Low-level Cryptography

Summary of the symmetric, asymmetric, and signature primitives used across I2P

Updated: 2025-10 Accurate for: 2.10.0

Status: This page condenses the legacy “Low-level Cryptography Specification”. Modern I2P releases (2.10.0, October 2025) have completed the migration to new cryptographic primitives. Use specialized specs such as ECIES, Encrypted LeaseSets, NTCP2, Red25519, SSU2, and Tunnel Creation (ECIES) for implementation details.

Evolution Snapshot

Functional AreaLegacy PrimitiveCurrent / Planned PrimitiveMigration Status
Transport key exchangeDiffie–Hellman over 2048-bit prime (NTCP / SSU)X25519 (NTCP2 / SSU2)Completed (NTCP2 and SSU2 fully deployed)
End-to-end encryptionElGamal/AES+SessionTagsECIES-X25519-AEAD-RatchetCompleted (2.4.0+)
Symmetric cipherAES-256/CBC + HMAC-MD5ChaCha20/Poly1305 (AEAD)Active (tunnel layer remains AES-256)
Default signaturesDSA-SHA1 (1024-bit)EdDSA/RedDSA on Ed25519Fully migrated
Experimental / futureHybrid post-quantum encryption (opt-in)In testing (2.10.0)

Asymmetric Encryption

X25519

  • Used for NTCP2, ECIES-X25519-AEAD-Ratchet, SSU2, and X25519-based tunnel creation.
  • Provides compact keys, constant-time operations, and forward secrecy via the Noise protocol framework.
  • Offers 128-bit security with 32-byte keys and efficient key exchange.

ElGamal (Legacy)

  • Retained for backward compatibility with older routers.
  • Operates over the 2048-bit Oakley Group 14 prime (RFC 3526) with generator 2.
  • Encrypts AES session keys plus IVs in 514-byte ciphertexts.
  • Lacks authenticated encryption and forward secrecy; all modern endpoints have migrated to ECIES.

Symmetric Encryption

ChaCha20/Poly1305

  • Default authenticated encryption primitive across NTCP2, SSU2, and ECIES.
  • Provides AEAD security and high performance without AES hardware support.
  • Implemented per RFC 7539 (256‑bit key, 96‑bit nonce, 128‑bit tag).

AES‑256/CBC (Legacy)

  • Still used for tunnel layer encryption, where its block‑cipher structure fits I2P’s layered encryption model.
  • Uses PKCS#5 padding and per‑hop IV transformations.
  • Scheduled for long‑term review but remains cryptographically sound.

Signatures

Signature TypeUsage NotesStatus
DSA‑SHA1 (1024‑bit)Original default; still accepted for legacy Destinations.Deprecated
ECDSA‑SHA256/384/512Used during 2014–2015 transition.Supported
EdDSA‑SHA512‑Ed25519Default for Router and Destination identities (since 0.9.15).Default
RedDSA‑SHA512‑Ed25519Used for encrypted LeaseSet signatures (0.9.39+).Specialized
RSA‑SHA512‑4096For out‑of‑band signing (su3 updates, reseeds, plugins).Application‑layer

Hash and Key Derivation

  • SHA‑256: Used for DHT keys, HKDF, and legacy signatures.
  • SHA‑512: Used by EdDSA/RedDSA and in Noise HKDF derivations.
  • HKDF‑SHA256: Derives session keys in ECIES, NTCP2, and SSU2.
  • Daily‑rotating SHA‑256 derivations secure RouterInfo and LeaseSet storage locations in the netDb.

Transport Layer Summary

TransportKey ExchangeEncryptionAuthenticationStatus
NTCP2X25519ChaCha20/Poly1305AEADDefault TCP transport
SSU2X25519ChaCha20/Poly1305AEADDefault UDP transport
SSU (Legacy)DH‑2048AES‑256/CBC + HMAC‑MD5LegacyRemoved (2.4.0)

Both transports provide link‑level forward secrecy and replay protection, using the Noise_XK handshake pattern.

Tunnel Layer Encryption

  • Continues to use AES‑256/CBC for per‑hop layered encryption.
  • Outbound gateways perform iterative AES decryption; each hop re‑encrypts using its layer key and IV key.
  • Double‑IV encryption mitigates correlation and confirmation attacks.
  • Migration to AEAD is under study but not currently planned.

Post‑Quantum Cryptography

  • I2P 2.10.0 introduces experimental hybrid post‑quantum encryption.
  • Enabled manually via Hidden Service Manager for testing.
  • Combines X25519 with a quantum‑resistant KEM (hybrid mode).
  • Not default; intended for research and performance evaluation.

Extensibility Framework

  • Encryption and signature type identifiers allow parallel support for multiple primitives.
  • Current mappings include:
    • Encryption types: 0 = ElGamal/AES+SessionTags, 4 = ECIES‑X25519‑AEAD‑Ratchet.
    • Signature types: 0 = DSA‑SHA1, 7 = EdDSA‑SHA512‑Ed25519, 11 = RedDSA‑SHA512‑Ed25519.
  • This framework enables future upgrades, including post‑quantum schemes, without network splits.

Cryptographic Composition

  • Transport layer: X25519 + ChaCha20/Poly1305 (Noise framework).
  • Tunnel layer: AES‑256/CBC layered encryption for anonymity.
  • End‑to‑end: ECIES‑X25519‑AEAD‑Ratchet for confidentiality and forward secrecy.
  • Database layer: EdDSA/RedDSA signatures for authenticity.

These layers combine to provide defense‑in‑depth: even if one layer is compromised, others maintain confidentiality and unlinkability.

Summary

I2P 2.10.0’s cryptographic stack centers on:

  • Curve25519 (X25519) for key exchange
  • ChaCha20/Poly1305 for symmetric encryption
  • EdDSA / RedDSA for signatures
  • SHA‑256 / SHA‑512 for hashing and derivation
  • Experimental post‑quantum hybrid modes for forward compatibility

Legacy ElGamal, AES‑CBC, and DSA remain for backward compatibility but are no longer used in active transports or encryption paths.

Was this page helpful?