bsaes.js - JavaScript AES
Just as it's possible to write a TCP/IP protocol stack in some utterly inappropriate programing language like ML or Visual Basic, so too, it's possible to implement TCP/IP over carrier pidgeons, or paper tape, or demons summoned from the vasty deep.
-- Stross, C., The Jennifer Morgue
This package provides a pure-JavaScript bitsliced AES implementation, as logical operations on 32 bit unsigned integers, ported from the Go port of the BearSSL code.
As a concession to performance and the futility of pure-JS crypto,
a variable time table based AESENC
analog is also provided in the
unsafe
sub-module.
WARNING
THIS IS NOT INTENDED AS A GENERAL PURPOSE AES IMPLEMENTATION. Unless
you need access to AES algorithm internals (ie: AddRoundKey
, SubBytes
,
ShiftRows
, and or MixColumns
) it is strongly recommended that you use
crypto
instead.
While sensible languages and compilers generally would transform an AES implementation of this design into something that is timing side-channel free, JavaScript and it's various implementations are not sensible by any common definition of the word.
Notes
-
The inverse transformations are not currently implemented for reasons of brevity.
-
The bitsliced nature of the implementation means that under the hood each operation is applied to 2 blocks at once. This can be used to increase performance of certain constructs.
-
If timing side-channels are beyond your threat model, this could be more easily accomplished via a table driven implementation, with better performance.
-
The package is not documented as developers that can't figure it out really have no business using it, at all.