[noise] [ANNOUNCE] WireGuard Launched!

Brian Smith brian at briansmith.org
Wed Aug 10 19:51:38 PDT 2016


D. J. Bernstein <djb at cr.yp.to> wrote:

> Brian Smith writes:
> > wouldn't the performance be much better on Skylake+ and ARMv8+?
>
> No. Concretely, several generations of Intel chips have run 12-round
> ChaCha12-256 at practically the same speed as 12-round AES-192


Nobody seems interested in ChaCha12 and AES-192, so I won't discuss them
further.


> Intel is doubling the vector size in its newest CPUs---again!---this
> time from 256 bits to 512 bits.
>

<snip>


> Intel decided that on its large cores it
> could justify the area for 8 inverters, and then for 16 inverters, and
> probably 32 on future cores---but this is only a small percentage of the
> overall area of Intel's vector units, and the percentage doesn't seem to
> be increasing as the years go by.
>

I agree that these are relevant issues: Whether things like AVX-512 will
make ChaCha20-Poly1305 as fast or faster than AES-GCM on current and future
Intel processors. I am looking forward to see a demo of AVX-512-based
ChaCha20-Poly1305 outperforming similarly optimized AES-GCM on the same
CPU. Right now, with the hardware and code I have, AES-GCM is more
efficient. I would love for that to change.

I also think that the power consumption on ARMv8 (AAarch64/Aarch32) is an
important factor, for mobile applications. And, also, what network card
manufacturers do for on-NIC encryption (offloaded from the main CPU) is
important.  And also what (ISO/IETF/802.11) standards groups choose to
mandate seems to be important. Since they all seem to be going the AES-GCM
route now, it seems kind of inevitable to me that we'll have lots of
hardware-accelerated AES-GCM, even on platforms that don't have vector
units, and we'll all be required to implement AES-GCM even if our own
particular platform is better at ChaCha20-Poly1305. But, again, I'd love
for things to turn out differently than that, because I much prefer
software-implemented crypto, and ChaCha20-Poly1305 is very convenient for
software, as everybody knows.

Anyway, I do appreciate the responses. Thanks!

Cheers,
Brian
-- 
https://briansmith.org/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20160810/a3d476e1/attachment.html>


More information about the Noise mailing list