Adiantum: The New Standard For Smart Phone and Disk Encryption?

Google just doesn’t quite see AES as the future of security on the Internet. It generally sees it as a relatively slow cipher. Within block encryption, the length of the cipherblock is around the same size as the plaintext. In a disk system, this does not work well, and where we need either 512 bytes or 4KB. Overall the solution for this is AES-XTS, and which optimizes for disk size blocks. Unfortunately, it is relatively slow and where a single bit change in the plaintext results in only a 16-byte change in the ciphertext — and which can reveal information.

Google now propose Adiantum and HPolyC as a fast method to encrypt disks [here]:

With this, Google defines a fast version of ChaCha20 (XChaCha20) for the core encryption, which can be easily matched to the disk data sizes. The hashing method involved (NH and Poly1305). It can then encrypt an entire sector in a single processing element, and the decryption method has been benchmarked at over five times faster than AES-XTS. Along with this, it has been proven to produce random permutations on the disk, and where a change in a single bit cannot be recognized within the resulting disk…