
tldr: AES-NI is faster than RC4 on Intel processors > 2009. 170% faster actually [5]

"The RC4 is fast" meme is true, because RC4 uses simple math operations like modulo and bitwise AND [1]. CPUs have always done these operations fast. Other crypto algorithms used by SSL, like 3DES, were deliberately designed to be slow in software [2].

However, modern Intel chips have dedicated instructions for performing AES, called AES-NI [3]. For these chips, an AES operation is not broken down into a series of opcodes the CPU executes. The CPU just does it. AES-NI is actually faster than RC4 [4].

We need to kill the "RC4 is fast, everything else is slow" myth. "TLS has exactly one performance problem: it is not used widely enough." [5]

1- http://en.wikipedia.org/wiki/RC4#Implementation

2- DES was designed around bit swapping, not byte swapping, which is super easy to do in hardware and much slower to do in software.

3- http://en.wikipedia.org/wiki/AES_instruction_set

4- http://zombe.es/post/4078724716/openssl-cipher-selection

5- https://istlsfastyet.com/
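To make the "simple math operations" claim concrete, here is an added example (written for this page, not code from any commenter or from the linked articles): a textbook RC4 in C. Every step of both the key schedule and the keystream generator is a table lookup, an addition masked to eight bits with `& 0xFF`, a byte swap and an XOR, which is why it runs well on any CPU without special instructions. The known-answer vectors used in `rc4_check` are the public RC4 test vectors (key "Key" / plaintext "Plaintext" and key "Wiki" / plaintext "pedia"). RC4 is included only to show its cost profile; it has been prohibited in TLS since RFC 7465.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the thread): a plain RC4 so the cost profile is
 * visible. Only lookups, 8-bit masked additions, swaps and XOR. */

typedef struct {
    uint8_t s[256];
    unsigned i, j;
} rc4_state;

/* Key-scheduling algorithm: permute S under the key. */
static void rc4_init(rc4_state *st, const uint8_t *key, size_t keylen) {
    unsigned j = 0;
    for (unsigned k = 0; k < 256; k++)
        st->s[k] = (uint8_t)k;
    for (unsigned k = 0; k < 256; k++) {
        j = (j + st->s[k] + key[k % keylen]) & 0xFF;   /* modulo 256 via AND */
        uint8_t t = st->s[k]; st->s[k] = st->s[j]; st->s[j] = t;
    }
    st->i = st->j = 0;
}

/* Pseudo-random generation: one keystream byte per input byte, XORed in.
 * Encryption and decryption are the same call. */
static void rc4_crypt(rc4_state *st, const uint8_t *in, uint8_t *out, size_t len) {
    for (size_t n = 0; n < len; n++) {
        st->i = (st->i + 1) & 0xFF;
        st->j = (st->j + st->s[st->i]) & 0xFF;
        uint8_t t = st->s[st->i]; st->s[st->i] = st->s[st->j]; st->s[st->j] = t;
        out[n] = in[n] ^ st->s[(st->s[st->i] + st->s[st->j]) & 0xFF];
    }
}

/* Encrypt a NUL-terminated string under a string key and write the
 * ciphertext as uppercase hex. Returns the ciphertext length in bytes,
 * or -1 on an empty key or a too-small output buffer. */
int rc4_hex(const char *key, const char *plaintext, char *hex, size_t hexcap) {
    size_t keylen = strlen(key), len = strlen(plaintext);
    uint8_t out[4096];
    rc4_state st;
    if (keylen == 0 || len > sizeof out || hexcap < 2 * len + 1) return -1;
    rc4_init(&st, (const uint8_t *)key, keylen);
    rc4_crypt(&st, (const uint8_t *)plaintext, out, len);
    for (size_t n = 0; n < len; n++)
        sprintf(hex + 2 * n, "%02X", out[n]);
    return (int)len;
}

/* Known-answer check: 1 if key/plaintext encrypt to expected_hex, else 0. */
int rc4_check(const char *key, const char *plaintext, const char *expected_hex) {
    char hex[2 * 4096 + 1];
    if (rc4_hex(key, plaintext, hex, sizeof hex) < 0) return 0;
    return strcmp(hex, expected_hex) == 0;
}

int main(void) {
    char hex[64];
    rc4_hex("Key", "Plaintext", hex, sizeof hex);
    printf("RC4(\"Key\", \"Plaintext\") = %s\n", hex);   /* BBF316E8D940AF0AD3 */
    return 0;
}
```

Compare the inner loop of `rc4_crypt` with what a software AES round needs (SubBytes table lookups, ShiftRows, MixColumns multiplications in GF(2^8), AddRoundKey): that gap is the whole basis of the "RC4 is fast" meme, and it is exactly the gap AES-NI closes by doing a full AES round in one instruction.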




I 100% believe you. All of my speed testing revolves around benchmarking ciphers with OpenSSH. The fastest was arcfour and the second fastest was blowfish. After that was aes128... But my company used AMD for whatever reason. I suspect though that if client and server both have AES support built into the CPU or use a crypto chip that AES would be the fastest as you said.

My point, however, was just to counter the speculation that Google uses RC4 because they misinterpreted BEAST results.


Is AES-NI available for ssh connections? Would be interesting to see an updated benchmark like http://blog.famzah.net/2010/06/11/openssh-ciphers-performanc... if it is.


AES-NI is an extension of the instruction set of the CPU just like x64 extensions, or the older MMX, MMX2, SSE style extensions. They are opcodes that are hardwired into the CPU itself.

Software has to be compiled to take advantage of these additional instructions. Much like how you can compile software for, say, i586 instead of i386, and get code that executes faster. So it all depends on how OpenSSH is compiled (and, to some extent, whether the OpenSSH source code has extra compiler flags/code sections).
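The way a library actually decides whether it may use those opcodes is a runtime CPUID query, which is why a single binary can take the AES-NI path on one machine and the software path on another. The following is an added example (not from any commenter, not OpenSSH or OpenSSL code) that performs that query in C; it assumes a GCC- or Clang-compatible toolchain for the `<cpuid.h>` header. CPUID leaf 1 returns feature flags in ECX, and bit 25 is the AESNI flag.

```c
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>   /* GCC/Clang wrapper around the CPUID instruction */
#endif

/* Added example (not from the thread): runtime detection of AES-NI.
 * CPUID leaf 1, register ECX, bit 25 == AESNI. */

/* Pure function over the raw ECX word, so the bit test can be verified
 * against constructed values without depending on the host CPU. */
int aesni_from_cpuid_ecx(uint32_t ecx) {
    return (int)((ecx >> 25) & 1u);
}

/* Query the CPU we are running on.
 * Returns 1 if AES-NI is present, 0 if absent, and -1 when this is not an
 * x86 build or CPUID leaf 1 cannot be read. */
int cpu_has_aesni(void) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))   /* 0 means leaf unsupported */
        return -1;
    return aesni_from_cpuid_ecx(ecx);
#else
    return -1;
#endif
}

int main(void) {
    int r = cpu_has_aesni();
    if (r < 0)
        puts("not an x86 build, or CPUID leaf 1 unavailable");
    else
        printf("AES-NI: %s\n", r ? "present" : "absent");
    return 0;
}
```

Two things follow from this for the OpenSSH question above. First, OpenSSH gets its AES from OpenSSL's libcrypto, which does this kind of detection itself at startup and dispatches to AES-NI assembly when the flag is set, so the compiler flags of the `ssh` binary matter less than the libcrypto it links. Second, you can measure both paths on the same machine: `openssl speed -evp aes-128-cbc` uses AES-NI when present, and re-running it with the environment variable `OPENSSL_ia32cap="~0x200000000000000"` masks that capability bit (bit 25 of ECX sits at bit 57 of the 64-bit mask) and forces the software implementation.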


It should be. There's also chacha20 if you need a fast software cipher.



