Amazon has published an open source cryptographic library for the Rust language

Amazon has introduced the aws-lc-rs cryptographic library, which is intended for use in Rust applications and is API-compatible with the ring Rust library. The project code is distributed under the Apache 2.0 and ISC licenses. The library supports Linux (x86, x86-64, aarch64) and macOS (x86-64) platforms.

The cryptographic operations in aws-lc-rs are implemented on top of the AWS-LC library (AWS libcrypto), which is written in C++ and is in turn based on code from the BoringSSL project (a Google-maintained fork of OpenSSL). Two low-level crates are also offered: aws-lc-sys (auto-generated low-level bindings over AWS-LC) and aws-lc-fips-sys (low-level bindings based on FFI, the Foreign Function Interface), which reproduce the AWS-LC API.

The AWS-LC library includes formally verified implementations of the SHA-2, HMAC, AES-GCM, AES-KWP, HKDF, ECDH, and ECDSA algorithms that meet the requirements for cryptographic systems that can be used by government agencies in the United States and Canada. The Rust binding was created out of the need for FIPS-compliant cryptographic libraries that can be used in Rust projects. In aws-lc-rs, Amazon decided to combine the ring API, which is familiar and common among Rust programmers, with the verified algorithm implementations from the AWS-LC library that comply with FIPS requirements.

Building on AWS-LC also made all of the optimizations Amazon developed for that library available in aws-lc-rs. For example, AWS-LC provides variants of the ChaCha20-Poly1305 and NIST P-256 algorithms that are separately optimized for ARM processors, and significant optimizations have been made for x86 systems to speed up the processing of ECDSA digital signatures. In tests of the TLS 1.2 and 1.3 protocols, the aws-lc-rs library significantly outperformed the rustls package, showing both a reduction in connection setup time and an increase in throughput (more than double in ECDSA tests).

Source: opennet.ru
