Description
All of the AES-based AEADs we've implemented are based on AES-CTR (as implemented in various forms in the ctr crate).
CTR notably only needs the encryption component of AES, but right now if we use aes-soft in combination with ctr, we still pay an eager key schedule setup penalty for decryption, even if that code is never used (I think... it'd be nice if LLVM were smart enough to elide it, and also reduce code size).
Perhaps we should have traits like crypto::block::Encrypt and crypto::block::Decrypt, which could be combined into BlockCipher? For example, BlockCipher could have blanket impls for both Encrypt and Decrypt, so you can use a BlockCipher anywhere that Encrypt or Decrypt are required, and we could find ways to make it easy to construct a BlockCipher out of separate Encrypt and Decrypt impls for cases like aes-soft where the two are really independent.
I think ideally in cases where we're using AES-CTR, we can avoid the key schedule setup penalty for decryption, and ideally all of the decryption-related code as well.
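As an added example (not RustCrypto's code), here is the trait split sketched above on a hypothetical toy 64-bit cipher: `Encrypt` and `Decrypt` as separate traits, blanket impls from `BlockCipher`, a `Combined` type assembled from two independent halves, and a CTR keystream bounded only on `Encrypt`, so a caller that never decrypts never builds the decryption schedule. The cipher, its key schedule and all names are assumptions.

```rust
// Added example, not RustCrypto code: the Encrypt/Decrypt split sketched above, on a hypothetical toy 64-bit block cipher.
pub type Block = [u8; 8];
const ROUNDS: usize = 4;
const RC: u64 = 0xA5A5_A5A5_A5A5_A5A5; // arbitrary round constant
pub trait Encrypt { fn encrypt_block(&self, b: &mut Block); }
pub trait Decrypt { fn decrypt_block(&self, b: &mut Block); }
pub trait BlockCipher {
    fn encrypt_block(&self, b: &mut Block);
    fn decrypt_block(&self, b: &mut Block);
}
// Blanket impls: a full BlockCipher works anywhere only Encrypt or Decrypt is required.
impl<T: BlockCipher> Encrypt for T { fn encrypt_block(&self, b: &mut Block) { BlockCipher::encrypt_block(self, b) } }
impl<T: BlockCipher> Decrypt for T { fn decrypt_block(&self, b: &mut Block) { BlockCipher::decrypt_block(self, b) } }
// The other direction: a BlockCipher assembled from two independent halves.
pub struct Combined<E, D> { pub enc: E, pub dec: D }
impl<E: Encrypt, D: Decrypt> BlockCipher for Combined<E, D> {
    fn encrypt_block(&self, b: &mut Block) { self.enc.encrypt_block(b) }
    fn decrypt_block(&self, b: &mut Block) { self.dec.decrypt_block(b) }
}
fn round_key(key: u64, i: usize) -> u64 { key.rotate_left(8 * i as u32) ^ 0x9E37_79B9_7F4A_7C15u64.wrapping_mul(i as u64 + 1) }
// Encryption half: only the forward key schedule is computed, which is all CTR needs.
pub struct ToyEnc { rk: [u64; ROUNDS] }
impl ToyEnc { pub fn new(key: u64) -> Self { let mut rk = [0; ROUNDS]; for i in 0..ROUNDS { rk[i] = round_key(key, i); } Self { rk } } }
impl Encrypt for ToyEnc {
    fn encrypt_block(&self, b: &mut Block) {
        let mut s = u64::from_be_bytes(*b);
        for rk in self.rk { s = (s ^ rk).rotate_left(13).wrapping_add(RC); }
        *b = s.to_be_bytes();
    }
}
// Decryption half: its own (reversed) schedule, paid only when someone constructs it.
pub struct ToyDec { rk: [u64; ROUNDS] }
impl ToyDec { pub fn new(key: u64) -> Self { let mut rk = [0; ROUNDS]; for i in 0..ROUNDS { rk[i] = round_key(key, ROUNDS - 1 - i); } Self { rk } } }
impl Decrypt for ToyDec {
    fn decrypt_block(&self, b: &mut Block) {
        let mut s = u64::from_be_bytes(*b);
        for rk in self.rk { s = s.wrapping_sub(RC).rotate_right(13) ^ rk; }
        *b = s.to_be_bytes();
    }
}
// CTR keystream bounded on Encrypt only: accepts a bare ToyEnc or a Combined cipher.
pub fn ctr_keystream<C: Encrypt>(c: &C, nonce: u32, start: u32, blocks: usize) -> Vec<u8> {
    (0..blocks).flat_map(|i| {
        let mut b = [0u8; 8];
        b[..4].copy_from_slice(&nonce.to_be_bytes());
        b[4..].copy_from_slice(&start.wrapping_add(i as u32).to_be_bytes());
        c.encrypt_block(&mut b);
        b
    }).collect()
}
```

Because `Combined` gets `Encrypt` through the blanket impl, a caller holding a `Combined` uses the `Encrypt::encrypt_block(&c, ..)` path to disambiguate from `BlockCipher::encrypt_block`.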