Google announces for encryption on slower devices
Google has announced Adiantum, a new cipher that aims to bring robust encryption even on devices with more limited specifications that cannot use AES for performance limits.
Providing a solid cryptographic system on all devices has long since become a necessity for manufacturers. The use of state-of-the-art technology is not always possible due to the hardware requirements imposed by the latter. This is the case of the AES cipher, widely used for the encryption of both content coming from the Web (for example: example for TLS) and to encrypt the contents on the file system.
This cipher requires specific hardware instructions to be used effectively (ie without excessive performance repercussions) on the devices; in the absence of these, the penalties in terms of speed are considerable. Since most devices that use cost-effective processors, such as the Cortex-A7, do not have instructions for encryption, Google has developed Adiantum to enable data to be encrypted efficiently even on lower-end devices.
Adiantum is not an entirely new cipher, but makes use of portions already present in other ciphers. Specifically, when encrypting a 4,096 byte block (typical sector size of a file system), it uses a combination of hashing with Poly1305, encryption of the last 16 bytes via AES-256 (which does not impact performance significantly) and moreover through ChaCha12.
This last cipher is used because it does not require specific instructions and works with the normal operations of addition, rotation and XOR; it is implementable in software with good overall performance. Adiantum was created because it allows to preserve the length of the blocks keeping the ability to completely alter the ciphertext if any bit is changed in the original text.
Like DES and AES, ChaCha also works in rounds: each round increases security, at the cost of lower performance. So far, up to seven rounds of ChaCha have been found: the seven-round variant was punctured in 2008, but no attacks for the eight-round variant have yet been found. Google chose the 12 round variant for Adiantum (ChaCha12).
Adiantum will become part of Android specifications starting from Android Q. It must be used for all devices that are not able to provide performance equal to at least 50 MiB/s, while above this, threshold will be mandatory to use AES-256.
In the language of flowers, the capillus-veneris (part of the Adiantaceae, hence the name of the Google project) means discretion and sincerity: qualities that are hoped to be confirmed by the analysis of Adiantum and the proof of the facts. Further information and a more technical explanation of the operation are available on the Google blog.