Google has a new mode of storage encryption called Adiantum that is made specifically to run on phones and smart devices that don’t have the specialised hardware to use current methods to encrypt locally stored data efficiently.
Google says that Adiantum allows it to use the ChaCha stream cipher in a length-preserving mode that adapts ideas from AES-based proposals for length-preserving encryption, such as HCTR and HCH.
Encryption is incredibly important. It underpins our digital security. Encryption encodes data so that it can only be read by individuals with a key. With encryption, you are in complete control of this key, and you can store sensitive information such as personal data securely.
But encryption isn’t always practical, since it would slow some computers, smartphones and other devices to the point of being unusable.
Adiantum is designed to run efficiently without specialised hardware. This will make the next generation of devices more secure than their predecessors, and allow the next billion people coming online for the first time to do so safely.
Adiantum will help secure our connected world by allowing everything from smart watches to internet-connected medical devices to encrypt sensitive data.
Google’s hope is that Adiantum will democratise encryption for all devices. Just like you wouldn’t buy a phone without text messaging, there will be no excuse for compromising security for the sake of device performance. Everyone should have privacy and security, regardless of their phone’s price tag.
Unlike modes such as XTS or CBC-ESSIV, Adiantum is a true wide-block mode: changing any bit anywhere in the plaintext will unrecognizably change all of the ciphertext, and vice versa. It works by first hashing almost the entire plaintext using a keyed hash based on Poly1305 and another very fast keyed hashing function called NH.
Google also hash a value called the “tweak” which is used to ensure that different sectors are encrypted differently. This hash is then used to generate a nonce for the ChaCha encryption. After encryption, it is hashed again, so that we have the same strength in the decryption direction as the encryption direction.
This is arranged in a configuration known as a Feistel network, so that we can decrypt what we’ve encrypted. A single AES-256 invocation on a 16-byte block is also required, but for 4096-byte inputs this part is not performance-critical
Android device manufacturers can enable Adiantum for either full-disk or file-based encryption on devices with AES performance <= 50 MiB/sec and launching with Android Pie. Where hardware support for AES exists, AES is faster than Adiantum; AES must still be used where its performance is above 50 MiB/s.
In Android Q, Adiantum will be part of the Android platform, and we intend to update the Android Compatibility Definition Document (CDD) to require that all new Android devices be encrypted using one of the allowed encryption algorithms.
