AEGIS Encryption with PHP Sodium Extension

Published On10 Dec 2023

AEGIS Encryption with PHP Sodium Extension AEGIS is an AES-based family of authenticated encryption algorithms that are significantly faster than ubiquitous algorithms such as AES-GCM and CHACHA20-POLY1305. The Sodium extension in PHP 8.4 supports AEGIS-128L and AEGIS-256 encryption algorithms if the Sodium extension is compiled with libsodium 1.0.19 or later.

The two encryption algorithms in the AEGIS family, AEGIS-128L and AEGIS-256, are 2-3 times faster than AES-GCM, and 3-4 times faster than the CHACHA20-POLY1305 algorithms. They leverage hardware AES acceleration on x86_64 and aarch64 (64-bit ARM architecture) CPU architectures.

The AEGIS paper provides detailed information about the inner workings of the algorithms.

AEGIS Availability on PHP

AEGIS family of encryption algorithms is available on PHP when:

  • PHP versions 8.4 and later and
  • Sodium extension compiled with libsodium 1.0.19 and later and
  • on x86_64 or aarch64 CPU architectures

To check if AEGIS is available on PHP, check for the availability of one of the AEGIS functions:

if (function_exists('\sodium_crypto_aead_aegis128l_encrypt')) {
    // AEGIS available
}

See PHP 8.4: Sodium: AEGIS-128L and AEGIS-256 support for all new AEGIS functions and constants added in PHP 8.4.

AEGIS-128L

AEGIS-128L can theoretically encrypt data lengths below 2^64 bits, and uses a 128-bit key. It is the only symmetric encryption algorithm in Sodium extension that uses a 128-bit key, while the others use a 256-bit key.

It also takes a 128-bit nonce value, which must be provided to decrypt.

The following is an example of generating a key, and nonce, encrypting data with additional data, and decrypting it:

// generate a random key of sufficient length (16 bytes)
// This value must not be public.
$key = sodium_crypto_aead_aegis128l_keygen();

// Generate random nonce value of SODIUM_CRYPTO_AEAD_AEGIS128L_NPUBBYTES length (16 bytes).
// This value should be stored along the encrypted text, but is not required to be private
$nonce = random_bytes(SODIUM_CRYPTO_AEAD_AEGIS128L_NPUBBYTES);

// Additional data. This can be a user ID, email address, or empty.
$additional_data = '';

// Message to encrypt
$message = 'Hello';

// Encrypt
$ciphertext = sodium_crypto_aead_aegis128l_encrypt($message, $additional_data, $nonce, $key);

// Decrypt
$decryptedMessage = sodium_crypto_aead_aegis128l_decrypt($ciphertext, $additional_data, $nonce, $key); // "Hello"

AEGIS-256

AEGIS-256 uses 256-bit keys, and can encrypt data lengths below 2^64 bits. With some exceptions, AEGIS-256 is about 20% more computationally intensive than AEGIS-128L.

The following is an example of generating a key and a nonce and encrypting and decrypting a plain text message to a ciphertext and back using additional data:

// generate a random key of sufficient length (32 bytes)
// This value must not be public.
$key = sodium_crypto_aead_aegis256_keygen();

// Generate random nonce value of SODIUM_CRYPTO_AEAD_AEGIS128L_NPUBBYTES length (32 bytes).
// This value should be stored along the encrypted text, but is not required to be private
$nonce = random_bytes(SODIUM_CRYPTO_AEAD_AEGIS256_NPUBBYTES);

// Additional data. This can be a user ID, email address, or empty.
$additional_data = '';

// Message to encrypt
$message = 'Hello';

// Encrypt
$ciphertext = sodium_crypto_aead_aegis256_encrypt($message, $additional_data, $nonce, $key);

// Decrypt
$decryptedMessage = sodium_crypto_aead_aegis256_decrypt($ciphertext, $additional_data, $nonce, $key); // "Hello"

AEGIS Performance against AES-GCM and CHACHA20-POLY1305

The AEGIS family of encryption algorithms has an encryption rate about two to three times faster than the current recommended AES-GCM algorithm. For example, moderate consumer hardware encrypts data in AES-GCM at a rate of about 2.3 GB/sec, while AEGIS family of algorithms encrypts at a rate of 4.5-5.0 GB/sec.

The following benchmark results are from a benchmark run on an AMD Ryzen 4800H CPU, an x86_64 CPU with AES-NI CPU instructions.

For the Data rate benchmark, a 20 MB block of random bytes was encrypted using five algorithms supported in Sodium extension, and taking the average of 100 iterations. This excludes the time it took to generate the nonce and the key.

The Operations/second benchmark encrypted 1 KB of data, taking the average from 1 million iterations. Similar to the Data rate benchmark, it excludes the RNG time.

Algorithm Data Rate (GB/sec) Operations/sec
aes256gcm 2.31 GB/sec 1,168,300 ops/sec
chacha20poly1305 1.29 GB/sec 738,411 ops/sec
chacha20poly1305_ietf 1.28 GB/sec 746,409 ops/sec
xchacha20poly1305 1.28 GB/sec 692,764 ops/sec
aegis128l 4.99 GB/sec 1,925,310 ops/sec
aegis256 4.61 GB/sec 1,771,924 ops/sec

AEGIS performance compared to others
AEGIS algorithms are twice as fast as AES-GCM, and 3-4 times as CHACHA20-POLY1305. Benchmarked by encrypting 20 MB of data and taking the average of 100 iterations on an AMD Ryzen 4800H CPU.

AEGIS performance compared to others
AEGIS algorithms can perform more than twice the encryption operations a second compared to AES-GCM. Benchmarked by encrypting 1 KB of data 1 million times on an AMD Ryzen 4800H CPU.
All AES algorithms here will be faster on CPUs with AES-NI instructions. It is mostly low-end mobile devices and other low-powered devices such as embedded devices that will not have the AES-NI instructions. However, majority of servers that PHP runs on will likely be CPUs capable of reaching similar speeds as shown in the benchmark results above.

Recent Articles on PHP.Watch

All ArticlesFeed 
PHP 8.4 Installation and Upgrade guide for Ubuntu and Debian

PHP 8.4 Installation and Upgrade guide for Ubuntu and Debian

A guide for Debian and Ubuntu on how to install PHP 8.4 on a new server or how to upgrade an existing PHP setup to PHP 8.4.
How to fix `mysql_native_password` not loaded errors on MySQL 8.4

How to fix mysql_native_password not loaded errors on MySQL 8.4

How to fix the SQLSTATE[HY000] [1524] Plugin 'mysql_native_password' is not loaded errors caused in MySQL 8.4 no longer enabling the mysql_native_password plugin by default.
How to fix PHP Curl HTTPS Certificate Authority issues on Windows

How to fix PHP Curl HTTPS Certificate Authority issues on Windows

On Windows, HTTPS requests made with the Curl extension can fail because Curl has no root certificate list to validate the server certificates. This article discusses the secure and effective solutions, and highlights bad advice that can leave PHP applications insecure.
Subscribe to PHP.Watch newsletter for monthly updates

You will receive an email on last Wednesday of every month and on major PHP releases with new articles related to PHP, upcoming changes, new features and what's changing in the language. No marketing emails, no selling of your contacts, no click-tracking, and one-click instant unsubscribe from any email you receive.

Support PHP.Watch — If you find the articles, version information, Codex, and other PHP.Watch contributions useful, consider supporting through GitHub Sponsors. Your sponsorship helps dedicate more time to creating valuable content and improving the PHP community. Together, we can keep the momentum going — thank you for your support!

Thanks to the highest tier sponsor: @TomasVotruba for your generous support to keep PHP.Watch moving 💜