[tahoe-dev] Tahoe-LAFS Weekly Conference Call summary 2012-08-07
Zooko Wilcox-O'Hearn
zooko at zooko.com
Wed Aug 22 01:23:22 UTC 2012
On Fri, Aug 10, 2012 at 1:47 PM, Zooko Wilcox-O'Hearn <zooko at zooko.com> wrote:
>
> • Shall we keep using AES-128 or upgrade to AES-256? On some
> low-power ARM CPUs AES-128⊕XSalsa20 takes 25% fewer CPU cycles than
> AES-256⊕XSalsa20. Is that significant? We need to do some
> back-of-the-envelope estimates or even a live measurement on an ARM
> device to decide if that cost is significant.
Live measurements on François's small ARM device:
https://tahoe-lafs.org/buildbot-pycryptopp/builders/francois-ts109-armv5tel%20syslib/builds/111/steps/bench/logs/stdio
AES-128: 263 nanoseconds per byte
AES-256: 339 nanoseconds per byte
XSalsa20: 112 nanoseconds per byte
(All measurements done by crypting a 10 MB string and then dividing by
10,000,000.)
Therefore XSalsa20⊕AES-128 would probably cost about 375 nanoseconds
per byte, or 3.75 seconds to crypt a 10 MB file, and XSalsa20⊕AES-256
would probably cost about 451 nanoseconds per byte, or about 4.51
seconds to crypt a 10 MB file.
By the way, on the same machine Ed25519 key generation takes 32
milliseconds, signing takes 34 milliseconds, and verification takes
105 milliseconds.
(But before anyone is relying on Ed25519 in practice, we'll probably
upgrade the implementation of Ed25519 in pycryptopp to a newer
implementation that takes 5 to 9 times fewer CPU cycles!)
Regards,
Zooko
More information about the tahoe-dev
mailing list