Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Consider more algorithms: ascon, aegis, EME, rijndael-256 #12

Open
paulmillr opened this issue Oct 7, 2023 · 20 comments
Open

Consider more algorithms: ascon, aegis, EME, rijndael-256 #12

paulmillr opened this issue Oct 7, 2023 · 20 comments

Comments

@paulmillr
Copy link
Owner

paulmillr commented Oct 7, 2023

  1. Ascon won NIST lightweight cryptography contest 1
  2. Aegis is AES-based cipher present in linux, zig, libsodium 2
  3. EME (ECB-Mix-ECB or, clearer, Encrypt-Mix-Encrypt) is a wide-block encryption mode developed by Halevi and Rogaway in 2003 eme. The reference link is also from an implementation in Go.
    • It's parallelizable. And it's used in rclone for the crypt backend. "A personal reason is that I'm porting rclone to Web/Deno". Some folks want it, because EME is used in FS encryption sometimes
    • Seems to be abandoned
  4. Rijndael-256. Rijndael to AES is what keccak is to SHA3: previous, non-standardized version. -256 supports 256-bit blocks. The confidentiality of AES-GCM is far below 128-bit security 3. Confidentiality advantage for an attacker is < $\sigma^2/2^{129}$ where $\sigma$ is the number of encrypted 128-bit chunks.
    • NIST plans to standardize it 4

It's unclear if any of these algorithms are actually worth implementing in noble.

Footnotes

  1. https://csrc.nist.gov/News/2023/lightweight-cryptography-nist-selects-ascon

  2. https://doc.libsodium.org/secret-key_cryptography/aead/aegis-256

  3. https://csrc.nist.gov/csrc/media/Presentations/2023/proposal-for-standardization-of-encryption-schemes/images-media/sess-4-mattsson-bcm-workshop-2023.pdf 2

  4. https://csrc.nist.gov/news/2024/nist-proposes-to-standardize-wider-variant-of-aes

@paulmillr paulmillr changed the title Implement Ascon Consider implementing Ascon Dec 10, 2023
@paulmillr paulmillr changed the title Consider implementing Ascon Add more algorithms: ascon, aegis, eme, rijndael-256, aes-kw Apr 8, 2024
@mirceanis
Copy link
Contributor

➕ 💯 for AESKW

that would allow me to greatly simplify the dependencies in several projects I maintain, where I have to use a very heavy isomorphic-webcrypto otherwise

@paulmillr
Copy link
Owner Author

@mirceanis AESKW is done.

@paulmillr paulmillr changed the title Add more algorithms: ascon, aegis, eme, rijndael-256, aes-kw Consider more algorithms: ascon, aegis, eme, rijndael-256 Aug 5, 2024
@alterstep
Copy link

I would like AEGIS. There is a JavaScript implementation, but it's only AEGIS-128L and is not very good.

@paulmillr
Copy link
Owner Author

@alterstep any chance you'll be able to describe what are you using it for?

@alterstep
Copy link

@alterstep any chance you'll be able to describe what are you using it for?

Yes, I use libsodium on the server because AEGIS is very fast. On the client side, I could use libsodium-js, but it's very large, and I don't need its full functionality. Noble-ciphers would be perfect.

@paulmillr
Copy link
Owner Author

Yes, but why do you need something "very fast"? Why can't AES work for you?

@alterstep
Copy link

Yes, but why do you need something "very fast"? Why can't AES work for you?

256-bit nonces too.

@paulmillr
Copy link
Owner Author

Why AEGIS instead of XChacha20-poly1305?

@alterstep
Copy link

sodium AEGIS-256 is more than 5 times faster than XChaCha

@paulmillr
Copy link
Owner Author

Interesting, ok.

The question is, however, do you actually need this speed? Is the speed of algorithms a bottleneck in your application?

@BigPanda97
Copy link

Ascon and AEGIS are both nice. And there is an Ascon-js version already available which could probably easily be implemented here.

@paulmillr
Copy link
Owner Author

Keep in mind it's not just "implementing" - it's also continuously supporting and perhaps having 3rd party audits of the code.

@paulmillr
Copy link
Owner Author

AEGIS has been implemented here: https://github.com/stknob/aegis-ts/tree/main

@paulmillr paulmillr changed the title Consider more algorithms: ascon, aegis, eme, rijndael-256 Consider more algorithms: ascon, aegis, EME, rijndael-256 Jan 10, 2025
@BigPanda97
Copy link

I would still recommend implementing them, as Ascon and AEGIS both are very useful ciphers, probably much more than Salsa20.

@paulmillr
Copy link
Owner Author

@BigPanda97 what makes them more useful than Salsa for your use case?

@BigPanda97
Copy link

@BigPanda97 what makes them more useful than Salsa for your use case?

This question seems more like a joke. Salsa is basically used nowhere nowadays except for Threema messenger which still uses it. However:

So both of them have and will have a very widespread usage just like AES, underlining their importance in every cryptographic library.

@paulmillr
Copy link
Owner Author

If you read topic start post, it mentions benefits already. There is no need to write it twice.

I'm not asking about benefits of algorithms. I'm asking how you, personally would benefit from having those algo / algos in noble. Details of your environment. Why can't it use ChaCha20poly1305.

Salsa is basically used nowhere nowadays

one, two

@BigPanda97
Copy link

If you read topic start post, it mentions benefits already. There is no need to write it twice.

Wrong, the implementation in TLS and the publishing of the final standardisation is new.

I'm not asking about benefits of algorithms. I'm asking how you, personally would benefit from having those algo / algos in noble.

For example to decrypt stuff which has been encrypted using LibSodiums AEGIS? 🙄

Salsa is basically used nowhere nowadays

Your example searches reveal many old and outdated projects as well as many implementations where the underlying algorithms of the API have been switched to ChaCha instead. A productive usage of Salsa is useless nowadays, since ChaCha is both more secure and more efficient/faster.

There is still no valid reason, why any good and reputable cryptographic library should NOT implement AEGIS and ASCON. Both will be the algorithms of the future.

@paulmillr
Copy link
Owner Author

There is still no valid reason, why any good and reputable cryptographic library should NOT implement AEGIS and ASCON

So submit a pull request.

@BigPanda97
Copy link

There is still no valid reason, why any good and reputable cryptographic library should NOT implement AEGIS and ASCON

So submit a pull request.

I wouldn't consider myself experienced enough for it, sorry.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants