Adiantum Is Taking Shape As Google's Speck Replacement For Low-End Device Encryption

Earlier this year when Google added Speck-based file-system encryption support to the Linux kernel they intended it to be used by low-end Android phones/smartwatches with older ARM processors lacking the dedicated ARM cryptography extensions. Speck is fast enough to provide disk encryption on the low-end hardware, but ultimately they decided against Speck due to public outcry with the algorithm potentially being compromised by the US NSA. Instead Google engineers decided to pursue HPolyC as their new means of encryption on low-end hardware while now that has evolved into a new technology dubbed Adiantum.

Adiantum enhances the ChaCha12 cipher so it's suitable for disk encryption. Adiantum is based upon an improved version of HPolyC that pairs ChaCha with two passes of a hash function and one AES-256 encryption of a single 16-byte block. The Adiantum patches for the Linux kernel are currently up to their third public revision.

On low-end ARM devices of similar speed to Android Go hardware, Adiantum is indeed much faster. "Adiantum is about 4x faster than AES-256-XTS (about 5x for decryption), and about 30% faster than Speck128/256-XTS...Adiantum is ~20% faster than HPolyC, with no loss of security; in fact, Adiantum's security bound is slightly better than HPolyC's."

The updated patches are re-based against the newly minted Linux 4.20-rc1 kernel. The code enables Adiantum within the kernel's crypto subsystem and subsequently wires it up into the fscrypt mechanism so it can be used by the likes of F2FS and EXT4.

So in the end they are capable of getting even faster results than their original Speck plans while not having to worry whether there could be a backdoor by the National Security Agency. And indeed, Speck is removed with Linux 4.20 currently in development. We'll see if Adiantum is ready to be merged by the time of the Linux 4.21 kernel cycle kicking off in early January.