Google launches Adiantum encryption algorithm for low-end Android Pie devices

Adiantum encryption algorithm

Image: googleblog

Smartphones have become an indispensable part of our daily lives, and our mobile phones may also store a large amount of our private content. If the phone is accidentally lost or falls into the wrong hands, it may pose a security risk, so it is necessary to securely encrypt the smartphone. Many high-end Android devices now use the high-intensity AES algorithm to provide storage encryption, but low-end devices have weak performance and are not suitable for AES algorithms.

The Chacha20 algorithm can be used in the field of HTTPS encryption to solve the problem that hardware encryption is not available, and the security of the algorithm is also very good. As early as 2014, Google chose Chacha20 / Poly1305 for verification. Currently, the above algorithm has been used for HTTPS connection TLS cipher suite. At the same time, the Chacha20-Poly1305 algorithm has also become the RFC7539 standard, which greatly improves the speed of devices lacking AES hardware support.

Although the Chacha20 algorithm is excellent, there are still adjustments in the field of disk and file encryption, where data is organized into sectors for storage. The sectors storage is typically 4096 bytes. When the file system requests a device to read or write to a sector, the encryption layer intercepts and converts between plaintext ciphertext. This means that the encryption conversion must be between 4096 bytes of plaintext and 4096 bytes of ciphertext, while RFC7539 requires that ciphertext must be larger than plaintext. Because the random number password and message integrity information also require very little extra space, although it can be stored in other sectors, it will reduce efficiency.

In the case of using the AES encryption algorithm, the traditional disk encryption solution uses the XTS or CBC-ESSIV mode of operation and the length is reserved. The Android system itself already supports the use of AES-128-CBC-ESSIV for full disk encryption and the AES-256-XTS algorithm for file-based encryption. However, there is no extensive alternative to complete fast encryption and decryption operations on low-end ARM processors in the event of insufficient device performance. This means that users may experience slow loading of applications during daily use, which is a technical problem caused by insufficient encryption and decryption performance.

Image: googleblog

To address this security issue, Google developed and designed the Adiantum encryption algorithm called Adiantum using the ChaCha20 algorithm in length retention mode. “On ARM Cortex-A7, Adiantum encryption and decryption on 4096-byte sectors is about 10.6 cycles per byte, around 5x faster than AES-256-XTS“, which means that even if the device uses full disk encryption, it does not affect performance. Unlike the XTS and CBC-ESSIV modes of operation, the Adiantum algorithm uses a true wide block mode, and the ciphertext cannot be changed by changing the position of the plaintext. The same position change of the same ciphertext cannot change the plaintext. This working principle is mainly done by using the keyed hash of the Poly1305 algorithm and the NH function.

The main purpose of the Adiantum algorithm is to provide encryption services equally for all Android devices, rather than only mid- to high-end devices. A number of papers published by researchers at Google have confirmed the safety of the Adiantum algorithm, and interested researchers can click here to view the algorithm.