[Cryptography] recommending ChaCha20 instead of RC4 (RC4 again)
Steve Weis
steveweis at gmail.com
Tue Mar 11 23:03:21 EDT 2014
On Tue, Mar 11, 2014 at 3:02 PM, Jon Callas <jon at callas.org> wrote:
>> When it comes to Intel's Haswell CPUs, AES-GCM is twice as fast as
>> ChaCha20.
>
> Yes, but the world is not Intel, it's ARM. Meow.
>
> The world would be better served by CCM, which can be implemented well even in Javascript than more GCM, which is slow in most places, and is brittle.
Do you have CCM performance numbers to share? Or do you have GCM
performance numbers for ARM?
Krovetz and Rogaway show CCM as slightly slower than GCM on x86, ARM,
and PowerPC: http://www.cs.ucdavis.edu/~rogaway/papers/ae.pdf
For x86, this paper predates some of Shay Gueron's GCM optimizations
which are checked into OpenSSL and the PCLMULQDQ instruction in
Haswell. GCM is now running at ~1 cycle / byte.
Just out of curiosity, I ran OpenSSL speed from commit
44f7e399d342f0fbb90be023c2b9828a866fc8d1 to compare GCM, CCM, and
CBC-HMAC-SHA1 on an Intel i7-3770 @ 3.40GHz. "The 'numbers' are in
1000s of bytes per second processed."
$ ./openssl speed -evp aes-128-gcm
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-128-gcm 383145.66k 1001505.22k 1385985.37k 1498142.38k 1527376.55k
$ ./openssl speed -evp aes-128-cbc-hmac-sha1
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-128-cbc-hmac-sha1 278307.04k 371995.39k 561519.27k 663274.15k 699250.01k
$ ./openssl speed -evp aes-128-ccm
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-128-ccm 532831.23k 2140334.77k 8531998.12k 34132725.42k 273049384.28k
If I'm reading it correctly, that says it's CCM encrypting 273 GB /
second on a single core. That would be clearly wrong and I'm guessing
it's an OpenSSL 'speed' bug.
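
Added example, not part of the original message: a Python sketch that parses the `openssl speed` rows quoted above, converts the 8192-byte column to cycles per byte, and flags any row whose operations per second stay flat across block sizes, which is the pattern the aes-128-ccm row shows. The 3.40 GHz clock comes from the message; ignoring turbo and the 5% tolerance are assumptions.

```python
import re

# Rows copied from the message above (the wrapped CBC-HMAC row is joined).
SPEED_OUTPUT = """\
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-128-gcm 383145.66k 1001505.22k 1385985.37k 1498142.38k 1527376.55k
aes-128-cbc-hmac-sha1 278307.04k 371995.39k 561519.27k 663274.15k 699250.01k
aes-128-ccm 532831.23k 2140334.77k 8531998.12k 34132725.42k 273049384.28k
"""
CLOCK_HZ = 3.40e9  # nominal i7-3770 clock from the message; turbo ignored (assumption)


def parse_speed(text):
    """Return (block_sizes, {cipher: [bytes per second, one per block size]})."""
    sizes, rows = [], {}
    for line in text.splitlines():
        if line.startswith("type"):
            sizes = [int(n) for n in re.findall(r"(\d+) bytes", line)]
            continue
        fields = line.split()
        if len(fields) == len(sizes) + 1 and all(f.endswith("k") for f in fields[1:]):
            # "k" means 1000s of bytes per second, as the speed tool states.
            rows[fields[0]] = [float(f[:-1]) * 1000 for f in fields[1:]]
    return sizes, rows


def analyse(sizes, rates, clock_hz=CLOCK_HZ, tolerance=0.05):
    """Cycles/byte at the largest block, plus a size-independence check."""
    ops = [rate / size for rate, size in zip(rates, sizes)]  # calls per second
    spread = (max(ops) - min(ops)) / max(ops)
    return {
        "cycles_per_byte": clock_hz / rates[-1],
        "ops_per_second": ops,
        # A cipher does more work per call as the buffer grows, so calls/s
        # should fall. Flat calls/s means per-call time ignores buffer size.
        "suspect": spread < tolerance,
    }


def report(text=SPEED_OUTPUT):
    sizes, rows = parse_speed(text)
    return {name: analyse(sizes, rates) for name, rates in rows.items()}


if __name__ == "__main__":
    for name, r in report().items():
        flag = "SUSPECT: flat ops/s" if r["suspect"] else "ok"
        print(f"{name:24s} {r['cycles_per_byte']:7.3f} cycles/byte  {flag}")
```

On these figures the CCM row works out to roughly 33 million calls per second at every block size, so its throughput column is just that constant multiplied by the buffer length.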