Credit to Author: Lily Hay Newman| Date: Thu, 07 Feb 2019 17:00:00 +0000
One of the easiest ways to protect your privacy and security on a smartphone is to set a passcode or biometric lock to enable disk encryption. That way if your phone gets lost or stolen, no one can take data off the device in a readable form. But not all smartphones—and tablets, and smartwatches, and so on—offer that protection. They don’t have the processing power to deal with resource-intensive encryption. So Google researchers have created a new encryption approach that’s faster and more efficient—and aims to bring data encryption protections to billions of Android users around the world.
The scheme, dubbed Adiantum, takes established cryptographic tools and principles that have been vetted by experts and implements them in a new, more efficient way. It aims to get full disk encryption running seamlessly on embedded devices without the latest and greatest hardware, giving users added security without slowing down apps or making the whole experience buggy.
“Privacy really shouldn’t be a luxury. It’s something that all users for all products of all shapes and sizes should be able to have,” says Dave Kleidermacher, who heads Android security. “There are many people for whom an expensive flagship phone is not an option, but to protect against an attacker or a thief getting access to your private information you have to encrypt that data.”
Since Android is open source and can be adapted for all sorts of devices, the Google researchers who worked on Adiantum say that they’re excited to see where the approach ends up. Google has already released versions of Adiantum in the Android kernel and Linux kernel (which Android is based on), plus a tailored version for ARM processors. All of which makes it easy to bake into not just phones but also a multitude of IoT devices that run versions of Android.
Android has required that smartphones support storage encryption since Android 6 in 2015, but low-end devices have remained exempt because the demand would significantly impact performance. And while robust encryption for low-resource devices was a largely ignored problem for a long time, standards bodies like the National Institute of Standards and Technology have recently started to take an interest in codifying new strategies.
It will be up to device manufacturers, though, to actually adopt Google's solution. The encryption exemption for low-resource IoT devices will remain for now. And manufacturers who implement Adiantum will likely largely focus on new devices going forward, though it could potentially be possible to add it retroactively to existing devices.
Adiantum is inspired by the ubiquitous Advanced Encryption Standard but is designed to reimagine some of AES’s labor-intensive aspects. Phone chips that can handle AES encryption currently all have a dedicated coprocessor, or cryptographic accelerator, specifically there for encryption computations. To speed things up, Adiantum largely leans on a different, but still widely known and vetted, encryption algorithm called ChaCha12.
Underneath the complicated technical details lie real gains; researchers say that Adiantum has proved to be about five times faster than Android's standard AES-256 implementation.
“We started work on this in late 2017 and published an initial paper in August," says Paul Crowley, a Google senior software engineer who led the development of Adiantum. "We know a lot about how secure these algorithms like ChaCha and AES are. They've been around for decades; they’ve had amazingly intense scrutiny. So we have a mathematical guarantee that if ChaCha is secure and AES is secure, then Adiantum is secure. We don’t have the same sort of worries as if we were designing a new process ourselves."
"The composition uses a well-understood approach and standard building blocks."
Cryptographer Steve Weis
Adiantum has gotten so far already because of Google's reputation, influence, and reach, but the work will receive more intense scrutiny and vetting now that it was officially published in a symmetric cryptology journal in December and will be presented at a major conference in March. Initial reactions to the paper are largely positive, though.
"The Google engineers did not reinvent the wheel by creating new low-level algorithms but instead found an efficient way to combine established algorithms in order to address an engineering problem," says Jean-Philippe Aumasson, CEO of the Swiss IoT encryption company Teserakt AG. "The design is solid, based on trusted components, and likely to adequately protect users of the products integrating this new algorithm."
The Google researchers says that they are confident in Adiantum's integrity, and they hope it will help call attention to the importance of storage encryption for IoT and other low-resource devices. In true Google fashion, they call Adiantum "encryption for the next billion users."
"The composition uses a well-understood approach and standard building blocks," says Steve Weis, an applied cryptographer who formerly worked at Facebook and Google. "I think after some battle testing, it will be a good, performant option."