> There’s also a degree of practicality: right now there is zero ChaPoly > async acceleration hardware anywhere that would fit into the crypto > API. > Actually, that assumption is factually wrong. I don't know if anything is *publicly* available, but I can assure you the silicon is running in labs already. And something will be publicly available early next year at the latest. Which could nicely coincide with having Wireguard support in the kernel (which I would also like to see happen BTW) ... > At some point, it might come to exist and have incredible > performance, and then we’ll both feel very motivated to make this work > for WireGuard. But it might also not come to be (AES seems to have won > over most of the industry), in which case, why hassle? > Not "at some point". It will. Very soon. Maybe not in consumer or server CPUs, but definitely in the embedded (networking) space. And it *will* be much faster than the embedded CPU next to it, so it will be worth using it for something like bulk packet encryption. Regards, Pascal van Leeuwen Silicon IP Architect, Multi-Protocol Engines @ Verimatrix www.insidesecure.com