AES256-GCM with precomputation
Applications that encrypt several messages using the same key can gain a little speed by expanding the AES key only once, via the precalculation interface.
The crypto_aead_aes256gcm_beforenm() function initializes a context ctx by expanding the key k and always returns 0.
A 16 bytes alignment is required for the address of ctx. The size of this value can be obtained using sizeof(crypto_aead_aes256gcm_state), or crypto_aead_aes256gcm_statebytes().
Combined mode with precalculation
The crypto_aead_aes256gcm_encrypt_afternm() and crypto_aead_aes256gcm_decrypt_afternm() functions are identical to crypto_aead_aes256gcm_encrypt() and crypto_aead_aes256gcm_decrypt(), but accept a previously initialized context ctx instead of a key.
Detached mode with precalculation
The crypto_aead_aes256gcm_encrypt_detached_afternm() and crypto_aead_aes256gcm_decrypt_detached_afternm() functions are identical to crypto_aead_aes256gcm_encrypt_detached() and crypto_aead_aes256gcm_decrypt_detached(), but accept a previously initialized context ctx instead of a key.
Constants
crypto_aead_aes256gcm_KEYBYTEScrypto_aead_aes256gcm_NPUBBYTEScrypto_aead_aes256gcm_ABYTES
Data types
crypto_aead_aes256gcm_state
Notes
The nonce is 96 bits long. In order to prevent nonce reuse, if a key is being reused, it is recommended to increment the previous nonce instead of generating a random nonce for each message. To prevent nonce reuse in a client-server protocol, either use different keys for each direction, or make sure that a bit is masked in one direction, and set in the other.
When using AES-GCM, it is also recommended to switch to a new key before reaching ~350 GB encrypted with the same key. If frequent rekeying is not an option, use (X)ChaCha20-Poly1305 instead.
Last updated