What AES ciphers to use between CBC, GCM, CCM, Chacha-Poly?


TL;DR If you only have 5 seconds to pick only one, go with AES-GCM. Most systems/libraries do both AES-GCM and ChaCha20-Poly1305 out-of-the-box.

AES-GCM (Galois Counter Mode)

ChaCha20-Poly1305

  • A separate cipher algorithm. No relation to AES.
  • Designed to be fast, using operations and general construction that are efficient to execute on CPU.
  • Widely used and widely adopted.
  • Was pushed and adopted remarkably quickly, notably by CloudFlare, to improve mobile performance.
  • Can be 3-5 times faster than AES-GCM on processors (ARM/mobile) that do not have dedicated AES instructions (see performance section).
  • RFC 7905 year 2016 https://tools.ietf.org/html/rfc7905

AES-CCM (Counter with CBC-MAC)

  • Alternative to GCM mode.
  • Available in OpenSSL as of TLS 1.3 (2018), but disabled by default.
  • Two AES computations per block, thus expected to be somewhat slower than AES-GCM.
  • RFC 6655 year 2012 https://tools.ietf.org/html/rfc6655
  • Much lower adoption, probably because it came after GCM and offer no significant benefit.

AES-CBC

  • First historic block cipher for AES.
  • CBC mode is insecure and must not be used. It’s been progressively deprecated and removed from SSL libraries.
  • Introduced with TLS 1.0 year 2002. Superseded by GCM in TLS 1.2 year 2008. Removed in TLS 1.3 year 2018.
  • RFC 3268 year 2002 https://tools.ietf.org/html/rfc3268

Performance considerations (rough numbers)

  • A stream cypher can typically encrypt at 100 Mbps to 1000 Mbps of data, pinning a core at 100% usage.
  • Vary with CPU speed, implementation, AES128 vs AES256. Bear in mind that application have application code to run, besides encryption.
  • A server typically handles multiple connections in parallel over multiple cores (thread/process pool), so maximum capacity is a multiple of the number above.
  • TLS performance is a real world concern for any system doing 1 Gbps and upward.
  • Recent x64 CPU (from Intel core 4xxx [*] / AMD Bulldozer) have dedicated hardware instructions (AES-NI) computing AES-GCM 2-10 times faster.
  • ChaCha20-Poly1305 is much faster than AES on systems that do not have AES hardware (anything mobile or ARM).

[*] Intel heavily segments features (AES-NI) by market range (i7 high-end, i3 low-end, M laptops, etc…) so check the datasheet for support in older CPU. https://ark.intel.com/content/www/us/en/ark.html