PHP Conference Nagoya 2025

sodium_crypto_aead_aes256gcm_is_available

(PHP 7 >= 7.2.0, PHP 8)

sodium_crypto_aead_aes256gcm_is_availableハードウェアが AES256-GCM をサポートしているかを確認する

説明

sodium_crypto_aead_aes256gcm_is_available(): bool

この関数の戻り値は、 ハードウェアが AES256-GCM をサポートしているかどうかに依存します。

パラメータ

この関数にはパラメータはありません。

戻り値

AES-256-GCM を使って暗号化しても安全な場合、true を返します。 そうでない場合、false を返します。

add a note

User Contributed Notes 1 note

up
4
Soatok Dreamseeker
3 years ago
The reason libsodium has an "is_available()" API for AES-GCM and not the ChaCha-Poly AEAD ciphers is that, unlike OpenSSL, libsodium will not expose AES-GCM unless your processor supports hardware-accelerated AES and PCLMULQDQ instructions.

If you're wondering what that means: software AES is vulnerable to cache-timing vulnerabilities, due to its internal dependence on table look-ups: https://cr.yp.to/antiforgery/cachetiming-20050414.pdf (PDF)

There's a similar attack on the authentication step in GCM (called GMAC or GHASH, depending on context), which leaks the GHASH key (called H) and can be used to perform chosen-ciphertext attacks freely.

- You can learn more about GCM exploits here (under the condition of nonce reuse rather than timing leaks, but the consequence is the same): https://www.youtube.com/watch?v=uxuXFK5XKEU

- You can learn more about AES-GCM here: https://soatok.blog/2020/05/13/why-aes-gcm-sucks/

- You can learn more about how it compares to other encryption modes here: https://soatok.blog/2020/07/12/comparison-of-symmetric-encryption-methods/

The other AEAD modes are safe to implement in software without risk of side-channel leakage.

The take-away is: AES-GCM isn't guaranteed to be available on all hardware because, without hardware support, libsodium will not provide insecure implementations.

If you want something guaranteed to be available even on hardware you do not control (hello open source maintainers), your choices are ChaCha20-Poly1305 and XChaCha20-Poly1305.

If you can control the hardware and explicitly need AES-GCM (n.b. for FIPS 140-2 validation), feel free to use AES-256-GCM.

<?php
function do_something(string $message, CryptoKeyObject $key): string {
if (!
sodium_crypto_aead_aes256gcm_is_available()) {
throw new
Exception("AES-256-GCM isn't available on your hardware");
}
// ... your code here ...
}
?>
To Top