ChaCha8/12/20 and GEOM ELI tests

rozhuk.im at gmail.com
Sat Jan 17 03:36:44 UTC 2015


> > I do not have many options.
> > 1. Drink vodka and use slow AES-XTS :)
> > 2. Use ChaCha GELI private patch
> > 3. Write Geom node.
> 
> 4. Look at GBDE.

Already looked. Do not like it.

 
> > Cipher = ChaCha/XChaCha
> > Hash = Blake2 - https://blake2.net/
> > Key1 = key for cipher
> > Key2 = key for HMAC
> > IV = HMAC(Key2, ('plain text data' + 'sector num')) = (8/24 bytes)
> >
> > IV stored on disk in two tables: main and back up
> > 1 GB (4kb sector) requires 2097152 / 6291456 bytes per IV table or
> > 16777216 for full 512 bit hmac
> >
> > +:
> > 1. optional data integrity verification (authentication)
> > 2. cache-timing attack resistant
> > 3. keys can be changed without transferring data to other media and
> >    with minimal risk
> >
> > -:
> > 1. very slow write: it is necessary to calculate the hmac and update
> >    two tables with IV data
> > 2. slow reading: the IV needs to be read from the table
> >    (+ optional hmac calc)
> > 3. the risk of damage to the IV table on disk hardware problems
> > 4. part of the disk is taken up by service data (IV tables)
> 
> This would be very hard to implement correctly, because writing the
> data and updating your tables are not atomic on disk. How do you handle
> the case where you write new data, but your system crashes or you have a
> power outage before updating the table?
> 
> I came to the conclusion that data authentication doesn't belong in the
> layer of disk encryption, because of the lack of atomicity. GBDE has this
> problem and GELI data authentication has a similar problem. This problem
> is mitigated by ZFS, which is a transactional, copy-on-write file system
> that never overwrites existing data. I personally use ZFS with SHA256
> checksum on top of GELI.
 
That's why I wrote 2 tables and a very slow write: write the IV to the main
table, write the data to the sector, write the IV to the backup table.
After the key is entered, both tables need to be checked; if they differ, try
to decrypt the data from the sector using both IVs to determine which one
is correct, and update the incorrect IV.

I like all of this much less than a private patch with ChaCha or slow AES-XTS.
I will try to make Threefish-XTS; are there any objections?


PS:
AMD 5350
AES-XTS-256
1 core                 =  38781004 bytes/sec
1 core AES-NI          = 418601975 bytes/sec
4 core                 = 143620811 bytes/sec
4 core AES-NI          = 652957361 bytes/sec

ChaCha8-256-1-core     = 243108762 bytes/sec
ChaCha8-256-4-core     = 544313467 bytes/sec
ChaCha12-256-1-core    = 197178668 bytes/sec
ChaCha12-256-4-core    = 480021949 bytes/sec
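
The write order and the two-table check described in the message above, simulated as an added example that is not part of the original post or of GELI. Assumptions: a candidate IV counts as correct when recomputing HMAC(Key2, decrypted data + sector number) reproduces it, keyed BLAKE2b stands in for the HMAC, a BLAKE2b counter-mode keystream stands in for ChaCha, and all names are hypothetical.

```python
import hashlib, hmac

IV_LEN = 24  # 24-byte IV, one of the two sizes given in the post

class Disk:
    """Constructed in-memory disk: data sectors plus main and backup IV tables."""
    def __init__(self, sectors, size=4096):
        self.data = [bytes(size)] * sectors
        self.main = [None] * sectors
        self.backup = [None] * sectors

def make_iv(key2, plaintext, sector):
    # IV = HMAC(Key2, plaintext + sector number); keyed BLAKE2b fills the HMAC role.
    msg = plaintext + sector.to_bytes(8, "little")
    return hashlib.blake2b(msg, key=key2, digest_size=IV_LEN).digest()

def xor_stream(key1, iv, data):
    # Stand-in keystream (keyed BLAKE2b in counter mode), NOT ChaCha.
    out = bytearray()
    for off in range(0, len(data), 64):
        pad = hashlib.blake2b(iv + off.to_bytes(8, "little"), key=key1).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 64], pad))
    return bytes(out)

def write_sector(disk, key1, key2, sector, plaintext, crash_after=3):
    # Order from the post: main IV, then data, then backup IV.
    # crash_after=N simulates power loss right after step N.
    iv = make_iv(key2, plaintext, sector)
    if crash_after >= 1:
        disk.main[sector] = iv
    if crash_after >= 2:
        disk.data[sector] = xor_stream(key1, iv, plaintext)
    if crash_after >= 3:
        disk.backup[sector] = iv

def read_sector(disk, key1, sector):
    return xor_stream(key1, disk.main[sector], disk.data[sector])

def recover_sector(disk, key1, key2, sector):
    """Return 'same', the table whose IV verified ('main'/'backup'), or 'lost'."""
    main, backup = disk.main[sector], disk.backup[sector]
    if main == backup:
        return "same"
    for name, iv in (("main", main), ("backup", backup)):
        if iv is None:
            continue
        plain = xor_stream(key1, iv, disk.data[sector])
        if hmac.compare_digest(make_iv(key2, plain, sector), iv):
            disk.main[sector] = disk.backup[sector] = iv  # repair the stale table
            return name
    return "lost"  # torn data write: neither IV matches the sector contents
```

A crash after step 1 or step 2 is repaired from whichever table's IV verifies, while a sector torn in the middle of the data write verifies under neither IV and comes back as lost.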




