Crate aes_gcm_siv

AES-GCM-SIV (RFC 8452): high-performance Authenticated Encryption with Associated Data (AEAD) cipher which also provides nonce reuse misuse resistance.

Suitable as a general purpose symmetric encryption cipher, AES-GCM-SIV also removes many of the "sharp edges" of AES-GCM, providing significantly better security bounds while simultaneously eliminating the most catastrophic risks of nonce reuse that exist in AES-GCM.

Decryption performance is equivalent to AES-GCM. Encryption is marginally slower.

See also:

• Adam Langley: AES-GCM-SIV
• Coda Hale: Towards A Safer Footgun

Security Warning

No security audits of this crate have ever been performed, and it has not been thoroughly assessed to ensure its operation is constant-time on common CPU architectures.

Where possible the implementation uses constant-time hardware intrinsics, or otherwise falls back to an implementation which contains no secret-dependent branches or table lookups, however it's possible LLVM may insert such operations in certain scenarios.

Usage

use aes_gcm_siv::Aes256GcmSiv; // Or `Aes128GcmSiv`
use aead::{Aead, NewAead, generic_array::GenericArray};

let key = GenericArray::clone_from_slice(b"an example very very secret key.");
let aead = Aes256GcmSiv::new(key);

let nonce = GenericArray::from_slice(b"secret nonce"); // 96-bytes; unique per message
let ciphertext = aead.encrypt(nonce, b"plaintext message".as_ref()).expect("encryption failure!");
let plaintext = aead.decrypt(nonce, ciphertext.as_ref()).expect("decryption failure!");

Re-exports

pub use aead;

Structs

AesGcmSiv

AES-GCM-SIV: Misuse-Resistant Authenticated Encryption Cipher (RFC 8452)

Constants

A_MAX	Maximum length of associated data (from RFC 8452 Section 6)
C_MAX	Maximum length of ciphertext (from RFC 8452 Section 6)
P_MAX	Maximum length of plaintext (from RFC 8452 Section 6)

Type Definitions

Aes128GcmSiv	AES-GCM-SIV with a 128-bit key
Aes256GcmSiv	AES-GCM-SIV with a 256-bit key