RustCrypto AES/GCM and ChaCha20+Poly1305 Implementation Review

3 points by ciprian_craciun about 5 years ago

1 comment

ciprian_craciun about 5 years ago

It's nice to know there are a few "safe" Rust crypto primitives (especially the `ChaCha20+Poly1305` which is also found in `libsodium`):

* AES/GCM: https://github.com/RustCrypto/AEADs/tree/master/aes-gcm

* ChaCha20+Poly1305: https://github.com/RustCrypto/AEADs/tree/master/chacha20poly1305

Quoting from the "key findings" of that report:

> NCC Group did not find any vulnerability in the audited crates.
>
> The RustCrypto implementations use all the recommended techniques to achieve constant-time implementations; in particular, the fallback AES implementation (to be used when there are no usable hardware AES opcodes) uses bitslicing to avoid any table lookups at secret-dependent addresses. Similarly, received authentication tags are compared with constant-time comparison functions.
>
> A few cosmetic remarks, mostly related to potential performance improvements, have been assembled into RustCrypto.

----

It seems that the audited code includes also:

* `aes-gcm` and `chacha20poly1305`: https://github.com/RustCrypto/AEADs/tree/a15698fdba23ffb17b84d9ecaa2c9c80706ecf03

* `aes` from RustCrypto/block-ciphers: https://github.com/RustCrypto/block-ciphers/tree/e385f1ebb2ec48547194e51c5193309ee328d93b

* `chacha20` and `salsa20-core`: https://github.com/RustCrypto/stream-ciphers/tree/1235638004c21dee4e76af4cc932cf1cd815e8f9

* `aead`, `stream-cipher` and `universal-hash`: https://github.com/RustCrypto/traits/tree/4569d256f02ac0ecefa393baf225fb4a6df35875

* `ghash`, `poly1305` and `polyval`: https://github.com/RustCrypto/universal-hashes/tree/1ab06bd79542e75490468b227dd3c2cbe42d3d92
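The quoted finding that "received authentication tags are compared with constant-time comparison functions" is the part of an AEAD verifier that is easiest to get wrong. The following is an added illustration, not RustCrypto's own code: an early-exit byte comparison beside the accumulate-all-differences form that constant-time tag checks use, on a constructed 16-byte tag (the `std::hint::black_box` use is an assumption about what is enough to keep the optimizer from reintroducing an early exit; audited libraries use dedicated crates for this).

```rust
// Added example (not RustCrypto code): comparing a received AEAD tag with
// the recomputed one. Tag length is public (16 bytes for GCM and Poly1305),
// so a length mismatch may return early; the byte contents may not.
use std::hint::black_box;

/// Naive comparison: returns at the first mismatching byte, so its running
/// time reveals how many leading bytes of a candidate tag were correct.
pub fn naive_tag_eq(received: &[u8], computed: &[u8]) -> bool {
    if received.len() != computed.len() {
        return false;
    }
    for (r, c) in received.iter().zip(computed) {
        if r != c {
            return false; // early exit: timing depends on the secret tag
        }
    }
    true
}

/// Constant-time comparison: touches every byte and ORs the per-byte
/// differences into one accumulator, so the time taken does not depend on
/// where (or whether) the tags differ. black_box is assumed here to stop the
/// optimizer from turning the accumulator back into an early exit.
pub fn ct_tag_eq(received: &[u8], computed: &[u8]) -> bool {
    if received.len() != computed.len() {
        return false; // public information, safe to branch on
    }
    let mut diff: u8 = 0;
    for (r, c) in received.iter().zip(computed) {
        diff |= black_box(r ^ c);
    }
    black_box(diff) == 0
}

fn main() {
    // Constructed sample: a genuine 16-byte tag and a candidate that differs
    // only in its last byte (the case where early exit takes longest).
    let tag = [0x5au8; 16];
    let mut candidate = tag;
    candidate[15] ^= 0x01;
    println!("genuine tag accepted:   {}", ct_tag_eq(&tag, &tag));
    println!("modified tag accepted:  {}", ct_tag_eq(&tag, &candidate));
}
```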