Crate aes

source · []
Expand description

Pure Rust implementation of the Advanced Encryption Standard (AES, a.k.a. Rijndael).

⚠️ Security Warning: Hazmat!

This crate implements only the low-level block cipher function, and is intended for use for implementing higher-level constructions only. It is NOT intended for direct use in applications.


Supported backends

This crate provides multiple backends including a portable pure Rust backend as well as ones based on CPU intrinsics.

By default, it performs runtime detection of CPU intrinsics and uses them if they are available.

“soft” portable backend

As a baseline implementation, this crate provides a constant-time pure Rust implementation based on fixslicing, a more advanced form of bitslicing implemented entirely in terms of bitwise arithmetic with no use of any lookup tables or data-dependent branches.

Enabling the compact Cargo feature will reduce the code size of this backend at the cost of decreased performance (using a modified form of the fixslicing technique called “semi-fixslicing”).

ARMv8 intrinsics (nightly-only)

On aarch64 targets including aarch64-apple-darwin (Apple M1) and Linux targets such as aarch64-unknown-linux-gnu and aarch64-unknown-linux-musl, support for using AES intrinsics provided by the ARMv8 Cryptography Extensions is available when using the nightly compiler, and can be enabled using the armv8 crate feature.

On Linux and macOS, when the armv8 feature is enabled support for AES intrinsics is autodetected at runtime. On other platforms the aes target feature must be enabled via RUSTFLAGS.

x86/x86_64 intrinsics (AES-NI)

By default this crate uses runtime detection on i686/x86_64 targets in order to determine if AES-NI is available, and if it is not, it will fallback to using a constant-time software implementation.

Passing RUSTFLAGS=-Ctarget-feature=+aes,+ssse3 explicitly at compile-time will override runtime detection and ensure that AES-NI is always used. Programs built in this manner will crash with an illegal instruction on CPUs which do not have AES-NI enabled.

Note: runtime detection is not possible on SGX targets. Please use the afforementioned RUSTFLAGS to leverage AES-NI on these targets.


use aes::Aes128;
use aes::cipher::{
    BlockCipher, BlockEncrypt, BlockDecrypt, KeyInit,

let key = GenericArray::from([0u8; 16]);
let mut block = GenericArray::from([42u8; 16]);

// Initialize cipher
let cipher = Aes128::new(&key);

let block_copy = block.clone();

// Encrypt block in-place
cipher.encrypt_block(&mut block);

// And decrypt it back
cipher.decrypt_block(&mut block);
assert_eq!(block, block_copy);

// implementation supports parrallel block processing
// number of blocks processed in parallel depends in general
// on hardware capabilities
let mut blocks = [block; 100];
cipher.encrypt_blocks(&mut blocks);

for block in blocks.iter_mut() {
    assert_eq!(block, &block_copy);

cipher.decrypt_blocks(&mut blocks);

for block in blocks.iter_mut() {
    assert_eq!(block, &block_copy);

For implementation of block cipher modes of operation see block-modes repository.

Configuration Flags

You can modify crate using the following configuration flags:

  • aes_armv8: enable ARMv8 AES intrinsics (nightly-only).
  • aes_force_soft: force software implementation.
  • aes_compact: reduce code size at the cost of slower performance (affects only software backend).

It can be enabled using RUSTFLAGS enviromental variable (e.g. RUSTFLAGS="--cfg aes_compact") or by modifying .cargo/config.


pub use cipher;


⚠️ Low-level “hazmat” AES functions.


AES-128 block cipher

AES-128 block cipher (decrypt-only)

AES-128 block cipher (encrypt-only)

AES-192 block cipher

AES-192 block cipher (decrypt-only)

AES-192 block cipher (encrypt-only)

AES-256 block cipher

AES-256 block cipher (decrypt-only)

AES-256 block cipher (encrypt-only)

Type Definitions

128-bit AES block

Eight 128-bit AES blocks