The subject of this test is authenticated symmetric encryption. For libraries that support modes with integrated authentication, such as AES-GCM or AES-CCM, these modes are used*. Otherwise the non-authenticated mode AES-CBC is used along with HMAC for authentication.
* Although asmcrypto supports AES-GCM, its performance is significantly worse than AES-CBC + HMAC. The WebCrypto standard supports AES-GCM, but it is not implemented in WebKit-based browsers. Therefore, AES-CBC + HMAC is tested for compatibility reasons.
- sjcl (both GCM bitArray and CCM typed array implementations)
Platforms tested were:
- Intel i5-4200U based laptop
- Apple iPad Air 2
- Tegra 3 T30L based Android tablet
- Qualcomm MSM8610 based Android phone
Tests are available on jsPerf.
The performance advantage would be even greater if not for the lack of WebCrypto AES-GCM support in WebKit-based browsers. While the performance of AES-GCM and the non-authenticated AES-CBC is comparable, once authentication is required AES-GCM is five times faster at encryption and three times faster at decryption than AES-CBC-HMAC-256.
AES-GCM is not hardware accelerated on the current Apple CPUs and not supported in CommonCrypto, the iOS/OSX low-level cryptography library. Therefore it is unlikely that a fast AES-GCM implementation will be added to WebKit in the near future and, in my opinion, any applications that require compatibility with WebKit-based browsers and/or iOS devices should use AES-CBC-HMAC.
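The AES-CBC + HMAC combination recommended above, written against the WebCrypto API as an encrypt-then-MAC construction. This is an added example, not code from the original post or from SimpleCrypto.js; the function names, the use of HMAC-SHA-256 with a separate key, and the iv || ciphertext || tag message layout are assumptions.

```javascript
// Added example (not from the original post). Names and message layout are assumptions.
// Browsers expose globalThis.crypto; the require() is a fallback for older Node.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const IV_LEN = 16, TAG_LEN = 32, BLOCK = 16;

// Independent keys: one for AES-CBC, one for HMAC-SHA-256.
async function generateKeys() {
  const encKey = await wc.subtle.generateKey(
    { name: 'AES-CBC', length: 256 }, false, ['encrypt', 'decrypt']);
  const macKey = await wc.subtle.generateKey(
    { name: 'HMAC', hash: 'SHA-256' }, false, ['sign', 'verify']);
  return { encKey, macKey };
}

async function encryptThenMac({ encKey, macKey }, plaintext) {
  const iv = wc.getRandomValues(new Uint8Array(IV_LEN)); // fresh IV per message
  const ct = new Uint8Array(
    await wc.subtle.encrypt({ name: 'AES-CBC', iv }, encKey, plaintext));
  const out = new Uint8Array(IV_LEN + ct.length + TAG_LEN);
  out.set(iv, 0);
  out.set(ct, IV_LEN);
  // The tag covers the IV as well as the ciphertext.
  const tag = await wc.subtle.sign('HMAC', macKey, out.subarray(0, IV_LEN + ct.length));
  out.set(new Uint8Array(tag), IV_LEN + ct.length);
  return out;
}

async function verifyThenDecrypt({ encKey, macKey }, message) {
  if (message.length < IV_LEN + BLOCK + TAG_LEN) throw new Error('message too short');
  const body = message.subarray(0, message.length - TAG_LEN);
  const tag = message.subarray(message.length - TAG_LEN);
  // Verify first, so unauthenticated bytes never reach CBC decryption and its padding check.
  if (!(await wc.subtle.verify('HMAC', macKey, tag, body))) throw new Error('authentication failed');
  const iv = body.subarray(0, IV_LEN);
  const pt = await wc.subtle.decrypt({ name: 'AES-CBC', iv }, encKey, body.subarray(IV_LEN));
  return new Uint8Array(pt);
}

// Constructed sample: round-trip a message, then flip one ciphertext bit.
async function demo() {
  const keys = await generateKeys();
  const sealed = await encryptThenMac(keys, new TextEncoder().encode('constructed sample message'));
  const roundTrip = new TextDecoder().decode(await verifyThenDecrypt(keys, sealed));
  const tampered = sealed.slice();
  tampered[IV_LEN] ^= 0x01;
  const rejected = await verifyThenDecrypt(keys, tampered)
    .then(() => false, (e) => e.message === 'authentication failed');
  return { roundTrip, rejected, sealedLength: sealed.length };
}
```

Compared with AES-GCM's single call, this costs a second pass over the data for the HMAC, which is the overhead the benchmark figures above reflect.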
Edit: I was asked about emscripten compiled crypto performance. Emscripten compiled NaCl XSalsa20-Poly1305 does about 8MB/sec on Chrome i5-4200U. While the comparison is not exactly apples to apples, performance is poor compared to WebCrypto.
- SimpleCrypto.js, a library I developed to simplify the interface and deal with various incompatibilities between WebCrypto implementations.
- Can I use WebCrypto
- WebCrypto examples
- Charles Engelke’s Blog