StormyCloud StormyCloud's XMR node is now online for those interested - xmr.stormycloud.i2p
RTP Awesome StormyCloud! I'll definitely be trying it.
RN *** says just a test folks ***
cancername i2p-projekt.i2p/spec/ssu2#header-encryption-kdf , aren't "tmp = 0; chacha20(k_header_1, iv, tmp); data ^= tmp" and "data = chacha20(k_header_1, iv, data)" equivalent?
cancername since chacha20 is a stream cipher and encrypting with a stream cipher is xoring with the keystream and "x xor 0 = x", "(x xor 0) xor y = x xor y"?
cancername but both the "keystream xor 0 xor plaintext" and "keystream xor plaintext" forms are used here, so, is this an implementation detail / optimization that made it into the spec, or am I totally off trac?
dr|z3d good question, cancername, zzz will be with you shortly to answer if he's around :)
zzz reading specs for fun, or implementing something?
cancername zzz: doing the latter to do the former
zzz that sounds backwards...
zzz but in any case I don't see that code you quoted in the spec
zzz there is no xor with zero
cancername zzz: isn't that in the ChaCha20.encrypt? the pseudocode goes data = {0, 0, 0, 0, 0, 0, 0, 0}, then mask = Chacha20.encrypt(k_header_1, iv, data) and since data is all zeroes mask should now be the keystream, right? since anything xor 0 is itself?
zzz huh? you think encrypt(hdr, iv, zeros) should result in zeros?
cancername no it should give the keystream right? Isn't chacha20.encrypt just xoring the keystream with the zeros or am I completely bonkers
zzz please define "keystream"
cancername the bytes chacha20 shits out to xor with the data to encrypt and decrypt it? I'm not crazy chacha20 is a stream cipher right
cancername I'll just try hold on
zzz yes its a stream cipher
onon_ zzz, Quick question, do you have byte count or packet count in your java implementation of SSU2 congestion control?
onon_ In i2pd implementation SSU2 congestion control is not good enough I think.
zzz onon mostly bytes, with a couple of packet count checks also, as recommended in the spec
onon_ thx, zzz
cancername zzz: sorry to take some of your time :) heres some bad python demoing what I mean, encrypting zeroes then xoring is equivalent to encrypting because anything xor 0 is itself and the encryption is just a xor with the keystream, the ssu2 header obfuscation does both, and I'm asking if the first 16 bytes being encrypted by generating the keystream separately is an optimization that got into the spec or if
cancername there's a different intent
zzz the spec is not an optimization, the header encryption was adapted from RFC 9001 which you may reference.
zzz yes chacha20 has an xor in it
cancername ah thanks
zzz if you think _you_ have an optimization, great, but I'm not going to do the work to prove it for you
zzz we defined it similar to the way rfc 9001 did, see sec. 5.4.4
zzz what are you working on? ssu2 is not where most people would start something
cancername zzz: I don't have an optimization, I just noticed that the first 16 bytes were encrypted by encrypting zeroes then xoring, the rest was encrypted "directly" and I wondered why that might be. I'm just trying to understand ssu2 for now because I think it's interesting and I haven't read much beyond the intro yet, but if you have a recommendation for curious nerds I'd love to hear it
zzz ok. so the 'why' is that that's the way QUIC spec'ed it
cancername I see ^_^
zzz ssu2 is indeed interesting
zzz it's also possibly our most complex protocol and has an enormous 20 year history behind it so it's not the easiest place to start
