“Even though Adiantum is very new, we are in a position to have high confidence in its security.”
Google has unveiled a new form of storage encryption for mobile devices that is aimed at plugging the security gap in low-cost devices.
The encryption format Adiantum has been specifically designed by Google to bring encryption to low-process power devices.
Currently there is a manufacturing requirement that any android device after 6.0 in 2015 must have storage encryption in place. However an exemption was given to handset makers when it comes to low-cost devices with low processing power. Low-cost devices are missing the specialised hardware that supports the Advanced Encryption Standard or AES.
To keep costs low device manufactures often use low-end processors such as the ARM Cortex-A7 which cannot support AES. If AES was to be used on these devices users would experience serious delays in applications and the device would feel sluggish.
Adiantum gets around the lack of specialised hardware by using a different encryption method, the ChaCha stream cipher, which is much faster than AES when hardware acceleration is not an option. ChaCha relies on operations that are already present in most low-end CPU’s.
“Our hope is that Adiantum will democratize encryption for all devices. Just like you wouldn’t buy a phone without text messaging, there will be no excuse for compromising security for the sake of device performance. Everyone should have privacy and security, regardless of their phone’s price tag,” commented Eugene Liderman Director of Mobile Security Strategy at Android.
Adiantum Encryption Technical Challenge
Storage on devices is generally organised into sectors which are normally 4096 bytes in size. As a request is received by the device to access a sector in order to read or write, it must first pass through the encryption layer which coverts between plaintext and ciphertext.
In order to use ChaCha encryption the ciphertext must be slightly larger than the plaintext, this is in order to accommodate the space needed for cryptographic nonce and message integrity information.
Android Security & Privacy Team members Paul Crowley and Eric Biggers wrote in a security blog that: “Where AES is used, the conventional solution for disk encryption is to use the XTS or CBC-ESSIV modes of operation, which are length-preserving.”
“Currently Android supports AES-128-CBC-ESSIV for full-disk encryption and AES-256-XTS for file-based encryption. However, when AES performance is insufficient there is no widely accepted alternative that has sufficient performance on lower-end ARM processors.”
They believe that the solution to the problem is their new encryption mode Adiantum which adapts ideas from AES-based length-preserving encryption proposals like HCTR and HCH.
“On ARM Cortex-A7, Adiantum encryption and decryption on 4096-byte sectors is about 10.6 cycles per byte, around 5x faster than AES-256-XTS.”
“Even though Adiantum is very new, we are in a position to have high confidence in its security,” they state.