[noise] ChaCha speed update

Trevor Perrin trevp at trevp.net
Tue Jul 25 22:46:25 PDT 2017

On Wed, Jul 26, 2017 at 5:34 AM, Tony Arcieri <bascule at gmail.com> wrote:
> On Tue, Jul 25, 2017 at 3:56 PM, D. J. Bernstein <djb at cr.yp.to> wrote:
>> Romain Dolbeau has now submitted benchmarks for an Intel Skylake with
>> AVX-512:
>>    * 0.48 cycles/byte: 12-round ChaCha12-256.
>>    * 0.48 cycles/byte: 12-round Salsa20/12-256.
>>    * 0.69 cycles/byte: 20-round ChaCha20-256.
>>    * 0.69 cycles/byte: 20-round Salsa20-256.
>>    * 0.87 cycles/byte: 14-round AES-256.
>> https://bench.cr.yp.to/results-stream.html#amd64-manny1024
>> Thanks to Intel for giving up on AES and joining the monoculture! :-)
>> The code is C code from Dolbeau, using _mm512_rol_epi32() etc.
> I've been very curious about these numbers, as ChaCha is an algorithm that
> seems to fit AVX-512 like a glove.

I'd also wonder how the comparison goes when you add authentication
(GCM to AES, and Poly1305 to ChaCha20).

>> Meanwhile there's a burst of papers this month from people struggling
>> with the security limitations of AES:
>>    https://eprint.iacr.org/2017/697
>>    https://eprint.iacr.org/2017/702
>>    https://eprint.iacr.org/2017/708
> Unless I'm missing something, these papers are all about AES-GCM-SIV and the
> security limitations that arise from GCM, not AES...

I think those papers do deal with encrypting large data volumes under
an AES key.  Since AES is a PRP on 128 bits, the bounds are tighter
than for ChaCha.

(I also think these bounds are mostly not a practical problem, at
least for Noise, but annoying to have to think about).


More information about the Noise mailing list