diff --git a/core/crypto/deoxysii/deoxysii.odin b/core/crypto/deoxysii/deoxysii.odin
new file mode 100644
index 00000000000..cf6a991d5ce
--- /dev/null
+++ b/core/crypto/deoxysii/deoxysii.odin
@@ -0,0 +1,292 @@
+/*
+package deoxysii implements the Deoxys-II-256 Authenticated Encryption
+with Additional Data algorithm.
+
+- [[ https://sites.google.com/view/deoxyscipher ]]
+- [[ https://thomaspeyrin.github.io/web/assets/docs/papers/Jean-etal-JoC2021.pdf ]]
+*/
+package deoxysii
+
+import "base:intrinsics"
+import "core:bytes"
+import "core:crypto/aes"
+import "core:mem"
+import "core:simd"
+
+// KEY_SIZE is the Deoxys-II-256 key size in bytes.
+KEY_SIZE :: 32
+// IV_SIZE iss the Deoxys-II-256 IV size in bytes.
+IV_SIZE :: 15 // 120-bits
+// TAG_SIZE is the Deoxys-II-256 tag size in bytes.
+TAG_SIZE :: 16
+
+@(private)
+PREFIX_AD_BLOCK :: 0b0010
+@(private)
+PREFIX_AD_FINAL :: 0b0110
+@(private)
+PREFIX_MSG_BLOCK :: 0b0000
+@(private)
+PREFIX_MSG_FINAL :: 0b0100
+@(private)
+PREFIX_TAG :: 0b0001
+@(private)
+PREFIX_SHIFT :: 4
+
+@(private)
+BC_ROUNDS :: 16
+
+@(private = "file")
+_LFSR2_MASK :: simd.u8x16{
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+}
+@(private = "file")
+_LFSR3_MASK :: simd.u8x16{
+	0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
+	0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
+}
+@(private = "file")
+_LFSR_SH1 :: _LFSR2_MASK
+@(private = "file")
+_LFSR_SH5 :: simd.u8x16{
+	0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05,
+	0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05,
+}
+@(private = "file")
+_LFSR_SH7 :: simd.u8x16{
+	0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07,
+	0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07,
+}
+@(private = "file", rodata)
+_RCONS := []byte {
+	0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35, 0x6a,
+	0xd4, 0xb3, 0x7d, 0xfa, 0xef, 0xc5, 0x91, 0x39,
+	0x72,
+}
+
+// Context is a keyed Deoxys-II-256 instance.
+Context :: struct {
+	_subkeys:        [BC_ROUNDS+1][16]byte,
+	_impl:           aes.Implementation,
+	_is_initialized: bool,
+}
+
+@(private)
+_validate_common_slice_sizes :: proc (ctx: ^Context, tag, iv, aad, text: []byte) {
+	if len(tag) != TAG_SIZE {
+		panic("crypto/deoxysii: invalid tag size")
+	}
+
+	if len(iv) != IV_SIZE {
+		panic("crypto/deoxysii: invalid IV size")
+	}
+
+	#assert(size_of(int) == 8 || size_of(int) <= 4)
+	// For the nonce-misuse resistant mode, the total size of the
+	// associated data and the total size of the message do not exceed
+	// `16 * 2^max_l * 2^max_m bytes`, thus 2^128 bytes for all variants
+	// of Deoxys-II. Moreover, the maximum number of messages that can
+	// be handled for a same key is 2^max_m, that is 2^64 for all variants
+	// of Deoxys.
+}
+
+// init initializes a Context with the provided key.
+init :: proc(ctx: ^Context, key: []byte, impl := aes.DEFAULT_IMPLEMENTATION) {
+	if len(key) != KEY_SIZE {
+		panic("crypto/deoxysii: invalid key size")
+	}
+
+	ctx._impl = .Portable
+	// ctx._impl = impl
+	// if ctx._impl == .Hardware && !aes.is_hardware_accelerated() {
+	// 	ctx._impl = .Portable
+	// }
+
+	derive_ks(ctx, key)
+
+	ctx._is_initialized = true
+}
+
+// seal encrypts the plaintext and authenticates the aad and ciphertext,
+// with the provided Context and iv, stores the output in dst and tag.
+//
+// dst and plaintext MUST alias exactly or not at all.
+seal :: proc(ctx: ^Context, dst, tag, iv, aad, plaintext: []byte) {
+	assert(ctx._is_initialized)
+
+	_validate_common_slice_sizes(ctx, tag, iv, aad, plaintext)
+	if len(dst) != len(plaintext) {
+		panic("crypto/deoxysii: invalid destination ciphertext size")
+	}
+	if bytes.alias_inexactly(dst, plaintext) {
+		panic("crypto/deoxysii: dst and plaintext alias inexactly")
+	}
+
+	switch ctx._impl {
+	case .Hardware:
+	case .Portable:
+		e_ref(ctx, dst, tag, iv, aad, plaintext)
+	}
+}
+
+// open authenticates the aad and ciphertext, and decrypts the ciphertext,
+// with the provided Context, iv, and tag, and stores the output in dst,
+// returning true iff the authentication was successful.  If authentication
+// fails, the destination buffer will be zeroed.
+//
+// dst and plaintext MUST alias exactly or not at all.
+@(require_results)
+open :: proc(ctx: ^Context, dst, iv, aad, ciphertext, tag: []byte) -> bool {
+	assert(ctx._is_initialized)
+
+	_validate_common_slice_sizes(ctx, tag, iv, aad, ciphertext)
+	if len(dst) != len(ciphertext) {
+		panic("crypto/deoxysii: invalid destination plaintext size")
+	}
+	if bytes.alias_inexactly(dst, ciphertext) {
+		panic("crypto/deoxysii: dst and ciphertext alias inexactly")
+	}
+
+	ok: bool
+	switch ctx._impl {
+	case .Hardware:
+	case .Portable:
+		ok = d_ref(ctx, dst, iv, aad, ciphertext, tag)
+	}
+	if !ok {
+		mem.zero_explicit(raw_data(dst), len(ciphertext))
+	}
+
+	return false
+}
+
+// reset sanitizes the Context.  The Context must be
+// re-initialized to be used again.
+reset :: proc "contextless" (ctx: ^Context) {
+	mem.zero_explicit(&ctx._subkeys, len(ctx._subkeys))
+	ctx._is_initialized = false
+}
+
+@(private = "file")
+derive_ks :: proc "contextless" (ctx: ^Context, key: []byte) {
+	// Derive the constant component of each subtweakkey.
+	//
+	// The key schedule is as thus:
+	//
+	//   STK_i = TK1_i ^ TK2_i ^ TK3_i ^ RC_i
+	//
+	//   TK1_i = h(TK1_(i-1))
+	//   TK2_i = h(LFSR2(TK2_(i-1)))
+	//   TK3_i = h(LFSR3(TK2_(i-1)))
+	//
+	// where:
+	//
+	//   KT = K || T
+	//   W3 = KT[:16]
+	//   W2 = KT[16:32]
+	//   W1 = KT[32:]
+	//
+	//   TK1_0 = W1
+	//   TK2_0 = W2
+	//   TK3_0 = W3
+	//
+	// As `K` is fixed per Context, the XORs of `TK3_0 .. TK3_n`,
+	// `TK2_0 .. TK2_n` and RC_i can be precomputed in advance like
+	// thus:
+	//
+	//   subkey_i = TK3_i ^ TK2_i ^ RC_i
+	//
+	// When it is time to actually call Deoxys-BC-384, it is then
+	// a simple matter of deriving each round subtweakkey via:
+	//
+	//   TK1_0 = T (Tweak)
+	//   STK_0 = subkey_0 ^ TK1_0
+	//   STK_i = subkey_i (precomputed) ^ H(TK1_(i-1))
+	//
+	// We opt to use SIMD here and for the subtweakkey deriviation
+	// as `H()` is typically a single vector instruction.
+
+	tk2 := intrinsics.unaligned_load((^simd.u8x16)(raw_data(key[16:])))
+	tk3 := intrinsics.unaligned_load((^simd.u8x16)(raw_data(key)))
+
+	// subkey_0 does not apply LFSR2/3 or H.
+	intrinsics.unaligned_store(
+		(^simd.u8x16)(&ctx._subkeys[0]),
+		simd.bit_xor(
+			tk2,
+			simd.bit_xor(
+				tk3,
+				rcon(0),
+			),
+		),
+	)
+
+	// Precompute k_1 .. k_16.
+	for i in 1 ..< BC_ROUNDS+1 {
+		tk2 = h(lfsr2(tk2))
+		tk3 = h(lfsr3(tk3))
+		intrinsics.unaligned_store(
+			(^simd.u8x16)(&ctx._subkeys[i]),
+			simd.bit_xor(
+				tk2,
+				simd.bit_xor(
+					tk3,
+					rcon(i),
+				),
+			),
+		)
+	}
+}
+
+@(private = "file")
+lfsr2 :: #force_inline proc "contextless" (tk: simd.u8x16) -> simd.u8x16 {
+	// LFSR2 is a application of the following LFSR to each byte of input.
+	// (x7||x6||x5||x4||x3||x2||x1||x0) -> (x6||x5||x4||x3||x2||x1||x0||x7 ^ x5)
+	return simd.bit_or(
+		simd.shl(tk, _LFSR_SH1),
+		simd.bit_and(
+			simd.bit_xor(
+				simd.shr(tk, _LFSR_SH7),
+				simd.shr(tk, _LFSR_SH5),
+			),
+			_LFSR2_MASK,
+		),
+	)
+}
+
+@(private = "file")
+lfsr3 :: #force_inline proc "contextless"  (tk: simd.u8x16) -> simd.u8x16 {
+	// LFSR3 is a application of the following LFSR to each byte of input.
+	// (x7||x6||x5||x4||x3||x2||x1||x0) -> (x0 ^ x6||x7||x6||x5||x4||x3||x2||x1)
+	return simd.bit_or(
+		simd.shr(tk, _LFSR_SH1),
+		simd.bit_and(
+			simd.bit_xor(
+				simd.shl(tk, _LFSR_SH7),
+				simd.shl(tk, _LFSR_SH1),
+			),
+			_LFSR3_MASK,
+		),
+	)
+}
+
+@(private)
+h :: #force_inline proc "contextless" (tk: simd.u8x16) -> simd.u8x16 {
+	return simd.swizzle(
+		tk,
+		0x01, 0x06, 0x0b, 0x0c, 0x05, 0x0a, 0x0f, 0x00,
+		0x09, 0x0d, 0x03, 0x04, 0x0d, 0x02, 0x07, 0x08,
+	)
+}
+
+@(private = "file")
+rcon :: #force_inline proc "contextless" (rd: int) -> simd.u8x16 #no_bounds_check {
+	rc := _RCONS[rd]
+	return simd.u8x16{
+		1, 2, 4, 8,
+		rc, rc, rc, rc,
+		0, 0, 0, 0,
+		0, 0, 0, 0,
+	}
+}
\ No newline at end of file
diff --git a/core/crypto/deoxysii/deoxysii_impl_ct64.odin b/core/crypto/deoxysii/deoxysii_impl_ct64.odin
new file mode 100644
index 00000000000..0cc11bfbf38
--- /dev/null
+++ b/core/crypto/deoxysii/deoxysii_impl_ct64.odin
@@ -0,0 +1,271 @@
+package deoxysii
+
+import "base:intrinsics"
+import aes "core:crypto/_aes/ct64"
+import "core:encoding/endian"
+import "core:mem"
+import "core:simd"
+
+// This uses the bitlsiced 64-bit general purpose register SWAR AES
+// round function.  Unlike say, the AEGIS implementation we do not
+// bother pre-interleaving anything, as being able to compute H
+// efficiently is better, and the rest of the subtweak key deriviation
+// is a single 128-bit XOR per subtweakkey.
+
+@(private = "file")
+TWEAK_SIZE :: 16
+@(private = "file")
+BLOCK_SIZE :: 16
+
+@(private = "file")
+tag_tweak :: #force_inline proc "contextless" (
+	dst: ^[TWEAK_SIZE]byte,
+	prefix: byte,
+	block_nr: int,
+) {
+	endian.unchecked_put_u64be(dst[8:], u64(block_nr))
+	endian.unchecked_put_u64le(dst[0:], u64(prefix) << PREFIX_SHIFT) // dst[0] = prefix << PREFIX_SHIFT
+}
+
+@(private = "file")
+enc_tweak :: #force_inline proc "contextless" (
+	dst: ^[TWEAK_SIZE]byte,
+	tag: ^[TAG_SIZE]byte,
+	block_nr: int,
+) {
+	tmp: [8]byte
+	endian.unchecked_put_u64be(dst[:], u64(block_nr))
+
+	copy(dst[:], tag[:])
+	dst[0] |= 0x80
+	for i in 8 ..< TWEAK_SIZE {
+		dst[i] ~= tmp[i]
+	}
+}
+
+@(private = "file")
+bc_x4 :: proc "contextless" (
+	ctx:     ^Context,
+	dst:     []byte,
+	tweaks:  ^[4][TWEAK_SIZE]byte,
+	q_stk:   ^[8]u64,
+	q_b:     ^[8]u64,
+	n:       int,
+) {
+	// Deoxys-BC-384
+	for i in 0 ..= BC_ROUNDS {
+		// Derive the round's subtweakkey
+		sk := intrinsics.unaligned_load((^simd.u8x16)(&ctx._subkeys[i]))
+		for j in 0 ..< n {
+			tk1 := intrinsics.unaligned_load((^simd.u8x16)(&tweaks[i][j]))
+			if i != 0 {
+				tk1 = h(tk1)
+			}
+			intrinsics.unaligned_store(
+				(^simd.u8x16)(raw_data(dst)),
+				simd.bit_xor(sk, tk1),
+			)
+			q_stk[j], q_stk[j + 4] = aes.load_interleaved(dst[:])
+		}
+		aes.orthogonalize(q_stk)
+
+		if i != BC_ROUNDS {
+			aes.sub_bytes(q_b)
+			aes.shift_rows(q_b)
+			aes.mix_columns(q_b)
+		}
+		aes.add_round_key(q_b, q_stk[:])
+	}
+
+	aes.orthogonalize(q_b)
+	for i in 0 ..<n {
+		aes.store_interleaved(dst[i*BLOCK_SIZE:], q_b[i], q_b[i+4])
+	}
+}
+
+@(private = "file", require_results)
+bc_absorb :: proc "contextless" (
+	ctx:          ^Context,
+	dst:          []byte,
+	src:          []byte,
+	tweak_prefix: byte,
+	stk_block_nr: int,
+	xor_dst := true,
+) -> int {
+	q_b, q_stk: [8]u64 = ---, ---
+	tweaks: [4][TWEAK_SIZE]byte = ---
+	tmp: [BLOCK_SIZE*4]byte = ---
+
+	src, stk_block_nr := src, stk_block_nr
+	dst_ := intrinsics.unaligned_load((^simd.u8x16)(raw_data(dst)))
+
+	nr_blocks := len(src) / BLOCK_SIZE
+	for nr_blocks > 0 {
+		// Derive the tweak(s), orthogonalize the plaintext
+		n := min(nr_blocks, 4)
+		for i in 0 ..< n {
+			tag_tweak(&tweaks[i], tweak_prefix, stk_block_nr + i)
+			q_b[i], q_b[i + 4] = aes.load_interleaved(src)
+			src = src[BLOCK_SIZE:]
+		}
+		aes.orthogonalize(&q_b)
+
+		// Deoxys-BC-384
+		bc_x4(ctx, tmp[:], &tweaks, &q_stk, &q_b, n)
+
+		// XOR in the existing Auth/tag (typical) if required
+		switch xor_dst {
+		case true:
+			for i in 0 ..< n {
+				dst_ = simd.bit_xor(
+					dst_,
+					intrinsics.unaligned_load((^simd.u8x16)(raw_data(tmp[i*BLOCK_SIZE:])))
+				)
+			}
+		case false:
+			// The final tag computation does not involve the XOR
+			assert_contextless(len(src) == BLOCK_SIZE)
+			dst_ = intrinsics.unaligned_load((^simd.u8x16)(&tmp))
+		}
+
+		stk_block_nr += n
+		nr_blocks -= n
+	}
+
+	intrinsics.unaligned_store((^simd.u8x16)(raw_data(dst)), dst_)
+
+	mem.zero_explicit(&q_b, size_of(q_b))
+	mem.zero_explicit(&q_stk, size_of(q_stk))
+	mem.zero_explicit(&tweaks, size_of(tweaks))
+	mem.zero_explicit(&tmp, size_of(tmp))
+
+	return stk_block_nr
+}
+
+@(private = "file", require_results)
+bc_encrypt :: proc "contextless" (
+	ctx:          ^Context,
+	dst:          []byte,
+	src:          []byte,
+	q_n:          ^[8]u64, // Orthogonalized
+	tweak_tag:    ^[TAG_SIZE]byte,
+	stk_block_nr: int,
+) -> int {
+	q_b, q_stk: [8]u64 = ---, ---
+	tweaks: [4][TWEAK_SIZE]byte = ---
+	tmp: [BLOCK_SIZE*4]byte = ---
+
+	dst, src, stk_block_nr := dst, src, stk_block_nr
+
+	nr_blocks := len(src) / BLOCK_SIZE
+	for nr_blocks > 0 {
+		// Derive the tweak(s)
+		n := min(nr_blocks, 4)
+		for i in 0 ..< n {
+			enc_tweak(&tweaks[i], tweak_tag, stk_block_nr + i)
+		}
+		q_b = q_n^ // The plaintext is always `0^8 || N`
+
+		// Deoxys-BC-384
+		bc_x4(ctx, tmp[:], &tweaks, &q_stk, &q_b, n)
+
+		// XOR the ciphertext
+		for i in 0 ..< n {
+			intrinsics.unaligned_store(
+				(^simd.u8x16)(raw_data(dst[i*BLOCK_SIZE:])),
+				simd.bit_xor(
+					intrinsics.unaligned_load((^simd.u8x16)(raw_data(src[i*BLOCK_SIZE:]))),
+					intrinsics.unaligned_load((^simd.u8x16)(raw_data(tmp[i*BLOCK_SIZE:]))),
+				),
+			)
+		}
+
+		dst, src = dst[n*BLOCK_SIZE:], src[n*BLOCK_SIZE:]
+		stk_block_nr += n
+		nr_blocks -= n
+	}
+
+	mem.zero_explicit(&q_b, size_of(q_b))
+	mem.zero_explicit(&q_stk, size_of(q_stk))
+	mem.zero_explicit(&tweaks, size_of(tweaks))
+	mem.zero_explicit(&tmp, size_of(tmp))
+
+	return stk_block_nr
+}
+
+@(private)
+e_ref :: proc "contextless" (ctx: ^Context, dst, tag, iv, aad, plaintext: []byte) {
+	// Algorithm 3
+	//
+	// Associated data
+	// A_1 || ... || A_la || A_∗ <- A where each |A_i| = n and |A_∗| < n
+	// Auth <- 0^n
+	// for i = 0 to la − 1 do
+	//   Auth <- Auth ^ EK(0010 || i, A_i+1)
+	// end
+	// if A_∗ != nil then
+	//   Auth <- Auth ^ EK(0110 || la, pad10∗(A_∗))
+	// end
+	//
+	// Message authentication and tag generation
+	// M_1 || ... || M_l || M_∗ <- M where each |M_j| = n and |M_∗| < n
+	// tag <- Auth
+	// for j = 0 to l − 1 do
+	//   tag <- tag ^ EK(0000 || j, M_j+1)
+	// end
+	// if M_∗ != nil then
+	//   tag <- tag ^ EK(0100 || l, pad10∗(M_∗))
+	// end
+	// tag <- EK(0001 || 0^4 ||N, tag)
+	//
+	// Message encryption
+	// for j = 0 to l − 1 do
+	//   C_j <- M_j ^ EK(1 || tag ^ j, 0^8 || N)
+	// end
+	// if M_∗ != nil then
+	//   C_∗ <- M_* ^ EK(1 || tag ^ l, 0^8 || N)
+	// end
+	//
+	// return (C_1 || ... || C_l || C_∗, tag)
+}
+
+@(private, require_results)
+d_ref :: proc "contextless" (ctx: ^Context, dst, iv, aad, ciphertext, tag: []byte) -> bool {
+	// Algorithm 4
+	//
+	// Message decryption
+	// C_1 || ... || C_l || C_∗ <- C where each |C_j| = n and |C_∗| < n
+	// for j = 0 to l − 1 do
+	//   M_j <- C_j ^ EK(1 || tag ^ j, 0^8 || N)
+	// end
+	// if C_∗ != nil then
+	//   M_∗ <- C_∗ ^ EK(1 || tag ^ l, 0^8 || N)
+	// end
+	//
+	// Associated data
+	// A_1 || ... || Al_a || A_∗ <- A where each |Ai_| = n and |A_∗| < n
+	// Auth <- 0
+	// for i = 0 to la − 1 do
+	//   Auth <- Auth ^ EK(0010 || i, A_i+1)
+	// end
+	// if A∗ != nil then
+	//   Auth <- Auth ^ EK(0110| | l_a, pad10∗(A_∗))
+	// end
+	//
+	// Message authentication and tag generation
+	// M_1 || ... || M_l || M_∗ <- M where each |M_j| = n and |M_∗| < n
+	// tag0 <- Auth
+	// for j = 0 to l − 1 do
+	//   tag0 <- tag0 ^ EK(0000 || j, M_j+1)
+	// end
+	// if M_∗ != nil then
+	//   tag0 <- tag0 ^ EK(0100 || l, pad10∗(M_∗))
+	// end
+	// tag0 <- EK(0001 || 0^4 || N, tag0)
+	//
+	// Tag verification
+	// if tag0 = tag then return (M_1 || ... || M_l || M_∗)
+	// else return false
+
+	return false
+}
diff --git a/examples/all/all_main.odin b/examples/all/all_main.odin
index c540dbb3198..32b6f89ee00 100644
--- a/examples/all/all_main.odin
+++ b/examples/all/all_main.odin
@@ -33,6 +33,7 @@ import blake2s          "core:crypto/blake2s"
 import chacha20         "core:crypto/chacha20"
 import chacha20poly1305 "core:crypto/chacha20poly1305"
 import crypto_hash      "core:crypto/hash"
+import deoxysii         "core:crypto/deoxysii"
 import ed25519          "core:crypto/ed25519"
 import hkdf             "core:crypto/hkdf"
 import hmac             "core:crypto/hmac"
@@ -176,6 +177,7 @@ _ :: blake2b
 _ :: blake2s
 _ :: chacha20
 _ :: chacha20poly1305
+_ :: deoxysii
 _ :: ed25519
 _ :: hmac
 _ :: hkdf