we (web engine): Experimental web browser project to understand the limits of Claude

AES-128-GCM and AES-256-GCM (NIST SP 800-38D) #49

Status: open. Opened by pierrelf.com

Phase 5: Pure Rust Crypto

Implement AES-GCM authenticated encryption in the crypto crate per NIST SP 800-38D.

Requirements

AES block cipher (FIPS 197):

  • AES-128 and AES-256 key schedules
  • Single-block encrypt/decrypt
  • Constant-time implementation: no table-based S-box lookups, whose key-dependent cache access patterns leak timing; use a data-independent (e.g. bitsliced) implementation, or `unsafe` constant-time hardware intrinsics where available

GCM mode (NIST SP 800-38D):

  • GHASH: Galois field multiplication in GF(2^128)
  • GCM encrypt: (key, nonce, plaintext, AAD) -> (ciphertext, tag)
  • GCM decrypt: (key, nonce, ciphertext, AAD, tag) -> plaintext or error
  • 96-bit nonce (IV), 128-bit authentication tag
  • Support for additional authenticated data (AAD)

Acceptance Criteria

  • AES-128 and AES-256 block cipher with key expansion
  • GHASH implementation
  • AES-128-GCM and AES-256-GCM encrypt/decrypt
  • Pass NIST GCM test vectors (AES-GCM test cases from SP 800-38D)
  • Authentication tag verification fails on tampered ciphertext
  • cargo test -p we-crypto passes
  • cargo clippy -p we-crypto -- -D warnings clean
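The GCM requirements above (GHASH over GF(2^128), 96-bit IV, 128-bit tag, AAD) and the tamper-detection acceptance criterion, as an added example that is not the we-crypto crate's code. The AES core the issue asks for is left pluggable as `enc: Fn(&[u8; 16]) -> [u8; 16]`; so the block runs stand-alone, `aes128_zero_key_stub` is a constructed stand-in that returns the three AES-128 zero-key outputs tabulated for GCM test case 2 in SP 800-38D / the GCM spec (H, E_K(J0), E_K(inc32(J0))), and every other name here (`gf_mul`, `ghash`, `gcm_encrypt`, `gcm_decrypt`, `ct_eq`, `tamper_is_rejected`) is an assumption of this example, not an existing API.

```rust
// Added example, not the we-crypto crate's code: GCM mode (NIST SP 800-38D) over a
// pluggable 128-bit block cipher. `enc` stands for the AES block encrypt the issue requires.

/// Reduction constant for GF(2^128) in GCM bit order: x^128 + x^7 + x^2 + x + 1.
const R: u128 = 0xe1u128 << 120;

/// GF(2^128) multiply (Algorithm 1 in SP 800-38D). Blocks are big-endian u128, so the
/// spec's "bit 0" is the top bit. Selection uses masks, not branches, so timing is data-independent.
fn gf_mul(x: u128, y: u128) -> u128 {
    let (mut z, mut v) = (0u128, y);
    for i in 0..128 {
        let xi = (x >> (127 - i)) & 1;               // bit i of x, MSB first
        z ^= v & 0u128.wrapping_sub(xi);             // z ^= v when xi == 1
        let lsb = v & 1;                             // the spec's LSB(V)
        v = (v >> 1) ^ (R & 0u128.wrapping_sub(lsb)); // shift, reduce by R if a bit fell off
    }
    z
}
/// Load up to 16 bytes as a big-endian block, zero-padded on the right.
fn to_block(chunk: &[u8]) -> u128 {
    let mut b = [0u8; 16];
    b[..chunk.len()].copy_from_slice(chunk);
    u128::from_be_bytes(b)
}
/// GHASH_H(A, C): absorb AAD blocks, then ciphertext blocks, then [len(A)]_64 || [len(C)]_64 in bits.
fn ghash(h: u128, aad: &[u8], ct: &[u8]) -> u128 {
    let mut x = 0u128;
    for chunk in aad.chunks(16).chain(ct.chunks(16)) {
        x = gf_mul(x ^ to_block(chunk), h);
    }
    let lens = ((aad.len() as u128 * 8) << 64) | (ct.len() as u128 * 8);
    gf_mul(x ^ lens, h)
}
/// inc32: increment the low 32 bits of the counter block (big-endian, wrapping).
fn inc32(ctr: &mut [u8; 16]) {
    let c = u32::from_be_bytes([ctr[12], ctr[13], ctr[14], ctr[15]]).wrapping_add(1);
    ctr[12..].copy_from_slice(&c.to_be_bytes());
}
/// J0 for a 96-bit IV: IV || 0^31 || 1.
fn j0(iv: &[u8; 12]) -> [u8; 16] {
    let mut j = [0u8; 16];
    j[..12].copy_from_slice(iv);
    j[15] = 1;
    j
}
/// CTR keystream XOR starting at inc32(J0); the same function encrypts and decrypts.
fn ctr_xor<E: Fn(&[u8; 16]) -> [u8; 16]>(enc: &E, j: &[u8; 16], input: &[u8]) -> Vec<u8> {
    let (mut ctr, mut out) = (*j, Vec::with_capacity(input.len()));
    for chunk in input.chunks(16) {
        inc32(&mut ctr);
        let ks = enc(&ctr);
        out.extend(chunk.iter().zip(ks.iter()).map(|(p, k)| p ^ k));
    }
    out
}
/// T = GHASH_H(A, C) xor E_K(J0), with H = E_K(0^128).
fn gcm_tag<E: Fn(&[u8; 16]) -> [u8; 16]>(enc: &E, j: &[u8; 16], aad: &[u8], ct: &[u8]) -> [u8; 16] {
    let h = u128::from_be_bytes(enc(&[0u8; 16]));
    (ghash(h, aad, ct) ^ u128::from_be_bytes(enc(j))).to_be_bytes()
}
/// GCM-AE: (enc, IV, AAD, plaintext) -> (ciphertext, 128-bit tag).
fn gcm_encrypt<E: Fn(&[u8; 16]) -> [u8; 16]>(enc: &E, iv: &[u8; 12], aad: &[u8], pt: &[u8]) -> (Vec<u8>, [u8; 16]) {
    let j = j0(iv);
    let ct = ctr_xor(enc, &j, pt);
    let tag = gcm_tag(enc, &j, aad, &ct);
    (ct, tag)
}
/// Constant-time 16-byte comparison: no early exit on the first differing byte.
fn ct_eq(a: &[u8; 16], b: &[u8; 16]) -> bool {
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}
/// GCM-AD: verify the tag before releasing any plaintext; error on mismatch.
fn gcm_decrypt<E: Fn(&[u8; 16]) -> [u8; 16]>(enc: &E, iv: &[u8; 12], aad: &[u8], ct: &[u8], tag: &[u8; 16]) -> Result<Vec<u8>, &'static str> {
    let j = j0(iv);
    if !ct_eq(&gcm_tag(enc, &j, aad, ct), tag) {
        return Err("authentication tag mismatch");
    }
    Ok(ctr_xor(enc, &j, ct))
}
fn hex16(s: &str) -> [u8; 16] {
    let mut out = [0u8; 16];
    for (i, byte) in out.iter_mut().enumerate() {
        *byte = u8::from_str_radix(&s[2 * i..2 * i + 2], 16).expect("hex");
    }
    out
}
/// Constructed stand-in for the AES-128 core (example only): returns AES-128(K = 0^128)
/// for the three inputs GCM needs in test case 2 of SP 800-38D / the GCM spec. A real
/// build plugs in the constant-time AES block encrypt instead.
fn aes128_zero_key_stub(block: &[u8; 16]) -> [u8; 16] {
    assert!(block[..15].iter().all(|&b| b == 0), "stub covers test case 2 inputs only");
    match block[15] {
        0 => hex16("66e94bd4ef8a2c3b884cfa59ca342b2e"), // H
        1 => hex16("58e2fccefa7e3061367f1d57a4e7455a"), // E_K(J0)
        2 => hex16("0388dace60b6a392f328c2b971b2fe78"), // E_K(inc32(J0))
        _ => panic!("stub covers test case 2 inputs only"),
    }
}
/// Acceptance check from the issue: one flipped ciphertext bit must fail tag verification.
fn tamper_is_rejected() -> bool {
    let iv = [0u8; 12];
    let (mut ct, tag) = gcm_encrypt(&aes128_zero_key_stub, &iv, &[], &[0u8; 16]);
    ct[0] ^= 0x01;
    gcm_decrypt(&aes128_zero_key_stub, &iv, &[], &ct, &tag).is_err()
}
fn main() {
    let (ct, tag) = gcm_encrypt(&aes128_zero_key_stub, &[0u8; 12], &[], &[0u8; 16]);
    println!("C = {:02x?}\nT = {:02x?}", ct, tag);
    println!("tampered ciphertext rejected: {}", tamper_is_rejected());
}
```

Two design points worth carrying into the real crate: `gcm_decrypt` verifies the tag before producing any plaintext, so a forgery never yields a partially decrypted buffer, and `ct_eq` folds over all 16 bytes rather than returning on the first mismatch, so tag comparison time does not depend on how many leading bytes an attacker got right. The `gf_mul` loop is branch-free, but a production GHASH should still be reviewed for compiler-introduced branches or use a dedicated constant-time multiply.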
AT URI
at://did:plc:meotu43t6usg4qdwzenk4s2t/sh.tangled.repo.issue/3mgemt4zymo2k