Problems with AES-GCM native acceleration

Anthony Scarpino anthony.scarpino at oracle.com
Thu Nov 15 01:33:27 UTC 2018 

I agree with Adam that this is more of a tuning issue and not a problem 
with the crypto.  Sending multiple updates is a hack.

I've been aware of this bug for a while and I do not understand why this 
is a significant problem.  The stackoverflow comments say it takes 50 
seconds to trigger the intrinsic.  If this is a long running server 
application slowness for the first 50 seconds is trivial.  For smaller 
operations, those are commonly small transactions, not decrypting a 3GB 
file.

If it cannot be resolved by commandline options and this is occurring in 
a real world situation, please explain it fully.  If this is only for 
benchmarking, then that's not a real world situation.

Tony

On 11/14/18 8:41 AM, Adam Petcher wrote:
> I'm adding back in hotspot-dev, because this is a somewhat tricky topic 
> related to intrinsics and JIT. Hopefully, a Hotspot expert can correct 
> anything that I say below that is wrong, and suggest any solutions that 
> I missed.
> 
> The AES acceleration is implemented in a HotSpot intrinsic. In order for 
> it to kick in, the code must be JIT compiled by the VM. As I understand 
> it, this only happens to some particular method after it has been called 
> a certain number of times. The rules that determine this number are 
> somewhat complicated, but I think you can guarantee JIT in the default 
> configuration by calling a method 10,000 times.
> 
> The doFinal method calls the update method, so either one should trigger 
> the acceleration as long as you call it enough. Breaking the message up 
> into smaller chunks and calling update on each one works only because it 
> ends up calling the update method more. You should be able to trigger 
> the acceleration by calling doFinal more, too.
> 
> The reason why the workaround doesn't work with decryption is that the 
> decryption routine buffers the ciphertext and then decrypts it all at 
> the end. So calling update multiple times and then calling doFinal at 
> the end is essentially the same as calling doFinal once with the entire 
> ciphertext.
> 
> So here are some solutions that you may want to try:
> 
> 1) In your benchmark, run at least 10,000 "warmup" iterations of 
> whatever you are trying to do at the beginning, without timing it. This 
> is a good idea for benchmarks, anyway. If it helps, you can try using 
> smaller buffers in your "warmup" phase in order to get it to complete 
> faster.
> 
> 2) Try -XX:CompileThreshold=(some number smaller than 10000) as an 
> argument to java. This will make JIT kick in sooner across the board. 
> Obviously, this should be done carefully in production, since it will 
> impact the performance of the entire program.
> 
> 3) I haven't tried this, but running with an AOTed java.base module may 
> also help. See the section titled "Steps to generate and use an AOT 
> library for the java.base module" in the AOT JEP[1].
> 
> "Fixing" this issue in the JDK is non-trivial, because it gets into the 
> behavior of the VM and JIT. I don't really like the idea of modifying 
> doFinal (to break up the operation into multiple update calls) or 
> modifying the decryption operation (to decrypt immediately and buffer 
> plaintext) in order to work around this issue. Perhaps there is a better 
> way for the VM to handle cases like this, in which a method is not 
> called often, but the interpreted execution takes a long time to 
> complete when it is called. Perhaps a VM expert will have some 
> additional thoughts here.
> 
> [1] https://openjdk.java.net/jeps/295
> 
> On 11/14/2018 9:49 AM, Severin Gehwolf wrote:
>> Dropping hotspot-dev and adding security-dev.
>>
>> On Wed, 2018-11-14 at 14:39 +0200, Gidon Gershinsky wrote:
>>> Hi,
>>>
>>> We are working on an encryption mechanism at the Apache Parquet -
>>> that will enable efficient analytics on encrypted data by frameworks
>>> such as Apache Spark.
>>> https://github.com/apache/parquet-format/blob/encryption/Encryption.md
>>> https://www.slideshare.net/databricks/efficient-spark-analytics-on-encrypted-data-with-gidon-gershinsky 
>>>
>>>
>>> We came across an AES-related issue in the Java HostSpot engine that
>>> looks like a substantial problem for us in both Spark and Parquet
>>> workloads. The bug report had been accepted a while ago:
>>> https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8201633
>>>
>>> The fix should hopefully be rather straightforward though.
>>> Could you help us with that? I have a couple of small samples
>>> reproducing the problem.
>>>
>>> (If I'm writing to a wrong mailing list - I apologize, please point
>>> me in the right direction).
>>>
>>> Cheers, Gidon.

More information about the hotspot-dev mailing list