com.sun.crypto.provider.GHASH performance fix

Anthony Scarpino anthony.scarpino at oracle.com
Thu Jan 15 20:14:03 UTC 2015


Florian had posted months back about it giving 10x improvement. 

Hardware acceleration is an separate project as it is mostly changes to hotspot. 

Tony

> On Jan 15, 2015, at 11:31 AM, Michael StJohns <mstjohns at comcast.net> wrote:
> 
> Just for curiosity, what was the improvement in performance?
> 
> I'm wondering if it might be worthwhile to see if its possible to add a plugin to use the hardware instructions:
> 
> http://www.intel.com/content/dam/www/public/us/en/documents/white-papers/communications-ia-galois-counter-mode-paper.pdf
> 
> Mike
> 
> At 06:10 AM 1/15/2015, Florian Weimer wrote:
>>> On 08/18/2014 02:32 PM, Florian Weimer wrote:
>>> This change addresses a severe performance regression, first introduced
>>> in JDK 8, triggered by the negotiation of a GCM cipher suite in the TLS
>>> implementation.  This regression is a result of the poor performance of
>>> the implementation of the GHASH function.
>>> 
>>> I first tried to eliminate just the allocations in blockMult while still
>>> retaining the byte arrays.  This did not substantially increase
>>> performance in my micro-benchmark.  I then replaced the 16-byte arrays
>>> with longs, replaced the inner loops with direct bit fiddling on the
>>> longs, eliminated data-dependent conditionals (which are generally
>>> frowned upon in cryptographic algorithms due to the risk of timing
>>> attacks), and split the main loop in two, one for each half of the hash
>>> state.  This is the result:
>>> 
>>>  <https://fweimer.fedorapeople.org/openjdk/ghash-performance/>
>> 
>> Updated webrev: <http://cr.openjdk.java.net/~fweimer/ghash/webrev.00/>
>> 
>> Anthony, could you file a bug so that I can include its number?  Thanks.
>> 
>> -- 
>> Florian Weimer / Red Hat Product Security
> 
> 


More information about the security-dev mailing list