Add AES-GCM support to libcrux provider (#98)

* implement AES-GCM support in libcrux provider
* test `HpkeLibcrux` provider with `Aes128Gcm` and `Aes256Gcm`
* test `HpkeLibcrux` provider with all `KdfAlgorithm` variants
* update changelogs

Author: wysiwys

CHANGELOG.md

@@ -5,8 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [Unreleased]
+
 ## [0.3.0] - 2025-07-01
 
+- [#98](https://github.com/cryspen/hpke-rs/pull/98): add support for AES-GCM to the Libcrux provider
+
 - [#77]():
   - `rustcrypto` and `libcrux` features expose the corresponding crypto providers
   - trait types are re-exported as `hpke_types` for convenience

libcrux_provider/CHANGELOG.md

@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [Unreleased]
+
+- [#98](https://github.com/cryspen/hpke-rs/pull/98): add support for AES-GCM to the provider
+
 ## 0.3.0 - 2025-07-01
 
 * initial release

libcrux_provider/Cargo.toml

@@ -14,7 +14,8 @@ hpke-rs-crypto = { version = "0.3.0", path = "../traits" }
 libcrux-ecdh = { version = "0.0.4", default-features = false }
 libcrux-hkdf = { version = "0.0.4" }
 libcrux-kem = { version = "0.0.4", default-features = false }
-libcrux-chacha20poly1305 = { version = "0.0.4" }
+libcrux-aead = { version = "0.0.4" }
+libcrux-traits = { version = "0.0.4", default-features = false }
 # Randomness
 rand = { version = "0.9", default-features = false }
 rand_core = { version = "0.9", features = ["os_rng"] }

libcrux_provider/src/lib.rs

@@ -144,19 +144,28 @@ impl HpkeCrypto for HpkeLibcrux {
         aad: &[u8],
         msg: &[u8],
     ) -> Result<Vec<u8>, Error> {
-        // only chacha20poly1305 is supported
-        if !matches!(alg, AeadAlgorithm::ChaCha20Poly1305) {
-            return Err(Error::UnknownAeadAlgorithm);
-        }
+        let alg = aead_alg(alg)?;
+
+        use libcrux_traits::aead::typed_refs::Aead as _;
 
-        let iv = <&[u8; 12]>::try_from(nonce).map_err(|_| Error::AeadInvalidNonce)?;
+        // set up buffer for ctxt and tag
+        let mut msg_ctx: Vec<u8> = alloc::vec![0; msg.len() + alg.tag_len()];
+        let (ctxt, tag) = msg_ctx.split_at_mut(msg.len());
 
-        // TODO: instead, use key conversion from the libcrux-chacha20poly1305 crate, when available,
-        let key = <&[u8; 32]>::try_from(key)
+        // set up nonce
+        let nonce = alg.new_nonce(nonce).map_err(|_| Error::AeadInvalidNonce)?;
+
+        // set up key
+        let key = alg
+            .new_key(key)
             .map_err(|_| Error::CryptoLibraryError("AEAD invalid key length".into()))?;
 
-        let mut msg_ctx: Vec<u8> = alloc::vec![0; msg.len() + 16];
-        libcrux_chacha20poly1305::encrypt(key, msg, &mut msg_ctx, aad, iv)
+        // set up tag
+        let tag = alg
+            .new_tag_mut(tag)
+            .map_err(|_| Error::CryptoLibraryError("Invalid tag length".into()))?;
+
+        key.encrypt(ctxt, tag, nonce, aad, msg)
             .map_err(|_| Error::CryptoLibraryError("Invalid configuration".into()))?;
 
         Ok(msg_ctx)
@@ -169,31 +178,40 @@ impl HpkeCrypto for HpkeLibcrux {
         aad: &[u8],
         cipher_txt: &[u8],
     ) -> Result<Vec<u8>, Error> {
-        // only chacha20poly1305 is supported
-        if !matches!(alg, AeadAlgorithm::ChaCha20Poly1305) {
-            return Err(Error::UnknownAeadAlgorithm);
-        }
-        if cipher_txt.len() < 16 {
+        let alg = aead_alg(alg)?;
+
+        use libcrux_traits::aead::typed_refs::{Aead as _, DecryptError};
+
+        if cipher_txt.len() < alg.tag_len() {
             return Err(Error::AeadInvalidCiphertext);
         }
 
-        let boundary = cipher_txt.len() - 16;
+        let boundary = cipher_txt.len() - alg.tag_len();
 
+        // set up buffers for ptext, ctext, and tag
         let mut ptext = alloc::vec![0; boundary];
+        let (ctext, tag) = cipher_txt.split_at(boundary);
 
-        let iv = <&[u8; 12]>::try_from(nonce).map_err(|_| Error::AeadInvalidNonce)?;
+        // set up nonce
+        let nonce = alg.new_nonce(nonce).map_err(|_| Error::AeadInvalidNonce)?;
 
-        // TODO: instead, use key conversion from the libcrux-chacha20poly1305 crate, when available,
-        let key = <&[u8; 32]>::try_from(key)
+        // set up key
+        let key = alg
+            .new_key(key)
             .map_err(|_| Error::CryptoLibraryError("AEAD invalid key length".into()))?;
-        libcrux_chacha20poly1305::decrypt(key, &mut ptext, cipher_txt, aad, iv).map_err(
-            |e| match e {
-                libcrux_chacha20poly1305::AeadError::InvalidCiphertext => {
+
+        // set up tag
+        let tag = alg
+            .new_tag(tag)
+            .map_err(|_| Error::CryptoLibraryError("Invalid tag length".into()))?;
+
+        key.decrypt(&mut ptext, nonce, aad, ctext, tag)
+            .map_err(|e| match e {
+                DecryptError::InvalidTag => {
                     Error::CryptoLibraryError(format!("AEAD decryption error: {:?}", e))
                 }
                 _ => Error::CryptoLibraryError("Invalid configuration".into()),
-            },
-        )?;
+            })?;
 
         Ok(ptext)
     }
@@ -237,8 +255,7 @@ impl HpkeCrypto for HpkeLibcrux {
     /// Returns an error if the AEAD algorithm is not supported by this crypto provider.
     fn supports_aead(alg: AeadAlgorithm) -> Result<(), Error> {
         match alg {
-            // Don't support Aes
-            AeadAlgorithm::Aes128Gcm | AeadAlgorithm::Aes256Gcm => Err(Error::UnknownAeadAlgorithm),
+            AeadAlgorithm::Aes128Gcm | AeadAlgorithm::Aes256Gcm => Ok(()),
             AeadAlgorithm::ChaCha20Poly1305 => Ok(()),
             AeadAlgorithm::HpkeExport => Ok(()),
         }
@@ -295,6 +312,16 @@ fn kem_key_type_to_ecdh_alg(alg: KemAlgorithm) -> Result<libcrux_ecdh::Algorithm
     }
 }
 
+#[inline(always)]
+fn aead_alg(alg_type: AeadAlgorithm) -> Result<libcrux_aead::Aead, Error> {
+    match alg_type {
+        AeadAlgorithm::ChaCha20Poly1305 => Ok(libcrux_aead::Aead::ChaCha20Poly1305),
+        AeadAlgorithm::Aes128Gcm => Ok(libcrux_aead::Aead::AesGcm128),
+        AeadAlgorithm::Aes256Gcm => Ok(libcrux_aead::Aead::AesGcm256),
+        _ => Err(Error::UnknownAeadAlgorithm),
+    }
+}
+
 impl hpke_rs_crypto::RngCore for HpkeLibcruxPrng {
     fn next_u32(&mut self) -> u32 {
         self.rng.next_u32()

src/test_aead.rs

@@ -21,11 +21,36 @@ fn test_aes_gcm_128_self() {
         HpkeRustCrypto::aead_open(AeadAlgorithm::Aes128Gcm, &key, &nonce, &aad, &ctxt).unwrap();
     assert_eq!(&ptxt, msg);
 
-    // assert error on Libcrux provider
-    HpkeLibcrux::aead_seal(AeadAlgorithm::Aes128Gcm, &key, &nonce, &aad, msg)
-        .expect_err("Unsupported algorithm");
-    HpkeLibcrux::aead_open(AeadAlgorithm::Aes128Gcm, &key, &nonce, &aad, &ctxt)
-        .expect_err("Unsupported algorithm");
+    // test libcrux crypto provider
+    let ctxt = HpkeLibcrux::aead_seal(AeadAlgorithm::Aes128Gcm, &key, &nonce, &aad, msg).unwrap();
+    let ptxt = HpkeLibcrux::aead_open(AeadAlgorithm::Aes128Gcm, &key, &nonce, &aad, &ctxt).unwrap();
+    assert_eq!(&ptxt, msg);
+}
+
+#[test]
+fn test_aes_gcm_256_self() {
+    let key = [
+        0x5b, 0x96, 0x04, 0xfe, 0x14, 0xea, 0xdb, 0xa9, 0x31, 0xb0, 0xcc, 0xf3, 0x48, 0x43, 0xda,
+        0xb9, 0x5b, 0x96, 0x04, 0xfe, 0x14, 0xea, 0xdb, 0xa9, 0x31, 0xb0, 0xcc, 0xf3, 0x48, 0x43,
+        0xda, 0xb9,
+    ];
+    let nonce = [
+        0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c,
+    ];
+    let aad = [0x03, 0x04, 0x05];
+    let msg = b"test message";
+
+    // test rust crypto provider
+    let ctxt =
+        HpkeRustCrypto::aead_seal(AeadAlgorithm::Aes256Gcm, &key, &nonce, &aad, msg).unwrap();
+    let ptxt =
+        HpkeRustCrypto::aead_open(AeadAlgorithm::Aes256Gcm, &key, &nonce, &aad, &ctxt).unwrap();
+    assert_eq!(&ptxt, msg);
+
+    // test libcrux crypto provider
+    let ctxt = HpkeLibcrux::aead_seal(AeadAlgorithm::Aes256Gcm, &key, &nonce, &aad, msg).unwrap();
+    let ptxt = HpkeLibcrux::aead_open(AeadAlgorithm::Aes256Gcm, &key, &nonce, &aad, &ctxt).unwrap();
+    assert_eq!(&ptxt, msg);
 }
 
 #[test]