Portable constant time Go AES.

bsaes - BitSliced AES

Yawning Angel (yawning at schwanenlied dot me)

The AES operations in this package are not implemented using constant-time algorithms. An exception is when running on systems with enabled hardware support for AES that makes these operations constant-time.

-- https://golang.org/pkg/crypto/aes/

bsaes is a portable pure-Go constant time AES implementation based on the excellent code from BearSSL. On AMD64 systems with AES-NI and a sufficiently recent Go runtime, it will transparently call crypto/aes when NewCipher is invoked.


  • Constant time.

  • 32 bit and 64 bit variants, with the appropriate one selected at runtime.

  • Provides crypto/cipher.Block.

  • crypto/cipher.ctrAble support for less-slow CTR-AES mode.

  • crypto/cipher.cbcDecAble support for less-slow CBC-AES decryption.

  • crypto/cipher.gcmAble support for less-slow GCM-AES. This includes a constant time GHASH.

  • The raw guts of the implementations provided as sub-packages, for people to use to implement other things.


| Primitive | Version | ns/op | MB/s |
|---|---|---|---|
| ECB-AES128 | ct32 | 914 | 17.50 |
| ECB-AES256 | ct32 | 1268 | 12.62 |
| CTR-AES128 (16 KiB) | ct32 | 472010 | 34.17 |
| CBC-AES128 Decrypt (16 KiB) | ct32 | 583238 | 28.09 |
| GCM-AES128 (16 KiB) | ct32 | 605676 | 27.05 |
| ECB-AES128 | ct64 | 932 | 17.16 |
| ECB-AES256 | ct64 | 1258 | 12.72 |
| CTR-AES128 (16 KiB) | ct64 | 296016 | 55.35 |
| CBC-AES128 Decrypt (16 KiB) | ct64 | 350047 | 46.81 |
| GCM-AES128 (16 KiB) | ct64 | 435660 | 37.61 |

All numbers taken on an Intel i7-5600U with Turbo Boost disabled, running on linux/amd64.