While Safer Internet Day was on Tuesday, Google has turned the event into a week-long affair of new features and tools. Today, it is focusing on Android with Adiantum to bring encryption to low-powered devices like entry-level phones and other smart devices that don’t run on processors optimized for AES.
Adiantum — named after a fern to represent “sincerity and discretion” — is a new form of storage encryption by Google to run on devices that don’t leverage the latest ARMv8 processors and therefore do not support Advanced Encryption Standard (AES).
The company is specifically targeting processors based on ARM Cortex-A7, which includes smartwatches and TVs, that don’t feature the specialized hardware. On these entry-level devices, AES is “so slow that it would result in a poor user experience; apps would take much longer to launch, and the device would generally feel much slower.” As such, Google has provided an exemption on the Android 6.0+ rule to require storage encryption.
To solve this problem, we have designed a new encryption mode called Adiantum. Adiantum allows us to use the ChaCha stream cipher in a length-preserving mode, by adapting ideas from AES-based proposals for length-preserving encryption such as HCTR and HCH. On ARM Cortex-A7, Adiantum encryption and decryption on 4096-byte sectors is about 10.6 cycles per byte, around 5x faster than AES-256-XTS.
Adiantum is new and builds on work used to provide HTTPS on all devices, but Google has “high confidence in its security.” The company details this in a new research paper, and has a full blog post detailing how it works. Adiantum aims to address the performance trade-offs associated with security on the upcoming wave of IoT smart devices that will be low-powered by design.
In our paper, we prove that it has good security properties, under the assumption that ChaCha12 and AES-256 are secure. This is standard practice in cryptography; from “primitives” like ChaCha and AES, we build “constructions” like XTS, GCM, or Adiantum. Very often we can offer strong arguments but not a proof that the primitives are secure, while we can prove that if the primitives are secure, the constructions we build from them are too. We don’t have to make assumptions about NH or the Poly1305 hash function; these are proven to have the cryptographic property (“ε-almost-∆-universality”) we rely on.
Reference code, test vectors, and a benchmarking suite is available now on Github, with OEMs able to use Adiantum for full-disk or file-based encryption on Android Pie devices that don’t meet the usual AES performance requirement.
Moving forward, Adiantum will be part of the platform with Android Q. Google also plans to update the Android Compatibility Definition Document (CDD) to “require that all new Android devices be encrypted using one of the allowed encryption algorithms.”
This will make the next generation of devices more secure than their predecessors, and allow the next billion people coming online for the first time to do so safely. Adiantum will help secure our connected world by allowing everything from smart watches to internet-connected medical devices to encrypt sensitive data.