[Cryptography] recommending ChaCha20 instead of RC4 (RC4 again)

Steve Weis steveweis at gmail.com
Tue Mar 11 23:03:21 EDT 2014

On Tue, Mar 11, 2014 at 3:02 PM, Jon Callas <jon at callas.org> wrote:
>> When it comes to Intel's Haswell CPUs, AES-GCM is twice as fast as
>> ChaCha20.
> Yes, but the world is not Intel, it's ARM. Meow.
> The world would be better served by CCM, which can be implemented well even in Javascript than more GCM, which is slow in most places, and is brittle.

Do you have CCM performance numbers to share? Or do you have GCM
performance numbers for ARM?

Krovetz and Rogaway show CCM as slightly slower than GCM on x86, ARM,
and PowerPC: http://www.cs.ucdavis.edu/~rogaway/papers/ae.pdf

For x86, this paper predates some of Shay Gueron's GCM optimizations
which are checked into OpenSSL and the PCLMULQDQ instruction in
Haswell. GCM is now running at ~1 cycle / byte.

Just out of curiosity, I ran OpenSSL speed from commit
44f7e399d342f0fbb90be023c2b9828a866fc8d1 to compare GCM, CCM, and
CBC-HMAC-SHA1 on an Intel i7-3770 @ 3.40GHz. "The 'numbers' are in
1000s of bytes per second processed."

$ ./openssl speed -evp aes-128-gcm
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-gcm     383145.66k  1001505.22k  1385985.37k  1498142.38k  1527376.55k

$ ./openssl speed -evp aes-128-cbc-hmac-sha1
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc-hmac-sha1   278307.04k   371995.39k   561519.27k   663274.15k   699250.01k

$ ./openssl speed -evp aes-128-ccm
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-ccm     532831.23k  2140334.77k  8531998.12k 34132725.42k 273049384.28k

If I'm reading it correctly, that says it's CCM encrypting 273 GB /
second on a single core. That would be clearly wrong and I'm guessing
it's an OpenSSL 'speed' bug.
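
The sanity check applied by eye to the CCM row above can be automated. The following is an added example, not part of the original post or of OpenSSL: it parses the three result rows quoted in the message, converts throughput to calls per second and cycles per byte, and flags rows where the work done does not grow with the block size. The 3.40 GHz clock is taken from the post; the two thresholds are assumptions chosen for illustration.

```python
import re

# Rows copied from the `openssl speed -evp` output quoted in the post above.
# Values are in thousands of bytes per second (the trailing "k").
BLOCK_SIZES = [16, 64, 256, 1024, 8192]
ROWS = """\
aes-128-gcm     383145.66k  1001505.22k  1385985.37k  1498142.38k  1527376.55k
aes-128-cbc-hmac-sha1   278307.04k   371995.39k   561519.27k   663274.15k   699250.01k
aes-128-ccm     532831.23k  2140334.77k  8531998.12k 34132725.42k 273049384.28k
"""

CLOCK_HZ = 3.40e9          # i7-3770 nominal clock from the post; turbo is ignored
MIN_CYCLES_PER_BYTE = 0.1  # assumed plausibility floor, not a measured bound
MAX_OPS_SPREAD = 1.10      # assumed: calls/s within 10% across sizes means "flat"


def parse_row(line):
    """Return (name, [bytes_per_second, ...]) for one result row."""
    name, *cols = line.split()
    rates = [float(re.fullmatch(r"([\d.]+)k", c).group(1)) * 1000 for c in cols]
    if len(rates) != len(BLOCK_SIZES):
        raise ValueError(f"expected {len(BLOCK_SIZES)} columns in {line!r}")
    return name, rates


def check_row(line):
    """Flag rows whose throughput cannot reflect per-byte work."""
    name, rates = parse_row(line)
    ops = [r / size for r, size in zip(rates, BLOCK_SIZES)]  # calls per second
    cpb = CLOCK_HZ / rates[-1]                               # at 8192-byte blocks
    reasons = []
    if max(ops) / min(ops) < MAX_OPS_SPREAD:
        reasons.append("calls/s independent of block size")
    if cpb < MIN_CYCLES_PER_BYTE:
        reasons.append(f"{cpb:.4f} cycles/byte")
    return name, round(cpb, 2), reasons


def check_all(text=ROWS):
    """Map each cipher name to (cycles per byte, list of reasons it is suspect)."""
    return {n: (cpb, why) for n, cpb, why in map(check_row, text.splitlines())}


if __name__ == "__main__":
    for name, (cpb, why) in check_all().items():
        print(f"{name:24s} {cpb:6.2f} c/B  {'SUSPECT: ' + '; '.join(why) if why else 'ok'}")
```

The CCM row is flagged on both checks: it completes roughly 33 million calls per second at every block size, which is what a benchmark loop looks like when the per-byte work is not being performed.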
