I intend to implement gocryptfs on my local backup server to synchronize it with a remote one via rsync and reverse-mode.
However, the AES-SIV performance is abysmal on such a machine (5-8 MB/s on armhf machines), which for now is postponing my deployment until I find a more suitable machine to replace my setup. I measured the performance on a more modern CPU (RK3399 at 2 GHz, arm64 A72 with crypto), and it's much better, but there's still a 10x factor between AES-GCM and AES-SIV:
$ taskset -c 4 ./gocryptfs-arm64-nossl -speed
gocryptfs v2.2.1-35-ge9ecff7 without_openssl; go-fuse v2.1.1-0.20211219085202-934a183ed914; 2022-08-15 go1.17.5 linux/arm64
cpu: unknown; with AES acceleration
AES-GCM-256-OpenSSL N/A
AES-GCM-256-Go 1015.97 MB/s (selected in auto mode)
AES-SIV-512-Go 101.39 MB/s
XChaCha20-Poly1305-OpenSSL N/A
XChaCha20-Poly1305-Go 197.15 MB/s (selected in auto mode)
While reading some info online about the reasons why AES-SIV is slower, I came across the very recent RFC 8452 that presents AES-GCM-SIV, which combines the benefits of GCM for speed (claims 2/3 of GCM) and SIV for the synthetic initial vector, and which even claims to be more resistant against birthday attacks. Thus I was wondering if you were aware of this new algo and if you had any plans for trying it (note that I'm not a Go developer, so I'm afraid I won't be of much help here beyond participating in tests).
The RFC is here: https://datatracker.ietf.org/doc/html/rfc8452