Closed
Description
Hi! I know I'm not the first bringing this up, but almost 6 years have passed since that thread was created. What's the case against AES-GCM at this point? I wrote a PoC and a simple benchmark (it's in the PR), and the results on my Ryzen 5900X reveal a significant performance improvement:
```
Warming up --------------------------------------
v1 encrypt 2.991k i/100ms
v2 encrypt 3.756k i/100ms
Calculating -------------------------------------
v1 encrypt 29.661k (± 1.6%) i/s - 149.550k in 5.043342s
v2 encrypt 37.928k (± 1.7%) i/s - 191.556k in 5.052004s
Comparison:
v2 encrypt: 37927.9 i/s
v1 encrypt: 29660.9 i/s - 1.28x slower
Warming up --------------------------------------
v1 decrypt 2.999k i/100ms
v2 decrypt 4.857k i/100ms
Calculating -------------------------------------
v1 decrypt 31.843k (± 0.9%) i/s - 161.946k in 5.086207s
v2 decrypt 50.303k (± 3.1%) i/s - 252.564k in 5.025839s
Comparison:
v2 decrypt: 50302.8 i/s
v1 decrypt: 31842.9 i/s - 1.58x slower
Warming up --------------------------------------
v1 decrypt tampered 10.339k i/100ms
v2 decrypt tampered 24.053k i/100ms
Calculating -------------------------------------
v1 decrypt tampered 103.586k (± 0.6%) i/s - 527.289k in 5.090543s
v2 decrypt tampered 240.950k (± 0.4%) i/s - 1.227M in 5.091206s
Comparison:
v2 decrypt tampered: 240949.6 i/s
v1 decrypt tampered: 103585.8 i/s - 2.33x slower
```
I tried tampering with the version, IV, salt, ciphertext, and authentication tag, and got similar results. I.e., it's still faster to attempt to decrypt the ciphertext than to HMAC the message.
Is there interest in a new encryption envelope? I know that this is a highly sensitive part of this library.
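As an added illustration (not the PR's code and not this library's envelope format), here is a minimal AES-256-GCM envelope in Ruby that repeats the per-field tampering check the post describes. The field layout, the PBKDF2 parameters and all function names are assumptions made for the example.

```ruby
require "openssl"

# Hypothetical layout (an assumption): version(1) | salt(16) | iv(12) | tag(16) | ciphertext
VERSION = "\x02".b
SALT_LEN, IV_LEN, TAG_LEN = 16, 12, 16
HEADER_LEN = 1 + SALT_LEN + IV_LEN + TAG_LEN

def derive_key(secret, salt)
  # The iteration count is a constructed sample value, not a recommendation.
  OpenSSL::KDF.pbkdf2_hmac(secret, salt: salt, iterations: 10_000, length: 32, hash: "sha256")
end

# Assumes a non-empty plaintext.
def gcm_encrypt(secret, plaintext)
  salt = OpenSSL::Random.random_bytes(SALT_LEN)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = derive_key(secret, salt)
  iv = cipher.random_iv              # fresh 96-bit nonce for every message
  cipher.auth_data = VERSION + salt  # version and salt are covered by the tag
  ct = cipher.update(plaintext) + cipher.final
  VERSION + salt + iv + cipher.auth_tag(TAG_LEN) + ct
end

# Returns the plaintext, or nil for any malformed or tampered envelope.
def gcm_decrypt(secret, envelope)
  envelope = envelope.b
  return nil if envelope.bytesize <= HEADER_LEN || envelope.byteslice(0, 1) != VERSION
  salt = envelope.byteslice(1, SALT_LEN)
  iv   = envelope.byteslice(1 + SALT_LEN, IV_LEN)
  tag  = envelope.byteslice(1 + SALT_LEN + IV_LEN, TAG_LEN)
  ct   = envelope.byteslice(HEADER_LEN, envelope.bytesize)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = derive_key(secret, salt)
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = VERSION + salt
  cipher.update(ct) + cipher.final   # final raises if the tag does not verify
rescue OpenSSL::Cipher::CipherError
  nil
end

# Flip one bit in each field and report whether decryption rejects the result.
def tamper_report(secret, envelope)
  offsets = { version: 0, salt: 1, iv: 1 + SALT_LEN, tag: 1 + SALT_LEN + IV_LEN, ciphertext: HEADER_LEN }
  offsets.transform_values do |off|
    bad = envelope.dup
    bad.setbyte(off, bad.getbyte(off) ^ 0x01)
    gcm_decrypt(secret, bad).nil?
  end
end
```

With GCM a single tag check covers the header and the ciphertext, so there is no separate MAC pass before decryption. Callers must not use any output of `update` until `final` has returned.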