[Cryptography] recommending ChaCha20 instead of RC4 (RC4 again)

Jon Callas jon at callas.org
Tue Mar 11 18:02:51 EDT 2014



On Mar 10, 2014, at 12:12 PM, Steve Weis <steveweis at gmail.com> wrote:

> When it comes to Intel's Haswell CPUs, AES-GCM is twice as fast as
> ChaCha20. DJB's performance numbers show ChaCha20 running at 2.78
> cycles / byte: http://bench.cr.yp.to/results-stream.html
> 
> Shay Gueron claims that OpenSSL's AES128-GCM implementation on Haswell
> runs at 1.03 cycles / byte and that AES256-GCM runs at 1.31 cycles /
> byte. For older Ivy Bridge and Sandy Bridge systems, AES-GCM runs
> roughly 2.55-2.87 cycles / byte, depending on the key size:
> http://2013.diac.cr.yp.to/slides/gueron.pdf
> 
> Just to put it in perspective, the latest E3v3 Haswell CPUs run with 4
> cores at up to 3.6 GHz. If I did my arithmetic correctly, that's up to
> encrypting 28.51 Gbps per core.

Yes, but the world is not Intel, it's ARM. Meow.

The world would be better served by CCM, which can be implemented well even in JavaScript, than by more GCM, which is slow in most places and is brittle.

	Jon




