[redcannon218]

My benchmarks are not public, but on AMD EPYC processors ChaCha12 (5 GB / s) is faster than hardware-accelerated AES-256-GCM (3.5 GB / s).

Unfortunately, this is comparing apples to oranges because AES-256-GCM is authenticated, so you will need a MAC with ChaCha12 (usually Poly1305) which finally makes ChaCha12 in AEAD mode slower than AES-256-GCM.

But the real question is: What is fast enough?

I believe that between 1 and 2 GB / s per core for an AEAD is fast enough as I/O will be your bottleneck way before that.

This is why I will always favor a ChaCha20/ChaCha12-based AEAD over AES and its many footguns.

[api]

AES itself doesn't have many footguns. GCM has footguns if not used carefully.

[commandersaki]

IIRC AES GCM does about 40-70 MB/s per core on Pi4, and ChaPoly does 150-200MB/s.

On Pi5 AES GCM does 1.5-2GB/s per core, and ChaPoly is still something like 150-300MB/s.

You can do experiments yourself with `openssl speed`.