Geralt
  • Introduction
  • Random data
  • Constant time
  • Secure memory
  • Encoding
  • Padding
  • Hashing
  • Message authentication
  • Password hashing
  • Key derivation
  • Authenticated encryption
    • Stream and file encryption
    • AEGIS-128L
    • AEGIS-256
    • ChaCha20-Poly1305
    • XChaCha20-Poly1305
  • Key exchange
  • Digital signatures
  • Advanced
    • Validation
    • Concat
    • ChaCha20
    • XChaCha20
    • HChaCha20
    • Poly1305
    • Ed25519 to X25519
Powered by GitBook
On this page
  • Purpose
  • Usage
  • Encrypt
  • Decrypt
  • Constants
  • Notes
  1. Authenticated encryption

AEGIS-128L

Last updated 1 year ago

Purpose

is an AES-based authenticated encryption with associated data (AEAD) scheme that was a finalist. It encrypts a plaintext message using a 128-bit key and nonce (number used only once) whilst calculating a 256-bit tag over the plaintext and associated data.

The associated data is useful for authenticating file headers, version numbers, timestamps, counters, and so on. It can be used to prevent and . It is not encrypted nor part of the ciphertext. It must be reproduceable or stored somewhere for decryption to be possible.

Decryption involves verifying the tag for the given inputs, which detects tampering and incorrect parameters. If verification fails, an error is returned. Otherwise, the plaintext is returned.

For encryption, the nonce MUST NOT be repeated or reused with the same key. You MUST or the nonce for each plaintext message encrypted using the same key.

Random nonces can be used for up to 2^48 messages with the same key. If in doubt, use , which has no practical limit.

Consider using for a 256-bit security level, which provides against cryptographically relevant quantum computers. However, 128-bit security be post-quantum secure, and AEGIS-128L is .

Usage

Encrypt

Fills a span with ciphertext and an appended tag computed from a plaintext message, nonce, key, and optional associated data.

AEGIS128L.Encrypt(Span<byte> ciphertext, ReadOnlySpan<byte> plaintext, ReadOnlySpan<byte> nonce, ReadOnlySpan<byte> key, ReadOnlySpan<byte> associatedData = default)

Exceptions

ciphertext has a length not equal to plaintext.Length + TagSize.

nonce has a length not equal to NonceSize.

key has a length not equal to KeySize.

Encryption failed.

Decrypt

Verifies that the tag appended to the ciphertext is correct for the given inputs. If verification fails, an exception is thrown. Otherwise, it fills a span with the decrypted ciphertext.

AEGIS128L.Decrypt(Span<byte> plaintext, ReadOnlySpan<byte> ciphertext, ReadOnlySpan<byte> nonce, ReadOnlySpan<byte> key, ReadOnlySpan<byte> associatedData = default)

Exceptions

plaintext has a length not equal to ciphertext.Length - TagSize.

ciphertext has a length less than TagSize.

nonce has a length not equal to NonceSize.

key has a length not equal to KeySize.

Invalid authentication tag for the given inputs.

Constants

These are used for validation and/or save you defining your own constants.

public const int KeySize = 16;
public const int NonceSize = 16;
public const int TagSize = 32;

Notes

Encrypting data in 16-64 KiB chunks instead of as a single plaintext message is RECOMMENDED to keep memory usage low and detect corrupted chunks early. Unfortunately, it is difficult to get right. You MUST ensure that chunks cannot be:

  1. Truncated

  2. Removed

  3. Reordered

  4. Duplicated

If decryption fails midway through a stream due to tampering or corruption, erase the previous plaintext outputs from memory and/or disk and throw an error.

Without hardware support, (X)ChaCha20-Poly1305 is faster, and the AEGIS-128L implementation may be vulnerable to side-channel attacks.

If you intend to feed multiple, variable-length inputs into the associated data, beware of . Please read the page for more information.

The key MUST be uniformly random. It can either be or the output of a . Furthermore, it SHOULD be rotated periodically (e.g. a different key per file).

1 and 2 can be accomplished by including the length of all the ciphertext chunks added together in the associated data of the first chunk. Alternatively, you can use the construction.

3 and 4 can be resolved by using a nonce or by including the previous tag in the associated data of the next chunk.

As a general rule, avoid compression before encryption. It can and has been the cause of .

To make AEGIS-128L , you can the associated data using a cryptographic hash function with a minimum of 128-bit preimage resistance and use the output as the AEAD associated data parameter.

Current popular AEAD schemes like AES-GCM and ChaCha20-Poly1305 are . By contrast, AEGIS-128L is believed to be (but not ). This prevents when the adversary can choose the key and/or nonce (but when they can choose the associated data). For example, it is computationally infeasible to output an AEGIS-128L ciphertext that can be decrypted without an authentication error using a different key.

AEGIS-128L is than AEGIS-256, (X)ChaCha20-Poly1305, and AES-GCM when there is AES hardware support, which is available on most modern x64/ARM64 CPUs.

AEGIS-128L can be used as a by encrypting with the message as the associated data and an empty plaintext, resulting in just a tag. However, it MUST NOT be used as a hash function (e.g. without a secret key or for key derivation).

AEGIS-128L was specified to use a 128-bit tag. This is currently not supported in libsodium. Similarly, AEGIS-128 from the is not supported nor part of the .

ArgumentOutOfRangeException
ArgumentOutOfRangeException
CryptographicException
ArgumentOutOfRangeException
ArgumentOutOfRangeException
ArgumentOutOfRangeException
ArgumentOutOfRangeException
CryptographicException
canonicalization attacks
Concat
STREAM
leak information
several attacks
fully committing
hash
non-committing
key committing
fully committing
attacks
not
significantly faster
MAC
originally
CAESAR competition
Internet-Draft
AEGIS-128L
CAESAR competition
confused deputy attacks
replay attacks
AEGIS-256
AEGIS-256
additional protection
should
faster
ArgumentOutOfRangeException
KDF
randomly generated
randomly generate
increment
counter