Google today unveiled Adiantum, a new storage encryption method for devices that run Android 9 or later on processors without hardware support for AES or other cryptographic acceleration.
Currently, users can encrypt their Android devices using the Advanced Encryption Standard (AES), which is very fast on newer processors that support it via the ARMv8 Cryptography Extensions.
The problem Adiantum solves stems from entry-level Android devices such as Android Go phones, as well as smart TVs and smartwatches, which, more often than not, come with low-end CPUs such as ARM’s Cortex-A7, a processor that does not have built-in hardware support for AES.
According to Google:
On these devices, AES is so slow that it would result in a poor user experience; apps would take much longer to launch, and the device would generally feel much slower. So while storage encryption has been required for most devices since Android 6.0 in 2015, devices with poor AES performance (50 MiB/s and below) are exempt. We’ve been working to change this because we believe that encryption is for everyone.
In these cases, the storage encryption feature is either completely removed from the Android OS build or disabled by default to avoid “a poor user experience; apps would take much longer to launch, and the device would generally feel much slower.”
This is where Adiantum comes in to save the day, allowing users of underpowered Android devices that come with lower-end ARM processors to also encrypt their data.
For users curious about the inner workings of Adiantum and benchmarking numbers, Google provides access to the Adiantum paper.
Google’s Paul Crowley and Eric Biggers describe in the paper abstract the algorithms used by Adiantum, as well as its speed:
Our composition Adiantum uses NH, Poly1305, XChaCha12, and a single AES invocation. On an ARM Cortex-A7 processor, Adiantum decrypts 4096-byte messages at 10.6 cycles per byte, over five times faster than AES-256-XTS, with a constant-time implementation.
Last, but not least, Google advises device manufacturers against Adiantum on hardware where AES is accelerated: if you “are shipping an ARM-based device with ARMv8 Cryptography Extensions or an x86-based device with AES-NI, you should not use Adiantum. AES is faster on those platforms.”
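The guidance above can be turned into a check on a device's `/proc/cpuinfo` output. The following is an added example, not code from Google or the Adiantum paper; it assumes the Linux convention of listing AES instruction support as the token `aes` on the `Features` (ARM) or `flags` (x86) line, and the sample inputs are constructed.

```python
# Added example: choose AES or Adiantum from /proc/cpuinfo text.
# Assumption (not from the article): Linux reports AES instructions as the
# token "aes" on the "Features" (ARM) or "flags" (x86) line.

# Constructed samples, not captured from real devices.
CORTEX_A7 = (
    "processor\t: 0\n"
    "model name\t: ARMv7 Processor rev 5 (v7l)\n"
    "Features\t: half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt lpae\n"
)
ARMV8_CE = (
    "processor\t: 0\n"
    "Features\t: fp asimd evtstrm aes pmull sha1 sha2 crc32\n"
    "processor\t: 1\n"
    "Features\t: fp asimd evtstrm aes pmull sha1 sha2 crc32\n"
)
X86_AESNI = (
    "processor\t: 0\n"
    "flags\t\t: fpu sse2 ssse3 sse4_1 sse4_2 popcnt aes xsave avx\n"
)


def per_cpu_features(cpuinfo):
    """Return one set of feature tokens per logical CPU in the text."""
    cpus = []
    for line in cpuinfo.splitlines():
        key, sep, value = line.partition(":")
        key = key.strip().lower()
        if not sep:
            continue
        if key == "processor" and value.strip().isdigit():
            cpus.append(set())          # start of a new logical CPU
        elif key in ("features", "flags"):
            if not cpus:                # feature line before any CPU entry
                cpus.append(set())
            cpus[-1].update(value.split())
    return cpus


def recommend_cipher(cpuinfo):
    """'AES' if every CPU that reports features lists 'aes', else 'Adiantum'."""
    # Some kernels print a single feature line for all cores, so CPU
    # entries with no feature line of their own are ignored.
    reported = [f for f in per_cpu_features(cpuinfo) if f]
    if not reported:
        raise ValueError("no Features/flags line found in cpuinfo text")
    # Whole-token match: "vaes" or "aesni" would not count as "aes".
    return "AES" if all("aes" in f for f in reported) else "Adiantum"
```

On a device, the input would be the text of `/proc/cpuinfo`; the result only reflects the presence of the instruction set, not a measured throughput.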