratchet, would you all please state your approval or thumbs up or something about the ratchet part of proposal 169?
zzz me: ++
orignal what''s that?
orignal is there something new vs. we have now?
zzz do you approve the ratchet part of proposal 169?
zzz nothing new since last meeting really
dr|z3d *** throws a ++ into the ring. ***
orignal so you are asking me if I approve current implemntation?
zzz the current spec, which matches the current implementation for i2pd and java, which we have tested, yes
mareki2p What is the idea of Blake2b vs Blake3?
zzz super I think we're all happy then
zzz mareki2p, let's defer blake talk until after the meeting, we're on a little bit of a roll here...
zzz ok next topic: preferred choice out of 5/6/7
zzz I recommend that we use 6 and 6,4 as the preferred choices
zzz 5 is too weak and 7 is too big
zzz so for compatibility, we should highlight 6 and 6,4 as the preferred choices in our docs and UI
orignal what's the LS size for 6?
orignal usual
orignal for 5 tunnels
orignal that's my concern
zzz no change in LS size, remember these are ephemeral keys only
orignal fine then
orignal let's do 6
zzz so a 6,4 LS is what, 36 bytes more than a type 4-only LS
eyedeekay 6,4 is fine with me
zzz NIST security categories [FIPS203] :
zzz Algorithm Security Category
zzz MLKEM512 1
zzz MLKEM768 3
zzz MLKEM1024 5
zzz 'security category 1' is basically crap
zzz and the noise handshake size increase for ratchet:
zzz Size increase (bytes):
zzz Type Pubkey (Msg 1) Cipertext (Msg 2)
zzz MLKEM512_X25519 +816 +784
zzz MLKEM768_X25519 +1200 +1104
zzz MLKEM1024_X25519 +1584 +1584
zzz ok, everybody happy with 6,4 as the recommendation?
orignal yes, I'm fine
orignal will swith 333 to 6,4
zzz ok, lets talk about schedule for a moment
zzz I think we can probably roll it out as a beta for 0.9.67 (August 2025) and official in 0.9.68 (November 2025), how does that sound?
orignal my problem is that openssl 3.5 is not everywhere
orignal fine for me
orignal if nov
dr|z3d can you bundle 3.5 as a fallback?
orignal I would prefer after ubuntu 25.10 relese
orignal not sure
zzz I don't know when we would make it a default. Right now our http client proxy is still 4,0 by default
orignal what it depends on
zzz And I don't want to do 6,4,0
orignal forget about 0
orignal Elg is dead
zzz right, just haven't forgotten about it yet, I guess now is the time
dr|z3d we'd love to forget about it, but there are still ElG only websites out there.
orignal my servers are 4 by default
orignal going to remove 0 from the code
orignal for example?
dr|z3d have a look on notbob.i2p
dr|z3d in the diamond column, anything that has a bottom half red segment is ElG only.
zzz bitcoin is still 4,0 thru SAM
zzz bigly is changing from 4,0 to 4 this release
zzz I don't know if somebody asks for 4,0 thru SAM and you don't support 0, would you error out or just ignore the 0
zzz anyway, I think for the August release I'd like to hide PQ behind an advanced-config flag
dr|z3d or, technically speaking, dsa_sha1.
orignal I thought it's DSA
orignal nothjing to do wit Elg
dr|z3d we drop 0, we lose all the dsa_sha1 servers, no?
orignal august release?
orignal ofc no
orignal look at animal.i2p ))
orignal it's DSA with 4 only
zzz next release is probably around late august, early sept., 3 months from last week
orignal than it's fine
dr|z3d I'd rather not.
dr|z3d ok, well about time dsa_sha1 was gone for good, too.
zzz any other discussions on schedule/rollout of ratchet?
orignal let me think about fallback implemntation
orignal what's our next step in PQ?
zzz good question, that's my final topic
zzz I propose that next we work on NTCP2 and SSU2 hybrid XK handshakes
orignal ratchets work fine in my opiunion
zzz with flags in the RouterAddress saying we support hybrid
orignal DSA_SHA1 is more complicated thing
orignal becuse old addresses
zzz like v=2,3 or something
zzz I still think MLDSA sigs is last on the priority list, maybe next year or even later
zzz opinions on doing hybrid NTCP2/SSU2 next?
orignal let's do it
orignal NTCP2 is easier
zzz should be pretty easy for both
zzz SSU2 is easier, we have flag bits to support both on the same port
orignal how about SSU2 to fix that issue with ident
orignal maybe we can do it together with PQ?
zzz for NTCP2, I have an idea: we have ONE spare bit (the MSB of the eph. key)
orignal then maybe we can satrt with SSU2 to solve both problems
orignal because this is still outstanding issue
zzz for the SSU2 cloning issue, we're standing by since last year, whenever you'd like to update your proposal and schedule a review
orignal if we pass encapsulation for PQ we can also pass ident or apply one more MixHash before PQ
orignal without additional flag for this
zzz maybe, but it would be nice to fix it for non-PQ also
orignal e.g. if you use PQ you must aplly this MixHash
orignal it works now, later on we will require PQ only
zzz maybe, but I don't know when, we haven't talked about it
orignal in few years
zzz that could be 2-3 years away
orignal no rush anyway
orignal right now the only drawback is that NTCP2 is being chosen more often that SSU2
zzz if you want to fix the cloning issue soon, we need two flag bits. We have 8 flag bits now in Session Request, all unused
zzz chosen by whom?
orignal as I said no rush
orignal i2pd chooses NTCP2 to connect to uknnown routers
orignal for me no rush to fix this issue
orignal because the workaround works well
zzz well, until you're in a rush, I guess we're not going to do anything about it
zzz anything else on next steps?
orignal that's why I suggest to fix it as part of PQ
zzz it's either important or not, independent of PQ
zzz anthing else for the meeting?
eyedeekay Hybrid transports seem like the next logical step to me, nothing to add really
orignal imporatnt but not critical
mareki2p Can I talk about Blake?
zzz one sec mareki2p
zzz our next review will be in two weeks, the 3 1/2 year old proposal 160, UDP bittorrent announces
zzz if nobody shows but Bigly, that's fine, but hopefully we can get R4SAS here too
orignal I doubt you will see R4SAS
orignal he is too busy
zzz anything else before the baffer?
zzz thanks everybody
zzz go ahead mareki2p
mareki2p Three quick points: Blake2b - up to 512 bit digest, no parallelism, for longer digest you need Blake2x, for parallelism you need BLAKE2bp/Blake2sp.
mareki2p Blake3 - arbitrary digest length, parallel computation (each 1kB block could be computed in parallel independently, later combined together).
mareki2p Blake3 is faster than Blake2b.
zzz good to know, thanks for your comments and your patience ))
Leopold Early planning is necessary as cyber threat actors could be targeting data today that would still require protection in the future (or in other words, has a long secrecy lifetime), using a catch now, break later or harvest now, decrypt later operation. Many of the cryptographic products, protocols, and services used today that rely on public key algorithms (e.g., Rivest-Shamir-Adleman [RSA], Elliptic Curve Diffie-Hellman [ECDH], and Elliptic Curve Digital
Leopold Signature Algorithm [ECDSA]) will need to be updated, replaced, or significantly altered to employ quantum-resistant PQC algorithms, to protect against this future threat.
Leopold nsa recommendations refer to nist