AEGIS-128X and AEGIS-256X are proposed variants of the high performance authenticated ciphers AEGIS-128L and AEGIS-256, designed to take advantage of the vectorized AES instructions present on recent x86_64 CPUs.
AEGIS-128X and AEGIS-256X are now included in the AEGIS specification.
Rationale: Adding more parallelism to the AEGIS authenticated encryption algorithms
AEGIS-128X has exceptional performance, even without AVX512.
BoringSSL benchmark (16K blocks):
aegis-128x4: 44654 MiB/s
aegis-128x2: 39707 MiB/s
aegis-128l: 19514 MiB/s
aes128-ocb: 10195 MiB/s
aes128-gcm: 4940 MiB/s
256-bit variants:
aegis-256x4: 35521 MiB/s
aegis-256x2: 23555 MiB/s
aegis-256: 12055 MiB/s
aes256-ocb: 7143 MiB/s
aes256-gcm: 4649 MiB/s
aegis-128x4: 53573 MiB/s
aegis-128x2: 45821 MiB/s
aegis-128l: 19514 MiB/s
Results for a 2-way variant, requiring AVX2 only:
Zig benchmark:
aegis-128x: 39781 MiB/s
aegis-128l: 23863 MiB/s
aegis-256: 12077 MiB/s
OpenSSL 3 AES benchmarks on the same machine:
aes128-ocb: 16013 MiB/s
aes256-ocb: 11520 MiB/s
aes128-gcm: 10243 MiB/s
Results for a 2-way variant, requiring AVX2 only:
Zig benchmark:
aegis-128x: 35642 MiB/s
aegis-128l: 19209 MiB/s
aegis-256: 11529 MiB/s
OpenSSL 3 AES benchmarks on the same machine:
aes128-ocb: 8161 MiB/s
aes256-ocb: 6255 MiB/s
aes128-gcm: 4182 MiB/s
Zig benchmark (single core):
aegis-128x mac: 37537 MiB/s
aegis-128l mac: 24381 MiB/s
blake3 (rust/asm): 4570 MiB/s
Results for a 2-way variant, requiring AVX2 only:
Zig benchmark:
aegis-128x: 29070 MiB/s
aegis-128l: 15178 MiB/s
aegis-256: 9066 MiB/s
OpenSSL 3 AES benchmarks on the same machine:
aes128-ocb: 8933 MiB/s
aes256-ocb: 6255 MiB/s
aes128-gcm: 4387 MiB/s
Zig benchmark (single core):
aegis-128x mac: 31992 MiB/s
aegis-128l mac: 20768 MiB/s
blake3 (rust/asm): 4900 MiB/s
Given that the AESENC
instruction has the same latency/throughput regardless of the register size, one can expect AEGIS-128X to be about 4x the speed of AEGIS-128L on server-class CPUs with VAES and AVX512.
However, we may already be hitting memory bandwidth limits.