On 2014-07-03, Damien Miller <d...@mindrot.org> wrote:

>> Just out of curiosity.
>> what is the fastest and lightest in cpu terms algorithm in ssh?
>
> In recent OpenSSH, chacha20-poly1...@openssh.com is what you want.

Most likely yes, but I wouldn't entirely dismiss Nick's suggestion to test actual performance. E.g., I stopped preferring chacha20-poly1305 for my Blade 100, because aes128-ctr/umac-64 was actually faster when I checked.

And, speaking in general, the choice of MAC has as much influence on bulk throughput as the cipher, if not more so.

It's remarkable that new MACs are still such a performance problem. GHASH for AES-GCM is widely acknowledged to be a nightmare in software, but I feel Poly1305's claim to speed is also overstated. DJB's propaganda refers to his hyperoptimized x86 implementation that bizarrely abuses the floating point registers to perform integer arithmetic. The portable version we use has an inner loop that requires 25 multiplications 32x32->64 bits for each 16-byte block. For simple CPUs, that will stall out the pipeline.

-- 
Christian "naddy" Weisgerber na...@mips.inka.de
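Added example, not part of the original post and not OpenSSH's code: a compact portable Poly1305 in C showing where the 25 multiplications 32x32->64 per 16-byte block mentioned above come from. It assumes the common representation of the accumulator and key as five 26-bit limbs; `mul_count` is a hypothetical counter added only for illustration.

```c
#include <stdint.h>
#include <string.h>

#define M26 0x3ffffffu
unsigned long mul_count; /* hypothetical counter: 32x32->64 multiplications so far */

static uint32_t le32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

void poly1305(uint8_t tag[16], const uint8_t *m, size_t len, const uint8_t key[32]) {
    /* Clamped r as five 26-bit limbs; r5[k] = 5*r[k] because 2^130 = 5 (mod p). */
    uint32_t r[5] = { le32(key) & 0x3ffffff, (le32(key + 3) >> 2) & 0x3ffff03,
        (le32(key + 6) >> 4) & 0x3ffc0ff, (le32(key + 9) >> 6) & 0x3f03fff,
        (le32(key + 12) >> 8) & 0x00fffff };
    uint32_t r5[5], h[5] = {0}, g[5], mask;
    uint64_t d[5], c;
    int i, j;
    for (i = 0; i < 5; i++) r5[i] = r[i] * 5;
    while (len > 0) {
        uint8_t blk[17] = {0};
        size_t n = len < 16 ? len : 16;
        memcpy(blk, m, n); blk[n] = 1; m += n; len -= n; /* 0x01 pad byte */
        for (i = 0; i < 4; i++) h[i] += (le32(blk + 3 * i) >> (2 * i)) & M26;
        h[4] += (le32(blk + 12) >> 8) | (uint32_t)blk[16] << 24;
        /* h = h * r mod p: 5 limbs x 5 limbs = 25 multiplications per block. */
        for (i = 0; i < 5; i++)
            for (d[i] = 0, j = 0; j < 5; j++, mul_count++)
                d[i] += (uint64_t)h[j] * (j <= i ? r[i - j] : r5[i - j + 5]);
        for (c = 0, i = 0; i < 5; i++) { d[i] += c; c = d[i] >> 26; h[i] = (uint32_t)d[i] & M26; }
        h[0] += (uint32_t)c * 5; h[1] += h[0] >> 26; h[0] &= M26;
    }
    /* Full carry, then branch-free subtraction of p = 2^130 - 5 if h >= p. */
    c = h[1] >> 26; h[1] &= M26;
    for (i = 2; i < 5; i++) { h[i] += (uint32_t)c; c = h[i] >> 26; h[i] &= M26; }
    h[0] += (uint32_t)c * 5; h[1] += h[0] >> 26; h[0] &= M26;
    for (c = 5, i = 0; i < 5; i++) { g[i] = h[i] + (uint32_t)c; c = g[i] >> 26; g[i] &= M26; }
    mask = 0u - (uint32_t)c; /* all ones iff h >= p */
    for (i = 0; i < 5; i++) h[i] = (h[i] & ~mask) | (g[i] & mask);
    /* tag = (h + second key half) mod 2^128, little-endian; c carries across words. */
    for (c = 0, i = 0; i < 4; i++) {
        c += (uint64_t)((h[i] >> (6 * i)) | (h[i + 1] << (26 - 6 * i))) + le32(key + 16 + 4 * i);
        for (j = 0; j < 4; j++) tag[4 * i + j] = (uint8_t)(c >> (8 * j));
        c >>= 32;
    }
}
```

Each of the 25 products feeds a 64-bit accumulator that the next carry step depends on, so a CPU without a fast, pipelined 32x32->64 multiplier spends most of the MAC time in that double loop.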