5 releases

0.1.4 Aug 15, 2022
0.1.3 Oct 21, 2021
0.1.2 Oct 21, 2021
0.1.1 Oct 21, 2021
0.1.0 Oct 21, 2021

#460 in Cryptography

MIT license

428 lines

ROCCA for Rust

This is a Rust implementation of the ROCCA authenticated cipher, ported from the Zig implementation.

ROCCA is key committing, has a 256 bit key size, a 128 bit nonce, processes 256 bit message blocks and outputs a 128 bit authentication tag.

Cargo flags

  • std: allow dynamic allocations

std is the default.

IMPORTANT: In order to get decent code on x86 and x86_64 CPUs, you should set additional rustc flags prior to compiling that crate or a project using it:

export RUSTFLAGS="-Ctarget-feature=+aes,+sse4.1"

A benchmark can be run that way:

export RUSTFLAGS="-C target-cpu=native -Ctarget-feature=+aes,+pclmul,+sse4.1"
cargo bench


Benchmarks take a 16384 bytes input block. Results are in bytes per second.

Rust implementations


  • aes-gcm
  • chacha20poly1305
  • aegis128l
  • rocca

Macbook Pro - 2,4 GHz Intel Core i9, RUSTFLAGS set.

cipher speed
aes256-gcm 1.59 G/s
aes128-gcm 1.91 G/s
chacha20-poly1305 1.48 G/s
aegis128l 6.21 G/s
rocca 6.49 G/s

WebAssembly (Wasmtime)

cipher speed
aes256-gcm 36.88 M/s
aes128-gcm 44.13 M/s
chacha20-poly1305 193.05 M/s
aegis128l 48.98 M/s
rocca 58.61 M/s

Other implementations

cipher (implementation) speed
aes256-gcm (OpenSSL) 4.97 G/s
aes128-gcm (OpenSSL) 6.89 G/s
chacha20-poly1305 (OpenSSL) 2.67 G/s
aes128-ocb (OpenSSL) 7.10 G/s
aegis128l (Zig) 14.08 G/s
rocca (Zig) 16.28 G/s