jedisct1 / libsodium

A modern, portable, easy to use crypto library.
https://libsodium.org

AEGIS availability #951

Closed Avatat closed 4 years ago

Avatat commented 4 years ago

Hi!

Mumble is looking for modern encryption mechanisms. Now we use AES-OCB, but we are considering a switch to AES-GCM-256, ChaCha20-Poly1305, or AEGIS. You are the only project I know of which has at least partially implemented the AEGIS algorithm :)

@jedisct1, @angt, what's the progress of the AEGIS-256 implementation? Do you plan to implement AEGIS-128L too? I'm not a developer, but I will ask - do you need any help with AEGIS things?

I asked the second question because we need encryption with the lowest latency possible, and AEGIS-128L is almost two times faster than AEGIS-256.

jedisct1 commented 4 years ago

Hi,

AEGIS-256 is implemented, for the Intel and ARM crypto extensions. Not in the stable branch, though, so you may want to use angt's standalone implementation for now.

There are no plans to add other variants. AEGIS-256 has the advantage of having a large nonce size, and it is plenty fast enough to saturate the network way before the CPU.

mouse07410 commented 4 years ago
  1. What properties of AES-OCB are you unhappy with? Why are you looking to replace it? In what ways do you expect the replacement to be better?

  2. People don't select algorithm strength based on performance - you either need the security of 256-bit keys, or you don't. If you don't - stay with shorter keys, as they almost always guarantee better performance.

Avatat commented 4 years ago

Thank you for your quick reply! @jedisct1, does the AEGIS-256 implementation support non-accelerated environments? I'm asking because I know that your AES-256-GCM implementation requires AES-NI. I wanted to benchmark AEGIS-128L too because it can give us the lowest latency.

@mouse07410, thanks for joining the discussion :)

  1. As I understand, we want to change it because AES-OCB is old, slow, and patented. We are looking for a modern, fast (with and without hardware acceleration), and patent-free algorithm and its implementation. Here is my summary, and here is the original issue.
  2. There is not much difference in speed between AEGIS-256 and AEGIS-128, but there is a huge difference compared to AEGIS-128L.

jedisct1 commented 4 years ago

AEGIS was specifically designed to leverage AES-NI and its parallelism. It would be very slow without hardware acceleration.
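To make the "leverage AES-NI and its parallelism" point concrete, here is an AEGIS-256 encryption core written for this thread as an added example (it is not code from libsodium, glorytun or angt's implementation): each 16-byte block costs one `_mm_aesenc_si128` per state word, and the six calls are independent of each other, whereas AES-256 in GCM needs 14 dependent rounds per block. It assumes an x86-64 GCC or Clang (the per-function `target` attribute stands in for `-maes`), handles only whole 16-byte blocks, and checks itself against test vector 1 of draft-irtf-cfrg-aegis-aead.

```c
/* AEGIS-256 encryption core on AES-NI: each 16-byte block costs one _mm_aesenc_si128 per
 * state word, and the six rounds are independent, which is the parallelism the thread refers to. */
#include <stdint.h>
#include <string.h>
#include <wmmintrin.h>
#define AESNI __attribute__((target("aes,sse2")))  /* enables AES-NI per function; no -maes flag needed */
static AESNI __m128i ld(const void *p) { return _mm_loadu_si128((const __m128i *)p); }

static AESNI void update(__m128i s[6], __m128i m)  /* one state update; the six AES rounds are independent */
{
    __m128i t = _mm_aesenc_si128(s[5], _mm_xor_si128(s[0], m));
    s[5] = _mm_aesenc_si128(s[4], s[5]); s[4] = _mm_aesenc_si128(s[3], s[4]);
    s[3] = _mm_aesenc_si128(s[2], s[3]); s[2] = _mm_aesenc_si128(s[1], s[2]);
    s[1] = _mm_aesenc_si128(s[0], s[1]); s[0] = t;
}
/* Encrypts msg (mlen and adlen must be multiples of 16) under key/nonce; writes ct and the 128-bit tag. */
AESNI int aegis256_encrypt(uint8_t *ct, uint8_t tag[16], const uint8_t *msg, size_t mlen,
                           const uint8_t *ad, size_t adlen, const uint8_t key[32], const uint8_t nonce[32])
{
    if ((mlen | adlen) % 16 != 0) return -1;  /* the spec's zero-padding of partial blocks is omitted here */
    static const uint8_t c0[16] = {0x00,0x01,0x01,0x02,0x03,0x05,0x08,0x0d,0x15,0x22,0x37,0x59,0x90,0xe9,0x79,0x62};
    static const uint8_t c1[16] = {0xdb,0x3d,0x18,0x55,0x6d,0xc2,0x2f,0xf1,0x20,0x11,0x31,0x42,0x73,0xb5,0x28,0xdd};
    __m128i k0 = ld(key), k1 = ld(key + 16), kn0 = _mm_xor_si128(k0, ld(nonce)), kn1 = _mm_xor_si128(k1, ld(nonce + 16));
    __m128i s[6] = { kn0, kn1, ld(c1), ld(c0), _mm_xor_si128(k0, ld(c0)), _mm_xor_si128(k1, ld(c1)) };
    uint64_t lens[2] = { (uint64_t)adlen * 8, (uint64_t)mlen * 8 };  /* LE64(ad bits) || LE64(msg bits) on x86 */
    for (int i = 0; i < 4; i++) {             /* initialisation: 16 updates mixing key and nonce into the state */
        update(s, k0); update(s, k1); update(s, kn0); update(s, kn1);
    }
    for (size_t i = 0; i < adlen; i += 16) update(s, ld(ad + i));  /* absorb associated data */
    for (size_t i = 0; i < mlen; i += 16) {   /* keystream z comes from the state, then the plaintext is absorbed */
        __m128i x = ld(msg + i), z = _mm_xor_si128(_mm_xor_si128(s[1], s[4]), _mm_xor_si128(s[5], _mm_and_si128(s[2], s[3])));
        update(s, x);
        _mm_storeu_si128((__m128i *)(ct + i), _mm_xor_si128(x, z));
    }
    __m128i t = _mm_xor_si128(s[3], ld(lens));
    for (int i = 0; i < 7; i++) update(s, t);  /* finalisation: lengths mixed in, tag is the XOR of the state */
    _mm_storeu_si128((__m128i *)tag, _mm_xor_si128(_mm_xor_si128(_mm_xor_si128(s[0], s[1]), _mm_xor_si128(s[2], s[3])),
                                                   _mm_xor_si128(s[4], s[5])));
    return 0;
}
/* Test vector 1 of draft-irtf-cfrg-aegis-aead for AEGIS-256 (empty AD, 16 zero bytes); returns 1 on a match. */
int aegis256_check_vector(void)
{
    static const uint8_t key[32] = {0x10, 0x01}, nonce[32] = {0x10, 0x00, 0x02}, msg[16] = {0};
    static const uint8_t exp_ct[16] = {0x75,0x4f,0xc3,0xd8,0xc9,0x73,0x24,0x6d,0xcc,0x6d,0x74,0x14,0x12,0xa4,0xb2,0x36};
    static const uint8_t exp_tag[16] = {0x3f,0xe9,0x19,0x94,0x76,0x8b,0x33,0x2e,0xd7,0xf5,0x70,0xa1,0x9e,0xc5,0x89,0x6e};
    uint8_t ct[16], tag[16];
    if (aegis256_encrypt(ct, tag, msg, 16, NULL, 0, key, nonce) != 0) return 0;
    return memcmp(ct, exp_ct, 16) == 0 && memcmp(tag, exp_tag, 16) == 0;
}
```

Without AES-NI every `_mm_aesenc_si128` would have to become a table-driven AES round, which is where the speed and the constant-time difficulty angt mentions both come from.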

Avatat commented 4 years ago

But it will be faster than AES-GCM-256 and ChaCha20-Poly1305, right?

angt commented 4 years ago

Hello all, I should point out that it's also very hard to make it constant time without AES-NI.

Avatat commented 4 years ago

@jedisct1, @angt, so the best solution for our case will be the use of AEGIS-256 in accelerated environments (AES-NI or ARM NEON), and ChaCha20-Poly1305, where acceleration isn't available?

jedisct1 commented 4 years ago

That's exactly what glorytun does.

Avatat commented 4 years ago

Thank you for all the answers and effort!