[Semi-]off-line encryption

Michael StJohns mstjohns at comcast.net
Thu Sep 29 16:49:48 UTC 2016

On 9/29/2016 11:28 AM, Andrew Haley wrote:
> GCM allows most of the work in an encryption to be done offline (and
> ahead of time) by other processors, reducing latency and increasing
> throughput.  It'd be lovely if we could do this in Java, but I can't
> really see a way to fit this in to the platform security framework.
> We don't want to do this eagerly, because we don't know that more data
> will be encrypted and we don't want to speculate.
> However, if we had a hint that (say) a large stream would need to
> encrypt a megabyte of data at some time in the future we could
> precompute a megabyte of keystream.  Has anyone considered this?
> Andrew.

Um. No. You can make this work with CTR, but you can't with GCM. With CTR, you just encrypt a stream of zeroes to get an encryption stream and then XOR the encryption stream later with your actual plain text. GCM (and CCM) tend to compute the integrity tag in parallel with calculating the encryption stream. You'd have to still process all of the plain text (or cipher text) to get the integrity tag.
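
The following is an added example, not code from the thread or from OpenJDK, written against the standard JCE API since the question is about the Java platform. It shows the two halves of the point above: the AES-CTR keystream can be produced ahead of time by encrypting zeros and the online work is then a plain XOR, and for AES-GCM that same keystream gives the ciphertext half of the output but not the tag, which only exists once the whole ciphertext has been run through the authenticator. It assumes the SunJCE provider, a constructed 16-byte key and 12-byte nonce, and the NIST SP 800-38D rule that GCM with a 96-bit nonce encrypts the first plaintext block with the counter block nonce || 0x00000002 (so a CTR IV built that way yields the same keystream).

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class OfflineKeystreamDemo {

    // Constructed demo values only. A real system draws a fresh random nonce
    // per message and never reuses a (key, nonce) pair under CTR or GCM.
    static final byte[] KEY = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);  // 16 bytes
    static final byte[] NONCE = "nonce-000001".getBytes(StandardCharsets.US_ASCII);    // 12 bytes

    /** Offline step: encrypting zeros under AES-CTR yields the raw keystream. */
    static byte[] precomputeKeystream(byte[] key, byte[] ctrIv, int length) throws Exception {
        Cipher ctr = Cipher.getInstance("AES/CTR/NoPadding");
        ctr.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(ctrIv));
        return ctr.doFinal(new byte[length]);
    }

    /** Online step for CTR: one XOR per byte, no block cipher calls at all. */
    static byte[] xor(byte[] keystream, byte[] data) {
        byte[] out = new byte[data.length];
        for (int i = 0; i < data.length; i++) out[i] = (byte) (keystream[i] ^ data[i]);
        return out;
    }

    /** Reference: a direct AES-CTR encryption of the data, for comparison. */
    static byte[] ctrEncrypt(byte[] key, byte[] ctrIv, byte[] data) throws Exception {
        Cipher ctr = Cipher.getInstance("AES/CTR/NoPadding");
        ctr.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(ctrIv));
        return ctr.doFinal(data);
    }

    /** AES-GCM encryption; doFinal returns ciphertext followed by the 16-byte tag. */
    static byte[] gcmEncrypt(byte[] key, byte[] nonce, byte[] plaintext) throws Exception {
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, nonce));
        return gcm.doFinal(plaintext);
    }

    /** AES-GCM decryption; throws AEADBadTagException if the tag does not verify. */
    static byte[] gcmDecrypt(byte[] key, byte[] nonce, byte[] ciphertextAndTag) throws Exception {
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, nonce));
        return gcm.doFinal(ciphertextAndTag);
    }

    /** With a 96-bit nonce, GCM encrypts plaintext block i under counter nonce || (i + 2). */
    static byte[] gcmCounterIv(byte[] nonce) {
        byte[] iv = Arrays.copyOf(nonce, 16);  // nonce || 0x00000000
        iv[15] = 2;                            // nonce || 0x00000002
        return iv;
    }

    public static void main(String[] args) throws Exception {
        byte[] plaintext = "twelve crates arrive on the 0700 train".getBytes(StandardCharsets.US_ASCII);

        // Done ahead of time, before any plaintext is known: only the length is needed.
        byte[] ctrIv = gcmCounterIv(NONCE);
        byte[] keystream = precomputeKeystream(KEY, ctrIv, plaintext.length);

        // CTR: XOR against the precomputed keystream equals a direct CTR encryption.
        byte[] viaKeystream = xor(keystream, plaintext);
        byte[] viaCtr = ctrEncrypt(KEY, ctrIv, plaintext);
        System.out.println("CTR output equals precomputed XOR: " + Arrays.equals(viaKeystream, viaCtr));

        // GCM: the ciphertext half is that same keystream XOR plaintext, but the tag
        // appended after it is a function of the entire ciphertext and cannot be
        // precomputed from the keystream alone.
        byte[] gcmOut = gcmEncrypt(KEY, NONCE, plaintext);
        byte[] gcmCiphertext = Arrays.copyOf(gcmOut, plaintext.length);
        byte[] gcmTag = Arrays.copyOfRange(gcmOut, plaintext.length, gcmOut.length);
        System.out.println("GCM ciphertext equals precomputed XOR: " + Arrays.equals(viaKeystream, gcmCiphertext));
        System.out.println("GCM tag length (computed over the full ciphertext): " + gcmTag.length);

        // Why the tag matters: flip one ciphertext bit. CTR alone hands back a silently
        // corrupted plaintext; GCM's tag check rejects the message outright.
        byte[] tampered = gcmOut.clone();
        tampered[0] ^= 0x01;
        byte[] ctrOnly = xor(keystream, Arrays.copyOf(tampered, plaintext.length));
        System.out.println("CTR-only decrypt of tampered data: " + new String(ctrOnly, StandardCharsets.US_ASCII));
        try {
            gcmDecrypt(KEY, NONCE, tampered);
            System.out.println("GCM accepted tampered data (unexpected)");
        } catch (AEADBadTagException e) {
            System.out.println("GCM rejected tampered data: " + e.getMessage());
        }
    }
}
```

Run with `javac OfflineKeystreamDemo.java && java OfflineKeystreamDemo`. The two `equals` lines print `true`, which is the precomputable part; the last two lines are the part that is not, and the reason a precomputed keystream on its own is no substitute for the authenticated mode.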


More information about the security-dev mailing list