[noise] ChaCha speed update

Samuel Neves samuel.c.p.neves at gmail.com
Wed Jul 26 19:32:34 PDT 2017


On Wed, Jul 26, 2017 at 6:46 AM, Trevor Perrin <trevp at trevp.net> wrote:
> I'd also wonder how the comparison goes when you add authentication
> (GCM to AES, and Poly1305 to ChaCha20).

The latest  OpenSSL assembly pack from Andy Polyakov has more details:
https://github.com/openssl/openssl/commit/64d92d74985ebb3d0be58a9718f9e080a14a8e7f

ChaCha20 runs at 0.57 cpb, while poly1305 runs at 0.35 cpb, both using
AVX-512. Unlike AES-GCM, where the GHASH part has, since Skylake, been
able to hide almost entirely in between the AES-NI instructions,
ChaCha20 and poly1305 will be competing for the same vector resources,
which means the combined runtime will most likely be additive. I would
expect the combination to run at >= 0.57 + 0.35 = 0.92 cycles per
byte, around the same speed as AES256-GCM, and all the while drawing
more power by waking up the dormant upper parts of the vector units.

Best regards,
Samuel Neves


More information about the Noise mailing list