Consider more algorithms: ascon, aegis, eme, rijndael-256

paulmillr commented 1 year ago

Ascon won NIST lightweight cryptography contest ^1
Aegis is AES-based cipher present in linux, zig, libsodium ^2
- https://crypto.stackexchange.com/a/106125, but unpopular
- "We think NIST should standardize AEGIS" because it supports plaintexts up to 2EiB instead of AES-GCM 64GiB ^3
- Implemented using noble-ciphers in https://github.com/stknob/aegis-ts
EME (ECB-Mix-ECB or, clearer, Encrypt-Mix-Encrypt) is a wide-block encryption mode developed by Halevi and Rogaway in 2003 eme. The reference link is also from an implementation in Go.
- It's parallelizable. And it's used in rclone for the crypt backend. A personal reason is that I'm porting rclone to Web/Deno so having a professional implementation would be much better than my own.
- Seems to be abandoned
Rijndael-256. The confidentiality of AES-GCM is far below 128-bit security ^3. Confidentiality advantage for an attacker is < $\sigma^2/2^{129}$ where $\sigma$ is the number of encrypted 128-bit chunks. Rijndael to AES is what keccak is to SHA3: previous, unstandardized version. The idea is to support 256-bit blocks instead of 128-bit blocks of AES.

It's unclear if any of these algorithms are actually worth implementing in noble.

mirceanis commented 4 months ago

➕ 💯 for AESKW

that would allow me to greatly simplify the dependencies in several projects I maintain, where I have to use a very heavy isomorphic-webcrypto otherwise