Cipher preference

Christian Weisgerber naddy at mips.inka.de
Thu Jan 2 02:41:17 EST 2014


James Cloos <cloos at jhcloos.com> wrote:

> When testing chacha20-poly1305, I noticed that aes-gcm is significantly
> faster than aes-ctr or aes-cbs with umac.  Even on systems w/o aes-ni
> or other recent instruction set additions.

No way.  This disagrees completely with what I'm seeing:

On Sandy Bridge systems with AES-NI, aes128-gcm is about as fast
as aes128-ctr+umac-64.

On x86-64 systems without AES-NI, aes128-gcm is slower than
aes128-ctr+umac-64.  (OpenSSL 1.0.1c, 1.0.1e)

On other systems without AES-NI or the benefit of assembly language
optimizations in OpenSSL, aes128-gcm is painfully slower than
aes128-ctr+umac-64.  (OpenSSL 1.0.1c)

-- 
Christian "naddy" Weisgerber                          naddy at mips.inka.de


More information about the openssh-unix-dev mailing list