Open
Description
- Ascon won NIST lightweight cryptography contest [1]
- Aegis is AES-based cipher present in linux, zig, libsodium [2]
  - Very fast
  - Plaintexts up to 2EiB instead of AES-GCM 64GiB [3]
  - Fully committing, unlike AES-GCM
  - More info in https://crypto.stackexchange.com/a/106125
  - Implemented on top of noble-ciphers in https://github.com/stknob/aegis-ts
- EME (ECB-Mix-ECB or, clearer, Encrypt-Mix-Encrypt) is a wide-block encryption mode developed by Halevi and Rogaway in 2003 eme. The reference link is also from an implementation in Go.
  - It's parallelizable. And it's used in rclone for the crypt backend. "A personal reason is that I'm porting rclone to Web/Deno". Some folks want it, because EME is used in FS encryption sometimes
  - Seems to be abandoned
- Rijndael-256. Rijndael to AES is what keccak is to SHA3: previous, non-standardized version. -256 supports 256-bit blocks. The confidentiality of AES-GCM is far below 128-bit security [3]. Confidentiality advantage for an attacker is < $\sigma^2/2^{129}$ where $\sigma$ is the number of encrypted 128-bit chunks.
  - NIST plans to standardize it [4]

It's unclear if any of these algorithms are actually worth implementing in noble.
Footnotes
1. https://csrc.nist.gov/News/2023/lightweight-cryptography-nist-selects-ascon
2. https://doc.libsodium.org/secret-key_cryptography/aead/aegis-256
3. https://csrc.nist.gov/csrc/media/Presentations/2023/proposal-for-standardization-of-encryption-schemes/images-media/sess-4-mattsson-bcm-workshop-2023.pdf
4. https://csrc.nist.gov/news/2024/nist-proposes-to-standardize-wider-variant-of-aes