On Tue, 20 Sep 2016 07:51:52 -0800, Kent Overstreet wrote:
> On Tue, Sep 20, 2016 at 10:23:20AM -0400, Theodore Ts'o wrote:
>> On Tue, Sep 20, 2016 at 03:15:19AM -0800, Kent Overstreet wrote:
>> > Not on the list or I would've replied directly, but on Haswell,
>> > ChaCha20 (in software) is over 2x as fast as AES (in hardware), at
>> > realistic (for a filesystem) block sizes:
Apologies if this doesn't CC you - replying via gmane, since (not being
subscribed via email either) I can't try the same trick I did to include
Ted (i.e., reply via my mail client).
One useful trick, though - if you have a Usenet client, gmane _will_ let
you reply directly, even to old messages. That's what I'm doing.
>> On Skylake and Broadwell processors, AES is faster (the posting is from
>> a ChaCha20 enthusiast):
> The performance delta in his graphs isn't near as big as what I've
> measured, which makes me suspect OpenSSL's ChaCha20 implementation isn't
> nearly as fast as the kernel's.
>> My big worry though is that schemes that require that nonces/IV's must
>> **never** be reused are fragile. It's for the same reason that DSA
>> makes my skin crawl. If you ever screw up --- maybe after a crash, or
>> a file system bug, you end up reusing a nonce, it's game over.
>> So if there are hardware solutions which are faster or fast enough that
>> the crypto is no longer dominant cost, why not use a cipher scheme
>> which is more robust?
> Block ciphers have their own downsides though - XTS is really a big pile
> of hacks and workarounds. On the whole, if you can get nonces right, a
> stream cipher cryptosystem (and ChaCha20 especially) is on the whole
> drastically simpler, and thus easier to understand and audit.
Yes, I would entirely agree with your assessment of XTS (in particular,
the doubling of the length of the key is rooted in the original authors
misunderstanding the XEX paper...).
> And if you can do nonces correctly, ChaCha20/Poly1305 is pretty much one
> of the gold standards - it's secure against pretty much any vaguely
> realistic threat model. XTS, not so much - it's just the best you can do
> given the constraints of typical disk crypto. The gold standards of
> encryption today are the AEADs - and AES/GCM fails badly with nonce
> reuse too, there aren't any AEADs yet that don't fail badly with nonce
Not true - SIV is a generic construction, which has been applied to AES
(AES-SIV, RFC 5297) and ChaCha20 (HS1-SIV, submitted to CAESAR). There's
also AES-GCM-SIV, which takes advantage of GCM hardware acceleration as
well as AES acceleration.
To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html