Consider more algorithms: ascon, aegis, EME, rijndael-256

[paulmillr]

1. Ascon won NIST lightweight cryptography contest ¹
2. Aegis is AES-based cipher present in linux, zig, libsodium ²
   • "We think NIST should standardize AEGIS" because it supports plaintexts up to 2EiB instead of AES-GCM 64GiB ³
   • More info in https://crypto.stackexchange.com/a/106125
   • Implemented on top of noble-ciphers in https://github.com/stknob/aegis-ts
3. EME (ECB-Mix-ECB or, clearer, Encrypt-Mix-Encrypt) is a wide-block encryption mode developed by Halevi and Rogaway in 2003 eme. The reference link is also from an implementation in Go.
   • It's parallelizable. And it's used in rclone for the crypt backend. "A personal reason is that I'm porting rclone to Web/Deno". Some folks want it, because EME is used in FS encryption sometimes
   • Seems to be abandoned
4. Rijndael-256. Rijndael to AES is what keccak is to SHA3: previous, non-standardized version. -256 supports 256-bit blocks. The confidentiality of AES-GCM is far below 128-bit security ³. Confidentiality advantage for an attacker is < $\sigma^2/2^{129}$ where $\sigma$ is the number of encrypted 128-bit chunks.
   • NIST plans to standardize it ⁴

It's unclear if any of these algorithms are actually worth implementing in noble.

Footnotes

1. https://csrc.nist.gov/News/2023/lightweight-cryptography-nist-selects-ascon ↩

2. https://doc.libsodium.org/secret-key_cryptography/aead/aegis-256 ↩

3. https://csrc.nist.gov/csrc/media/Presentations/2023/proposal-for-standardization-of-encryption-schemes/images-media/sess-4-mattsson-bcm-workshop-2023.pdf ↩ ↩²

4. https://csrc.nist.gov/news/2024/nist-proposes-to-standardize-wider-variant-of-aes ↩

[mirceanis]

➕ 💯 for AESKW

that would allow me to greatly simplify the dependencies in several projects I maintain, where I have to use a very heavy isomorphic-webcrypto otherwise

[paulmillr]

@mirceanis AESKW is done.

[alterstep]

I would like AEGIS. There is a JavaScript implementation, but it's only AEGIS-128L and is not very good.

[paulmillr]

@alterstep any chance you'll be able to describe what are you using it for?

[alterstep]

@alterstep any chance you'll be able to describe what are you using it for?

Yes, I use libsodium on the server because AEGIS is very fast. On the client side, I could use libsodium-js, but it's very large, and I don't need its full functionality. Noble-ciphers would be perfect.

[paulmillr]

Yes, but why do you need something "very fast"? Why can't AES work for you?

[alterstep]

Yes, but why do you need something "very fast"? Why can't AES work for you?

256-bit nonces too.

[paulmillr]

Why AEGIS instead of XChacha20-poly1305?

[alterstep]

sodium AEGIS-256 is more than 5 times faster than XChaCha

[paulmillr]

Interesting, ok.

The question is, however, do you actually need this speed? Is the speed of algorithms a bottleneck in your application?

[BigPanda97]

Ascon and AEGIS are both nice. And there is an Ascon-js version already available which could probably easily be implemented here.

[paulmillr]

Keep in mind it's not just "implementing" - it's also continuously supporting and perhaps having 3rd party audits of the code.

[paulmillr]

AEGIS has been implemented here: https://github.com/stknob/aegis-ts/tree/main

[BigPanda97]

I would still recommend implementing them, as Ascon and AEGIS both are very useful ciphers, probably much more than Salsa20.

[paulmillr]

@BigPanda97 what makes them more useful than Salsa for your use case?

[BigPanda97]

@BigPanda97 what makes them more useful than Salsa for your use case?

This question seems more like a joke. Salsa is basically used nowhere nowadays except for Threema messenger which still uses it. However:

• AEGIS is currently being standardised as a new cipher suite for TLS (https://datatracker.ietf.org/doc/draft-denis-tls-aegis/) and is together with ChaCha20 the standard cipher of LibSodium (https://github.com/jedisct1/libsodium), the most used cryptographic library worldwide.

• ASCON is "the standard" by NIST for lightweight cryptography, and they published it now officially as standard "NIST SP 800-232" (https://csrc.nist.gov/pubs/sp/800/232/ipd) in November.

So both of them have and will have a very widespread usage just like AES, underlining their importance in every cryptographic library.

[paulmillr]

If you read topic start post, it mentions benefits already. There is no need to write it twice.

I'm not asking about benefits of algorithms. I'm asking how you, personally would benefit from having those algo / algos in noble. Details of your environment. Why can't it use ChaCha20poly1305.

Salsa is basically used nowhere nowadays

one, two

[BigPanda97]

If you read topic start post, it mentions benefits already. There is no need to write it twice.

Wrong, the implementation in TLS and the publishing of the final standardisation is new.

I'm not asking about benefits of algorithms. I'm asking how you, personally would benefit from having those algo / algos in noble.

For example to decrypt stuff which has been encrypted using LibSodiums AEGIS? 🙄

Salsa is basically used nowhere nowadays

Your example searches reveal many old and outdated projects as well as many implementations where the underlying algorithms of the API have been switched to ChaCha instead. A productive usage of Salsa is useless nowadays, since ChaCha is both more secure and more efficient/faster.

There is still no valid reason, why any good and reputable cryptographic library should NOT implement AEGIS and ASCON. Both will be the algorithms of the future.