From ceb3e6c289db8e1e7a66204c6d06a40089fd6bc1 Mon Sep 17 00:00:00 2001 From: Teodor Calin Date: Tue, 7 Jul 2026 12:34:16 +0300 Subject: [PATCH] =?UTF-8?q?blog:=20expand=20X25519+AES-GCM=20post=20?= =?UTF-8?q?=E2=80=94=20AES-128=20vs=20AES-256-GCM=20(#83)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...dependency-encryption-x25519-aes-gcm.astro | 35 ++++++++++++++++++- 1 file changed, 34 insertions(+), 1 deletion(-) diff --git a/src/pages/blog/zero-dependency-encryption-x25519-aes-gcm.astro b/src/pages/blog/zero-dependency-encryption-x25519-aes-gcm.astro index 63739d1..8e835d3 100644 --- a/src/pages/blog/zero-dependency-encryption-x25519-aes-gcm.astro +++ b/src/pages/blog/zero-dependency-encryption-x25519-aes-gcm.astro @@ -262,7 +262,28 @@ Message delivered
  • Relay privacy: Even when traffic is relayed through the beacon for NAT traversal, encryption is end-to-end. The beacon sees only opaque ciphertext.
  • -

    For how encryption integrates with Pilot's trust model and Ed25519 identity system, see Secure AI Agent Communication With Zero Trust. For the full protocol architecture including addressing, transport, and services, see How Pilot Protocol Works. For real-world applications of this encryption in sensitive environments, see Secure Research Collaboration: Share Models, Not Data and Building a Private Agent Network for Your Company.

    +

    AES-128-GCM vs. AES-256-GCM: Why Pilot Pairs X25519 With the 256-bit Key

    + +

    X25519 key exchange is often paired with AES-128-GCM rather than AES-256-GCM. TLS 1.3 defines TLS_AES_128_GCM_SHA256 as its mandatory-to-implement cipher suite, and WireGuard's Noise-based handshake also derives a 128-bit symmetric key for its ChaCha20-Poly1305 transport. Seeing X25519 next to AES-128-GCM in a protocol spec or a TLS handshake trace is common, and it is a deliberate, well-reasoned choice in those designs -- a 128-bit key already provides a security margin considered adequate against classical cryptanalysis, and a smaller key can mean marginally less work per block cipher round.

    + +

    Pilot Protocol's key derivation from X25519 produces a 32-byte (256-bit) shared secret, and the daemon uses the full 32 bytes as the AES-256-GCM key rather than truncating to 16 bytes for AES-128-GCM. Go's crypto/aes package selects the cipher variant purely from key length -- aes.NewCipher returns an AES-128 cipher for a 16-byte key and an AES-256 cipher for a 32-byte key, with no separate code path required. Since X25519's ECDH output is already 32 bytes, using all of it for AES-256 avoids a truncation or key-derivation step that AES-128-GCM would otherwise need.

    + + + + + + + + + + + + +
    AspectAES-128-GCMAES-256-GCM (Pilot)
    Key size16 bytes32 bytes
    Rounds (AES block cipher)1014
    Common pairingTLS 1.3 default suite, WireGuard-style handshakesTLS 1.3 optional suite, protocols that use the full X25519 ECDH output directly
    Hardware accelerationAES-NI / ARMv8 Crypto ExtensionsAES-NI / ARMv8 Crypto Extensions (same instruction set, more rounds executed)
    AuthenticationGCM tag, same constructionGCM tag, same construction
    + +

    Both variants use the identical GCM authenticated-encryption construction described above -- the same nonce format, the same 16-byte authentication tag, the same Seal/Open API in Go's standard library. The only difference is how many AES rounds the block cipher runs and how large the key is. Pilot's choice of AES-256-GCM is not a rejection of AES-128-GCM as insecure; it is simply the more direct fit for a design that already produces a 256-bit ECDH shared secret from X25519 and wants to use it in full, with a single, uniform key size across every tunnel, protocol version, and platform the daemon runs on.

    + +

    For how encryption integrates with Pilot's trust model and Ed25519 identity system, see Secure AI Agent Communication With Zero Trust. For the full protocol architecture including addressing, transport, and services, see How Pilot Protocol Works. For real-world applications of this encryption in sensitive environments, see Secure Research Collaboration: Share Models, Not Data and Building a Private Agent Network for Your Company. For a broader look at how this encrypted transport fits into peer discovery and reachability, see Overlay Network for AI Agents: Architecture and Trust Model.

    Try Pilot Protocol

    @@ -271,6 +292,18 @@ Message delivered
    `; const faqItems = [ + { + question: "Does X25519 have to be paired with AES-128-GCM?", + answer: "No. X25519 key exchange produces a 32-byte (256-bit) shared secret, which can be used directly as an AES-256-GCM key or truncated/derived down to a 16-byte AES-128-GCM key. Both pairings are used in real protocols -- TLS 1.3's default cipher suite and WireGuard-style handshakes commonly pair X25519 with a 128-bit key, while Pilot Protocol uses the full 256-bit ECDH output for AES-256-GCM.", + }, + { + question: "Why does Pilot Protocol use AES-256-GCM instead of AES-128-GCM?", + answer: "Pilot's X25519 key exchange already produces a 32-byte shared secret. Using all 32 bytes as the AES-256-GCM key avoids an extra truncation or key-derivation step, and Go's crypto/aes package selects the AES-256 code path automatically from a 32-byte key with no additional dependency or configuration.", + }, + { + question: "Is AES-128-GCM less secure than AES-256-GCM?", + answer: "Both are authenticated encryption ciphers using the same GCM construction, nonce format, and authentication tag; the difference is key size (16 vs. 32 bytes) and the number of AES rounds (10 vs. 14). AES-128-GCM is considered secure and is the default cipher suite in TLS 1.3 -- it is not a lesser choice, just a different key-size trade-off than Pilot's design made.", + }, { question: "How does X25519 + AES-GCM encryption work without external dependencies?", answer: "Pilot Protocol uses Go's crypto/ecdh package for X25519 key exchange and crypto/aes plus crypto/cipher for AES-256-GCM authenticated encryption. Both are part of Go's standard library, maintained by the Go team, so there is no OpenSSL, libsodium, or third-party crypto module in the dependency tree.",