On Tue, Sep 20, 2016 at 03:15:19AM -0800, Kent Overstreet wrote:
> Not on the list or I would've replied directly, but on Haswell, ChaCha20 (in
> software) is over 2x as fast as AES (in hardware), at realistic (for a
> filesystem) block sizes:

On Skylake and Broadwell processors, AES is faster (the posting is from a ChaCha20 enthusiast):

https://blog.cloudflare.com/it-takes-two-to-chacha-poly/

My big worry though is that schemes that require that nonces/IVs must **never** be reused are fragile. It's for the same reason that DSA makes my skin crawl. If you ever screw up --- maybe after a crash, or a file system bug, you end up reusing a nonce, it's game over.

So if there are hardware solutions which are faster or fast enough that the crypto is no longer the dominant cost, why not use a cipher scheme which is more robust?

- Ted

P.S. We're also both ignoring the cost of whatever changes are needed in the file system to guarantee that the nonce is never, ever reused...
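The failure mode discussed in the message above, as an added example that is not part of the original thread: a block rewritten under a reused ChaCha20 nonce, where XORing the two ciphertexts cancels the keystream. The pure-Python ChaCha20 follows the RFC 7539 block function; the nonce layout (block number plus write generation), the helper names and the sample data are assumptions constructed for illustration.

```python
import struct

def _rotl(v, n):
    return ((v << n) & 0xffffffff) | (v >> (32 - n))

def _qr(s, a, b, c, d):
    # ChaCha quarter round: four add/xor/rotate steps on state words a, b, c, d
    for x, y, z, r in ((a, b, d, 16), (c, d, b, 12), (a, b, d, 8), (c, d, b, 7)):
        s[x] = (s[x] + s[y]) & 0xffffffff
        s[z] = _rotl(s[z] ^ s[x], r)

def chacha20_block(key, counter, nonce):
    # State: 4 constant words, 8 key words, 1 block counter, 3 nonce words
    init = list(struct.unpack("<4I", b"expand 32-byte k")) + list(struct.unpack("<8I", key))
    init += [counter] + list(struct.unpack("<3I", nonce))
    s = init[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        _qr(s, 0, 4, 8, 12); _qr(s, 1, 5, 9, 13); _qr(s, 2, 6, 10, 14); _qr(s, 3, 7, 11, 15)
        _qr(s, 0, 5, 10, 15); _qr(s, 1, 6, 11, 12); _qr(s, 2, 7, 8, 13); _qr(s, 3, 4, 9, 14)
    return struct.pack("<16I", *[(a + b) & 0xffffffff for a, b in zip(s, init)])

def chacha20_xor(key, nonce, data, counter=1):
    # Encrypt or decrypt: XOR data with the keystream, 64 bytes per block
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(x ^ k for x, k in zip(data[i:i + 64], ks))
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def nonce_for(block_no, generation):
    # Hypothetical layout: 4-byte block number + 8-byte per-write generation
    return struct.pack("<IQ", block_no, generation)

def rewrite_leak(key, block_no, gen_old, gen_new, old_plain, new_plain):
    # What someone holding both on-disk versions of a block can compute without the key
    c_old = chacha20_xor(key, nonce_for(block_no, gen_old), old_plain)
    c_new = chacha20_xor(key, nonce_for(block_no, gen_new), new_plain)
    return xor(c_old, c_new)

if __name__ == "__main__":
    key = bytes(range(32))                                # constructed key
    old = bytes(64)                                       # constructed: zero-filled block
    new = b"constructed sample data".ljust(64, b".")      # constructed rewrite
    print("generation rolled back:", rewrite_leak(key, 7, 41, 41, old, new))
    print("generation advanced:   ", rewrite_leak(key, 7, 41, 42, old, new).hex())
```

With the generation rolled back to a stale value, the XOR of the two ciphertexts equals the XOR of the two plaintexts, so a known or zero-filled old block exposes the new contents directly; with a fresh generation the result is indistinguishable from random.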