Google has offered encryption mechanism drives Adiantum, which can be used on low-powered devices, which you can’t use the block cipher algorithm AES because of too much overhead. In particular, Google intends to use Adiantum to encrypt the drives of the younger models of smartphones based on the platform Android, equipped with ARM processors do not provide instructions for hardware acceleration of AES encryption. The reference implementation of the algorithm published under the MIT license, the implementation-level subsystems of the Linux kernel dm-crypt is published under the GPLv2 license (the patches are prepared for both versions of the kernel for Android, and for plain vanilla Linux kernels).
As AES-128-CBC-ESSIV and AES-XTS Adiantum method does not change the resulting size of the data that allows you to use it to encrypt data on the drives. Adiantum also allows the generation of the blocks with a different ciphertext for a duplicate of the original data. Implementation of Adiantum based on the application of a fast hash function NH, algorithm, message authentication (MAC) and Poly1305 stream cipher XChaCha12, as well as one-off operations on the basis of the block cipher AES-256 to 16 bytes in each block (including the block size at 4096 bytes, this operation is not critical from the performance point of view). To improve the performance of the ChaCha algorithm is applied in the 12 rounds instead of the 20 usually used, but this is quite enough, as ChaCha 12 roudani provides higher resistance to attacks than AES-256.
Poly1305 and XChaCha12 positioned as a faster and more secure counterparts HMAC and AES software implementation which allows to achieve a fixed run-time without requiring special hardware support. Processor-ARM Cortex-A7 implementation Adiantum spends on the operation of the decoding 10.6 CPU cycles for each byte (if the block size is 4096 bytes), which is five times faster than AES-256-XTS.
On CPUs with hardware AES acceleration, such as ARMv8 instructions A64, A32 and T32 (Cryptography Extensions) and x86 with AES-NI instructions, it is recommended to use drive encryption on the basis of AES, as in this case, hardware-accelerated AES is faster in software implementation Adiantum. While Adiantum provides higher resistance to attacks, as in AES-XTS changing one byte of the original data leads to a change of only 16 bytes of ciphertext, while in Adiantum change the whole unit, equal to the sector size (512 or 4096 bytes).
According to the materials: www.opennet.ru