Evaluation of some React Native crypto libraries

GSoC Projects Native Encryption
1

I have evaluated several React Native crypto libraries. Here is an overview of them:

Name Last publish iOS implementation Android implementation Note
react-native-aes-crypto 2 months ago CommonCrypto javax.crypto Only supports AES/CBC/PKCS7Padding and AES/CTR/PKCS5Padding
hybrid-crypto-js 4 years ago/10 months ago Javascript Javascript Pure Javascript
react-native-aes-ecb 2 years ago Javascript Javascript Pure Javascript, ECB mode only (no IV, dangerous)
react-native-crypto-aes-cbc 5 months ago CommonCrypto javax.crypto CBC mode only (vulnerable to the padding oracle attack, no authentication)
react-native-zebra-aes-crypto 5 months ago CommonCrypto javax.crypto CTR mode only (no authentication)
expo-crypto a month ago (not checked) (not checked) Only provides digest method and random data generator
react-native-quick-crypto 4 days ago OpenSSL/C++ OpenSSL/C++ Relatively new (started on Feb 13, 2022)
browserify/crypto-browserify 7 years ago Javascript Javascript Pure Javascript, NPM package unmaintained

react-native-quick-crypto might be a good option to use, although the Android implementation doesn't match my initial plan (OpenSSL vs. javax.crypto).

2 Likes
2

A transition to quantum-resistant cryptography is it an option ?

3

(The content below is just based on my knowledge and understanding. Feel free to correct me if I'm wrong.)

I just read the passage of your link and the Zoom Cryptography Whitepaper. The post-quantum cryptographic algorithm mentioned in your passage (Kyber-768) is an asymmetric algorithm, while Joplin uses a symmetric algorithm (AES) to encrypt the notes. As noted in Wikipedia,

most current symmetric cryptographic algorithms and hash functions are considered to be relatively secure against attacks by quantum computers.

You can also find that Zoom uses AES to encrypt the meeting streams and emails. It's documented in their whitepaper.

1 Like
4

Yes I’ve linked this article because they quote several companies following NIST Post-Quantum Cryptography Standardization in their own services.

I've read this also. I don’t have enough mathematical knowledge to compare how much difference there is between AES and new post Quantum algorithms.

5

I think the real world understanding is currently;

  1. Symmetric Encryption like Joplin uses has no known quantum weaknesses.
  2. Asymmetric Encryption would suffer Shors Algorithm, providing Quantum Computers a decent speed boost in attacking it.
  3. However Quantum Computers aren't magic. They can knock several billion years off the calculation and still be several billion years too slow to be useful.
  4. But also it's a brand new field, and no one know what the answers will look like in 20 years, or whether there'll be better algorithms that destroy all guarantees the crypto provides in classical modes.
  5. Stuff's expensive.

Regardless, upgrading from 128bit to 256bit AES provides the same boost to quantum computing as it does to classical computing by today's knowledge. Quantum Resistant Encryption in todays world is primarily around public/private keys (asymmetric crypto).

4 Likes
6

FYI, we will use 256bit AES in this project.