Cipher preference
James Cloos
cloos at jhcloos.com
Sat Jan 25 08:47:03 EST 2014
>>>>> "CW" == Christian Weisgerber <naddy at mips.inka.de> writes:
JC>> When testing chacha20-poly1305, I noticed that aes-gcm is significantly
JC>> faster than aes-ctr or aes-cbc with umac. Even on systems w/o aes-ni
JC>> or other recent instruction set additions.
CW> No way. This disagrees completely with what I'm seeing:
CW> On x86-64 systems without AES-NI, aes128-gcm is slower than
CW> aes128-ctr+umac-64. (OpenSSL 1.0.1c, 1.0.1e)
On my k10 in performance mode, with long scp(1)s which (as reported by
scp) is limited to 2MB/s, aes128-ctr + umac-64-etm@openssh.com took 17%
of a core, aes128-gcm@openssh.com took 12% and
chacha20-poly1305@openssh.com took 10%, as reported by GNU time(1).
CW> On other systems without AES-NI or the benefit of assembly language
CW> optimizations in OpenSSL, aes128-gcm is painfully slower than
CW> aes128-ctr+umac-64. (OpenSSL 1.0.1c)
W/o assembly that is not surprising. I bet chacha+poly is the most
efficient secure option on those platforms.
-JimC
--
James Cloos <cloos at jhcloos.com> OpenPGP: 1024D/ED7DAEA6