K 10
svn:author
V 6
obrien
K 8
svn:date
V 27
2022-02-12T22:59:24.039669Z
K 7
svn:log
V 1138
Fortuna: Add Chacha20 as an alternative stream cipher

Chacha20 with a 256 bit key and 128 bit counter size is a good match for an
AES256-ICM replacement.

In userspace, Chacha20 is typically marginally slower than AES-ICM on
machines with AESNI intrinsics, but typically much faster than AES on
machines without special intrinsics.  ChaCha20 does well on typical modern
architectures with SIMD instructions, which includes most types of machines
FreeBSD runs on.

In the kernel, we can't (or don't) make use of AESNI intrinsics for
random(4) anyway.  So even on amd64, using Chacha provides a modest
performance improvement in random device throughput today.

This change makes the stream cipher used by random(4) configurable at boot
time with the 'kern.random.use_chacha20_cipher' tunable.

Very rough, non-scientific measurements at the /dev/random device, on a
GENERIC-NODEBUG amd64 VM with 'pv', show a factor of 2.2x higher throughput
for Chacha20 over the existing AES-ICM mode.

(cherry picked from commit ab69c4858cb7237623cb8dddb8cfe101f50ad3d8)

Git Hash:   bc36a0d1df83e42659e7224e3838ef1a0ab4bfcd
Git Author: cem@FreeBSD.org
END