From 779a850e0fb967aac79124c7e18b14706d5f2652 Mon Sep 17 00:00:00 2001
From: Frank Denis
Date: Tue, 25 Feb 2025 15:03:50 +0100
Subject: Add optional support for AEGIS encryption

AEGIS is a new family of authenticated encryption algorithms that offers
stronger security, higher usage limits, and better performance than AES-GCM.

This pull request adds support for a new `-aegis` command-line flag, allowing
AEGIS-128X2 to be used as an alternative to AES-GCM on CPUs with AES acceleration.

It also introduces the ability to use ciphers with different key sizes.

More information on AEGIS is available here:
- https://cfrg.github.io/draft-irtf-cfrg-aegis-aead/draft-irtf-cfrg-aegis-aead.html
- https://github.com/cfrg/draft-irtf-cfrg-aegis-aead

gocryptfs -speed speed on Apple M1:

AES-GCM-256-OpenSSL              3718.79 MB/s
AES-GCM-256-Go                   5083.43 MB/s   (selected in auto mode)
AES-SIV-512-Go                    625.20 MB/s
XChaCha20-Poly1305-OpenSSL       1358.63 MB/s   (selected in auto mode)
XChaCha20-Poly1305-Go             832.11 MB/s
Aegis128X2-Go                   11818.73 MB/s

gocryptfs -speed speed on AMD Zen 4:

AES-GCM-256-OpenSSL              5215.86 MB/s
AES-GCM-256-Go                   6918.01 MB/s   (selected in auto mode)
AES-SIV-512-Go                    449.61 MB/s
XChaCha20-Poly1305-OpenSSL       2643.48 MB/s
XChaCha20-Poly1305-Go            3727.46 MB/s   (selected in auto mode)
Aegis128X2-Go                   28109.92 MB/s
---
 Documentation/MANPAGE.md     |  4 ++++
 Documentation/file-format.md | 12 +++++++++---
 2 files changed, 13 insertions(+), 3 deletions(-)

(limited to 'Documentation')

diff --git a/Documentation/MANPAGE.md b/Documentation/MANPAGE.md
index c7a1c03..fd8f5db 100644
--- a/Documentation/MANPAGE.md
+++ b/Documentation/MANPAGE.md
@@ -164,6 +164,10 @@ specify `-aessiv`.
 Use XChaCha20-Poly1305 file content encryption. This should be much faster
 than AES-GCM on CPUs that lack AES acceleration.
 
+#### -aegis
+Use AEGIS file content encryption. This should be much faster
+than AES-GCM on CPUs with AES acceleration.
+
 Run `gocryptfs -speed` to find out if and how much faster.
 
 MOUNT OPTIONS
diff --git a/Documentation/file-format.md b/Documentation/file-format.md
index 7cce72c..ee10524 100644
--- a/Documentation/file-format.md
+++ b/Documentation/file-format.md
@@ -24,7 +24,13 @@ Data block, XChaCha20-Poly1305 (enabled via `-init -xchacha`)
 	1-4096 bytes encrypted data
 	16 bytes Poly1305 tag
 
-Full block overhead (AES-GCM and AES-SIV mode) = 32/4096 = 1/128 = 0.78125 %
+Data block, AEGIS (enabled via `-init -aegis`)
+
+	16 bytes nonce
+	1-4096 bytes encrypted data
+	16 bytes tag
+
+Full block overhead (AEGIS, AES-GCM and AES-SIV mode) = 32/4096 = 1/128 = 0.78125 %
 
 Full block overhead (XChaCha20-Poly1305 mode) = 40/4096 = \~1 %
 
@@ -36,8 +42,8 @@ Example: 1-byte file, AES-GCM and AES-SIV mode
 
 Total: 51 bytes
 
-Example: 5000-byte file, , AES-GCM and AES-SIV mode
----------------------------------------------------
+Example: 5000-byte file, AEGIS, AES-GCM and AES-SIV mode
+--------------------------------------------------------
 
 	Header       18 bytes
 	Data block 4128 bytes
-- 
cgit v1.2.3