AEADs

Recommended AEAD algorithms

Open tarcieri opened this issue 3 years ago • 5 comments

Following up from https://github.com/RustCrypto/meta/issues/10, this is an issue for discussing potentially adding "recommended" badges to certain algorithms in this repo:

Recommended: Yes

tarcieri avatar Feb 09 '21 15:02 tarcieri

I'd suggest at least the following are safe to recommend:

  • aes-gcm
  • aes-gcm-siv
  • aes-siv
  • chacha20poly1305
  • eax

I don't think there are any algorithms implemented in this repo we should actively recommend people avoid, however some specific thoughts on why not to recommend certain algorithms:

ccm: obsoleted by eax

I don't think we should actively recommend against CCM as it is popular in the embedded space. However I think there were a number of bad decisions made in the design of CCM which are addressed by EAX. Some of those include:

  • The length of the plaintext message and AAD need to be known in advance
  • AAD is MAC'd last rather than first, which together with the above issue complicates online/streaming encryption
  • AES-CCM uses needlessly complex message framing with variable-length length tags

xsalsa20poly1305: obsoleted by chacha20poly1305

  • The ChaCha(20) stream cipher family provides better per-round diffusion than the Salsa20 family.
  • ChaCha20 is a full AEAD algorithm, whereas XSalsa20Poly1305 does not support AAD.
  • ChaCha20Poly1305 is specified in RFC 8439. XSalsa20Poly1305 has no associated RFC.
  • The XChaCha20Poly1305 construction provides the same extended nonce benefits as XSalsa20Poly1305.

tarcieri avatar Feb 09 '21 15:02 tarcieri
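The CCM points above (message length known in advance, AAD authenticated after the length header, variable-width length encoding) are easiest to see in the input CCM feeds to its CBC-MAC. The following is an added example written for this page, not code from the RustCrypto `ccm` crate or from the thread. It builds only the framing defined in RFC 3610 Section 2.2 (the B_0 block plus the length-prefixed, zero-padded AAD blocks), with the parameter names `tag_len` (M) and `len_field` (L) chosen here. The expected bytes below are the "CBC IV in" and AAD block of RFC 3610 Packet Vector #1.

```rust
// Added example (not RustCrypto code): the CBC-MAC input header that
// AES-CCM (RFC 3610, Section 2.2) requires, showing why the message length
// must be known up front and how the AAD length field changes width.

/// Parameter combinations CCM cannot frame.
#[derive(Debug, PartialEq)]
pub enum CcmFrameError {
    BadTagLen,      // M must be even and in 4..=16
    BadLengthField, // L must be in 2..=8
    BadNonceLen,    // nonce must be exactly 15 - L bytes
    MessageTooLong, // l(m) must fit in L bytes
}

/// Encode the AAD length prefix as RFC 3610 does. The width of the field
/// depends on the value: 2 bytes below 0xFF00, 2+4 bytes with an 0xFFFE
/// marker up to u32::MAX, 2+8 bytes with an 0xFFFF marker beyond that.
pub fn encode_aad_len(len: u64) -> Vec<u8> {
    if len < 0xFF00 {
        (len as u16).to_be_bytes().to_vec()
    } else if len <= u32::MAX as u64 {
        let mut v = vec![0xFF, 0xFE];
        v.extend_from_slice(&(len as u32).to_be_bytes());
        v
    } else {
        let mut v = vec![0xFF, 0xFF];
        v.extend_from_slice(&len.to_be_bytes());
        v
    }
}

/// Build B_0 followed by the padded AAD blocks. `msg_len` is written into
/// B_0, the very first block that is MAC'd, so the caller must know the
/// plaintext length before processing a single byte of it, and the AAD is
/// only authenticated after that header.
pub fn ccm_mac_header(
    tag_len: usize,   // M: authentication tag length in bytes
    len_field: usize, // L: width of the message-length field in bytes
    nonce: &[u8],     // must be 15 - L bytes long
    aad: &[u8],
    msg_len: u64,
) -> Result<Vec<u8>, CcmFrameError> {
    if tag_len < 4 || tag_len > 16 || tag_len % 2 != 0 {
        return Err(CcmFrameError::BadTagLen);
    }
    if len_field < 2 || len_field > 8 {
        return Err(CcmFrameError::BadLengthField);
    }
    if nonce.len() != 15 - len_field {
        return Err(CcmFrameError::BadNonceLen);
    }
    if len_field < 8 && msg_len >= 1u64 << (8 * len_field) {
        return Err(CcmFrameError::MessageTooLong);
    }

    // Flags: bit 6 = Adata, bits 5..3 = (M-2)/2, bits 2..0 = L-1.
    let adata: u8 = if aad.is_empty() { 0x00 } else { 0x40 };
    let flags = adata | ((((tag_len - 2) / 2) as u8) << 3) | ((len_field - 1) as u8);

    let mut out = Vec::with_capacity(16 + aad.len() + 26);
    out.push(flags);
    out.extend_from_slice(nonce);
    // l(m), big-endian, in exactly L bytes.
    let q = msg_len.to_be_bytes();
    out.extend_from_slice(&q[8 - len_field..]);

    if !aad.is_empty() {
        out.extend_from_slice(&encode_aad_len(aad.len() as u64));
        out.extend_from_slice(aad);
        // Zero-pad the AAD section to a 16-byte block boundary.
        while out.len() % 16 != 0 {
            out.push(0);
        }
    }
    Ok(out)
}

fn main() {
    // RFC 3610 Packet Vector #1: 13-byte nonce (L = 2), M = 8, 8 bytes of
    // AAD and a 23-byte message.
    let nonce = [0x00, 0x00, 0x00, 0x03, 0x02, 0x01, 0x00, 0xA0, 0xA1, 0xA2, 0xA3, 0xA4, 0xA5];
    let aad = [0, 1, 2, 3, 4, 5, 6, 7];
    let hdr = ccm_mac_header(8, 2, &nonce, &aad, 23).unwrap();
    let hex: Vec<String> = hdr.iter().map(|b| format!("{:02x}", b)).collect();
    println!("CBC-MAC input: {}", hex.join(" "));
}
```

Compare this with EAX, where the AAD is processed first, nothing in the header depends on the plaintext length, and no variable-width length tags exist; the `MessageTooLong` and `BadNonceLen` branches are CCM-specific failure modes with no EAX counterpart.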

Note that I plan to introduce generic GCM and SIV crates, making the aes variants thin wrappers around them.

newpavlov avatar Feb 09 '21 16:02 newpavlov

The aes-gcm and aes-siv crates are already generic around a block cipher, as it were.

tarcieri avatar Feb 09 '21 16:02 tarcieri

The idea is to publish them under gcm and siv names respectively, to make them consistent with other crates.

newpavlov avatar Feb 09 '21 16:02 newpavlov

Sure, we can do that, although I'd probably suggest trying to tackle https://github.com/RustCrypto/traits/issues/444 first as for at least the aes-gcm case it requires implementing some specific interactions between e.g. the aes and ghash crates.

tarcieri avatar Feb 09 '21 16:02 tarcieri