On Tue, 26/10/2021 at 11:08 +0800, Sasasu wrote:
> On 2021/10/26 04:32, Yura Sokolov wrote:
> > And among others Adiantum looks best: it is fast even without hardware
> > acceleration,
>
> No, AES is fast on modern high-end hardware.
>
> on X86 AMD 3700X
> type                1024 bytes    8192 bytes    16384 bytes
> aes-128-ctr        8963982.50k  11124613.88k  11509149.42k
> aes-128-gcm        3978860.44k   4669417.10k   4732070.64k
> aes-128-xts        7776628.39k   9073664.63k   9264617.74k
> chacha20-poly1305  2043729.73k   2131296.36k   2141002.10k
>
> on ARM RK3399, A53 middle-end with AES-NI
> type               1024 bytes   8192 bytes   16384 bytes
> aes-128-ctr        1663857.66k  1860930.22k  1872991.57k
> aes-128-xts         685086.38k   712906.07k   716073.64k
> aes-128-gcm         985578.84k  1054818.30k  1056768.00k
> chacha20-poly1305   309012.82k   318889.98k   319711.91k
>
> I think the baseline is the speed when using the read(2) syscall on
> /dev/zero (which is 3.6GiB/s; on ARM it is 980MiB/s).
> ChaCha is fast on the low-end ARM, but I haven't seen any HTTPS sites
> using ChaCha, including Cloudflare and Google.
1. ChaCha20-Poly1305 includes an authentication code (Poly1305), and
aes-gcm also includes one (GCM).
But aes-128-(ctr,xts) doesn't.
Therefore, ChaCha should be compared with ctr/xts, not ChaCha20-Poly1305.
2. ChaCha20 has a security margin of x2.8: only 7 rounds out of 20 are broken.
AES-128 has a security margin of x1.4: 7 rounds out of 10 are broken.
That is why Adiantum uses ChaCha12: it is still "more secure" than AES-128.
Yes, AES with AES-NI is the fastest. But not by that much.
And AES-CTR could easily be used instead of ChaCha12 in Adiantum.
Adiantum uses ChaCha12 as a stream cipher, and any other stream cipher will
be fine as well with minor modifications to the algorithm.
>
> On 2021/10/26 04:32, Yura Sokolov wrote:
> >> That sounds like a great thing to think about adding ... after we get
> >> something in that's based on XTS.
> > Why? I see no points to do it after. Why not XTS after Adiantum?
> >
> > Ok, I see one: XTS is standardized.
> :>
> PostgreSQL doesn't even discuss single-table key rotation or a remote KMS.
> I think it's too hard to use an encryption algorithm which openssl
> doesn't implement.
That is an argument. But, again, openssl could be used for the primitives:
AES + AES-CTR + Poly1305/GCM. And an Adiantum-like construction could be
composed from them quite easily.
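The HBSH structure (hash, block cipher, stream cipher, hash) that Adiantum is built on, written out as an added example so the "compose it from primitives" point above can be seen concretely; this is not code from this thread, from Adiantum's authors or from PostgreSQL. To run offline it uses labelled stand-ins from the Python standard library instead of the real primitives (HMAC-SHA256 for the NH/Poly1305 hash layer, a 4-round Feistel over HMAC-SHA256 for the single AES block, HMAC-SHA256 in counter mode for the XChaCha12 stream), and the key, tweak and plaintext values are constructed; each layer is the slot where the openssl primitive named above would go.

```python
import hashlib, hmac

BLOCK, MOD = 16, 1 << 128   # 128-bit block layer; hash layers add/subtract mod 2^128

def _prf(key, *parts):
    # HMAC-SHA256 over length-prefixed parts: the stand-in PRF behind every layer (assumption)
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(8, "little") + p)
    return h.digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def hash_layer(kh, tweak, data):  # H(T, X) as a 128-bit int (Adiantum: NH + Poly1305)
    return int.from_bytes(_prf(kh, b"hash", tweak, data)[:BLOCK], "little")
def block_encrypt(ke, m):  # stand-in 128-bit block cipher: 4-round Feistel (Adiantum: one AES call)
    l, r = m[:8], m[8:]
    for i in range(4):
        l, r = r, _xor(l, _prf(ke, b"feistel", bytes([i]), r)[:8])
    return l + r
def block_decrypt(ke, c):
    l, r = c[:8], c[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _prf(ke, b"feistel", bytes([i]), l)[:8]), l
    return l + r
def stream(ks, nonce, n):  # stand-in stream cipher keyed by nonce C_M (Adiantum: XChaCha12)
    blocks = (_prf(ks, b"stream", nonce, i.to_bytes(8, "little")) for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def hbsh_encrypt(key, tweak, pt):
    # P = P_L || P_R (P_R is the last block); ciphertext has exactly the plaintext's length
    if len(pt) < BLOCK:
        raise ValueError("message must be at least one block")
    kh, ke, ks = (_prf(key, b"subkey", bytes([i])) for i in range(3))
    pl, pr = pt[:-BLOCK], pt[-BLOCK:]
    pm = (int.from_bytes(pr, "little") + hash_layer(kh, tweak, pl)) % MOD   # P_M = P_R + H(T, P_L)
    cm = block_encrypt(ke, pm.to_bytes(BLOCK, "little"))                   # C_M = E(P_M)
    cl = _xor(pl, stream(ks, cm, len(pl)))                                  # C_L = P_L xor S(C_M)
    cr = (int.from_bytes(cm, "little") - hash_layer(kh, tweak, cl)) % MOD   # C_R = C_M - H(T, C_L)
    return cl + cr.to_bytes(BLOCK, "little")

def hbsh_decrypt(key, tweak, ct):
    kh, ke, ks = (_prf(key, b"subkey", bytes([i])) for i in range(3))
    cl, cr = ct[:-BLOCK], ct[-BLOCK:]
    cm = ((int.from_bytes(cr, "little") + hash_layer(kh, tweak, cl)) % MOD).to_bytes(BLOCK, "little")
    pl = _xor(cl, stream(ks, cm, len(cl)))
    pm = int.from_bytes(block_decrypt(ke, cm), "little")
    pr = (pm - hash_layer(kh, tweak, pl)) % MOD
    return pl + pr.to_bytes(BLOCK, "little")
```

Because C_M depends on every plaintext byte and every C_L byte depends on C_M, a one-bit plaintext change alters the whole ciphertext block of a sector, which is the wide-block property that distinguishes this mode from XTS.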