by api 430 days ago
ChaCha is in many ways better, but so far AES tends to win on most chips due to the existence of AES acceleration hardware. Without acceleration ChaCha is a lot faster, but with acceleration AES beats it quite a bit in both raw performance and power consumption.

Security-wise they are roughly equivalent in practice if they are used properly.

1 comments

I'm curious if there are any good benchmarks of ChaCha8 (as advocated for in the "Too Much Crypto" paper https://eprint.iacr.org/2019/1492.pdf ) vs hardware-accelerated AES.

The best I could find was a rough 2.5x speedup of ChaCha8 vs ChaCha20 in the "Too Much Crypto" paper and https://github.com/jedisct1/rust-aegis#benchmarks that benchmarks ChaCha20 and various AES implementations in addition to AEGIS, where it looks like ChaCha8 might be competitive with hardware-accelerated AES on some platforms (AMD) but not others (M1).

My benchmarks are not public, but on AMD EPYC processors ChaCha12 (5 GB / s) is faster than hardware-accelerated AES-256-GCM (3.5 GB / s).

Unfortunately, this is comparing apples to oranges because AES-256-GCM is authenticated, so you will need a MAC with ChaCha12 (usually Poly1305) which finally makes ChaCha12 in AEAD mode slower than AES-256-GCM.

But the real question is: What is fast enough?

I believe that between 1 and 2 GB / s per core for an AEAD is fast enough as I/O will be your bottleneck way before that.

This is why I will always favor a ChaCha20/ChaCha12-based AEAD over AES and its many footguns.

AES itself doesn't have many footguns. GCM has footguns if not used carefully.

IIRC AES GCM does about 40-70 MB/s per core on Pi4, and ChaPoly does 150-200MB/s.

On Pi5 AES GCM does 1.5-2GB/s per core, and ChaPoly is still something like 150-300MB/s.

You can do experiments yourself with `openssl speed`.
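
One way to run the single-core comparison suggested in the last comment, as an added example that is not part of the thread. It assumes OpenSSL 1.1.1 or later (for `-bytes`, `-seconds` and `-mr`); the function names `last_rate`, `to_mb`, `bench` and `compare` are hypothetical helpers.

```shell
#!/bin/sh
# Added example: per-core AEAD throughput with `openssl speed`.
# Run as: sh bench.sh run

# Read `openssl speed -mr` output on stdin and print the bytes/second
# figure for the largest block size. In machine-readable mode the result
# line is "+F:<index>:<name>:<B/s>[:<B/s>...]", one value per block size,
# so the last field is the largest buffer. Fails if no result line is seen.
last_rate() {
    awk -F: '
        /^\+F:/ { rate = $NF }
        END     { if (rate == "") exit 1; printf "%.0f\n", rate }
    '
}

# Convert bytes/second to decimal MB/s, the unit used in the thread.
to_mb() {
    awk -v b="$1" 'BEGIN { printf "%.0f\n", b / 1000000 }'
}

# bench <evp-cipher-name>: MB/s on one core with 16 KiB buffers.
# The -evp path is the one that picks up AES-NI / ARMv8 crypto extensions.
bench() {
    rate=$(openssl speed -mr -evp "$1" -bytes 16384 -seconds 3 2>/dev/null \
           | last_rate) || return 1
    to_mb "$rate"
}

# Both ciphers are measured as AEADs (GCM and Poly1305 included), which
# avoids the unauthenticated-vs-authenticated mismatch raised above.
compare() {
    for cipher in aes-256-gcm chacha20-poly1305; do
        if mbps=$(bench "$cipher"); then
            printf '%-20s %6s MB/s\n' "$cipher" "$mbps"
        else
            printf '%-20s unavailable in this OpenSSL build\n' "$cipher"
        fi
    done
}

if [ "${1:-}" = "run" ]; then
    compare
fi
```

Run it on an otherwise idle machine and repeat a few times; frequency scaling and thermal throttling, especially on a Pi, move the numbers noticeably.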