Post-Quantum Noise handshake for py-libp2p (XXhfs + X-Wing KEM) #1306
Replies: 3 comments 4 replies
-
Hi @paschal533 @seetadev @pacrob some thoughts about Noise-quantum Post-Quantum Noise for py-libp2p: Answers to the Python Design QuestionsContextThis document answers the three design questions raised in the py-libp2p discussion about adding a post-quantum hybrid Noise handshake (
The JS reference implementation introduces two new tokens ( What the current py-libp2p implementation impliesCurrent architecture summary (local codebase):
This means py-libp2p currently acts as an orchestrator around 1) Can
|
Beta Was this translation helpful? Give feedback.
-
|
@paschal533 Hold on on the traking issue, let's discuss more and wait for specs, so don't go right on just yet |
Beta Was this translation helpful? Give feedback.
-
|
Quick update for anyone following this thread. I have opened a draft PR with everything built so far so people can look at the code, run the tests, and give feedback without waiting for the spec discussion to fully resolve. PR: #1310 What is in it:
One thing worth flagging for the broader discussion: the spec debate around libp2p/specs#710 and libp2p/specs#711 is about post-quantum peer identity keys and PeerID encoding. That is a separate concern from what this PR implements. The XXhfs handshake is about forward secrecy at the key exchange layer and keeps Ed25519 for identity exactly as it is today. When ML-DSA identity eventually lands it will be absorbed transparently because the signature step sits behind the existing privkey.sign() abstraction. The two tracks do not block each other. All marked as draft and WIP. Happy to hear any thoughts on the design, the IKem interface, or anything else. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
Hi everyone,
I have been doing research on integrating post-quantum cryptography into the libp2p Noise handshake, and I wanted to bring it to this community and get your thoughts.
What was done on the JS side
I recently implemented the
Noise_XXhfs_25519+XWing_ChaChaPoly_SHA256handshake in js-libp2p-noise at Chainsafe. The XXhfs pattern is the Noise HFS extension that adds two extra tokens, e1 and ekem1, which perform a KEM operation alongside the classical X25519 DH. The KEM used is X-Wing, a hybrid ofML-KEM-768andX25519, so the session key is secure as long as either algorithm holds.The protocol ID is /noise-pq/1.0.0.
A working demo that runs in both Node.js and the browser is here: https://github.com/paschal533/pqc-libp2p-example
Benchmark results on a pure-JS runtime (Windows, Node.js v22):
The overhead is significant but manageable. For long-lived connections it is negligible. The main benefit is protecting against Store-Now-Decrypt-Later attacks on recorded traffic, which is a real threat today regardless of when quantum computers arrive.
Proposal for py-libp2p
I would like to research and implement the same handshake in py-libp2p so we can do interoperability testing between a Python node and a JS node over
/noise-pq/1.0.0.I have written a detailed migration roadmap covering 7 phases, from the architecture decision (whether noiseprotocol is extensible enough to add custom tokens) all the way to live interop tests and benchmarks.The key design questions for Python are:
ML-KEM-768: liboqs-python (C bindings, most audited) vs pymlkem (pure Python, no C dependency)?I am happy to do this work as part of my ongoing PQC research across libp2p implementations. Would love to hear if there are already plans for this or if there are any constraints I should know about before starting.
cc @seetadev @acul71 @pacrob
Related:
Beta Was this translation helpful? Give feedback.
All reactions