On Tue, Sep 20, 2016 at 03:15:19AM -0800, Kent Overstreet wrote:
> Not on the list or I would've replied directly, but on Haswell, ChaCha20 (in
> software) is over 2x as fast as AES (in hardware), at realistic (for a
> filesystem) block sizes:

On Skylake and Broadwell processors, AES is faster (the posting is
from a ChaCha20 enthusiast):

     https://blog.cloudflare.com/it-takes-two-to-chacha-poly/

My big worry though is that schemes that require that nonces/IVs must
**never** be reused are fragile.  It's for the same reason that DSA
makes my skin crawl.  If you ever screw up --- maybe after a crash, or
a file system bug --- and end up reusing a nonce, it's game over.

So if there are hardware solutions which are faster or fast enough
that the crypto is no longer dominant cost, why not use a cipher
scheme which is more robust?

                                                - Ted

P.S.  We're also both ignoring the cost of whatever changes are needed in
the file system to guarantee that the nonce is never, ever reused...
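An added illustration of the nonce-reuse point above (not part of the thread, and not code from any of the projects mentioned): a pure-Python ChaCha20 (the 96-bit-nonce, 32-bit-counter variant from RFC 7539/8439) is used to encrypt two messages under the same key and nonce, and XORing the two ciphertexts cancels the keystream, so knowing one plaintext reveals the other. The small NonceLedger at the end stands in for the durable bookkeeping a file system would need to guarantee a nonce is never handed out twice; the key, nonce and plaintexts are constructed sample values and the ledger is an in-memory assumption, not a design.

```python
import struct

MASK32 = 0xFFFFFFFF


def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    # RFC 8439 section 2.1 quarter round, applied in place to four state words
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block for (32-byte key, 32-bit counter, 12-byte nonce)."""
    state = list(struct.unpack("<4I", b"expand 32-byte k"))  # the "sigma" constants
    state += struct.unpack("<8I", key)
    state.append(counter & MASK32)
    state += struct.unpack("<3I", nonce)
    working = state[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        _quarter_round(working, 0, 4, 8, 12)   # column rounds
        _quarter_round(working, 1, 5, 9, 13)
        _quarter_round(working, 2, 6, 10, 14)
        _quarter_round(working, 3, 7, 11, 15)
        _quarter_round(working, 0, 5, 10, 15)  # diagonal rounds
        _quarter_round(working, 1, 6, 11, 12)
        _quarter_round(working, 2, 7, 8, 13)
        _quarter_round(working, 3, 4, 9, 14)
    return struct.pack("<16I", *((w + s) & MASK32 for w, s in zip(working, state)))


def chacha20_xor(key, nonce, data, counter=1):
    """Encrypt or decrypt: a stream cipher XORs the keystream, so both are the same op."""
    out = bytearray()
    for off in range(0, len(data), 64):
        block = chacha20_block(key, counter + off // 64, nonce)
        out += bytes(x ^ y for x, y in zip(data[off:off + 64], block))
    return bytes(out)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def nonce_reuse_leak(key, nonce, known_plaintext, secret_plaintext, secret_nonce=None):
    """Encrypt two messages; with the same nonce, C1 ^ C2 == P1 ^ P2, so the keystream
    drops out and the known plaintext exposes the secret one (truncated to the shorter
    length). With a distinct secret_nonce the XOR stays opaque."""
    if secret_nonce is None:
        secret_nonce = nonce  # the reuse the thread warns about
    c_known = chacha20_xor(key, nonce, known_plaintext)
    c_secret = chacha20_xor(key, secret_nonce, secret_plaintext)
    return _xor(_xor(c_known, c_secret), known_plaintext)


class NonceLedger:
    """Refuses to issue the same (key id, nonce) twice. In-memory here for illustration;
    a file system would have to persist this across crashes, which is the cost the P.S.
    above points at."""

    def __init__(self):
        self._used = set()

    def claim(self, key_id, nonce):
        pair = (key_id, bytes(nonce))
        if pair in self._used:
            raise ValueError("nonce reuse detected for key %r" % (key_id,))
        self._used.add(pair)
        return pair


# Constructed sample values (not from the thread): a fixed key and an all-zero nonce.
KEY = bytes(range(32))
NONCE = bytes(12)
P_KNOWN = b"inode 0x1234: block header"
P_SECRET = b"inode 0x1234: secret data."

if __name__ == "__main__":
    print("round trip ok:", chacha20_xor(KEY, NONCE, chacha20_xor(KEY, NONCE, P_KNOWN)) == P_KNOWN)
    print("leaked under reused nonce:", nonce_reuse_leak(KEY, NONCE, P_KNOWN, P_SECRET))
    ledger = NonceLedger()
    ledger.claim("fs-key-1", NONCE)
    try:
        ledger.claim("fs-key-1", NONCE)
    except ValueError as e:
        print("ledger:", e)
```

Run it as a script to see the leaked plaintext and the ledger refusal; the point is that the cipher itself gives no warning, only the bookkeeping around it can.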