Re: XTS cipher mode for cluster file encryption - Mailing list pgsql-hackers

From Yura Sokolov
Subject Re: XTS cipher mode for cluster file encryption
Date
Msg-id a2eede02840b9e2d1a2ec9e2ec1ffe0c9e3fae3d.camel@postgrespro.ru
In response to Re: XTS cipher mode for cluster file encryption  (Sasasu <i@sasa.su>)
Responses Re: XTS cipher mode for cluster file encryption  (Sasasu <i@sasa.su>)
List pgsql-hackers
On Tue, 26/10/2021 at 11:08 +0800, Sasasu wrote:
> On 2021/10/26 04:32, Yura Sokolov wrote:
> > And among others Adiantum looks best: it is fast even without hardware
> > acceleration,
> 
> No, AES is fast on modern high-end hardware.
> 
> on X86 AMD 3700X
> type              1024 bytes  8192 bytes   16384 bytes
> aes-128-ctr       8963982.50k 11124613.88k 11509149.42k
> aes-128-gcm       3978860.44k 4669417.10k  4732070.64k
> aes-128-xts       7776628.39k 9073664.63k  9264617.74k
> chacha20-poly1305 2043729.73k 2131296.36k  2141002.10k
> 
> on ARM RK3399, A53 middle-end with AES-NI
> type              1024 bytes   8192 bytes   16384 bytes
> aes-128-ctr       1663857.66k  1860930.22k  1872991.57k
> aes-128-xts       685086.38k   712906.07k   716073.64k
> aes-128-gcm       985578.84k   1054818.30k  1056768.00k
> chacha20-poly1305 309012.82k   318889.98k   319711.91k
> 
> I think the baseline is the speed when using the read(2) syscall on
> /dev/zero (which is 3.6GiB/s; on ARM it is 980MiB/s).
> chacha is fast on low-end ARM, but I haven't seen any HTTPS sites
> using chacha, including Cloudflare and Google.

1. Chacha20-poly1305 includes an authentication code (poly1305);
   aes-gcm also includes one (GCM).
   But aes-128-(ctr,xts) doesn't.
   Therefore, Chacha should be compared with ctr/xts, not Chacha-Poly1305.
2. Chacha20 has a security margin of x2.8: only 7 rounds of 20 are broken.
   AES-128 has a security margin of x1.4: 7 rounds of 10 are broken.
   That is why Adiantum uses Chacha12: it is still "more secure" than AES-128.

Yes, AES with AES-NI is fastest. But not so much.

And AES-CTR could easily be used instead of ChaCha12 in Adiantum.
Adiantum uses ChaCha12 as a stream cipher, and any other stream cipher would
be fine as well, with minor modifications to the algorithm.

> 
> On 2021/10/26 04:32, Yura Sokolov wrote:
>  >> That sounds like a great thing to think about adding ... after we get
>  >> something in that's based on XTS.
>  > Why? I see no points to do it after. Why not XTS after Adiantum?
>  >
>  > Ok, I see one: XTS is standardized.
> :>
> PostgreSQL doesn't even discuss single-table key rotation or a remote KMS.
> I think it's too hard to use an encryption algorithm which openssl
> doesn't implement.

That is an argument. But, again, openssl could be used for the primitives:
AES + AES-CTR + Poly/GCM. And an Adiantum-like construction could be
composed from them quite easily.
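To make the "composed from primitives" claim concrete, here is an added example (not code from this thread or from the Adiantum authors) of the HBSH structure Adiantum uses: a narrow block cipher, a stream cipher and an almost-delta-universal hash combined into a length-preserving, tweakable wide-block cipher over one 8 KiB page. The three primitives are constructed stdlib stand-ins (a Feistel PRP, a counter-mode PRF and HMAC, all domain-separated from one key); in a real build each would be replaced by the OpenSSL AES, AES-CTR and Poly1305 calls the message names, with properly derived sub-keys.

```python
import hashlib
import hmac

BLOCK = 16          # narrow block-cipher width in bytes (AES block size)
MOD = 1 << 128      # the hash value and the last block are added mod 2^128

def _prf(key: bytes, label: bytes, data: bytes) -> bytes:
    # Constructed stand-in for a keyed primitive: HMAC-SHA256 truncated to 16 bytes.
    return hmac.new(key, label + data, hashlib.sha256).digest()[:BLOCK]

def block_encrypt(key: bytes, x: bytes, decrypt: bool = False) -> bytes:
    # 4-round Feistel PRP on one 16-byte block (stand-in for single-block AES).
    l, r = x[:8], x[8:]
    for i in (range(3, -1, -1) if decrypt else range(4)):
        l, r = r, bytes(a ^ b for a, b in zip(l, _prf(key, b"F%d" % i, r)))
    return r + l    # final swap makes the reversed round order the inverse

def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Counter-mode keystream XOR (stand-in for AES-CTR or XChaCha12).
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ks = _prf(key, b"S" + nonce, i.to_bytes(4, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], ks))
    return bytes(out)

def hash_int(key: bytes, tweak: bytes, data: bytes) -> int:
    # Keyed hash of (tweak, data) as an integer mod 2^128 (stand-in for NH + Poly1305).
    tag = _prf(key, b"H" + len(tweak).to_bytes(4, "big") + tweak, data)
    return int.from_bytes(tag, "little")

def _add(block: bytes, n: int) -> bytes:
    return ((int.from_bytes(block, "little") + n) % MOD).to_bytes(BLOCK, "little")

def hbsh_encrypt(key: bytes, tweak: bytes, pt: bytes) -> bytes:
    # HBSH: hash the bulk P_L into the last block, encrypt that block, use the
    # result as the stream nonce for the bulk, then hash the bulk ciphertext back out.
    pl, pr = pt[:-BLOCK], pt[-BLOCK:]
    cm = block_encrypt(key, _add(pr, hash_int(key, tweak, pl)))
    cl = stream_xor(key, cm, pl)
    return cl + _add(cm, -hash_int(key, tweak, cl))

def hbsh_decrypt(key: bytes, tweak: bytes, ct: bytes) -> bytes:
    cl, cr = ct[:-BLOCK], ct[-BLOCK:]
    cm = _add(cr, hash_int(key, tweak, cl))
    pl = stream_xor(key, cm, cl)
    return pl + _add(block_encrypt(key, cm, decrypt=True), -hash_int(key, tweak, pl))

if __name__ == "__main__":  # constructed sample: one 8 KiB page, tweak = page number
    key, page, tweak = b"\x01" * 32, bytes(range(256)) * 32, (7).to_bytes(8, "little")
    ct = hbsh_encrypt(key, tweak, page)
    assert len(ct) == 8192 and hbsh_decrypt(key, tweak, ct) == page
```

Because the last block feeds the stream nonce and the bulk feeds the last block, a one-bit change anywhere in the page (or in the tweak) changes the whole ciphertext, which is the property XTS lacks and the reason the thread raised Adiantum.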