Re: XTS cipher mode for cluster file encryption

On 2021/10/26 04:32, Yura Sokolov wrote:
> And among others Adiantum looks best: it is fast even without hardware
> acceleration,

No, AES is fast on modern high-end hardware.

on X86 AMD 3700X
type              1024 bytes  8192 bytes   16384 bytes
aes-128-ctr       8963982.50k 11124613.88k 11509149.42k
aes-128-gcm       3978860.44k 4669417.10k  4732070.64k
aes-128-xts       7776628.39k 9073664.63k  9264617.74k
chacha20-poly1305 2043729.73k 2131296.36k  2141002.10k

on ARM RK3399, A53 middle-end with AES-NI
type              1024 bytes   8192 bytes   16384 bytes
aes-128-ctr       1663857.66k  1860930.22k  1872991.57k
aes-128-xts       685086.38k   712906.07k   716073.64k
aes-128-gcm       985578.84k   1054818.30k  1056768.00k
chacha20-poly1305 309012.82k   318889.98k   319711.91k

I think the baseline is the speed when using read(2) syscall on 
/dev/zero (which is 3.6GiB/s, on ARM is 980MiB/s)
chacha is fast on the low-end arm, but I haven't seen any HTTPS sites 
using chacha, including Cloudflare and Google.

On 2021/10/26 04:32, Yura Sokolov wrote:
 >> That sounds like a great thing to think about adding ... after we get
 >> something in that's based on XTS.
 > Why? I see no points to do it after. Why not XTS after Adiantum?
 >
 > Ok, I see one: XTS is standartized.
:>
PostgreSQL even not discuss single-table key rotation or remote KMS.
I think it's too hard to use an encryption algorithm which openssl 
doesn't implement.