Implements AES-256-GCM authenticated encryption as an EVM precompile. Provides on-chain encrypt and decrypt operations with associated authenticated data (AAD). Used for encrypted storage, on-chain data rooms, and FHE key wrapping.
Precompile address: 0x0000000000000000000000000000000000009210 (Crypto Ops range).
Operation selector is the first byte of input.
0x01 Encrypt: key(32) + nonce(12) + aad_len(2) + aad + plaintext -> ciphertext + tag(16)
0x02 Decrypt: key(32) + nonce(12) + aad_len(2) + aad + ciphertext+tag -> plaintext
The 16-byte GCM authentication tag is appended to the ciphertext on encrypt and verified on decrypt. AAD length is encoded as a 2-byte big-endian integer.
1. AES-256-GCM is IND-CCA2 secure (chosen-ciphertext resistant) under the assumption that AES is a pseudorandom permutation.
2. Nonce reuse with the same key is catastrophic -- it leaks plaintext XOR and allows tag forgery. Contracts must guarantee unique nonces per key.
3. Key material on-chain is visible to all validators. Use ECIES (LP-121) or HPKE (LP-122) for key transport; only decrypt with derived keys.
4. Maximum plaintext size per call should be kept under 64 KB to avoid excessive gas costs.
github.com/luxfi/precompile/aes/
Copyright (C) 2024-2026, Lux Partners Limited. All rights reserved.
Licensed under the MIT License.