Paving the way for Deoxys-II

willscott
Oasis Labs
3 min read · Apr 25, 2019


Today Oasis Labs is open sourcing implementations of Deoxys-II, a strong cryptographic primitive we use in our own platform architecture, in Rust, Go, and JavaScript. Together, we see these implementations as providing a strong systems basis for deploying Deoxys-II — with efficient, constant-time performance and language diversity to support most use cases and platforms.

We at Oasis hope this release will both promote adoption of strong primitives and lead to additional external validation and use of our implementations (note: there has been no independent audit of these implementations at this point).

Below we provide more detail on the technical significance of open sourcing this primitive and performance comparisons.

Background on Deoxys-II

At the heart of any distributed system is a set of cryptographic primitives that provide the mathematical guarantees of authenticity and confidentiality.

Choosing strong primitives and implementations is critical for maintaining the overall security of a system. As we build the Oasis platform, designed to offer high integrity and confidentiality, we need to make sure the security bounds and properties of the chosen primitives are sufficient.

For current best practices, we turned to the recently completed CAESAR competition, a selection process for generating primitive recommendations for algorithms offering authenticated encryption — a confidential message that can be validated as coming from a known sender. Since 2013, the competition vetted a candidate pool of more than 50 submissions, and recently provided a final set of portfolio recommendations. Deoxys-II, which is based on a tweakable block cipher implemented on top of the AES round function, is recommended for defense-in-depth applications. The algorithm has a strong security bound and is nonce-misuse resistant. This means that even if a client provides the same nonce multiple times, for instance because of a weak random number generator or software bugs, the damage is minimized.
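To make "the damage is minimized" concrete, here is an added example (not Oasis code, and not Deoxys-II) that builds the generic synthetic-IV pattern Deoxys-II's mode follows out of Go standard-library parts: the authentication tag is computed over the nonce, associated data and the whole plaintext first, and that tag then seeds AES-CTR, so the keystream depends on the message rather than on the nonce alone. HMAC-SHA256 stands in for the tweakable-block-cipher-based tag of the real cipher, and the function names (`sivSeal`, `sivOpen`, `gcmNonceReuseLeaksXor`, `sivNonceReuseLeaksXor`) and the demo keys are assumptions of this example. Under a repeated nonce, AES-GCM's two ciphertexts XOR to the XOR of the plaintexts, while the SIV-pattern ciphertexts reveal only whether two messages were identical.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const tagSize = 16

// sivTag is the PRF step of the synthetic-IV pattern: the tag covers the nonce,
// the associated data and the whole plaintext, each length-prefixed so that
// field boundaries are unambiguous. (HMAC-SHA256 here is a stand-in, not the
// tweakable-block-cipher authentication Deoxys-II uses.)
func sivTag(macKey, nonce, ad, plaintext []byte) []byte {
	mac := hmac.New(sha256.New, macKey)
	for _, field := range [][]byte{nonce, ad, plaintext} {
		var lenBuf [8]byte
		binary.BigEndian.PutUint64(lenBuf[:], uint64(len(field)))
		mac.Write(lenBuf[:])
		mac.Write(field)
	}
	return mac.Sum(nil)[:tagSize]
}

// sivSeal returns tag || ciphertext. The tag doubles as the AES-CTR initial
// counter block, so a repeated nonce with a different message still yields a
// different keystream.
func sivSeal(encKey, macKey, nonce, ad, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	tag := sivTag(macKey, nonce, ad, plaintext)
	out := make([]byte, tagSize+len(plaintext))
	copy(out, tag)
	cipher.NewCTR(block, tag).XORKeyStream(out[tagSize:], plaintext)
	return out, nil
}

// sivOpen decrypts, recomputes the tag over the recovered plaintext and
// compares in constant time; nothing is returned on failure.
func sivOpen(encKey, macKey, nonce, ad, sealed []byte) ([]byte, error) {
	if len(sealed) < tagSize {
		return nil, errors.New("ciphertext too short")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	tag, ct := sealed[:tagSize], sealed[tagSize:]
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, tag).XORKeyStream(pt, ct)
	if !hmac.Equal(tag, sivTag(macKey, nonce, ad, pt)) {
		return nil, errors.New("authentication failed")
	}
	return pt, nil
}

// xorBytes returns a XOR b for equal-length slices.
func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// gcmNonceReuseLeaksXor seals two equal-length messages under AES-GCM with the
// same key and nonce and reports whether ct1^ct2 == pt1^pt2, i.e. whether the
// reused keystream exposed the relationship between the plaintexts.
func gcmNonceReuseLeaksXor(key, nonce, pt1, pt2 []byte) (bool, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return false, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return false, err
	}
	n := len(pt1)
	ct1 := gcm.Seal(nil, nonce, pt1, nil)[:n]
	ct2 := gcm.Seal(nil, nonce, pt2, nil)[:n]
	return bytes.Equal(xorBytes(ct1, ct2), xorBytes(pt1, pt2)), nil
}

// sivNonceReuseLeaksXor runs the same check against the SIV pattern.
func sivNonceReuseLeaksXor(encKey, macKey, nonce, pt1, pt2 []byte) (bool, error) {
	s1, err := sivSeal(encKey, macKey, nonce, nil, pt1)
	if err != nil {
		return false, err
	}
	s2, err := sivSeal(encKey, macKey, nonce, nil, pt2)
	if err != nil {
		return false, err
	}
	return bytes.Equal(xorBytes(s1[tagSize:], s2[tagSize:]), xorBytes(pt1, pt2)), nil
}

func main() {
	encKey := bytes.Repeat([]byte{0x11}, 16) // constructed demo keys, not for real use
	macKey := bytes.Repeat([]byte{0x22}, 32)
	nonce := bytes.Repeat([]byte{0x33}, 12) // deliberately reused below
	pt1 := []byte("transfer 100 to alice")
	pt2 := []byte("transfer 999 to carol")
	leak, _ := gcmNonceReuseLeaksXor(encKey, nonce, pt1, pt2)
	fmt.Println("AES-GCM, repeated nonce: ct1^ct2 == pt1^pt2 ->", leak)
	leak, _ = sivNonceReuseLeaksXor(encKey, macKey, nonce, pt1, pt2)
	fmt.Println("SIV pattern, repeated nonce: ct1^ct2 == pt1^pt2 ->", leak)
}
```

The remaining leakage of the SIV pattern is deterministic encryption under a repeated nonce: sealing the same (nonce, ad, plaintext) twice produces byte-identical output, so an observer learns that a message was repeated and nothing more. Note also that an SIV-style open has to decrypt before it can verify, which is why `sivOpen` discards the plaintext on a tag mismatch rather than returning it alongside the error.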

Performance metrics

For a sense of the speed of these implementations, we provide rough performance figures for the encryption of a 4 KiB message, measured on an Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz, with Hyper-Threading and Turbo Boost both disabled. The Go and Rust implementations use AES-NI and SSSE3.

+----------------+--------------------+-----------------+
| Implementation | Throughput (MiB/s) | Cycles per Byte |
+----------------+--------------------+-----------------+
| Go             |             671.65 |            2.62 |
| Rust           |             604.51 |            2.91 |
+----------------+--------------------+-----------------+

We have also developed a pure JavaScript implementation of Deoxys-II for compatibility. In practice, most web applications will prefer a wasm packaging of a native implementation. However, we also want to ensure there is a fallback implementation for constrained clients where wasm and other newer technologies are not available.

Thanks to Andrej, Bennet, and Yawning for building and reviewing these libraries.

For questions about Oasis Labs email us at info@oasislabs.com and we’ll get back to you ASAP.
