
Adiantum: Encryption for the Next Billion Users - edmorley
https://security.googleblog.com/2019/02/introducing-adiantum-encryption-for.html
======
sciurus
LWN had good articles about Google's initial abandoned approach
([https://lwn.net/Articles/761992/](https://lwn.net/Articles/761992/)) and
Adiantum
([https://lwn.net/Articles/776721/](https://lwn.net/Articles/776721/))

------
fpgaminer
I wonder if Threefish would have been a better option. It's often overlooked.

Threefish has native support for disk encryption, since it has a tweak built
right in. So rather than having to use a complex construction like Adiantum,
you can just use a single primitive. Threefish is ARX, just like ChaCha. And
its speed is within the ballpark (Wikipedia says 3.95 cpb for ChaCha20; 6.1 cpb
for Threefish).

Whether or not Adiantum as a construction is proved secure, its complexity
will lead to increased risk of implementation failure.

In other words, you can choose to attempt to maintain secure implementations of
ChaCha, Poly1305, and AES (which is notoriously difficult to get right without
side channels). Or ... just implement Threefish (which is as simple to
implement as ChaCha).

~~~
ebiggers
(I'm one of the authors of the blog post)

We considered it, of course, along with many other block ciphers. However,
heavily optimized Threefish-256 is 22.6 cycles per byte on Cortex-A7 (by far
the most common CPU this is needed on) which is over twice as slow as
Adiantum. Threefish-512 and Threefish-1024 would be much slower still. We're
already at the borderline of the performance needed to actually get all
Android devices encrypted, so over 2x worse performance is a no-go.

Threefish also wasn't published as a standalone block cipher but rather was
part of Skein, which lost the SHA-3 competition. Therefore it hasn't received
as much cryptanalysis as ChaCha and AES, and probably won't get much more in
the future.

Finally, note that unlike Adiantum, Threefish isn't a wide-block cipher, where
flipping one bit in the sector scrambles all other bits. So comparing its
complexity directly to Adiantum's is somewhat unfair. Other wide-block modes
such as HCH and HCTR are also more complex than narrow-block modes.
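
To make the wide-block point above concrete, here is an added toy model (not code from the blog post, its authors, or the Adiantum project) in the HBSH shape that Adiantum uses: a keyed hash folds the long left part of the sector into the 128-bit right block, a block cipher encrypts that block, its output seeds a stream cipher over the left part, and the hash is applied again; next to it is a narrow-block XEX-style mode for comparison. Adiantum's real components (the NH/Poly1305 hash, AES-256, XChaCha12) are replaced by stand-ins built from hashlib/hmac, and the key, tweak and sector contents are constructed, so this models the structure only and is not usable encryption.

```python
import hashlib, hmac
BLOCK, SECTOR = 16, 4096  # 128-bit blocks, 4096-byte disk sector

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def block_cipher(key, block, decrypt=False):
    """Stand-in 128-bit block cipher (NOT AES): 4-round Feistel with an HMAC round function."""
    l, r = (block[8:], block[:8]) if decrypt else (block[:8], block[8:])
    for i in (reversed(range(4)) if decrypt else range(4)):
        l, r = r, xor(l, hmac.new(key, bytes([i]) + r, "sha256").digest()[:8])
    return r + l if decrypt else l + r

def uhash(key, tweak, msg):
    """Stand-in for Adiantum's NH+Poly1305 hash of (tweak, message), as a 128-bit integer."""
    enc = len(tweak).to_bytes(4, "little") + tweak + msg
    return int.from_bytes(hmac.new(key, enc, "sha256").digest()[:16], "little")

def hbsh(key, tweak, data, decrypt=False):
    """HBSH layout: hash the left part into the right block, encrypt it, stream-cipher the left part under it, hash again."""
    L, R = data[:-BLOCK], data[-BLOCK:]
    M = ((int.from_bytes(R, "little") + uhash(key, tweak, L)) % 2**128).to_bytes(BLOCK, "little")
    if decrypt:  # M is C_M: undo the stream cipher first, then invert the block cipher
        L2 = xor(L, hashlib.shake_256(key + M).digest(len(L)))  # SHAKE256 stands in for XChaCha12
        M2 = block_cipher(key, M, decrypt=True)
    else:        # M is P_M: block cipher first; its output C_M is the stream nonce
        M2 = block_cipher(key, M)
        L2 = xor(L, hashlib.shake_256(key + M2).digest(len(L)))
    R2 = (int.from_bytes(M2, "little") - uhash(key, tweak, L2)) % 2**128
    return L2 + R2.to_bytes(BLOCK, "little")

def narrow(key, tweak, data, decrypt=False):
    """Narrow-block tweakable mode (XEX shape): each 16-byte block is masked and encrypted on its own."""
    out = b""
    for j in range(0, len(data), BLOCK):
        mask = uhash(key, tweak, j.to_bytes(4, "little")).to_bytes(BLOCK, "little")
        out += xor(block_cipher(key, xor(data[j:j + BLOCK], mask), decrypt), mask)
    return out

def changed_blocks(mode, key, tweak, data, bit):
    """Encrypt data and a copy with one bit flipped; count the 16-byte ciphertext blocks that differ."""
    flipped = bytearray(data)
    flipped[bit // 8] ^= 1 << (bit % 8)
    c1, c2 = mode(key, tweak, data), mode(key, tweak, bytes(flipped))
    return sum(c1[j:j + BLOCK] != c2[j:j + BLOCK] for j in range(0, len(data), BLOCK))

if __name__ == "__main__":
    key, tweak, sector = b"k" * 32, (7).to_bytes(8, "little"), bytes(range(256)) * 16  # constructed
    for name, mode in (("narrow-block", narrow), ("wide-block (HBSH)", hbsh)):
        print(name, changed_blocks(mode, key, tweak, sector, 1000), "of", SECTOR // BLOCK, "blocks changed")
```

Flipping a single plaintext bit changes exactly one 16-byte block under the narrow-block mode but every block of the sector under the HBSH layout, which is the property the comment above refers to.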

~~~
fpgaminer
Thank you for the additional insight!

------
RcouF1uZ4gsC
It seemed like the 90's and early 2000's crypto was based on Ron Rivest -
RSA, MD5, RC4

It seems like 2010's and early 2020's crypto will be based on Daniel Bernstein
- ChaCha20, Poly1305, Curve25519

