On my old laptop, ChaCha20 is quite a bit faster than AES as there is no hardware acceleration for AES. But for disk encryption AES based schemes seem to be the only option, as a stream cipher like ChaCha20 cannot directly be used for disk encryption. Is it possible to use ChaCha20 in some other way/mode to make it suitable for disk encryption? Or are there any good block ciphers (maybe ARX ciphers?) around that are as fast as ChaCha20 without hardware support that could be used to accelerate the disk encryption?
2 Answers
Adiantum [1] is a wide-block cipher built out of ChaCha12, NH-Poly1305, and—for only a small part of the computation—AES. Being a wide-block cipher, Adiantum can encrypt, for example, entire 512-byte or 4096-byte disk sectors at a time. For each disk sector, Adiantum calls the AES permutation only once, so even constant-time software AES takes a small fraction of the Adiantum computation time.
Adiantum is reasonably fast, many times faster than constant-time software AES-XTS or AES-CBC on many machines; see the paper for performance measurements. The security of Adiantum as a tweakable block cipher is proven to be related to the security of ChaCha12 as a PRF and AES as a PRP, with additional advantage quadratic in the number of blocks (due to possible internal Poly1305 collisions), and is safe for exabytes of data in 4096-byte blocks under a single key; see Theorem 1 for the details and Sec. 6.5 for specific usage limits [1].
Android and NetBSD have adopted Adiantum for disk encryption on machines without hardware AES acceleration [2,3,4]. In the NetBSD kernel, AES is computed using constant-time software on machines without hardware AES acceleration [4,5].
Caveat: Adiantum is designed for disk encryption, which reuses the same key over a long period of time for many sectors being rewritten. Unlike the ChaCha or Poly1305 components it uses, Adiantum incurs a high cost to changing keys or handling many keys at once—not relevant to disk encryption. So it's not very general-purpose. (The same authors proposed HPolyC, at lower throughput but cheaper key agility by using just Poly1305 and not NH.) The disk encryption threat model is also very weak—it is only designed to protect secrets against theft or recycling of your disk, so it does nothing to detect forgery.
(Disclosure: I wrote NetBSD's Adiantum and AES code and made the proposal to adopt Adiantum.)
[1] Paul Crowley and Eric Biggers, Adiantum: length-preserving encryption for entry-level processors. IACR Transactions on Symmetric Cryptology, 2018(4), 39–61. https://doi.org/10.13154/tosc.v2018.i4.39-61
[2] Paul Crowley and Eric Biggers, Introducing Adiantum: Encryption for the Next Billion Users. Google Security Blog, 2019-02-07. https://security.googleblog.com/2019/02/introducing-adiantum-encryption-for.html
[3] NetBSD Manual Pages: cgd(4) -- cryptographic disk driver. NetBSD 10.0_BETA, August 16, 2020. https://man.netbsd.org/NetBSD-10.0-STABLE/cgd.4
[4] Taylor R Campbell, AES leaks, cgd ciphers, and vector units in the kernel. NetBSD tech-kern mailing list, 2020-06-17, message-id ⟨20200617233616.C8AE2603CD@jupiter.mumble.net⟩. https://mail-index.netbsd.org/tech-kern/2020/06/18/msg026505.html
[5] Taylor R Campbell, Rework AES in kernel to finally address CVE-2005-1797. NetBSD commit: src/sys, 2020-06-29. https://mail-index.netbsd.org/source-changes/2020/08/14/msg120525.html
@TaylorRCampbell Your answer is incredible! Not only does it answer the question, but Adiantum is already available on my Linux laptop, ready to be used, I don't even have to install anything. Someone just had to tell me about it (because cryptsetup benchmark does not show all the useful ciphers by default). And adiantum is strictly more secure than AES-XTS because a single ciphertext bit flip randomizes the entire disk sector.
On my old Core i3 CPU @ 2.53GHz I have these benchmarks with

    for ci in xchacha12,aes-adiantum-plain64 xchacha20,aes-adiantum-plain64 aes-xts-plain64; cryptsetup benchmark -c $ci; end

(output edited for readability)

    # Tests are approximate using memory only (no storage IO).
    # Algorithm              | Key  | Encryption   | Decryption
      xchacha12,aes-adiantum   256b   532,5 MiB/s    538,9 MiB/s
      xchacha20,aes-adiantum   256b   441,2 MiB/s    447,0 MiB/s
      aes-xts                  256b   124,7 MiB/s    125,2 MiB/s
On my more modern Core i7 @ 2.70 GHz (highest numbers from multiple runs):

    # Tests are approximate using memory only (no storage IO).
    # Algorithm              | Key  | Encryption    | Decryption
      xchacha12,aes-adiantum   256b   1066,9 MiB/s    1107,6 MiB/s
      xchacha20,aes-adiantum   256b    935,8 MiB/s     951,5 MiB/s
      aes-xts                  256b   2189,9 MiB/s    2213,3 MiB/s
(For anyone considering using adiantum for disk encryption, the xchacha20 variant uses more rounds for the chacha cipher and thus has more of a security margin. It is recommended unless you absolutely can't tolerate its performance over the xchacha12 variant, e.g. on a smartwatch. Currently both are secure, but new discoveries in cryptanalysis would potentially break xchacha12 earlier if it ever came to that.)
Now I also want to use adiantum with AES instead of ChaCha on my newer computers for the better security it gives. Guess I'll need to ask on unix.stackexchange about that, as aes-ctr,aes-adiantum-plain64 or something similar doesn't seem to exist in my kernel yet.
edit: The hardware accelerated version of a wide block cipher also exists, it's called HCTR2, and is available in Linux kernel 6. Thanks @PaulCrowley!
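Both answers turn on one property of a wide-block cipher: a single ciphertext bit flip scrambles the whole sector on decryption, whereas a narrow-block mode such as XTS only scrambles the 16-byte AES block the flip lands in. The following is an added illustration of that difference, not code from either answer and not Adiantum itself. It builds a tweakable permutation from a 4-round Luby-Rackoff Feistel network with HMAC-SHA256 as the round function, applies it once per 16-byte block for the narrow case (the block structure XTS has) and once over a full 512-byte sector for the wide case, then counts how many plaintext bytes change after one ciphertext bit is flipped. The key, sector number and plaintext are constructed sample values, and the function names are my own; real Adiantum is built from ChaCha12, NH, Poly1305 and AES as the first answer describes, so this stand-in reproduces only the diffusion behaviour, not Adiantum's speed or its security proof.

```python
import hmac
import hashlib

# Teaching model only, not Adiantum.  Four Feistel rounds (Luby-Rackoff)
# with a keyed hash as the round function give a pseudorandom permutation
# over any even block length, which is all we need to show diffusion.
ROUNDS = 4
NARROW_BLOCK = 16   # bytes: the AES block size that XTS permutes independently
SECTOR = 512        # bytes: one disk sector


def _prf(key: bytes, label: bytes, data: bytes, out_len: int) -> bytes:
    """Expand HMAC-SHA256(key, label || counter || data) to out_len bytes."""
    out = b""
    counter = 0
    while len(out) < out_len:
        msg = label + counter.to_bytes(4, "big") + data
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:out_len]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def feistel_encrypt(key: bytes, tweak: bytes, block: bytes) -> bytes:
    """Tweakable PRP over an even-length block: each round maps (L, R) -> (R, L ^ F(R))."""
    assert len(block) % 2 == 0
    half = len(block) // 2
    left, right = block[:half], block[half:]
    for r in range(ROUNDS):
        left, right = right, _xor(left, _prf(key, tweak + bytes([r]), right, half))
    return left + right


def feistel_decrypt(key: bytes, tweak: bytes, block: bytes) -> bytes:
    """Undo the rounds of feistel_encrypt in reverse order."""
    half = len(block) // 2
    left, right = block[:half], block[half:]
    for r in reversed(range(ROUNDS)):
        left, right = _xor(right, _prf(key, tweak + bytes([r]), left, half)), left
    return left + right


def _tweak(sector: int, offset: int = 0) -> bytes:
    """Tweak = sector number plus byte offset inside the sector (offset 0 for wide mode)."""
    return sector.to_bytes(8, "little") + offset.to_bytes(4, "little")


def narrow_encrypt(key: bytes, sector: int, data: bytes) -> bytes:
    """XTS-like structure: an independent 16-byte permutation per block, tweaked by position."""
    return b"".join(feistel_encrypt(key, _tweak(sector, i), data[i:i + NARROW_BLOCK])
                    for i in range(0, len(data), NARROW_BLOCK))


def narrow_decrypt(key: bytes, sector: int, data: bytes) -> bytes:
    return b"".join(feistel_decrypt(key, _tweak(sector, i), data[i:i + NARROW_BLOCK])
                    for i in range(0, len(data), NARROW_BLOCK))


def wide_encrypt(key: bytes, sector: int, data: bytes) -> bytes:
    """Wide-block structure: one permutation over the entire sector."""
    return feistel_encrypt(key, _tweak(sector), data)


def wide_decrypt(key: bytes, sector: int, data: bytes) -> bytes:
    return feistel_decrypt(key, _tweak(sector), data)


def bytes_changed_by_flip(encrypt, decrypt, key, sector, plaintext, bit_index):
    """Flip one ciphertext bit, decrypt, and return the plaintext byte offsets that changed."""
    ct = bytearray(encrypt(key, sector, plaintext))
    ct[bit_index // 8] ^= 1 << (bit_index % 8)
    damaged = decrypt(key, sector, bytes(ct))
    return [i for i, (a, b) in enumerate(zip(plaintext, damaged)) if a != b]


# Constructed sample inputs: a fixed key, a sector number and a recognisable plaintext.
KEY = bytes(range(32))
SECTOR_NO = 7
PLAINTEXT = bytes(range(256)) * (SECTOR // 256)


def demo():
    """Return (narrow_changed, wide_changed) offsets for a flip of ciphertext bit 100 (byte 12)."""
    narrow = bytes_changed_by_flip(narrow_encrypt, narrow_decrypt, KEY, SECTOR_NO, PLAINTEXT, 100)
    wide = bytes_changed_by_flip(wide_encrypt, wide_decrypt, KEY, SECTOR_NO, PLAINTEXT, 100)
    return narrow, wide


if __name__ == "__main__":
    narrow, wide = demo()
    print(f"narrow-block: {len(narrow)} plaintext bytes changed, all within offsets "
          f"{min(narrow)}..{max(narrow)} (the 16-byte block that was hit)")
    print(f"wide-block:   {len(wide)} of {SECTOR} plaintext bytes changed")
```

Running it shows the narrow-block mode confining the damage to offsets 0..15 while the wide-block mode changes roughly 510 of the 512 bytes, which is the property behind the second answer's remark that a flipped bit randomizes the entire sector; as the first answer notes, neither construction detects the tampering, it only limits what a targeted modification can achieve.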