Re: XTS cipher mode for cluster file encryption

On 2021/10/26 04:32, Yura Sokolov wrote:
> And among others Adiantum looks best: it is fast even without hardware
> acceleration,

No, AES is fast on modern high-end hardware.

on X86 AMD 3700X
type 1024 bytes 8192 bytes 16384 bytes
aes-128-ctr 8963982.50k 11124613.88k 11509149.42k
aes-128-gcm 3978860.44k 4669417.10k 4732070.64k
aes-128-xts 7776628.39k 9073664.63k 9264617.74k
chacha20-poly1305 2043729.73k 2131296.36k 2141002.10k

on ARM RK3399, A53 middle-end with AES-NI
type 1024 bytes 8192 bytes 16384 bytes
aes-128-ctr 1663857.66k 1860930.22k 1872991.57k
aes-128-xts 685086.38k 712906.07k 716073.64k
aes-128-gcm 985578.84k 1054818.30k 1056768.00k
chacha20-poly1305 309012.82k 318889.98k 319711.91k

I think the baseline is the speed when using read(2) syscall on
/dev/zero (which is 3.6GiB/s, on ARM is 980MiB/s)
chacha is fast on the low-end arm, but I haven't seen any HTTPS sites
using chacha, including Cloudflare and Google.

On 2021/10/26 04:32, Yura Sokolov wrote:
>> That sounds like a great thing to think about adding ... after we get
>> something in that's based on XTS.
> Why? I see no points to do it after. Why not XTS after Adiantum?
>
> Ok, I see one: XTS is standartized.
:>
PostgreSQL even not discuss single-table key rotation or remote KMS.
I think it's too hard to use an encryption algorithm which openssl
doesn't implement.