This project has moved and is read-only. For the latest updates, please go here.

Newer Encryption standards and Co-Processor/GPU Acceleration

Topics: Feature Requests
Nov 20, 2014 at 10:03 PM
I wanted to know if you plan on adding three-fish and the other newer generation of encryption along with adding support for Xeon Phi and GPU acceleration.
Nov 20, 2014 at 10:43 PM
Nothing is planned yet on this. It is not always a good idea to include every brand new algorithm (Threefish is quiet young and some interesting attacks on its reduced form were found lately). It is important to give some time for additional reviews and studies, especially knowing that the current algorithms offer a very good level of security.

As for the hardware side, adding support for new CPU capabilities will be added depending on the real need and its popularity. Usually, this kind of hardware integration can take up to a year to complete, so it's necessity to study all potential benefits before investing so much time and effort. The case of the AES integration is a good example as it was clear at the time that the benefits will be huge and Intel decided to include it in most of its recent CPUs.

The GPU acceleration for disk encryption has been studied long time ago (This 2009 paper is the most popular) and while it certainly will bring a huge performance gain, it is something difficult to implement in a robust and reliable way and the hardware compatibility is a big headache. At this stage, I don't think GPU support will ever be included but we keep the door open especially with regards to external contributions on this.
Nov 20, 2014 at 11:09 PM
Edited Nov 20, 2014 at 11:11 PM
What about Intel Xeon Phi co-processor? shouldn't that be easy to implement? In the next year or so, I personally would be interested using PCI-E SSDs as encrypted volumes but the speed would still be throttled with cascading encryption on a dual socket HEDT


Does the fact that its x86/64bit not make it easy to implement?
Nov 20, 2014 at 11:40 PM
Indeed the Xeon Phi coprocessor is very interesting for parallel programming and vectorization. I'm no expert on this CPU and I never had one but my understanding is that the logic of a program should be modified to be more vector friendly and to change the memory handling in order to benefit from all the capabilities of this CPU. This would me an overhaul of the current internal architecture to accommodate these constraints which will force us to have two different sets of the internal engine depending on the hardware. At this stage, it seems far more costly to develop and maintain than let's say the support of the AES instruction.

Of course, I may be wrong in my assessment so don't hesitate, you or any reader, to correct me or propose other arguments.

Anyway, the cascade encryption comes with a big performance price and we certainly need to think of way to optimize it.
Nov 21, 2014 at 12:15 AM
Even any support would really help performance in my eyes. A Xeon Phi would be multitudes better then a standard 8 core CPU. Is one of the larger issues with adding support is not having access to one? I bet you could get Intel to send you one for testing. Worse case if your serious on adding Xeon Phi to your support I might considering just lending you one down the road if it means you'll actually support it.
Nov 21, 2014 at 10:03 PM
Thank you for your proposal.
The issue is the limited development resources compared to all needed features. So, we have to manage priorities.
The top most needed feature now is the support of UEFI and GPT partitions. Without it, full system encryption can't be used on all recent machines. This is a very challenging technically and it is difficult to say when it will be completely supported.

Adding support for new CPU features like in Xeon Phi is also important and we will eventually work on it.
Nov 21, 2014 at 10:42 PM
no problem at all. I understand exactly the issue. I just wanted to make sure there wasn't anything I could do. I didn't even know UEFI and GPT were not even supported at the moment. That definitely is a higher priority :) I would assume then the new command line stuff i have read about being worked on for PCI-E cards is not even available? Is it MVE or something like that?