WebCryptoAPI vs WebAssembly Encryption module

Question

One of the main benefits of WebCrypto API was that it is much faster than JS crypto libraries . Now that WebAssembly is out there, would a WASM module of an efficient C++ implementation outperform, say WebCrypto's AES ?

Answer 1

I agree with JF Bastien, WASM based crypto has many other risks so you're generally much better off using WebCrypto for that reason. Also, to-date, none of the performance benchmarks I have seen show WASM implemented crypto algorithms performing anywhere near as fast as WebCrypto. Most WebCrypto libraries are based on platform crypto which already includes highly optimized ASM for common algorithms.

Answer 2

Even if a WebAssembly implementation can outperform WebCrypto I would strongly advise against using your own. WebCrypto has platform knowledge which you simply don't have when using WebAssembly, and that means the implementation can make its algorithms use ISA-specific instructions as well as ensure that your crypto doesn't leak secrets. This simply isn't possible with WebAssembly today.

You might think "the JIT knows the platform, and could pattern-match my crypto code to Make It Do The Right Thing", but at that point it might as well instead recognize that you're calling into WebCrypto and make that call extra fast. You're then shipping less code.

Here's a paper which shows secret extraction when not using WebCrypto "Drive-by Key-Extraction Cache Attacks from Portable Code".

Quoting the paper:

the only secure way to perform cryptographic operations in JavaScript is to delegate them to the browser so that they can be executed using a native code implementation. Indeed, modern Browsers are equipped with WebCrypto API [70] that allows JavaScript to execute some cryptographic operations

This applies to WebAssembly as well as JavaScript.