Skip to main content

phantom_protocol/crypto/
aes_session.rs

1//! High-Performance AES-GCM Session Encryption
2//!
3//! Uses `ring` crate for AES-256-GCM with hardware acceleration.
4//! On Apple Silicon M1: ARM FEAT_AES intrinsics (~4-8 GB/s)
5//! On x86_64: AES-NI instructions (~4-8 GB/s)
6//!
7//! `ring` uses hand-optimized assembly for both ARM64 and x86_64,
8//! ensuring maximum throughput compared to pure-Rust crates.
9//!
10//! Under `--features fips` the AEAD backend swaps to `aws-lc-rs`
11//! (FIPS-validated AWS-LC). The Rust API surface is identical to
12//! `ring::aead` (same `LessSafeKey` / `Nonce` / `seal_in_place_append_tag`
13//! / `open_in_place`), so the rest of this module is untouched and `ring`
14//! is no longer linked on the fips path — see `crypto/adaptive_crypto.rs`
15//! for the same backend dispatch.
16
17#[cfg(feature = "fips")]
18use aws_lc_rs::aead::{Aad, LessSafeKey, Nonce, UnboundKey, AES_256_GCM};
19#[cfg(not(feature = "fips"))]
20use ring::aead::{Aad, LessSafeKey, Nonce, UnboundKey, AES_256_GCM};
21use std::sync::atomic::{AtomicU64, Ordering};
22
23/// Overhead bytes added by AES-256-GCM (16-byte auth tag)
24pub const AES_GCM_OVERHEAD: usize = 16;
25
26/// High-performance session encryption using ring's AES-256-GCM
27/// (hardware accelerated on ARM64/x86_64)
28pub struct AesSession {
29    /// Send cipher key
30    send_key: LessSafeKey,
31    /// Receive cipher key
32    recv_key: LessSafeKey,
33    /// Send nonce counter
34    send_counter: AtomicU64,
35    /// Receive nonce counter
36    recv_counter: AtomicU64,
37    /// Nonce prefix (4 bytes, set per session)
38    nonce_prefix: [u8; 4],
39}
40
41impl AesSession {
42    /// Create from a 32-byte shared secret (derived from PQC handshake).
43    /// This is the "initiator" side.
44    pub fn from_shared_secret(shared_secret: &[u8; 32]) -> Result<Self, crate::CoreError> {
45        Self::build(shared_secret, false)
46    }
47
48    /// Create the "peer" (responder) side — send/recv keys are swapped so that
49    /// initiator's encrypt can be decrypted by peer's decrypt, and vice versa.
50    pub fn from_shared_secret_peer(shared_secret: &[u8; 32]) -> Result<Self, crate::CoreError> {
51        Self::build(shared_secret, true)
52    }
53
54    fn build(shared_secret: &[u8; 32], swap: bool) -> Result<Self, crate::CoreError> {
55        // `crypto::kdf::derive_key_32` cfg-dispatches between
56        // `blake3::derive_key` (default) and HKDF-SHA256 (`--features
57        // fips`). API shape and 32-byte output are identical.
58        // CRYPTO-3: wipe the per-direction AEAD key bytes on every exit path
59        // once copied into ring's opaque `UnboundKey`.
60        let key_a = zeroize::Zeroizing::new(crate::crypto::kdf::derive_key_32(
61            "phantom-aes-send-v1",
62            shared_secret,
63        ));
64        let key_b = zeroize::Zeroizing::new(crate::crypto::kdf::derive_key_32(
65            "phantom-aes-recv-v1",
66            shared_secret,
67        ));
68
69        let (send_bytes, recv_bytes) = if swap { (key_b, key_a) } else { (key_a, key_b) };
70
71        let send_unbound = UnboundKey::new(&AES_256_GCM, &*send_bytes)
72            .map_err(|_| crate::CoreError::CryptoError("Invalid key".into()))?;
73        let recv_unbound = UnboundKey::new(&AES_256_GCM, &*recv_bytes)
74            .map_err(|_| crate::CoreError::CryptoError("Invalid key".into()))?;
75
76        let prefix_bytes = crate::crypto::kdf::derive_key_32("phantom-nonce-pfx-v1", shared_secret);
77        let mut nonce_prefix = [0u8; 4];
78        nonce_prefix.copy_from_slice(&prefix_bytes[..4]);
79
80        Ok(Self {
81            send_key: LessSafeKey::new(send_unbound),
82            recv_key: LessSafeKey::new(recv_unbound),
83            send_counter: AtomicU64::new(0),
84            recv_counter: AtomicU64::new(0),
85            nonce_prefix,
86        })
87    }
88
89    /// Encrypt in place: appends 16-byte tag. Returns total ciphertext length.
90    #[inline]
91    pub fn encrypt_in_place(&self, aad: &[u8], buf: &mut Vec<u8>) -> Result<(), EncryptError> {
92        let counter = self.send_counter.fetch_add(1, Ordering::Relaxed);
93        let nonce = self.make_nonce(counter);
94        self.send_key
95            .seal_in_place_append_tag(nonce, Aad::from(aad), buf)
96            .map_err(|_| EncryptError::EncryptionFailed)?;
97        Ok(())
98    }
99
100    /// Encrypt: allocates a new Vec with ciphertext.
101    #[inline]
102    pub fn encrypt(&self, aad: &[u8], plaintext: &[u8]) -> Result<Vec<u8>, EncryptError> {
103        let mut buf = Vec::with_capacity(plaintext.len() + AES_GCM_OVERHEAD);
104        buf.extend_from_slice(plaintext);
105        self.encrypt_in_place(aad, &mut buf)?;
106        Ok(buf)
107    }
108
109    /// Decrypt in place: verifies tag and truncates. Returns plaintext slice.
110    #[inline]
111    pub fn decrypt_in_place<'a>(
112        &self,
113        aad: &[u8],
114        buf: &'a mut [u8],
115    ) -> Result<&'a mut [u8], EncryptError> {
116        let counter = self.recv_counter.fetch_add(1, Ordering::Relaxed);
117        let nonce = self.make_nonce(counter);
118        self.recv_key
119            .open_in_place(nonce, Aad::from(aad), buf)
120            .map_err(|_| EncryptError::DecryptionFailed)
121    }
122
123    /// Decrypt: allocates a new Vec with plaintext.
124    #[inline]
125    pub fn decrypt(&self, aad: &[u8], ciphertext: &[u8]) -> Result<Vec<u8>, EncryptError> {
126        let mut buf = ciphertext.to_vec();
127        let plaintext = self.decrypt_in_place(aad, &mut buf)?;
128        let len = plaintext.len();
129        buf.truncate(len);
130        Ok(buf)
131    }
132
133    #[inline(always)]
134    fn make_nonce(&self, counter: u64) -> Nonce {
135        let mut n = [0u8; 12];
136        n[..4].copy_from_slice(&self.nonce_prefix);
137        n[4..12].copy_from_slice(&counter.to_be_bytes());
138        Nonce::assume_unique_for_key(n)
139    }
140}
141
142/// Encryption errors
143#[derive(Debug, Clone, Copy)]
144pub enum EncryptError {
145    EncryptionFailed,
146    DecryptionFailed,
147}
148
149impl std::fmt::Display for EncryptError {
150    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
151        match self {
152            Self::EncryptionFailed => write!(f, "Encryption failed"),
153            Self::DecryptionFailed => write!(f, "Decryption / authentication failed"),
154        }
155    }
156}
157
158impl std::error::Error for EncryptError {}
159
160#[cfg(test)]
161mod tests {
162    use super::*;
163
164    #[test]
165    fn round_trip() {
166        let secret = [0xABu8; 32];
167        // Two "peers" derived from the same secret, but with swapped keys
168        let session_a = AesSession::from_shared_secret(&secret).unwrap();
169        let session_b = AesSession::from_shared_secret_peer(&secret).unwrap();
170
171        let msg = b"Hello, PQC world!";
172        let ct = session_a.encrypt(&[], msg).expect("Encryption failed");
173
174        // session_b decrypt uses recv_key which matches session_a's send_key
175        let pt = session_b.decrypt(&[], &ct).expect("Decryption failed");
176        assert_eq!(&pt, msg);
177    }
178
179    #[test]
180    fn throughput_smoke() {
181        use std::time::Instant;
182
183        let session = AesSession::from_shared_secret(&[0xAB; 32]).unwrap();
184        let data = vec![0u8; 64 * 1024];
185        let iters = 50_000;
186
187        let start = Instant::now();
188        for _ in 0..iters {
189            let enc = session.encrypt(&[], &data).expect("Encryption failed");
190            std::hint::black_box(enc);
191        }
192        let elapsed = start.elapsed();
193
194        let total_mb = (data.len() * iters) as f64 / 1024.0 / 1024.0;
195        let throughput = total_mb / elapsed.as_secs_f64();
196        let backend = if cfg!(feature = "fips") {
197            "aws-lc-rs"
198        } else {
199            "ring"
200        };
201        eprintln!("{backend} AES-256-GCM: {throughput:.0} MiB/s");
202        // With HW AES should be well above 1 GiB/s
203    }
204}