On Tue, 26/10/2021 at 11:08 +0800, Sasasu wrote:
> On 2021/10/26 04:32, Yura Sokolov wrote:
> > And among others Adiantum looks best: it is fast even without hardware
> > acceleration,
>
> No, AES is fast on modern high-end hardware.
>
> on X86 AMD 3700X
> type               1024 bytes     8192 bytes    16384 bytes
> aes-128-ctr        8963982.50k  11124613.88k  11509149.42k
> aes-128-gcm        3978860.44k   4669417.10k   4732070.64k
> aes-128-xts        7776628.39k   9073664.63k   9264617.74k
> chacha20-poly1305  2043729.73k   2131296.36k   2141002.10k
>
> on ARM RK3399, A53 middle-end with AES-NI
> type               1024 bytes     8192 bytes    16384 bytes
> aes-128-ctr        1663857.66k   1860930.22k   1872991.57k
> aes-128-xts         685086.38k    712906.07k    716073.64k
> aes-128-gcm         985578.84k   1054818.30k   1056768.00k
> chacha20-poly1305   309012.82k    318889.98k    319711.91k
>
> I think the baseline is the speed when using the read(2) syscall on
> /dev/zero (which is 3.6GiB/s, on ARM it is 980MiB/s)
> chacha is fast on the low-end arm, but I haven't seen any HTTPS sites
> using chacha, including Cloudflare and Google.
1. ChaCha20-Poly1305 includes an authentication code (Poly1305), and AES-GCM also includes one (GCM). But aes-128-ctr and aes-128-xts don't. Therefore ChaCha should be compared with ctr/xts, not ChaCha20-Poly1305.

2. ChaCha20 has a security margin of x2.8: only 7 rounds out of 20 are broken. AES-128 has a security margin of x1.4: 7 rounds out of 10 are broken. That is why Adiantum uses ChaCha12: it is still "more secure" than AES-128.

Yes, AES with AES-NI is fastest. But not by so much.

And AES-CTR could easily be used instead of ChaCha12 in Adiantum. Adiantum uses ChaCha12 as a stream cipher, and any other stream cipher will be fine as well, with minor modifications to the algorithm.

> > On 2021/10/26 04:32, Yura Sokolov wrote:
> >> That sounds like a great thing to think about adding ... after we get
> >> something in that's based on XTS.
> > Why? I see no point in doing it after. Why not XTS after Adiantum?
> >
> > Ok, I see one: XTS is standardized.
> :>
> PostgreSQL doesn't even discuss single-table key rotation or remote KMS.
> I think it's too hard to use an encryption algorithm which openssl
> doesn't implement.

That is an argument. But, again, openssl could be used for the primitives: AES + AES-CTR + Poly1305/GCM. And an Adiantum-like construction could be composed from them quite easily.