[noise] ChaCha speed update
samuel.c.p.neves at gmail.com
Wed Jul 26 19:32:34 PDT 2017
On Wed, Jul 26, 2017 at 6:46 AM, Trevor Perrin <trevp at trevp.net> wrote:
> I'd also wonder how the comparison goes when you add authentication
> (GCM to AES, and Poly1305 to ChaCha20).
The latest OpenSSL assembly pack from Andy Polyakov has more details:
ChaCha20 runs at 0.57 cpb, while poly1305 runs at 0.35 cpb, both using
AVX-512. Unlike AES-GCM, where the GHASH part has, since Skylake, been
able to hide almost entirely in between the AES-NI instructions,
ChaCha20 and poly1305 will be competing for the same vector resources,
which means the combined runtime will most likely be additive. I would
expect the combination to run at >= 0.57 + 0.35 = 0.92 cycles per
byte, around the same speed as AES256-GCM, and all the while drawing
more power by waking up the dormant upper parts of the vector units.
More information about the Noise