Consider adding ChaCha as alternate encryption cipher to AES

[ghost]

Feature request: Would you consider adding ChaCha as an alternate cipher to AES for message encryption??

Marcin Krzyżanowski's CryptoSwift library implements this and suggests that this cipher is now starting to be used by Apple and Google in his presentation here.

[henrinormak]

I wouldn't mind using it (either as the only solution or as an alternative), but as long as there is no underlying iOS support for this, I would prefer not to use it. Mainly to keep any the number of dependencies low and to not implement a crypto-algorithm myself (copy-paste from CryptoSwift would still need to be maintained).

Of course if you are willing to swap out AES for ChaCha, I would definitely pull the code in (if not to master, then to a separate branch).

[ghost]

Note that CryptoSwift is completely written in Swift and while I do not have timings for ChaCha the timings I have dome for AES show it to be over 1000 times slower than Common Crypto, that is probably a deal breaker.

[ghost]

AES if fast on iPhones because of hardware support - and I presume CommonCrypto uses this AES hardware support. From the iOS Security—White Paper | June 2015:

Every iOS device has a dedicated AES 256 crypto engine built into the DMA path between the flash storage and main system memory, making file encryption highly efficient.

I'm not suggesting that the Heimdall implementation of AES should change to use the CryptoSwift AES software implementation. Rather, I was suggesting that it may be useful to implement Cha Cha as an additional cipher option given suggestions that it is becoming more popular and possibly more secure (even if it is software implementation).

There is an interesting article on the Cloudflare Blog about ChaCha performance vs AES which is interesting - Do the ChaCha: better mobile performance with cryptography.

Depending on the application, we may need to consider the performance of decryption on the other end (rather than just on the iPhone).

[Lafihh]

On older phones chacha20 is much faster and is used by chrome on Android, but Google engineer tweeted that on newer phones with ARMv8 chip AES GCM is faster than Chacha20 (due to hardware support for AES) and Chrome switches to AES GCM in such cases

https://twitter.com/agl__/status/664579979724763136

[ghost]

I have done some timings of Common Crypto AES vs CryptoSwift AES and CryptoSwift ChaCha20:

iPhone 6S: Data length: 1,000,000 bytes Common Crypto AES : 2.3 mSec CryptoSwift AES : 2274.5 mSec CryptoSwift ChaCha: 1073.9 mSec Ratio of Common Crypto AES to CryptoSwift AES : 998 Ratio of Common Crypto AES to CryptoSwift ChaCha: 471

iPhone 5S: Data length: 1,000,000 bytes Common Crypto AES : 6.0 mSec CryptoSwift AES : 4,703.1 mSec CryptoSwift ChaCha: 2,265.5 mSec Ratio of Common Crypto AES to CryptoSwift AES : 785 Ratio of Common Crypto AES to CryptoSwift ChaCha: 378

iPhone 4S: Data length: 1,000,000 bytes Common Crypto AES : 31.8 mSec CryptoSwift AES : 11,870.2 mSec CryptoSwift ChaCha: 6,662.8 mSec Ratio of Common Crypto AES to CryptoSwift AES : 373 Ratio of Common Crypto AES to CryptoSwift ChaCha: 209

Conclusions:

• CryptoSwift ChaCha is over twice as fast as CryptoSwift AES but 200 to 400 times slower than Common Crypto AES. • The iPhone crypto engine has become about 13 times faster over the last 4 years and it's improvement over ARM code is about 3 times over the same 4 years.