[noise] ChaCha speed update
trevp at trevp.net
Tue Jul 25 22:46:25 PDT 2017
On Wed, Jul 26, 2017 at 5:34 AM, Tony Arcieri <bascule at gmail.com> wrote:
> On Tue, Jul 25, 2017 at 3:56 PM, D. J. Bernstein <djb at cr.yp.to> wrote:
>> Romain Dolbeau has now submitted benchmarks for an Intel Skylake with
>> * 0.48 cycles/byte: 12-round ChaCha12-256.
>> * 0.48 cycles/byte: 12-round Salsa20/12-256.
>> * 0.69 cycles/byte: 20-round ChaCha20-256.
>> * 0.69 cycles/byte: 20-round Salsa20-256.
>> * 0.87 cycles/byte: 14-round AES-256.
>> Thanks to Intel for giving up on AES and joining the monoculture! :-)
>> The code is C code from Dolbeau, using _mm512_rol_epi32() etc.
> I've been very curious about these numbers, as ChaCha is an algorithm that
> seems to fit AVX-512 like a glove.
I'd also wonder how the comparison goes when you add authentication
(GCM to AES, and Poly1305 to ChaCha20).
>> Meanwhile there's a burst of papers this month from people struggling
>> with the security limitations of AES:
> Unless I'm missing something, these papers are all about AES-GCM-SIV and the
> security limitations that arise from GCM, not AES...
I think those papers do deal with encrypting large data volumes under
an AES key. Since AES is a PRP on 128 bits, the bounds are tighter
than for ChaCha.
(I also think these bounds are mostly not a practical problem, at
least for Noise, but annoying to have to think about.)
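The "PRP on 128 bits" point above, worked through numerically as an added example (this code is not from the thread or from the Noise project). It applies the standard PRP/PRF switching bound q(q-1)/2^(n+1) to AES's 128-bit block to find how much data one key can encrypt before that term exceeds a target advantage; for ChaCha20, modelled as a PRF, no such birthday term appears, and the per-nonce cap assumed here is the 64-byte block times an assumed 64-bit block counter (the original ChaCha20 layout, stated as an assumption).

```python
from fractions import Fraction


def prp_prf_switching_bound(q: int, block_bits: int) -> Fraction:
    """Upper bound on distinguishing a random n-bit permutation (what an
    ideal block cipher like AES gives) from a random function after q
    block queries: q(q-1) / 2^(n+1).  This is the birthday-style term
    that shows up in the security bounds of AES-based modes."""
    return Fraction(q * (q - 1), 2 ** (block_bits + 1))


def max_blocks_for_advantage(log2_target: int, block_bits: int) -> int:
    """Largest q such that the switching bound stays <= 2^log2_target.
    log2_target must be negative (e.g. -32 for an advantage of 2^-32).
    Binary search over q; the bound is monotone in q."""
    if log2_target >= 0:
        raise ValueError("log2_target must be negative")
    target = Fraction(1, 2 ** -log2_target)
    lo, hi = 1, 2 ** block_bits          # q=1 always satisfies the bound
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if prp_prf_switching_bound(mid, block_bits) <= target:
            lo = mid
        else:
            hi = mid - 1
    return lo


def aes_ctr_data_limit_bytes(log2_target: int) -> int:
    """Bytes one AES key may encrypt in a counter-style mode before the
    PRP/PRF term alone reaches 2^log2_target (16-byte blocks)."""
    return max_blocks_for_advantage(log2_target, 128) * 16


def chacha20_counter_limit_bytes(counter_bits: int = 64) -> int:
    """ChaCha20 is analysed as a PRF, so no switching term applies; the
    per-(key, nonce) data cap is set by the block counter.  Assumes the
    original 64-bit counter and 64-byte keystream blocks."""
    return 2 ** counter_bits * 64


if __name__ == "__main__":
    for adv in (-32, -64):
        q = max_blocks_for_advantage(adv, 128)
        print(f"AES-128-block, advantage 2^{adv}: "
              f"q ~ 2^{q.bit_length() - 1} blocks, "
              f"{aes_ctr_data_limit_bytes(adv) / 2**50:.2f} PiB")
    print(f"ChaCha20 per-nonce cap: 2^{chacha20_counter_limit_bytes().bit_length() - 1} bytes")
```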