Lightweight Cryptography Primitives
|
This page is a copy of the main 32-bit performance page as at 18 Septeber 2020. That date was the NIST cut-off for status updates from the Round 2 candidate submission teams, leading up to the selection of Round 2 finalists in December 2020.
The original page contains updated figures for changes that were made by myself and others since the cut-off. Some submissions were received by me before the cut-off but I didn't have time to integrate them.
The source code for the baseline versions can be found in the round2_baseline branch of the repository. The master branch contains the more up to date versions of each algorithm.
All baseline versions are implemented in C for 32-bit platforms. Some of the more recently implementations use assembly code to accelerate the algorithms on ARM Cortex M* microprocessors.
There is a lot of variation in the capabilities of embedded microprocessors. Some are superscalar; others are not. Some have specialised vector instructions; others do not. Clock speeds can also vary considerably. All this means that "cycles per byte" or "megabytes per second" are pretty meaningless when trying to rank the algorithms on relative performance on any given microprocessor.
The approach I take here is "ChaChaPoly Units". The library contains a reasonably efficient 32-bit non-vectorized implementation of the ChaChaPoly AEAD scheme from my Arduino cryptography library. This makes it a known quanitity to compare with other algorithms side by side.
If an algorithm is measured at 0.8 ChaChaPoly Units on a specific embedded microprocessor at a specific clock speed, then that means that it is slower than ChaChaPoly by a factor of 0.8 on that microprocessor. If the algorithm is instead measured at 2 ChaChaPoly Units, then it is twice as fast as ChaChaPoly on the same microprocessor. The higher the number of units, the better the algorithm.
The number of ChaChaPoly Units for each algorithm will vary for each microprocessor that is tested and for different choices of optimisation options. The figures below should be used as a rough guide to the relative performance of the algorithms, not an absolute measurement.
For hash algorithms we use BLAKE2s as the basic unit. BLAKE2s is based on ChaCha20 so it is the most logical hashing counterpart to ChaChaPoly.
This page details the performance results for 32-bit platforms. A separate page that details preliminary results for the 8-bit AVR platform can be found here.
The masking performance page contains comparisons of masked versions of the algorithms with their baseline versions.
All tests were run on an Arduino Due which is an ARM Cortex M3 running at 84MHz. The code was optimised for size rather than speed, which is the default optimisation option for the Arduino IDE. I found that "-Os" size optimisation often did better on the Due than "-O2" or "-O3" with the compiler that I had. Your own results may vary.
Each algorithm was tested with two packet sizes: 128 and 16 bytes. Some algorithms can have better performance on small packet sizes. The associated data is always zero-length.
The value in the table below indicates the number of times faster than ChaChaPoly on the same packet. Higher numbers mean better performance. The table is ordered from best average performance down.
Where a NIST submission contains multiple algorithms in a family, bold italics indicates the primary algorithm in the family.
Algorithm | Key Bits | Nonce Bits | Tag Bits | Encrypt 128 bytes | Decrypt 128 bytes | Encrypt 16 bytes | Decrypt 16 bytes | Average |
SATURNIN-Short1 | 256 | 128 | 256 | 1.62 | 1.69 | 1.66 | ||
COMET-128_CHAM-128/1282 | 128 | 128 | 128 | 1.22 | 1.25 | 2.20 | 2.08 | 1.61 |
COMET-64_SPECK-64/128 | 128 | 120 | 128 | 1.16 | 1.14 | 2.31 | 2.24 | 1.58 |
Schwaemm128-128 (SPARKLE) | 128 | 128 | 128 | 1.17 | 1.15 | 1.93 | 1.80 | 1.46 |
ASCON-128a | 128 | 128 | 128 | 1.29 | 1.26 | 1.33 | 1.32 | 1.30 |
ASCON-80pq | 160 | 128 | 128 | 0.99 | 1.02 | 1.22 | 1.23 | 1.12 |
ASCON-128 | 128 | 128 | 128 | 0.99 | 1.02 | 1.22 | 1.23 | 1.11 |
Schwaemm256-128 (SPARKLE) | 128 | 256 | 128 | 1.08 | 1.12 | 1.08 | 1.10 | 1.09 |
GIFT-COFB | 128 | 128 | 128 | 1.02 | 1.01 | 1.09 | 1.09 | 1.05 |
Schwaemm192-192 (SPARKLE) | 192 | 192 | 192 | 0.90 | 0.92 | 1.04 | 1.07 | 0.99 |
Spook-128-384-su | 128 | 128 | 128 | 0.78 | 0.79 | 1.11 | 1.09 | 0.93 |
Spook-128-384-mu | 128 | 128 | 128 | 0.78 | 0.79 | 1.10 | 1.09 | 0.93 |
GIMLI-24 | 256 | 128 | 128 | 0.84 | 0.85 | 0.97 | 0.98 | 0.91 |
Spook-128-512-su | 256 | 128 | 128 | 0.92 | 0.93 | 0.88 | 0.89 | 0.90 |
Spook-128-512-mu | 256 | 128 | 128 | 0.92 | 0.93 | 0.88 | 0.88 | 0.90 |
Xoodyak | 128 | 128 | 128 | 0.85 | 0.87 | 0.84 | 0.85 | 0.86 |
SpoC-128 | 128 | 128 | 128 | 0.59 | 0.62 | 1.14 | 1.14 | 0.82 |
TinyJAMBU-128 | 128 | 96 | 64 | 0.59 | 0.62 | 1.10 | 1.11 | 0.81 |
SUNDAE-GIFT-0 | 128 | 0 | 128 | 0.59 | 0.63 | 1.05 | 1.06 | 0.80 |
Schwaemm256-256 (SPARKLE) | 256 | 256 | 256 | 0.79 | 0.80 | 0.74 | 0.72 | 0.76 |
TinyJAMBU-192 | 192 | 96 | 64 | 0.54 | 0.57 | 1.01 | 1.03 | 0.74 |
HYENA | 128 | 96 | 128 | 0.62 | 0.65 | 0.81 | 0.84 | 0.73 |
SUNDAE-GIFT-64 | 128 | 64 | 128 | 0.56 | 0.60 | 0.85 | 0.87 | 0.71 |
SUNDAE-GIFT-96 | 128 | 96 | 128 | 0.56 | 0.60 | 0.85 | 0.86 | 0.70 |
SUNDAE-GIFT-128 | 128 | 128 | 128 | 0.56 | 0.59 | 0.83 | 0.85 | 0.70 |
TinyJAMBU-256 | 256 | 96 | 64 | 0.49 | 0.52 | 0.94 | 0.96 | 0.68 |
ESTATE_TweGIFT-1282 | 128 | 128 | 128 | 0.48 | 0.52 | 0.91 | 0.92 | 0.66 |
COMET-64_CHAM-64/128 | 128 | 120 | 128 | 0.40 | 0.43 | 0.79 | 0.81 | 0.57 |
SPIX | 128 | 128 | 128 | 0.41 | 0.44 | 0.38 | 0.39 | 0.40 |
LOTUS-AEAD | 128 | 128 | 64 | 0.29 | 0.31 | 0.56 | 0.58 | 0.40 |
LOCUS-AEAD | 128 | 128 | 64 | 0.28 | 0.29 | 0.56 | 0.57 | 0.39 |
KNOT-AEAD-128-256 | 128 | 128 | 128 | 0.29 | 0.31 | 0.47 | 0.49 | 0.38 |
Grain-128AEAD | 128 | 96 | 64 | 0.26 | 0.26 | 0.56 | 0.56 | 0.37 |
SATURNIN-CTR-Cascade | 256 | 128 | 256 | 0.34 | 0.36 | 0.37 | 0.38 | 0.36 |
KNOT-AEAD-128-384 | 128 | 128 | 128 | 0.31 | 0.33 | 0.30 | 0.32 | 0.31 |
SpoC-64 | 128 | 128 | 64 | 0.22 | 0.24 | 0.42 | 0.44 | 0.31 |
SKINNY-AEAD-M6 | 128 | 96 | 64 | 0.19 | 0.20 | 0.33 | 0.34 | 0.25 |
SKINNY-AEAD-M5 | 128 | 96 | 128 | 0.19 | 0.20 | 0.33 | 0.34 | 0.25 |
Romulus-N3 | 128 | 96 | 128 | 0.19 | 0.20 | 0.30 | 0.31 | 0.24 |
ACE | 128 | 128 | 128 | 0.20 | 0.22 | 0.23 | 0.24 | 0.22 |
DryGASCON128k16 | 128 | 128 | 128 | 0.16 | 0.18 | 0.28 | 0.30 | 0.22 |
SKINNY-AEAD-M4 | 128 | 96 | 64 | 0.16 | 0.17 | 0.26 | 0.27 | 0.21 |
SKINNY-AEAD-M3 | 128 | 128 | 64 | 0.16 | 0.17 | 0.26 | 0.27 | 0.21 |
SKINNY-AEAD-M2 | 128 | 96 | 128 | 0.16 | 0.17 | 0.26 | 0.27 | 0.21 |
SKINNY-AEAD-M1 | 128 | 128 | 128 | 0.16 | 0.17 | 0.26 | 0.27 | 0.21 |
Romulus-N2 | 128 | 96 | 128 | 0.15 | 0.17 | 0.23 | 0.24 | 0.19 |
Romulus-N1 | 128 | 128 | 128 | 0.15 | 0.17 | 0.21 | 0.22 | 0.19 |
KNOT-AEAD-192-384 | 192 | 192 | 192 | 0.15 | 0.17 | 0.21 | 0.22 | 0.18 |
DryGASCON256k32 | 256 | 128 | 256 | 0.13 | 0.14 | 0.19 | 0.20 | 0.16 |
Oribatida-256-64 | 128 | 128 | 128 | 0.12 | 0.13 | 0.22 | 0.23 | 0.16 |
Romulus-M3 | 128 | 96 | 128 | 0.12 | 0.13 | 0.20 | 0.22 | 0.16 |
Subterranean | 128 | 128 | 128 | 0.16 | 0.18 | 0.13 | 0.14 | 0.15 |
PAEF-ForkSkinny-128-256 | 128 | 112 | 128 | 0.10 | 0.09 | 0.32 | 0.28 | 0.15 |
PAEF-ForkSkinny-128-192 | 128 | 48 | 128 | 0.10 | 0.09 | 0.32 | 0.28 | 0.15 |
SAEF-ForkSkinny-128-256 | 128 | 120 | 128 | 0.10 | 0.09 | 0.32 | 0.28 | 0.15 |
SAEF-ForkSkinny-128-192 | 128 | 56 | 128 | 0.10 | 0.09 | 0.32 | 0.28 | 0.15 |
Romulus-M2 | 128 | 96 | 128 | 0.10 | 0.11 | 0.17 | 0.18 | 0.14 |
ISAP-A-128A | 128 | 128 | 128 | 0.17 | 0.19 | 0.10 | 0.11 | 0.13 |
Romulus-M1 | 128 | 128 | 128 | 0.10 | 0.11 | 0.15 | 0.16 | 0.13 |
KNOT-AEAD-256-512 | 256 | 256 | 256 | 0.10 | 0.12 | 0.12 | 0.13 | 0.12 |
ORANGE-Zest | 128 | 128 | 128 | 0.11 | 0.12 | 0.11 | 0.12 | 0.11 |
PAEF-ForkSkinny-128-288 | 128 | 104 | 128 | 0.07 | 0.06 | 0.24 | 0.20 | 0.11 |
Oribatida-192-96 | 128 | 64 | 96 | 0.07 | 0.08 | 0.12 | 0.13 | 0.10 |
PHOTON-Beetle-AEAD-ENC-128 | 128 | 128 | 128 | 0.06 | 0.07 | 0.11 | 0.12 | 0.08 |
Pyjamask-96-AEAD | 128 | 64 | 96 | 0.07 | 0.07 | 0.07 | 0.08 | 0.07 |
Pyjamask-128-AEAD | 128 | 96 | 128 | 0.06 | 0.07 | 0.07 | 0.07 | 0.07 |
PAEF-ForkSkinny-64-192 | 128 | 48 | 64 | 0.05 | 0.05 | 0.18 | 0.14 | 0.08 |
Delirium (Elephant) | 128 | 96 | 128 | 0.04 | 0.05 | 0.06 | 0.07 | 0.05 |
ISAP-A-128 | 128 | 128 | 128 | 0.05 | 0.05 | 0.02 | 0.02 | 0.03 |
WAGE | 128 | 128 | 128 | 0.03 | 0.03 | 0.03 | 0.03 | 0.03 |
PHOTON-Beetle-AEAD-ENC-32 | 128 | 128 | 128 | 0.02 | 0.02 | 0.05 | 0.05 | 0.03 |
ISAP-K-128A | 128 | 128 | 128 | 0.02 | 0.02 | 0.01 | 0.01 | 0.02 |
Dumbo (Elephant) | 128 | 96 | 64 | 0.01 | 0.02 | 0.03 | 0.03 | 0.02 |
Jumbo (Elephant) | 128 | 96 | 64 | 0.01 | 0.02 | 0.02 | 0.02 | 0.02 |
ISAP-K-128 | 128 | 128 | 128 | 0.0034 | 0.0038 | 0.0015 | 0.0016 | 0.0021 |
Note 1. SATURNIN-Short is limited to no more than 15 bytes of payload, so there are no performance figures for 128-byte packets, and the 16-byte columns report the results for 15 bytes of payload instead.
Note 2. COMET-128_CHAM-128/128 and ESTATE_TweGIFT-128 are not the primary members from the algorithm authors. Instead, the authors recommend AES-based versions of COMET and ESTATE, which are not implemented in this libary.
The hash algorithms are compared against BLAKE2s instead of ChaChaPoly:
Algorithm | Hash Bits | 1024 bytes | 128 bytes | 16 bytes | Average |
Xoodyak | 256 | 0.38 | 0.35 | 0.79 | 0.51 |
GIMLI-24-HASH | 256 | 0.45 | 0.35 | 0.61 | 0.46 |
Esch256 (SPARKLE) | 256 | 0.38 | 0.34 | 0.65 | 0.46 |
SATURNIN-Hash | 256 | 0.24 | 0.20 | 0.49 | 0.31 |
ASCON-HASH | 256 | 0.29 | 0.24 | 0.37 | 0.30 |
Esch384 (SPARKLE) | 384 | 0.26 | 0.21 | 0.33 | 0.26 |
DryGASCON128-HASH | 256 | 0.08 | 0.07 | 0.25 | 0.13 |
ACE-HASH | 256 | 0.10 | 0.09 | 0.15 | 0.11 |
DryGASCON256-HASH | 512 | 0.06 | 0.05 | 0.11 | 0.08 |
KNOT-HASH-256-384 | 256 | 0.05 | 0.04 | 0.07 | 0.05 |
KNOT-HASH-256-256 | 256 | 0.03 | 0.03 | 0.08 | 0.04 |
Subterranean-Hash | 256 | 0.02 | 0.02 | 0.05 | 0.03 |
ORANGISH | 256 | 0.02 | 0.02 | 0.03 | 0.02 |
KNOT-HASH-384-384 | 384 | 0.01 | 0.01 | 0.04 | 0.02 |
PHOTON-Beetle-HASH | 256 | 0.01 | 0.01 | 0.05 | 0.02 |
SKINNY-tk3-HASH | 256 | 0.02 | 0.01 | 0.02 | 0.02 |
KNOT-HASH-512-512 | 512 | 0.01 | 0.01 | 0.02 | 0.01 |
SKINNY-tk2-HASH | 256 | 0.01 | 0.01 | 0.02 | 0.01 |
The tests below were run on an ESP32 Dev Module running at 240MHz. The ordering is mostly the same as ARM Cortext M3 with a few reversals where the architectural differences gives some algorithms an added advantage.
Algorithm | Key Bits | Nonce Bits | Tag Bits | Encrypt 128 bytes | Decrypt 128 bytes | Encrypt 16 bytes | Decrypt 16 bytes | Average |
SATURNIN-Short | 256 | 128 | 256 | 1.61 | 1.61 | 1.61 | ||
COMET-128_CHAM-128/128 | 128 | 128 | 128 | 1.17 | 1.11 | 1.88 | 1.73 | 1.43 |
COMET-64_SPECK-64/128 | 128 | 120 | 128 | 1.02 | 1.02 | 2.04 | 1.94 | 1.39 |
Schwaemm128-128 (SPARKLE) | 128 | 128 | 128 | 1.07 | 1.06 | 1.68 | 1.60 | 1.32 |
Schwaemm256-128 (SPARKLE) | 128 | 256 | 128 | 1.11 | 1.09 | 1.04 | 1.04 | 1.06 |
Schwaemm192-192 (SPARKLE) | 192 | 192 | 192 | 0.87 | 0.90 | 1.02 | 1.00 | 0.95 |
ASCON-128a | 128 | 128 | 128 | 0.86 | 0.88 | 0.92 | 0.93 | 0.90 |
GIFT-COFB | 128 | 128 | 128 | 0.80 | 0.83 | 0.90 | 0.90 | 0.86 |
Xoodyak | 128 | 128 | 128 | 0.84 | 0.86 | 0.80 | 0.82 | 0.83 |
Schwaemm256-256 (SPARKLE) | 256 | 256 | 256 | 0.77 | 0.78 | 0.70 | 0.70 | 0.73 |
GIMLI-24 | 256 | 128 | 128 | 0.65 | 0.69 | 0.79 | 0.81 | 0.74 |
TinyJAMBU-128 | 128 | 96 | 64 | 0.51 | 0.55 | 0.98 | 0.99 | 0.71 |
Spook-128-384-su | 128 | 128 | 128 | 0.58 | 0.62 | 0.80 | 0.81 | 0.70 |
Spook-128-384-mu | 128 | 128 | 128 | 0.58 | 0.62 | 0.80 | 0.80 | 0.70 |
Spook-128-512-su | 256 | 128 | 128 | 0.71 | 0.74 | 0.63 | 0.65 | 0.68 |
Spook-128-512-mu | 256 | 128 | 128 | 0.71 | 0.74 | 0.63 | 0.65 | 0.67 |
TinyJAMBU-192 | 192 | 96 | 64 | 0.46 | 0.50 | 0.91 | 0.92 | 0.65 |
HYENA | 128 | 96 | 128 | 0.55 | 0.60 | 0.70 | 0.72 | 0.64 |
SUNDAE-GIFT-0 | 128 | 0 | 128 | 0.47 | 0.52 | 0.85 | 0.87 | 0.64 |
ASCON-128 | 128 | 128 | 128 | 0.67 | 0.46 | 0.86 | 0.66 | 0.63 |
ASCON-80pq | 160 | 128 | 128 | 0.67 | 0.44 | 0.84 | 0.61 | 0.61 |
TinyJAMBU-256 | 256 | 96 | 64 | 0.42 | 0.46 | 0.84 | 0.86 | 0.60 |
COMET-64_CHAM-64/128 | 128 | 120 | 128 | 0.42 | 0.46 | 0.82 | 0.84 | 0.59 |
KNOT-AEAD-128-384 | 128 | 128 | 128 | 0.57 | 0.61 | 0.57 | 0.59 | 0.59 |
KNOT-AEAD-128-256 | 128 | 128 | 128 | 0.45 | 0.49 | 0.73 | 0.75 | 0.59 |
SUNDAE-GIFT-64 | 128 | 64 | 128 | 0.44 | 0.49 | 0.69 | 0.71 | 0.57 |
SUNDAE-GIFT-96 | 128 | 96 | 128 | 0.44 | 0.49 | 0.68 | 0.70 | 0.57 |
SUNDAE-GIFT-128 | 128 | 128 | 128 | 0.44 | 0.49 | 0.67 | 0.70 | 0.57 |
SpoC-128 | 128 | 128 | 128 | 0.40 | 0.44 | 0.77 | 0.78 | 0.56 |
ESTATE_TweGIFT-128 | 128 | 128 | 128 | 0.38 | 0.42 | 0.74 | 0.76 | 0.54 |
Grain-128AEAD | 128 | 96 | 64 | 0.33 | 0.30 | 0.65 | 0.59 | 0.43 |
SATURNIN-CTR-Cascade | 256 | 128 | 256 | 0.34 | 0.37 | 0.38 | 0.39 | 0.37 |
DryGASCON128k16 | 128 | 128 | 128 | 0.23 | 0.25 | 0.40 | 0.42 | 0.31 |
SpoC-64 | 128 | 128 | 64 | 0.22 | 0.25 | 0.41 | 0.43 | 0.31 |
LOTUS-AEAD | 128 | 128 | 64 | 0.20 | 0.22 | 0.40 | 0.42 | 0.29 |
LOCUS-AEAD | 128 | 128 | 64 | 0.19 | 0.22 | 0.39 | 0.41 | 0.28 |
SPIX | 128 | 128 | 128 | 0.27 | 0.30 | 0.24 | 0.26 | 0.26 |
KNOT-AEAD-192-384 | 192 | 192 | 192 | 0.28 | 0.32 | 0.39 | 0.41 | 0.25 |
Oribatida-256-64 | 128 | 128 | 128 | 0.17 | 0.19 | 0.34 | 0.35 | 0.25 |
Oribatida-192-96 | 128 | 64 | 96 | 0.17 | 0.19 | 0.28 | 0.30 | 0.22 |
KNOT-AEAD-256-512 | 256 | 256 | 256 | 0.18 | 0.21 | 0.21 | 0.23 | 0.21 |
DryGASCON256k32 | 256 | 128 | 256 | 0.16 | 0.18 | 0.25 | 0.27 | 0.21 |
ACE | 128 | 128 | 128 | 0.13 | 0.15 | 0.15 | 0.16 | 0.15 |
SKINNY-AEAD-M6 | 128 | 96 | 64 | 0.11 | 0.12 | 0.19 | 0.20 | 0.15 |
SKINNY-AEAD-M5 | 128 | 96 | 128 | 0.11 | 0.12 | 0.19 | 0.20 | 0.15 |
Romulus-N3 | 128 | 96 | 128 | 0.10 | 0.12 | 0.17 | 0.19 | 0.14 |
SKINNY-AEAD-M4 | 128 | 96 | 64 | 0.09 | 0.10 | 0.15 | 0.16 | 0.12 |
SKINNY-AEAD-M3 | 128 | 128 | 64 | 0.09 | 0.10 | 0.14 | 0.16 | 0.12 |
SKINNY-AEAD-M2 | 128 | 96 | 128 | 0.09 | 0.10 | 0.14 | 0.15 | 0.12 |
SKINNY-AEAD-M1 | 128 | 128 | 128 | 0.09 | 0.10 | 0.14 | 0.15 | 0.12 |
Subterranean | 128 | 128 | 128 | 0.12 | 0.14 | 0.10 | 0.11 | 0.12 |
Romulus-N2 | 128 | 96 | 128 | 0.09 | 1.10 | 0.13 | 0.14 | 0.11 |
Romulus-N1 | 128 | 128 | 128 | 0.09 | 0.10 | 0.12 | 0.13 | 0.11 |
ISAP-A-128A | 128 | 128 | 128 | 0.13 | 0.15 | 0.08 | 0.09 | 0.10 |
ORANGE-Zest | 128 | 128 | 128 | 0.09 | 0.11 | 0.10 | 0.11 | 0.10 |
Pyjamask-96-AEAD | 128 | 64 | 96 | 0.09 | 0.10 | 0.10 | 0.11 | 0.10 |
PAEF-ForkSkinny-128-256 | 128 | 112 | 128 | 0.06 | 0.07 | 0.21 | 0.20 | 0.10 |
SAEF-ForkSkinny-128-256 | 128 | 120 | 128 | 0.06 | 0.06 | 0.21 | 0.20 | 0.10 |
PAEF-ForkSkinny-128-192 | 128 | 48 | 128 | 0.06 | 0.07 | 0.21 | 0.20 | 0.10 |
SAEF-ForkSkinny-128-192 | 128 | 56 | 128 | 0.06 | 0.06 | 0.21 | 0.20 | 0.10 |
Romulus-M3 | 128 | 96 | 128 | 0.07 | 0.08 | 0.12 | 0.13 | 0.09 |
Pyjamask-128-AEAD | 128 | 96 | 128 | 0.08 | 0.10 | 0.09 | 0.10 | 0.09 |
Romulus-M2 | 128 | 96 | 128 | 0.06 | 0.07 | 0.09 | 0.10 | 0.08 |
Romulus-M1 | 128 | 128 | 128 | 0.06 | 0.07 | 0.09 | 0.10 | 0.08 |
PHOTON-Beetle-AEAD-ENC-128 | 128 | 128 | 128 | 0.05 | 0.06 | 0.10 | 0.11 | 0.08 |
PAEF-ForkSkinny-128-288 | 128 | 104 | 128 | 0.05 | 0.05 | 0.16 | 0.14 | 0.08 |
PAEF-ForkSkinny-64-192 | 128 | 48 | 64 | 0.04 | 0.04 | 0.14 | 0.12 | 0.07 |
Delirium (Elephant) | 128 | 96 | 128 | 0.05 | 0.06 | 0.07 | 0.08 | 0.06 |
WAGE | 128 | 128 | 128 | 0.03 | 0.04 | 0.04 | 0.04 | 0.04 |
ISAP-K-128A | 128 | 128 | 128 | 0.03 | 0.03 | 0.02 | 0.02 | 0.02 |
ISAP-A-128 | 128 | 128 | 128 | 0.03 | 0.03 | 0.01 | 0.02 | 0.02 |
PHOTON-Beetle-AEAD-ENC-32 | 128 | 128 | 128 | 0.01 | 0.02 | 0.04 | 0.04 | 0.02 |
Dumbo (Elephant) | 128 | 96 | 64 | 0.01 | 0.01 | 0.02 | 0.02 | 0.02 |
Jumbo (Elephant) | 128 | 96 | 64 | 0.01 | 0.01 | 0.01 | 0.02 | 0.01 |
ISAP-K-128 | 128 | 128 | 128 | 0.0040 | 0.0047 | 0.0018 | 0.0020 | 0.0025 |
Hash algorithms:
Algorithm | Hash Bits | 1024 bytes | 128 bytes | 16 bytes | Average |
Xoodyak | 256 | 0.35 | 0.33 | 0.73 | 0.47 |
Esch256 (SPARKLE) | 256 | 0.38 | 0.34 | 0.64 | 0.45 |
GIMLI-24-HASH | 256 | 0.35 | 0.29 | 0.50 | 0.38 |
SATURNIN-Hash | 256 | 0.23 | 0.19 | 0.48 | 0.30 |
Esch384 (SPARKLE) | 384 | 0.24 | 0.20 | 0.30 | 0.25 |
ASCON-HASH | 256 | 0.19 | 0.16 | 0.25 | 0.20 |
DryGASCON128-HASH | 256 | 0.10 | 0.10 | 0.34 | 0.18 |
KNOT-HASH-256-384 | 256 | 0.09 | 0.07 | 0.13 | 0.10 |
DryGASCON256-HASH | 512 | 0.08 | 0.07 | 0.15 | 0.10 |
ACE-HASH | 256 | 0.07 | 0.06 | 0.10 | 0.07 |
KNOT-HASH-256-256 | 256 | 0.04 | 0.04 | 0.13 | 0.07 |
KNOT-HASH-384-384 | 384 | 0.03 | 0.03 | 0.07 | 0.04 |
SKINNY-tk3-HASH | 256 | 0.07 | 0.01 | 0.01 | 0.03 |
SKINNY-tk2-HASH | 256 | 0.05 | 0.03 | 0.01 | 0.03 |
ORANGISH | 256 | 0.02 | 0.02 | 0.03 | 0.02 |
KNOT-HASH-512-512 | 512 | 0.02 | 0.02 | 0.04 | 0.02 |
PHOTON-Beetle-HASH | 256 | 0.01 | 0.01 | 0.05 | 0.02 |
Subterranean-Hash | 256 | 0.01 | 0.01 | 0.04 | 0.02 |
Based on the above data, the NIST submissions can be roughly grouped with those of similar performance. Changes in CPU, optimisation options, loop unrolling, or assembly code replacement might modify the rank of an algorithm.
Only the primary algorithm in each family is considered for this ranking. I took the average of the ARM Cortex M3 and ESP32 figures from the above tables to compute an average across different architectures. I then grouped the algorithms into 0.1-wide buckets; for example everything with rank 3 has an average between 0.30 and 0.39 ChaChaPoly units.
AEAD algorithm rankings:
Rank | Algorithms |
15 | COMET |
10 | SPARKLE |
9 | GIFT-COFB |
8 | ASCON, Gimli, Xoodyak |
7 | TinyJAMBU, Spook |
6 | ESTATE, HYENA, SUNDAE-GIFT |
4 | Grain128-AEAD, KNOT |
3 | LOTUS, Saturnin, SPIX, SpoC |
2 | DryGASCON, Oribatida |
1 | ACE, ORANGE, Romulus, SKINNY-AEAD, Subterranean |
0 | Elephant, ForkAE, ISAP, PHOTON-Beetle, Pyjamask, WAGE |
Hash algorithm rankings:
Rank | Algorithms |
4 | Gimli, SPARKLE, Xoodyak |
3 | Saturnin |
2 | ASCON |
1 | DryGASCON |
0 | ACE, KNOT, ORANGE, PHOTON-Beetle, SKINNY-AEAD, Subterranean |