Adiantum Is Taking Shape As Google's Speck Replacement For Low-End Device Encryption
Adiantum enhances the ChaCha12 cipher so it's suitable for disk encryption. Adiantum is based upon an improved version of HPolyC that pairs ChaCha with two passes of a hash function and one AES-256 encryption of a single 16-byte block. The Adiantum patches for the Linux kernel are currently up to their third public revision.
On low-end ARM devices of similar speed to Android Go hardware, Adiantum is indeed much faster. "Adiantum is about 4x faster than AES-256-XTS (about 5x for decryption), and about 30% faster than Speck128/256-XTS...Adiantum is ~20% faster than HPolyC, with no loss of security; in fact, Adiantum's security bound is slightly better than HPolyC's."
The updated patches are re-based against the newly minted Linux 4.20-rc1 kernel. The code enables Adiantum within the kernel's crypto subsystem and subsequently wires it up into the fscrypt mechanism so it can be used by the likes of F2FS and EXT4.
So in the end they are capable of getting even faster results than their original Speck plans while not having to worry whether there could be a backdoor by the National Security Agency. And indeed, Speck is removed with Linux 4.20 currently in development. We'll see if Adiantum is ready to be merged by the time of the Linux 4.21 kernel cycle kicking off in early January.