Cipher preference

James Cloos cloos at jhcloos.com
Sat Jan 25 08:47:03 EST 2014


>>>>> "CW" == Christian Weisgerber <naddy at mips.inka.de> writes:

JC>> When testing chacha20-poly1305, I noticed that aes-gcm is significantly
JC>> faster than aes-ctr or aes-cbs with umac.  Even on systems w/o aes-ni
JC>> or other recent instruction set additions.

CW> No way.  This disagrees completely with what I'm seeing:

CW> On x86-64 systems without AES-NI, aes128-gcm is slower than
CW> aes128-ctr+umac-64.  (OpenSSL 1.0.1c, 1.0.1e)

On my k10 in performance mode, with long scp(1)s which (as reported by
scp) is limited to 2MB/s, aes128-ctr + umac-64-etm at openssh.com took 17%
of a core, aes128-gcm at openssh.com took 12% and chacha20-poly1305@
openssh.com took 10%, as reported by GNU time(1).

CW> On other systems without AES-NI or the benefit of assembly language
CW> optimizations in OpenSSL, aes128-gcm is painfully slower than
CW> aes128-ctr+umac-64.  (OpenSSL 1.0.1c)

W/o assembly that is not surprising.  I bet chacha+poly is the most
efficient secure option on those platforms.

-JimC
--
James Cloos <cloos at jhcloos.com>         OpenPGP: 1024D/ED7DAEA6


More information about the openssh-unix-dev mailing list