James Cloos <cloos at jhcloos.com> wrote: > When testing chacha20-poly1305, I noticed that aes-gcm is significantly > faster than aes-ctr or aes-cbs with umac. Even on systems w/o aes-ni > or other recent instruction set additions. No way. This disagrees completely with what I'm seeing: On Sandy Bridge systems with AES-NI, aes128-gcm is about as fast as aes128-ctr+umac-64. On x86-64 systems without AES-NI, aes128-gcm is slower than aes128-ctr+umac-64. (OpenSSL 1.0.1c, 1.0.1e) On other systems without AES-NI or the benefit of assembly language optimizations in OpenSSL, aes128-gcm is painfully slower than aes128-ctr+umac-64. (OpenSSL 1.0.1c) -- Christian "naddy" Weisgerber naddy at mips.inka.de
