# AEGIS Encryption with PHP Sodium Extension

AEGIS is an AES-based family of authenticated encryption algorithms that are significantly faster than ubiquitous algorithms such as AES-GCM and CHACHA20-POLY1305. The Sodium extension in PHP 8.4 supports `AEGIS-128L`

and `AEGIS-256`

encryption algorithms if the Sodium extension is compiled with `libsodium`

1.0.19 or later.

The two encryption algorithms in the AEGIS family, `AEGIS-128L`

and `AEGIS-256`

, are 2-3 times faster than AES-GCM, and 3-4 times faster than the CHACHA20-POLY1305 algorithms. They leverage hardware AES acceleration on `x86_64`

and `aarch64`

(64-bit ARM architecture) CPU architectures.

The AEGIS paper provides detailed information about the inner workings of the algorithms.

## AEGIS Availability on PHP

AEGIS family of encryption algorithms is available on PHP when:

**PHP versions 8.4**and later*and*- Sodium extension compiled with
`libsodium`

1.0.19 and later*and* - on
`x86_64`

or`aarch64`

CPU architectures

To check if AEGIS is available on PHP, check for the availability of one of the AEGIS functions:

```
if (function_exists('\sodium_crypto_aead_aegis128l_encrypt')) {
// AEGIS available
}
```

See PHP 8.4: Sodium:

`AEGIS-128L`

and`AEGIS-256`

support for all new AEGIS functions and constants added in PHP 8.4.

## AEGIS-128L

`AEGIS-128L`

can theoretically encrypt data lengths below 2^64 bits, and uses a 128-bit key. It is the only symmetric encryption algorithm in Sodium extension that uses a 128-bit key, while the others use a 256-bit key.

It also takes a 128-bit *nonce* value, which must be provided to decrypt.

The following is an example of generating a key, and nonce, encrypting data with additional data, and decrypting it:

```
// generate a random key of sufficient length (16 bytes)
// This value must not be public.
$key = sodium_crypto_aead_aegis128l_keygen();
// Generate random nonce value of SODIUM_CRYPTO_AEAD_AEGIS128L_NPUBBYTES length (16 bytes).
// This value should be stored along the encrypted text, but is not required to be private
$nonce = random_bytes(SODIUM_CRYPTO_AEAD_AEGIS128L_NPUBBYTES);
// Additional data. This can be a user ID, email address, or empty.
$additional_data = '';
// Message to encrypt
$message = 'Hello';
// Encrypt
$ciphertext = sodium_crypto_aead_aegis128l_encrypt($message, $additional_data, $nonce, $key);
// Decrypt
$decryptedMessage = sodium_crypto_aead_aegis128l_decrypt($ciphertext, $additional_data, $nonce, $key); // "Hello"
```

## AEGIS-256

`AEGIS-256`

uses 256-bit keys, and can encrypt data lengths below 2^64 bits. With some exceptions, `AEGIS-256`

is about 20% more computationally intensive than AEGIS-128L.

The following is an example of generating a key and a nonce and encrypting and decrypting a plain text message to a ciphertext and back using additional data:

```
// generate a random key of sufficient length (32 bytes)
// This value must not be public.
$key = sodium_crypto_aead_aegis256_keygen();
// Generate random nonce value of SODIUM_CRYPTO_AEAD_AEGIS128L_NPUBBYTES length (32 bytes).
// This value should be stored along the encrypted text, but is not required to be private
$nonce = random_bytes(SODIUM_CRYPTO_AEAD_AEGIS256_NPUBBYTES);
// Additional data. This can be a user ID, email address, or empty.
$additional_data = '';
// Message to encrypt
$message = 'Hello';
// Encrypt
$ciphertext = sodium_crypto_aead_aegis256_encrypt($message, $additional_data, $nonce, $key);
// Decrypt
$decryptedMessage = sodium_crypto_aead_aegis256_decrypt($ciphertext, $additional_data, $nonce, $key); // "Hello"
```

## AEGIS Performance against AES-GCM and CHACHA20-POLY1305

The AEGIS family of encryption algorithms has an encryption rate about **two to three times faster** than the current recommended AES-GCM algorithm. For example, moderate consumer hardware encrypts data in AES-GCM at a rate of about 2.3 GB/sec, while AEGIS family of algorithms encrypts at a rate of 4.5-5.0 GB/sec.

The following benchmark results are from a benchmark run on an AMD Ryzen 4800H CPU, an `x86_64`

CPU with AES-NI CPU instructions.

For the **Data rate** benchmark, a 20 MB block of random bytes was encrypted using five algorithms supported in Sodium extension, and taking the average of 100 iterations. This excludes the time it took to generate the nonce and the key.

The **Operations/second** benchmark encrypted 1 KB of data, taking the average from 1 million iterations. Similar to the Data rate benchmark, it excludes the RNG time.

Algorithm | Data Rate (GB/sec) | Operations/sec |
---|---|---|

aes256gcm | 2.31 GB/sec | 1,168,300 ops/sec |

chacha20poly1305 | 1.29 GB/sec | 738,411 ops/sec |

chacha20poly1305_ietf | 1.28 GB/sec | 746,409 ops/sec |

xchacha20poly1305 | 1.28 GB/sec | 692,764 ops/sec |

aegis128l | 4.99 GB/sec | 1,925,310 ops/sec |

aegis256 | 4.61 GB/sec | 1,771,924 ops/sec |

All AES algorithms here will be faster on CPUs with

`AES-NI`

instructions. It is mostly low-end mobile devices and other low-powered devices such as embedded devices that will *not*have the

`AES-NI`

instructions. However, majority of servers that PHP runs on will likely be CPUs capable of reaching similar speeds as shown in the benchmark results above.