[Cryptography] recommending ChaCha20 instead of RC4 (RC4 again)
Steve Weis
steveweis at gmail.com
Mon Mar 10 15:12:30 EDT 2014
On Sat, Mar 8, 2014 at 8:23 PM, Zooko O'Whielacronx <zookog at gmail.com> wrote:
> Oh yes, and ChaCha is much more efficient than RC4.
> http://www.cryptopp.com/benchmarks.html says that modified alleged RC4
> ("MARC4") takes about 14 cycles per byte and that Salsa20 takes about
> 4 cycles per byte. http://bench.cr.yp.to/results-stream.html says that
> ChaCha20 is usually around 15% more efficient than Salsa20 on modern
> Intel CPUs.
When it comes to Intel's Haswell CPUs, AES-GCM is twice as fast as
ChaCha20. DJB's performance numbers show ChaCha20 running at 2.78
cycles / byte: http://bench.cr.yp.to/results-stream.html
Shay Gueron claims that OpenSSL's AES128-GCM implementation on Haswell
runs at 1.03 cycles / byte and that AES256-GCM runs at 1.31 cycles /
byte. For older Ivy Bridge and Sandy Bridge systems, AES-GCM runs
roughly 2.55-2.87 cycles / byte, depending on the key size:
http://2013.diac.cr.yp.to/slides/gueron.pdf
Just to put it in perspective, the latest E3v3 Haswell CPUs run with 4
cores at up to 3.6 GHz. If I did my arithmetic correctly, that's up to
encrypting 28.51 Gbps per core.
More information about the cryptography
mailing list