AES-EME2-BLAKE3
Pure Rust implementation of the AES-EME2-BLAKE3 Deterministic Authenticated Encryption (DAE) cipher.
Security Notes
aes-eme2-blake3 is designed to provide 100% Nonce Misuse Resistance (NMR).
Standard modes like AES-GCM fail catastrophically if a nonce is reused. This library
uses a Synthetic Initialization Vector (SIV) architecture. BLAKE3 computes a MAC over
the plaintext, associated data (AD), and nonce. This MAC is then used as the tweak
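for the wide-block EME2 cipher. Reusing a nonce with different data completely
changes the tweak, so the two ciphertexts are unrelated. Because the construction is
deterministic, repeating the same nonce, AD and plaintext under one key yields the
same ciphertext, which reveals only that the two messages were identical.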
Furthermore, unlike stream ciphers, EME2 acts as a Strong Pseudorandom Permutation (SPRP). It processes your entire payload as a single wide cryptographic block. If an attacker alters even a single bit of the ciphertext, decryption scrambles the entire plaintext into unrecognizable garbage, so the subsequent BLAKE3 authentication check fails except with negligible probability.
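The construction described above, as an added example that is not the crate's code or API: BLAKE3 and AES-EME2 are replaced by labelled stand-ins built on std's SipHash `DefaultHasher` (not cryptographic). The `u64` key, the 16-byte tag, the tag-then-ciphertext layout and the names `prf`, `tag`, `wide_block`, `seal` and `open` are assumptions made for illustration.

```rust
use std::{collections::hash_map::DefaultHasher, hash::Hasher};

// Stand-ins (NOT cryptographic): prf is SipHash in counter mode with
// length-prefixed inputs; tag() takes the place of the BLAKE3 MAC.
fn prf(key: u64, label: u8, parts: &[&[u8]], out_len: usize) -> Vec<u8> {
    let block = |ctr: u64| {
        let mut h = DefaultHasher::new();
        h.write_u64(key); h.write_u8(label); h.write_u64(ctr);
        for p in parts { h.write_u64(p.len() as u64); h.write(p); }
        h.finish().to_be_bytes()
    };
    (0u64..).flat_map(block).take(out_len).collect()
}

fn tag(key: u64, nonce: &[u8], ad: &[u8], pt: &[u8]) -> Vec<u8> {
    prf(key, 0xff, &[nonce, ad, pt], 16)
}

// Stand-in for EME2: 4-round Feistel over the whole buffer, tweaked by the tag.
fn wide_block(key: u64, tweak: &[u8], buf: &mut [u8], decrypt: bool) {
    let mid = buf.len() / 2;
    for i in 0..4u8 {
        let round = if decrypt { 3 - i } else { i };
        let (left, right) = buf.split_at_mut(mid);
        let (dst, src) = if round % 2 == 0 { (left, right) } else { (right, left) };
        let ks = prf(key, round, &[tweak, &*src], dst.len());
        for (d, k) in dst.iter_mut().zip(ks) { *d ^= k; }
    }
}

// Assumed wire layout: 16-byte tag followed by the wide-block ciphertext.
pub fn seal(key: u64, nonce: &[u8], ad: &[u8], pt: &[u8]) -> Vec<u8> {
    let (t, mut body) = (tag(key, nonce, ad, pt), pt.to_vec());
    wide_block(key, &t, &mut body, false);
    [t, body].concat()
}

// Decrypt under the received tag, then recompute it (constant-time compare in real code).
pub fn open(key: u64, nonce: &[u8], ad: &[u8], msg: &[u8]) -> Option<Vec<u8>> {
    if msg.len() < 16 { return None; }
    let (t, body) = msg.split_at(16);
    let mut pt = body.to_vec();
    wide_block(key, t, &mut pt, true);
    if tag(key, nonce, ad, &pt) == t { Some(pt) } else { None }
}
fn main() {
    let mut msg = seal(7, b"nonce", b"hdr", b"constructed sample payload");
    msg[20] ^= 1; // flip one ciphertext bit
    println!("tampered message accepted: {}", open(7, b"nonce", b"hdr", &msg).is_some());
}
```

Sealing two different plaintexts under the same nonce yields different tags and bodies, while sealing identical inputs twice yields identical output.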
All implementations contained in the crate rely on the constant-time guarantees of
the underlying aes and blake3 crates, while the EME2 core logic itself avoids
data-dependent branching.
Performance & Architecture
We consciously trade pure throughput for maximum operational security.
In our benchmarks, aes-eme2-blake3 achieves a peak decryption throughput of ~197 MiB/s,
whereas a hardware-accelerated AES-GCM implementation achieves ~1.21 GiB/s
(roughly 6x faster).
This performance difference is expected given the architectural goals. AES-GCM is a single-pass mode built on counter-mode (stream) encryption. EME2 is a true wide-block cipher that requires two full passes over the entire plaintext buffer to build an XOR sum, ensuring that every byte depends mathematically on every other byte.
Throughput Benchmarks
| Payload Size | AES-EME2-BLAKE3 Encrypt | AES-EME2-BLAKE3 Decrypt | AES-GCM Encrypt | AES-GCM Decrypt |
|---|---|---|---|---|
| 32 B | 45.9 MiB/s | 47.1 MiB/s | 209.8 MiB/s | 175.2 MiB/s |
| 64 B | 75.4 MiB/s | 70.6 MiB/s | 345.3 MiB/s | 323.7 MiB/s |
| 1 KB | 156.4 MiB/s | 156.5 MiB/s | 1000.6 MiB/s | 894.4 MiB/s |
| 64 KB | 197.2 MiB/s | 197.3 MiB/s | 1.21 GiB/s | 1.21 GiB/s |
| 512 KB | 196.8 MiB/s | 194.9 MiB/s | 1.15 GiB/s | 1.15 GiB/s |
| 1 MB | 197.6 MiB/s | 194.8 MiB/s | 1.17 GiB/s | 1.20 GiB/s |
| 10 MB | 185.6 MiB/s | 188.6 MiB/s | 1.16 GiB/s | 1.14 GiB/s |
License
Licensed under either of:
at your option.
Contribution
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.