>>>>> "CW" == Christian Weisgerber <naddy at mips.inka.de> writes: JC>> When testing chacha20-poly1305, I noticed that aes-gcm is significantly JC>> faster than aes-ctr or aes-cbs with umac. Even on systems w/o aes-ni JC>> or other recent instruction set additions. CW> No way. This disagrees completely with what I'm seeing: CW> On x86-64 systems without AES-NI, aes128-gcm is slower than CW> aes128-ctr+umac-64. (OpenSSL 1.0.1c, 1.0.1e) On my k10 in performance mode, with long scp(1)s which (as reported by scp) is limited to 2MB/s, aes128-ctr + umac-64-etm at openssh.com took 17% of a core, aes128-gcm at openssh.com took 12% and chacha20-poly1305@ openssh.com took 10%, as reported by GNU time(1). CW> On other systems without AES-NI or the benefit of assembly language CW> optimizations in OpenSSL, aes128-gcm is painfully slower than CW> aes128-ctr+umac-64. (OpenSSL 1.0.1c) W/o assembly that is not surprising. I bet chacha+poly is the most efficient secure option on those platforms. -JimC -- James Cloos <cloos at jhcloos.com> OpenPGP: 1024D/ED7DAEA6
