AES-dust

March 22, 2026

AES-dust is a compact, size-conscious AES-128 block cipher implementation written in portable C99. It targets resource-constrained environments while still providing modern build tooling and packaging.

Highlights

  • AES-128 with ECB, CBC, CTR, OFB, XTS, CFB, EAX, CCM, GCM, and GCM-SIV modes.
  • Portable, warning-clean C99 code tested on 32- and 64-bit little-endian architectures and the Arduino Uno.
  • CMake-based build with generated package config files and optional pkg-config integration.
  • Self-test executable and vector suites to validate integrations.

Getting Started

Prerequisites

  • CMake 3.16 or newer
  • A C compiler with C99 support
  • (Optional) CTest for running the bundled tests

Configure and build

cmake -S . -B build -DCMAKE_BUILD_TYPE=Release
cmake --build build

Configuration Options

  • AES_DUST_ENABLE_WERROR (default OFF) - treat compiler warnings as errors.
  • BUILD_TESTING (default ON) - enable the test executable and CTest integration.
  • BUILD_SHARED_LIBS (default OFF) - build the library as a shared library.
  • Standard CMake controls such as CMAKE_INSTALL_PREFIX work as expected.

Running Tests

Tests build automatically when BUILD_TESTING is enabled:

ctest --test-dir build --output-on-failure

With Windows multi-config generators, pass -C Debug or -C Release as appropriate. The helper batch script and Makefile targets supply the correct arguments for you.

Installation and Consumption

Install headers, the library, and generated metadata:

cmake --install build --prefix /your/install/prefix

Consume from another CMake project:

find_package(aes_dust CONFIG REQUIRED)
target_link_libraries(your_app PRIVATE aes_dust::aes128)

After installation, pkg-config users can obtain compiler and linker flags with:

pkg-config --cflags --libs aes_dust

Supported Modes

Ordered roughly by practical security properties (AEAD > confidentiality-only; misuse-resistant first).

Mode    | Security intent / properties          | Notes
--------|---------------------------------------|--------------------------------------------------------------------------------------
GCM-SIV | AEAD, nonce-misuse resistant (SIV)    | Confidentiality + integrity; best when nonce uniqueness cannot be guaranteed.
EAX     | AEAD, nonce-based                     | Confidentiality + integrity; requires unique nonce.
CCM     | AEAD, nonce-based                     | Confidentiality + integrity; requires unique nonce and constrained nonce/tag lengths.
GCM     | AEAD, nonce-based                     | Confidentiality + integrity; nonce reuse is catastrophic.
XTS     | Tweakable confidentiality for storage | No integrity; requires unique tweak per sector/block.
CTR     | Stream cipher mode (confidentiality)  | Unique nonce required; no integrity.
OFB     | Stream cipher mode (confidentiality)  | Unique IV required; no integrity.
CFB     | Stream cipher mode (confidentiality)  | Unique IV required; no integrity.
CBC     | Block mode (confidentiality)          | Random/unpredictable IV required; no integrity.
ECB     | No semantic security                  | Patterns leak; avoid unless you know why you need it.

Test Coverage

Three test executables are built when BUILD_TESTING is enabled.

aes_dust_vectors_test — official KAT vectors and negative authentication tests

Mode     | Test vectors                                                                       | Extra checks
---------|------------------------------------------------------------------------------------|-------------------------------------------------------------------
ECB      | FIPS-197 App. B; NIST SP 800-38A §F.1.1 blocks 1–4 (encrypt + decrypt)             |
CBC      | NIST SP 800-38A §F.2.1 4-block encrypt + decrypt                                   | Rejects non-block-aligned length
CFB-128  | NIST SP 800-38A §F.3.13 4-block encrypt + decrypt                                  |
OFB      | NIST SP 800-38A §F.4.1 4-block encrypt + decrypt                                   |
CTR      | NIST SP 800-38A §F.5.1 4-block encrypt + decrypt; partial-block (10 bytes)         |
XTS      | IEEE 1619-2007 TC1 (16 bytes) and TC2 (32 bytes) encrypt + decrypt                 | Rejects input shorter than one block
EAX      | Rogaway et al. (2003) TC1 (empty), TC2 (2 bytes), TC3 (5 bytes) encrypt + decrypt  | Tampered tag, ciphertext, and AAD each rejected
CCM      | RFC 3610 TC13 (23-byte msg, 8-byte tag) and TC14 (24-byte msg, 8-byte tag)         | Tampered tag and ciphertext rejected; plaintext zeroed on failure
GCM      | NIST SP 800-38D §B TC1 (empty) and TC2 (16-byte zero PT); custom 80-byte vector     | Tampered tag, ciphertext, and AAD each rejected
GCM-SIV  | RFC 8452 §8.1 TC1 (empty) and TC2 (8-byte PT) encrypt + decrypt                    | Tampered tag and ciphertext rejected
LightMAC | 4 KAT vectors (s=64, t=128): empty, 1, 8, 9 bytes; one-shot and streaming API      | Positive and negative verify; invalid parameter rejection

aes_dust_test — cross-mode round-trip and Monte Carlo tests

Mode    | Tests
--------|-------------------------------------------------------------------------------------------------------------
ECB     | FIPS-197 and NIST SP 800-38A §F.1 encrypt + decrypt round-trip (4 vectors each)
CBC     | Encrypt/decrypt round-trip (2 single-block vectors); NIST AESAVS Monte Carlo test (100 × 1000 iterations)
CFB-128 | NIST SP 800-38A §F.3.13 4-block encrypt + decrypt with ciphertext comparison
OFB     | Encrypt/decrypt round-trip (2 single-block vectors); NIST AESAVS Monte Carlo test (100 × 1000 iterations)
CTR     | Encrypt/decrypt round-trip (4 blocks, per-block counter reset)
XTS     | IEEE 1619-2007 TC1 and TC2 encrypt + decrypt with ciphertext comparison
EAX     | Rogaway et al. TC1–TC3 encrypt + decrypt
CCM     | RFC 3610 TC13 and TC14 encrypt + decrypt with ciphertext and tag comparison
GCM-SIV | RFC 8452 §8.1 TC1 and TC2 encrypt + decrypt
GCM     | Custom 80-byte vector with AAD; tag comparison + decrypt
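The CBC row above refers to the NIST AESAVS Monte Carlo test. The driver below is an added example, not AES-dust code: it implements one AESAVS CBC-encrypt outer round against a caller-supplied single-block encrypt callback, so the same chaining logic can validate any AES-128 integration. The toy_xor_encrypt stand-in is assumed only so the file runs without an AES implementation; replace it with a real AES-128 block encrypt before comparing against AESAVS response files.

```c
/* Added example, not AES-dust code: NIST AESAVS CBC-encrypt Monte Carlo
 * round for any caller-supplied 16-byte block cipher. */
#include <stdint.h>
#include <string.h>

#define BLK 16

/* Single-block encrypt: out = E(key, in). Plug an AES-128 ECB call in here. */
typedef void (*block_encrypt_fn)(const uint8_t key[BLK],
                                 const uint8_t in[BLK], uint8_t out[BLK]);

static void xor_block(uint8_t *dst, const uint8_t *a, const uint8_t *b)
{
    for (int i = 0; i < BLK; i++) dst[i] = a[i] ^ b[i];
}

/* Toy stand-in so the file runs without AES: out = in xor key. NOT a cipher. */
static void toy_xor_encrypt(const uint8_t key[BLK], const uint8_t in[BLK],
                            uint8_t out[BLK])
{
    xor_block(out, in, key);
}

/* One AESAVS outer round of `inner` chained CBC steps. The spec feeds
 * PT[j+1] = IV for j = 0 and PT[j+1] = CT[j-1] afterwards, then sets
 * Key ^= CT[last], IV = CT[last], PT = CT[last-1] for the next round.
 * key/iv/pt are updated in place; last_ct receives CT[inner-1]. */
static void cbc_mct_round(block_encrypt_fn enc, unsigned inner,
                          uint8_t key[BLK], uint8_t iv[BLK],
                          uint8_t pt[BLK], uint8_t last_ct[BLK])
{
    uint8_t cur_pt[BLK], chain[BLK], x[BLK], ct[BLK];
    memcpy(cur_pt, pt, BLK);
    memcpy(chain, iv, BLK);            /* CBC input for j = 0 is the IV */
    for (unsigned j = 0; j < inner; j++) {
        xor_block(x, cur_pt, chain);
        enc(key, x, ct);
        memcpy(cur_pt, chain, BLK);    /* next PT is this step's CBC input */
        memcpy(chain, ct, BLK);        /* CT[j] chains into step j + 1 */
    }
    xor_block(key, key, chain);        /* 128-bit key update rule */
    memcpy(iv, chain, BLK);
    memcpy(pt, cur_pt, BLK);           /* CT[inner-2] becomes next PT[0] */
    memcpy(last_ct, chain, BLK);
}
```

For a full AESAVS run, call cbc_mct_round 100 times with inner = 1000 and compare last_ct after each call with that COUNT's CT line in the response file.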

aes_dust_lightmac_test — LightMAC KAT and fuzz

Sub-test        | Description
----------------|------------------------------------------------------------------------------------------------------------------
KAT (kat)       | 7 known-answer vectors (varying s, t, message length); one-shot, streaming, and verify API
Fuzz (fuzz 200) | 200 randomised round-trips: generate tag, verify it matches, verify tampered tag fails, verify tampered message fails

Project Layout

Path            | Purpose
----------------|------------------------------------------------------
include/        | Public headers for each AES-128 mode
src/            | Library sources and the main CMake target
docs/           | Reference material and design notes
cmake/          | Package configuration templates
pkgconfig/      | Template for the aes_dust.pc file
test.c          | Cross-mode round-trip and Monte Carlo test driver
test_vectors.c  | Official KAT vectors and negative authentication tests
test_lightmac.c | LightMAC KAT and fuzz test driver

Portability and Security Notes

The implementation is tuned for minimal size rather than constant-time behaviour. Evaluate side-channel resistance for your threat model before deploying the code in high-assurance environments.

License

AES-dust is released under the terms of the Unlicense, placing the code in the public domain.