D. J. Bernstein
Hash functions and ciphers
Notes on the ECRYPT Stream Cipher Project (eSTREAM)

Software timings

Old-style graphs
Old-style database
Generating old-style data and graphs
New-style graphs
New-style database
Generating new-style data and graphs
Comparing median-cycle-count graphs
Future timings
Credits

Old-style graphs

The following graphs report cycle counts for encryption. There are several important limitations in the information conveyed by these old-style graphs, compared to the new-style graphs shown below:






I've omitted broken ciphers (including RC4) from these graphs.

Some additional ciphers were "archived" by the eSTREAM committee at the end of Phase 2 of eSTREAM, even though they have not been broken:

These "archived" ciphers are omitted from the following graphs:






I presented graphs of this type at the SASC 2006 workshop, comparing the speeds (and other features) of the 256-bit ciphers:

I also used an interactive tool to move around graphs similar to the graphs in the paper. Here's how to download and use the tool:
     wget https://cr.yp.to/streamciphers/timings/estreamdraw.c.20070120
     wget https://cr.yp.to/streamciphers/timings/machines.txt
     wget https://cr.yp.to/streamciphers/timings/ciphers-tograph.txt
     wget https://cr.yp.to/streamciphers/timings/olddatabase.txt
     cp estreamdraw.c.20070120 estreamdraw.c
     gcc -o estreamdraw estreamdraw.c \
     -I/usr/X11R6/include -L/usr/X11R6/lib -lXm -lX11 -lm
     cat machines.txt ciphers-tograph.txt olddatabase.txt | ./estreamdraw
Keyboard commands: q to quit, h and l to move x positions, j and k to select other ciphers, = and - to select or deselect a second cipher, o and O to add or subtract overhead, [ and ] and space to switch among graphs.

Here is an updated comparison paper for the phase-3 software ciphers:

Old-style database

The old-style database is in a format designed for easy computer processing. Each line in the database has four space-separated words:
  1. Operation measured; e.g., cipher1500 for setting up a nonce and encrypting 1500 bytes.
  2. Computer; e.g., katana.
  3. Key bits and cipher, separated by a dot; e.g., 128.ABCv3.
  4. Cycles per byte; e.g., 2.76.

The old-style database was extracted from a collection of old-style reports. The old-style reports were designed for web-browser viewing rather than computer processing.

See the official eSTREAM web site for additional reports collected by Christophe De Canniere.

Generating old-style reports, data, and graphs

To generate reports on one machine using the old toolkit:
     wget https://cr.yp.to/streamciphers/timings/estreambench-20080905.tar.bz2
     bunzip2 < estreambench-20080905.tar.bz2 | tar -xf -
     cd estreambench-20080905
     chmod +x start scripts/*
     (echo '';echo '';echo '';echo '';echo '') | scripts/configure
     cd reports-`hostname`
     (../scripts/run; echo y|../scripts/collect) > run.log 2>&1 </dev/null &
Several machines sharing a network filesystem can run simultaneously inside the same trunk-* directory, each using its own reports directory.

To convert reports into data and graphs (on a system with gnuplot and netpbm installed), first download my conversion tools and cipher list into the directory that contains the trunk-* directory:

     wget https://cr.yp.to/streamciphers/timings/ciphers-tograph.txt
     wget https://cr.yp.to/streamciphers/timings/ciphers-focus.txt
     wget https://cr.yp.to/streamciphers/timings/machines.txt.do
     wget https://cr.yp.to/streamciphers/timings/olddatabase.txt.do
     wget https://cr.yp.to/streamciphers/timings/machinespeed.txt.do
     wget https://cr.yp.to/streamciphers/timings/machinedesc.txt
     wget https://cr.yp.to/streamciphers/timings/cipherspeed.txt.do
     wget https://cr.yp.to/streamciphers/timings/onegraph.do
     wget https://cr.yp.to/streamciphers/timings/oldgraphs.do
     wget https://cr.yp.to/streamciphers/timings/oldgraphs-focus.do
Then convert the reports into data, build sorted lists of machines and ciphers, and convert the data into graphs:
     sh machines.txt.do
     sh olddatabase.txt.do
     sh machinespeed.txt.do
     sh cipherspeed.txt.do
     sh oldgraphs.do
     sh oldgraphs-focus.do

Here are various versions of the old toolkit:

New-style graphs

The following array of graphs reports cycle counts for secret-key cryptography: specifically, for (authenticated) encryption of packets, (verified) decryption of packets, and rejection of forged packets.

Rows in the array are authenticated-encryption systems. Columns in the array are computers. Within each graph, the horizontal axis is packet length, between 0 bytes and 8192 bytes. The vertical axis is time, between 0 cycles and 98304 cycles. The diagonal from the lower left corner of the graph to the upper right corner is 12 cycles per byte.

For most ciphers, there are two visible black lines stretching across each graph. The higher line shows the time for encryption and decryption. The lower line shows the time for rejection. This separation is not visible for unified systems where rejection and decryption take the same amount of time, such as phelix:256,128,128.

Each system is timed repeatedly, with the results superimposed on the same graph. Faint "shadow" lines above the original lines often indicate cache misses in the initial timings. "Blurry" lines often indicate time variability from data-dependent array indexing.

For some ciphers, multiple colors spread from the higher line up to a curve stretching partway across the graph. These points indicate the time for encrypting packets of {0,1,...,2048} bytes using a random key from a pool of 8192 active keys; the time for encrypting packets of {0,1,...,1920} bytes using a random key from a pool of 4096 active keys; the time for encrypting packets of {0,1,...,1792} bytes using a random key from a pool of 2048 active keys; etc.

Broken graph links and empty graphs can be produced by systems that have no working implementations, by systems where all the working implementations were too slow, by systems where the fastest apparently-working implementation turned out not to work, or by systems that were added later to the benchmark suite.

Columns (computers):
  amd64 2000MHz (one of two CPU cores) AMD Athlon 64 X2 (15,75,2) owned by UIC named mace
  amd64 2137MHz (one of two CPU cores) Intel Core 2 Duo (6f6) owned by UIC named katana
  amd64 3000MHz Intel Pentium 4 (f43) owned by TU/e named pclin153
  ia64 1600MHz (one of two CPUs) HP Itanium II owned by HP named td160
  ppc32 533MHz (one of two CPUs) Motorola PowerPC G4 7410 owned by UIC named gggg
  sparcv9 900MHz (one of eight CPUs) Sun UltraSPARC III owned by UIC named icarus
  x86 900MHz AMD Athlon (622) owned by UIC named thoth
  x86 1000MHz Intel Pentium III (68a) owned by UIC named neumann
  x86 1400MHz (one of two CPUs) Intel Pentium III (6b1) owned by HP named td158
  x86 2137MHz (one of two CPU cores) Intel Core 2 Duo (6f6) owned by UIC named katana-x86
  x86 2800MHz (one of two CPUs) Intel Xeon (f29) owned by TU/e named poema
  x86 3000MHz (one of eight CPUs) Intel Xeon (f26) owned by HP named td185
  x86 3000MHz Intel Pentium 4 (f41) owned by TU/e named pclin118
  x86 3400MHz Intel Pentium 4 (f29) owned by UIC named shellold

Rows (authenticated-encryption systems). Each row has one graph per computer, labelled mace katana pclin153 td160 gggg icarus thoth neumann td158 katana-x86 poema td185 pclin118 shell:

  abc-v3-hmacmd5:128,128
  aes-128-hmacmd5:128,128
  aes-256-hmacmd5:256,128
  cryptmt-v2-hmacmd5:256,128
  dicing-v2-hmacmd5:256,128
  dragon-hmacmd5:256,128
  grain-v1-hmacmd5:80,64
  grain-128-hmacmd5:128,96
  hc-128-hmacmd5:128,128
  hc-256-hmacmd5:256,128
  lex-v1-hmacmd5:128,128
  mir-1-hmacmd5:128,64
  nls:128,128,128
  nls-hmacmd5:128,128
  phelix:256,128,128
  py6-hmacmd5:256,128
  py-hmacmd5:256,128
  pypy-hmacmd5:256,128
  rabbit-hmacmd5:128,64
  salsa20-8-hmacmd5:256,64
  salsa20-12-hmacmd5:256,64
  salsa20-hmacmd5:256,64
  snow-2.0-hmacmd5:256,128
  sosemanuk-hmacmd5:256,128
  trivium-hmacmd5:80,80
  yamb-hmacmd5:256,128

  abc-v3-poly1305:128,128
  aes-128-poly1305:128,128
  aes-256-poly1305:256,128
  cryptmt-v2-poly1305:256,128
  dicing-v2-poly1305:256,128
  dragon-poly1305:256,128
  grain-v1-poly1305:80,64
  grain-128-poly1305:128,96
  hc-128-poly1305:128,128
  hc-256-poly1305:256,128
  lex-v1-poly1305:128,128
  mir-1-poly1305:128,64
  nls:128,128,128
  nls-poly1305:128,128
  phelix:256,128,128
  py6-poly1305:256,128
  py-poly1305:256,128
  pypy-poly1305:256,128
  rabbit-poly1305:128,64
  rc4-poly1305:256,0
  salsa20-8-poly1305:256,64
  salsa20-12-poly1305:256,64
  salsa20-poly1305:256,64
  snow-2.0-poly1305:256,128
  sosemanuk-poly1305:256,128
  trivium-poly1305:80,80
  yamb-poly1305:256,128

  abc-v3-umac128:128,128
  aes-128-umac128:128,128
  aes-256-umac128:256,128
  cryptmt-v2-umac128:256,128
  dicing-v2-umac128:256,128
  dragon-umac128:256,128
  grain-v1-umac128:80,64
  grain-128-umac128:128,96
  hc-128-umac128:128,128
  hc-256-umac128:256,128
  lex-v1-umac128:128,128
  mir-1-umac128:128,64
  nls:128,128,128
  nls-umac128:128,128
  phelix:256,128,128
  py6-umac128:256,128
  py-umac128:256,128
  pypy-umac128:256,128
  rabbit-umac128:128,64
  salsa20-8-umac128:256,64
  salsa20-12-umac128:256,64
  salsa20-umac128:256,64
  snow-2.0-umac128:256,128
  sosemanuk-umac128:256,128
  trivium-umac128:80,80
  yamb-umac128:256,128

  abc-v3-vmac128:128,128
  aes-128-vmac128:128,128
  aes-256-vmac128:256,128
  cryptmt-v2-vmac128:256,128
  dicing-v2-vmac128:256,128
  dragon-vmac128:256,128
  grain-v1-vmac128:80,64
  grain-128-vmac128:128,96
  hc-128-vmac128:128,128
  hc-256-vmac128:256,128
  lex-v1-vmac128:128,128
  mir-1-vmac128:128,64
  nls:128,128,128
  nls-vmac128:128,128
  phelix:256,128,128
  py6-vmac128:256,128
  py-vmac128:256,128
  pypy-vmac128:256,128
  rabbit-vmac128:128,64
  salsa20-8-vmac128:256,64
  salsa20-12-vmac128:256,64
  salsa20-vmac128:256,64
  snow-2.0-vmac128:256,128
  sosemanuk-vmac128:256,128
  trivium-vmac128:80,80
  yamb-vmac128:256,128

My SASC 2007 paper presented some of these graphs:

Comparing median-cycle-count graphs

At SASC 2007 I used a fast graphing tool to superimpose and compare median-cycle-count graphs. The median-cycle-count graphs don't show how cycle counts are distributed around the median but are otherwise similar to the new-style graphs shown above. Here's a sample screenshot from the tool:

The tool requires a local copy of the median-cycle-count database (a few hundred megabytes). Here's how to download the database, download the graphing tool, and use the graphing tool:

     wget https://cr.yp.to/streamciphers/timings/viz/median2ram.c
     wget https://cr.yp.to/streamciphers/timings/viz/rams.do
     wget https://cr.yp.to/streamciphers/timings/viz/AESCHEMES
     wget https://cr.yp.to/streamciphers/timings/viz/MACHINES
     wget https://cr.yp.to/streamciphers/timings/viz/viz.c
     wget https://cr.yp.to/streamciphers/timings/viz/font.h
     wget https://cr.yp.to/streamciphers/timings/viz/font.c
     wget https://cr.yp.to/streamciphers/timings/medians.tar
     tar -xf medians.tar
     gcc -o median2ram median2ram.c -O3 -fomit-frame-pointer
     gcc -o viz viz.c font.c -O3 -fomit-frame-pointer -lX11 -lm
     sh rams.do
     cat AESCHEMES MACHINES | ./viz

New-style database

The new-style database is in a format designed for easy computer processing. Each line in the database has the following series of space-separated words:
  1. Version of the ciphercycles toolkit; e.g., 20070116.
  2. Computer; e.g., katana.
  3. Date when the timings were collected; e.g., 20070117.
  4. Authenticated-encryption system; e.g., aes-128-poly1305.
  5. System version; e.g., 1.
  6. System parameters; e.g., 128,128.
  7. System tuning; e.g., amd64-2.
  8. Compiler; e.g., gcc_-O3_-fomit-frame-pointer.
  9. Compiler version; e.g., 4.0.3_(Ubuntu_4.0.3-1ubuntu5).
  10. Poly1305 tuning; e.g., poly1305_53x.
  11. Operation measured; e.g., encrypt.
  12. Plaintext bytes; e.g., 2048.
  13. Number of active keys; e.g., 16384.
  14. Type of measurement; e.g., cycles.
  15. Implementation of cpucycles; e.g., amd64cpuinfo.
  16. Median measurement; e.g., 41112.
  17. All measurements; e.g., 42416 41112 41152 41064 40536 41152 41168 41160 40984 41008 41208 41264 41112 41048 41008.
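
A sketch of reading one new-style database line, added here as an example (it is not part of the ciphercycles toolkit). It checks the stored median against the listed measurements and relates the result to the graphs' 12-cycles-per-byte diagonal. The sample line is assembled from the "e.g." values in the list above; the names Timing, parse_line and summarize are hypothetical.

```python
from dataclasses import dataclass
from statistics import median_high, median_low

HEAD_WORDS = 16               # words 1-16 are fixed; word 17 onward are the runs
DIAGONAL_CPB = 98304 / 8192   # diagonal of the new-style graphs: 12 cycles/byte

# Assembled from the "e.g." values in the field list; not a real database line.
SAMPLE_LINE = (
    "20070116 katana 20070117 aes-128-poly1305 1 128,128 amd64-2 "
    "gcc_-O3_-fomit-frame-pointer 4.0.3_(Ubuntu_4.0.3-1ubuntu5) poly1305_53x "
    "encrypt 2048 16384 cycles amd64cpuinfo 41112 "
    "42416 41112 41152 41064 40536 41152 41168 41160 40984 41008 "
    "41208 41264 41112 41048 41008"
)


@dataclass(frozen=True)
class Timing:
    toolkit: str
    computer: str
    collected: str
    system: str
    system_version: str
    parameters: str
    tuning: str
    compiler: str
    compiler_version: str
    poly1305_tuning: str
    operation: str
    plaintext_bytes: int
    active_keys: str          # kept as text: the median extract uses "-" here
    measurement_type: str
    cpucycles: str
    median: int
    runs: tuple


def parse_line(line):
    """Split one line into its 17 fields and verify the stored median."""
    words = line.split()
    if len(words) <= HEAD_WORDS:
        raise ValueError("expected 16 fixed words plus at least one measurement")
    head = words[:HEAD_WORDS]
    runs = tuple(int(w) for w in words[HEAD_WORDS:])
    rec = Timing(*head[:11], int(head[11]), *head[12:15], int(head[15]), runs)
    # With an even number of runs either middle value is accepted (assumption:
    # the page only shows an odd-length example).
    if not median_low(runs) <= rec.median <= median_high(runs):
        raise ValueError("stored median does not match the listed measurements")
    return rec


def summarize(rec):
    """Derive per-packet figures that correspond to features of the graphs."""
    later = rec.runs[1:] or rec.runs
    cpb = rec.median / rec.plaintext_bytes if rec.plaintext_bytes else None
    return {
        "cycles_per_byte": cpb,
        # True when the point lies above the 12 cycles/byte diagonal.
        "above_diagonal": cpb is not None and cpb > DIAGONAL_CPB,
        # How far the first timing sits above the median (the "shadow" lines).
        "first_run_excess": rec.runs[0] - rec.median,
        # Range of the remaining timings in cycles (how "blurry" the line is).
        "spread_cycles": max(later) - min(later),
    }


if __name__ == "__main__":
    print(summarize(parse_line(SAMPLE_LINE)))
```
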

The new-style database is large (several gigabytes). A relatively small median-cycle-count database (a few hundred megabytes) was extracted from the new-style database and is now available for download:

     wget https://cr.yp.to/streamciphers/timings/medians.tar
     tar -xf medians.tar
The extract is in a format designed for easy computer processing. Each line in the extract has the following series of space-separated words:
  1. Operation measured; e.g., encrypt.
  2. Plaintext bytes; e.g., 576.
  3. Number of active keys; e.g., 8192. Can also be - for a single-key test.
  4. Median cycle count; e.g., 10272.
The extract is split across many files in several directories. Directories are labelled by toolkit version and computer. Files are labelled by computer, authenticated-encryption system, and system parameters.
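
An added example (not one of the page's tools) that reads lines in the extract format and measures how much an encryption slows down when the key comes from a pool of active keys rather than a single key. Only the line "encrypt 576 8192 10272" uses the page's example values; the other sample lines are constructed, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample in the four-word extract format described above.
SAMPLE_EXTRACT = """\
encrypt 576 - 5136
encrypt 576 2048 6420
encrypt 576 8192 10272
encrypt 1500 - 12000
encrypt 1500 8192 18000
encrypt 64 4096 2100
"""


def parse_extract(text):
    """Return (operation, bytes, active_keys or None, median_cycles) tuples."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        words = line.split()
        if not words:
            continue
        if len(words) != 4:
            raise ValueError(f"line {lineno}: expected 4 words, got {len(words)}")
        operation, nbytes, keys, cycles = words
        # "-" marks a single-key test; represent it as None.
        pool = None if keys == "-" else int(keys)
        rows.append((operation, int(nbytes), pool, int(cycles)))
    return rows


def key_pool_cost(rows, operation="encrypt"):
    """Map (bytes, active_keys) to (extra cycles, ratio) versus the single-key test."""
    baseline = {}
    pooled = defaultdict(dict)
    for op, nbytes, keys, cycles in rows:
        if op != operation:
            continue
        if keys is None:
            baseline[nbytes] = cycles
        else:
            pooled[nbytes][keys] = cycles

    result = {}
    for nbytes, by_keys in pooled.items():
        single = baseline.get(nbytes)
        if not single:
            # No single-key measurement at this length: nothing to compare to.
            continue
        for keys, cycles in sorted(by_keys.items()):
            result[(nbytes, keys)] = (cycles - single, cycles / single)
    return result


if __name__ == "__main__":
    for (nbytes, keys), (extra, ratio) in key_pool_cost(
        parse_extract(SAMPLE_EXTRACT)
    ).items():
        print(f"{nbytes:5d} bytes, {keys:5d} keys: +{extra} cycles ({ratio:.2f}x)")
```
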

Generating new-style data and graphs

To generate data and graphs on one machine using the new toolkit:
     wget https://cr.yp.to/streamciphers/timings/ciphercycles-20070205.tar.bz2
     bunzip2 < ciphercycles-20070205.tar.bz2 | tar -xf -
     cd ciphercycles-20070205
     ./do &
Output is in the 20070205-host directory: *:output.gz for the data (one file for each cipher), *.png for graphs (assuming that the pnmtopng program from the netpbm package is installed), *:notes.gz for cipher-specific notes, and :notes for general notes.

Notes on resource use: Version 20070128 takes 610 minutes on katana; 738 minutes on shellold; 769 minutes on td160; 781 minutes on mace; 878 minutes on pclin153; 1567 minutes on neumann; 1726 minutes on poema; 1929 minutes on pclin118; and 3210 minutes on icarus. Version 20070205 is faster; it omits broken ciphers.

Here are all versions of the new toolkit:

Future timings

More CPUs. The existing benchmark toolkit should be run on more machines.

More levels of instruction-cache competition. The toolkit should systematically measure encryption times with different amounts of competition for instruction-cache space. Instruction-cache misses are expensive; a cipher that doesn't leave room in cache for the rest of the network stack might do well on benchmarks but will do badly in real-world tests. Right now the toolkit doesn't even do a crude code-size measurement.

More communication costs. The current benchmarks show that some ciphers are dramatically slowed down when many keys are active. The obvious explanation is the cache-miss cost of loading an expanded key that isn't in cache. What about the cache-miss cost of loading a message that isn't in cache? This should be measured even if it doesn't interact with the choice of cipher.

Cipher software for more platforms. eSTREAM has done a fantastic job of encouraging authors to write and publish stream-cipher implementations suitable for benchmarking. But these are implementations for big CPUs (e.g., a Pentium) used in laptops, servers, etc.; most of them won't work on small CPUs (e.g., an 8051) used in embedded systems. The performance picture for small CPUs, like the performance picture for FPGAs and ASICs, is horribly unclear.

I can easily imagine a benchmarking toolkit aimed at small CPUs, built on top of a cycle-accurate small-CPU simulator. But who will implement all the stream ciphers for all these CPUs? Maybe an automatic code translator would work for small ciphers, but fitting large ciphers into limited RAM will be a struggle.

Cipher software for additional security requirements. Users who aren't happy with 80-bit security can easily find encryption software labelled as providing 128-bit security. Users who aren't happy with 128-bit security can easily find encryption software labelled as providing 256-bit security. But what about users who aren't happy with timing leaks? There's a limited selection of software protected against timing attacks. Nobody has written Py software protected against timing attacks, for example, so it isn't possible to see how much slowdown is caused by this protection.

Automatic benchmarking of new and updated software. Cipher authors can and generally do write software that fits the API of the benchmarking toolkit. It would be nice to have the software magically timed on a wide variety of machines.

What happens today falls far short of this goal. The toolkit author manually includes the new software in the toolkit and posts the new toolkit. Someone manually starts the new toolkit on each of the benchmark machines. Manual intervention means considerable latency: benchmark reports are often months or years out of date.

There's no reason for this manual effort. The benchmark machines should automatically run new software, subject to security constraints (each cipher should be confined to its own sandbox) and resource limits.

Credits

There have been several efforts to unify stream-cipher implementations under a common API for benchmarking. Markus Dichtl and Eli Biham specified an API in 2002 as an official part of the NESSIE project. Christophe De Canniere specified a revised API in 2005 as an official part of ECRYPT's eSTREAM project. I specified a new API in 2007 as a contribution to eSTREAM.

Each of us wrote a corresponding toolkit for benchmarking ciphers that matched the API. The NESSIE and eSTREAM toolkits produced old-style reports; I wrote tools to convert the old-style reports into the old-style database and the old-style graphs. My toolkit, ciphercycles, produces the new-style database and new-style graphs.

Almost all of the eSTREAM submissions were accompanied by reference implementations within the official eSTREAM API. Quite a few improved implementations were added later. Most of the implementations were written by the cipher authors. Some exceptions: the original AES implementation was from Brian Gladman; I contributed faster AES code; I'm aware of contributions from Christophe De Canniere to quite a few cipher implementations.