Google has created an alternative disk and file encryption mode for low-end Android devices that don’t have enough computation power to use the Advanced Encryption Standard (AES).
For the new encryption scheme, dubbed Adiantum, Google used existing standards, ciphers and hashing functions, but combined them in a more efficient way.
Paul Crowley and Eric Biggers from the Android Security & Privacy Team noted that they have high confidence in the security of the scheme, which they laid out in this paper, along with the proof of security. (A more layman-friendly description of how the scheme works is provided in this blog post.)
“Today, Android offers storage encryption using the Advanced Encryption Standard (AES). Most new Android devices have hardware support for AES via the ARMv8 Cryptography Extensions. However, Android runs on a wide range of devices. This includes not just the latest flagship and mid-range phones, but also entry-level Android Go phones sold primarily in developing countries, along with smart watches and TVs,” Crowley and Biggers explained.
“In order to offer low cost options, device manufacturers sometimes use low-end processors such as the ARM Cortex-A7, which does not have hardware support for AES. On these devices, AES is so slow that it would result in a poor user experience; apps would take much longer to launch, and the device would generally feel much slower. So while storage encryption has been required for most devices since Android 6.0 in 2015, devices with poor AES performance (50 MiB/s and below) are exempt. We’ve been working to change this because we believe that encryption is for everyone.”
On ARM Cortex-A7 processors, Adiantum encryption and decryption is expected to be 5 times faster than AES-256-XTS. Still, AES is to be preferred on those devices that have hardware support for it.
“Generic and ARM-optimized implementations of Adiantum are available in the Android common kernels v4.9 and higher, and in the mainline Linux kernel v5.0 and higher,” the two concluded.
It is now on manufacturers to implement Adiantium in future releases of their low-end devices and, perhaps, to back-port it to existing devices that are already widely used.