"SJ" == Simon Josefsson <simon@josefsson.org> writes:
SJ> The speed of 20 rounds Salsa20 and ChaCha is high.
To give an example of how high, openssh's C implementation of chacha20 with poly1305 is faster than openssl's non-aesni amd64 assembly for aes128-gcm, and both significantly outperform ssh's use of openssl's aes128-ctr or -cbc assembly with openssh's umac-64.
On top of that, the sse2 assembly code for chacha20 at:
https://github.com/floodyberry/chacha-opt
is 3-4 times as fast as pure C, and the avx and avx2 assembly is about 50% faster still.
All for a cipher which is inherently easier to code securely than gcm and, like gcm, safer than most current usage of separate macs. (Given the various known attacks on TLS and the widely repeated statements that gcm is hard to code w/o timing leaks, et alia.)
-JimC
--
James Cloos <cloos@jhcloos.com> OpenPGP: 1024D/ED7DAEA6