AEGIS-128L
AEGIS-128L is an AES-based authenticated encryption with associated data (AEAD) scheme that was a CAESAR competition finalist. It encrypts a plaintext message using a 128-bit key and nonce (number used only once) whilst calculating a 256-bit tag over the plaintext and associated data.
The associated data is useful for authenticating file headers, version numbers, timestamps, counters, and so on. It can be used to prevent confused deputy attacks and replay attacks. It is neither encrypted nor part of the ciphertext. It must be reproducible or stored somewhere for decryption to be possible.
Decryption involves verifying the tag for the given inputs, which detects tampering and incorrect parameters. If verification fails, an error is returned. Otherwise, the plaintext is returned.
For encryption, the nonce MUST NOT be repeated or reused with the same key. You MUST increment or randomly generate the nonce for each plaintext message encrypted using the same key.
Random nonces can be used for up to 2^48 messages with the same key. If in doubt, use AEGIS-256, which has no practical limit.
Consider using AEGIS-256 for a 256-bit security level, which provides additional protection against cryptographically relevant quantum computers. However, 128-bit security should be post-quantum secure, and AEGIS-128L is faster.
Fills a span with ciphertext and an appended tag computed from a plaintext message, nonce, key, and optional associated data.
AEGIS128L.Encrypt(Span<byte> ciphertext, ReadOnlySpan<byte> plaintext, ReadOnlySpan<byte> nonce, ReadOnlySpan<byte> key, ReadOnlySpan<byte> associatedData = default)
ciphertext has a length not equal to plaintext.Length + TagSize.
nonce has a length not equal to NonceSize.
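The following is an added example, not code from the library's documentation, showing one way to meet the nonce and associated data requirements above: a counter nonce that never repeats under a key, and a header authenticated as associated data. The `MessageSealer` class, the 9-byte header layout, and the `using Geralt;` namespace are assumptions.

```csharp
using System;
using System.Buffers.Binary;
using Geralt; // assumption: namespace that exposes the AEGIS128L class documented here

// Hypothetical helper: encrypts messages under one key with a counter nonce and
// authenticates a header (version + message counter) as associated data.
// Not thread-safe: concurrent callers could observe the same counter value.
public sealed class MessageSealer
{
    private readonly byte[] _key; // 128-bit key supplied by the caller
    private ulong _counter;       // must never be reset while this key is in use

    public MessageSealer(byte[] key) => _key = key;

    // Returns header || ciphertext || tag. The header travels in the clear so the
    // receiver can rebuild the nonce and the associated data before decrypting.
    public byte[] Seal(ReadOnlySpan<byte> plaintext)
    {
        if (_counter == ulong.MaxValue)
            throw new InvalidOperationException("Counter exhausted; rotate the key.");

        // Constructed header layout (assumption): 1-byte version, 8-byte counter.
        Span<byte> header = stackalloc byte[9];
        header[0] = 0x01;
        BinaryPrimitives.WriteUInt64LittleEndian(header[1..], ++_counter);

        // Counter-based nonce: unique per message for this key, zero-padded to NonceSize.
        Span<byte> nonce = stackalloc byte[AEGIS128L.NonceSize];
        nonce.Clear();
        header[1..].CopyTo(nonce);

        var output = new byte[header.Length + plaintext.Length + AEGIS128L.TagSize];
        header.CopyTo(output);

        // The ciphertext span must be exactly plaintext.Length + TagSize bytes.
        // Passing the header as associated data binds version and counter to the tag.
        AEGIS128L.Encrypt(output.AsSpan(header.Length), plaintext, nonce, _key, header);
        return output;
    }
}
```

A receiver that tracks the highest counter it has accepted can reject replayed messages, and any change to the version byte or counter causes tag verification to fail during decryption.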