Under the covers

Wherever possible the Mesh uses cryptographic algorithms that meet the following criteria.

- Are not encumbered by credible patent or other IPR claims.
- Offer a work factor of 2^256 operations or higher using conventional computers.
- Have been subjected to intensive peer review over a period of many years.
- There is a strong consensus among cryptographers and cryptographic protocol designers working in the principal Internet standards organizations (IETF, WE3C and OASIS) preferring their use.

For each cryptographic function, there is a preferred algorithm. Wherever possible there is also a backup algorithm whose design is based on a different principle for use in the case that the preferred algorithm is compromised or breached.

Since the Mesh is a new protocol specification and the IRTF has recently completed a consensus based process for specifying new public key algorithms using Elliptic Curves, these are the natural choice for the preferred algorithms. Unfortunately, these algorithms are so new that implementations are not yet widely available, a situation that is expected to change over the coming months. As a result, the reference code currently uses a set of 'legacy' algorithms whose use it is hoped to deprecate in the very near future.

- Cryptographic Digest
- SHA-2-512
- Message Authentication
- HMAC-SHA-2-512
- Encryption (symmetric)
- AES-256-CBC
- Authenticated Encryption
- AES-256-GCM
- Digital Signature
- ED-DSA-X448
- Key Agreement
- ECDH-X448

The purpose of the backup algorithms is to provide an alternative in the case that the preferred algorithm is compromised. At present, the only alternative to the elliptic curve algorithms that meets the principal selection criteria is RSA. While RSA does not meet the Work Factor requirement using practical key sizes, it is widely reviewed and would require a larger machine to be built to perform quantum cryptanalysis.

Thus the RSA-4096 algorithms have been selected as backup algorithms until it is possible to replace these selections with widely reviewed algorithms that are believe to be resistant to quantum cryptanalysis.

In anticipation of quantum cryptanalysis being demonstrated to be a practical attack before quantum resistant algorithms are developed, the use of Lamport Hash Signatures is proposed.

- Cryptographic Digest
- SHA-3-512
- Message Authentication
- HMAC-SHA-3-512
- Encryption (symmetric)
- ChaCha20
- Authenticated Encryption
- ChaCha20-Poly1305
- Key Agreement
- RSA-4048(*)
- Digital Signature
- RSA-4048(*)
- Quantum Safe Digital Signature
- XMSS (in development, see)

Consensus in the standards field clearly supports use of the new x25519 and x448 algorithms. But these are not yet widely implemented. Rather than spend time implementing algorithms that are almost certainly going to be supported in production cryptographic libraries in the near future, the reference code currently makes use of the earlier generation finite field cryptography.

- Digital Signature
- RSA-2048
- Key Agreement
- RSA-2048 (Two party)
- DH-2048 (Proxy Re-Encryption)