Documentation
Overview
Package aez implements the AEZ AEAD primitive.
Constants
const (
	// Version is the version of the AEZ specification implemented.
	Version = "v5"
)
Functions
func Decrypt
func Decrypt(key []byte, nonce []byte, additionalData [][]byte, tau int, ciphertext, dst []byte) ([]byte, bool)
Decrypt decrypts and authenticates the ciphertext, authenticates the additional data, and if successful appends the resulting plaintext to the provided slice and returns the updated slice and true. The length of the expected authentication tag in bytes is specified by tau. The ciphertext and dst slices MUST NOT overlap.
func Encrypt
func Encrypt(key []byte, nonce []byte, additionalData [][]byte, tau int, plaintext, dst []byte) []byte
Encrypt encrypts and authenticates the plaintext, authenticates the additional data, and appends the result to dst, returning the updated slice. The length of the authentication tag in bytes is specified by tau. The plaintext and dst slices MUST NOT overlap.
func IsHardwareAccelerated
func IsHardwareAccelerated() bool
IsHardwareAccelerated returns true iff the AEZ implementation will use hardware acceleration (e.g. AES-NI).
Types
type AeadAEZ
type AeadAEZ struct {
// contains filtered or unexported fields
}
AeadAEZ is AEZ wrapped in the crypto/cipher.AEAD interface. It expects a 16 byte nonce, and uses a 16 byte tag, per the recommended defaults in the specification.
The AEZ primitive itself supports a vector of authenticated data, variable length nonces, and variable length authentication tags. Users who require such functionality should investigate the one-shot Encrypt/Decrypt calls instead.
func (*AeadAEZ) NonceSize
NonceSize returns the size of the nonce that must be passed to Seal and Open.
func (*AeadAEZ) Open
Open decrypts and authenticates ciphertext, authenticates the additional data and, if successful, appends the resulting plaintext to dst, returning the updated slice. The nonce must be NonceSize() bytes long and both it and the additional data must match the value passed to Seal.
func (*AeadAEZ) Overhead
Overhead returns the maximum difference between the lengths of a plaintext and its ciphertext.
func (*AeadAEZ) Reset
func (a *AeadAEZ) Reset()
Reset clears the sensitive keying material from the data structure such that it will no longer be in memory.
func (*AeadAEZ) Seal
Seal encrypts and authenticates plaintext, authenticates the additional data and appends the result to dst, returning the updated slice. The nonce must be NonceSize() bytes long.
Additionally, the nonce should be unique for all time for a given key. The AEZ primitive does, however, provide nonce-reuse misuse-resistance (MRAE); see the paper for more details.
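Because AeadAEZ satisfies crypto/cipher.AEAD, callers can be written against the interface alone. The following is an added example, not code from this package: it frames messages as nonce || ciphertext || tag using only NonceSize, Overhead, Seal and Open. The helper names (sealFramed, openFramed, standIn) are hypothetical, and AES-GCM configured with a 16-byte nonce stands in for AeadAEZ so the block runs with the standard library alone.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sealFramed draws a fresh random nonce of NonceSize() bytes and returns
// nonce || ciphertext || tag. It works with any cipher.AEAD value.
func sealFramed(a cipher.AEAD, plaintext, ad []byte) ([]byte, error) {
	n := a.NonceSize()
	out := make([]byte, n, n+len(plaintext)+a.Overhead())
	if _, err := rand.Read(out); err != nil {
		return nil, err
	}
	// Seal appends after the nonce already stored in out; plaintext and out
	// are separate buffers, so the no-overlap requirement holds.
	return a.Seal(out, out[:n], plaintext, ad), nil
}

// openFramed splits the nonce off the front and authenticates the rest.
func openFramed(a cipher.AEAD, framed, ad []byte) ([]byte, error) {
	n := a.NonceSize()
	if len(framed) < n+a.Overhead() {
		return nil, errors.New("framed message too short")
	}
	// dst is nil, so the plaintext goes to a new buffer that cannot overlap
	// the ciphertext.
	return a.Open(nil, framed[:n], framed[n:], ad)
}

// standIn is an assumption for this example only: AES-GCM with a 16-byte
// nonce and 16-byte tag, the sizes the page gives for AeadAEZ. Unlike AEZ,
// GCM has no nonce-reuse misuse-resistance.
func standIn(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCMWithNonceSize(block, 16)
}

func main() {
	a, _ := standIn(make([]byte, 32)) // constructed all-zero demo key
	msg, _ := sealFramed(a, []byte("example payload"), []byte("hdr-v1"))
	_, err := openFramed(a, msg, []byte("hdr-v2")) // mismatched additional data
	fmt.Println("rejected:", err != nil)
}
```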