AEGIS-256X2 authenticated encryption.
This module wraps [aegis::aegis256x2::Aegis256X2] to provide a safe,
consuming API built around a (key, nonce) pair that is baked into the
cipher at construction time.
§Variant
AEGIS-256X2 with a 256-bit (32-byte) authentication tag.
| Property | Value |
|---|---|
| Key | 256 bits (32 bytes) |
| Nonce | 256 bits (32 bytes) |
| Tag | 256 bits (32 bytes) |
AEGIS-256X2 runs two AEGIS-256 instances in parallel, doubling throughput on CPUs with AES instructions (AES-NI on x86-64, Crypto Extensions on ARM).
§When to prefer AEGIS over ChaCha20Poly1305Cipher
AEGIS-256X2 is significantly faster than ChaCha20-Poly1305 for large
payloads on hardware that carries AES instructions, often by 3–5×.
However, each AegisCipher::new call runs the AEGIS key schedule, which
has a fixed per-message cost. For high-frequency small messages — each
under a freshly constructed cipher with a different nonce — that overhead
can make ChaCha20-Poly1305 faster. Prefer AEGIS when the payload per
cipher instance is large; prefer ChaCha20Poly1305Cipher for many small
independent messages.
§Key and nonce handling
AegisCipher::new takes both the key and the nonce because the
underlying Aegis256X2::new requires both to initialise its state. The
underlying crate does not implement Zeroize, so AegisCipher implements
Drop manually: it overwrites every byte of the struct (the full initialised
AEGIS state in the pure-Rust backend, or the raw key+nonce in the C backend)
with zeros using volatile writes, preventing compiler optimisation from
eliding the scrub. All operations on AegisCipher consume self, making
it a compile-time error to reuse the same (key, nonce) pair across two
different calls.
§Streaming large payloads
AEGIS-256X2 is an all-at-once AEAD — the authentication tag depends on the
complete message. For streaming large payloads with bounded memory, split
the stream into fixed-size chunks and call encrypt /
decrypt on each with a derived per-chunk nonce (e.g.
base nonce XOR little-endian chunk index in the first 8 bytes). Each chunk
carries its own TAG_LEN-byte tag and is authenticated immediately.
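The per-chunk nonce derivation described above, as an added example (not code from this crate). `chunk_nonce`, `seal_chunks` and the `seal` closure are hypothetical names; the closure stands in for constructing a cipher from (key, nonce) and encrypting one chunk, since the exact `encrypt` signature is not shown on this page.

```rust
// Added example: per-chunk nonce derivation for chunked AEAD streaming.
pub const NONCE_LEN: usize = 32; // AEGIS-256X2 nonce size from the table above

/// Base nonce XOR little-endian chunk index in the first 8 bytes;
/// bytes 8..32 of the base nonce are left unchanged.
pub fn chunk_nonce(base: &[u8; NONCE_LEN], index: u64) -> [u8; NONCE_LEN] {
    let mut nonce = *base;
    let idx = index.to_le_bytes();
    for k in 0..idx.len() {
        nonce[k] ^= idx[k];
    }
    nonce
}

/// Split `stream` into `chunk_len`-byte chunks (the last may be shorter) and
/// pass each one with its derived nonce to `seal`.
/// `seal` is a hypothetical stand-in for "construct a cipher from (key, nonce)
/// and encrypt one chunk"; it returns that chunk's ciphertext plus tag.
pub fn seal_chunks<F>(
    base: &[u8; NONCE_LEN],
    stream: &[u8],
    chunk_len: usize,
    mut seal: F,
) -> Vec<Vec<u8>>
where
    F: FnMut(&[u8; NONCE_LEN], &[u8]) -> Vec<u8>,
{
    assert!(chunk_len > 0, "chunk_len must be non-zero");
    stream
        .chunks(chunk_len)
        .enumerate()
        .map(|(i, chunk)| seal(&chunk_nonce(base, i as u64), chunk))
        .collect()
}

fn main() {
    let base = [0x11u8; NONCE_LEN]; // constructed sample; use a fresh random base nonce per stream
    let data = vec![0u8; 10]; // constructed sample payload
    // Placeholder seal that only reports its inputs; no encryption happens here.
    let sealed = seal_chunks(&base, &data, 4, |nonce, chunk| {
        println!("nonce[..8]={:02x?} chunk_len={}", &nonce[..8], chunk.len());
        chunk.to_vec()
    });
    assert_eq!(sealed.len(), 3); // 4 + 4 + 2 bytes
}
```

On decryption the receiver recomputes `chunk_nonce` from the position at which a chunk arrives, so a chunk moved to a different index fails its tag check. The derivation does not mark the final chunk, so the expected chunk count has to be known some other way for truncation to be noticed.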
Structs§
- AegisCipher - AEGIS-256X2 cipher bound to a single (key, nonce) pair.