Adiantum is a new encryption algorithm for low-end smartphones, smartwatches, and other Android Pie devices that are too slow to use the Advanced Encryption Standard (AES) standard for storage encryption.

According to Google, using AES on older, ARMv7-based devices does not provide the performance required for encrypting storage without impairing the user experience. For this reason those devices have been exempted from implementing storage encryption altogether, which is otherwise a requirement for all Android devices. Adiantum aims to change that by providing a cipher that only uses operations that all CPUs natively support, such as additions, rotations, and XORs.

Adiantum is a new form of encryption that we built specifically to run on phones and smart devices that don’t have the specialized hardware to use current methods to encrypt locally stored data efficiently. […] Adiantum will help secure our connected world by allowing everything from smartwatches to Internet-connected medical devices to encrypt sensitive data.

It is worth stressing out that, to overcome AES limitations, Google has been using the ChaCha20 stream cipher for HTTPS on low-end devices. Now, ChaCha is much faster than AES but cannot be directly used for disk encryption. This is due to the peculiarities of data storage and specifically the requirement of preserving the length of the data, since we want that each disk sector be encrypted exactly in a disk sector. So, Google designed Adiantum as an evolution of the ChaCha cipher supporting a length-preserving mode. In particular, Adiantum relies on a 12-round variant of ChaCha, where each round adds more confidence, instead of the 20-round variant that is more frequently used. Interestingly, ChaCha7, ChaCha 7-round variant, was broken in 2008, but no attack on ChaCha8 is known as of today. As Google remarks, the ratio of rounds used to rounds broken is better for ChaCha12 than it is for AES-256, which, along with the formal proof it has good security properties, make Adiantum developers highly confident in its security.

Speaking of performance, Adiantum has been measured being around 5x faster than AES-256-XTS on CPUs not providing hardware support for AES. But, AES is faster than Adiantum when running on newer CPUs with support for it. So, Google rule of thumb is using Adiantum on devices with AES performance <= 50 MiB/sec.