Huge performance optimizations by reusing cipher instances within the same thread.

Author: overheadhunter

README.md

@@ -24,9 +24,9 @@ public void encrypt() {
   byte[] decrypted = AES_SIV.decrypt(ctrKey, macKey, encrypted);
 }
 
-public void encryptWithAdditionalData() {
-  byte[] encrypted = AES_SIV.encrypt(ctrKey, macKey, "hello world".getBytes(), "additional".getBytes(), "data".getBytes());
-  byte[] decrypted = AES_SIV.decrypt(ctrKey, macKey, encrypted, "additional".getBytes(), "data".getBytes());
+public void encryptWithAssociatedData() {
+  byte[] encrypted = AES_SIV.encrypt(ctrKey, macKey, "hello world".getBytes(), "associated".getBytes(), "data".getBytes());
+  byte[] decrypted = AES_SIV.decrypt(ctrKey, macKey, encrypted, "associated".getBytes(), "data".getBytes());
 }
 ```
 
@@ -37,7 +37,7 @@ public void encryptWithAdditionalData() {
   <dependency>
     <groupId>org.cryptomator</groupId>
     <artifactId>siv-mode</artifactId>
-    <version>1.1.0</version>
+    <version>1.1.1</version>
   </dependency>
 </dependencies>
 ```

pom.xml

@@ -3,7 +3,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>org.cryptomator</groupId>
 	<artifactId>siv-mode</artifactId>
-	<version>1.1.0</version>
+	<version>1.1.1</version>
 
 	<name>SIV Mode</name>
 	<description>RFC 5297 SIV mode: deterministic authenticated encryption</description>

src/main/java/org/cryptomator/siv/SivMode.java

@@ -31,7 +31,7 @@ public final class SivMode {
 	private static final byte[] BYTES_ZERO = new byte[16];
 	private static final byte DOUBLING_CONST = (byte) 0x87;
 
-	private final BlockCipherFactory cipherFactory;
+	private final ThreadLocal<BlockCipher> threadLocalCipher;
 
 	/**
 	 * Creates an AES-SIV instance using JCE's cipher implementation, which should normally be the best choice.<br>
@@ -52,18 +52,25 @@ public BlockCipher create() {
 	}
 
 	/**
-	 * Creates an instance using a specific BlockCipher. If you want to use AES, just use the default constructor.
+	 * Creates an instance using a specific Blockcipher.get(). If you want to use AES, just use the default constructor.
 	 * 
-	 * @param cipherFactory A factory method creating a BlockCipher. Must use a block size of 128 bits (16 bytes).
+	 * @param cipherFactory A factory method creating a Blockcipher.get(). Must use a block size of 128 bits (16 bytes).
 	 */
-	public SivMode(BlockCipherFactory cipherFactory) {
+	public SivMode(final BlockCipherFactory cipherFactory) {
 		// Try using cipherFactory to check that the block size is valid.
 		// We assume here that the block size will not vary across calls to .create().
 		if (cipherFactory.create().getBlockSize() != 16) {
 			throw new IllegalArgumentException("cipherFactory must create BlockCipher objects with a 16-byte block size");
 		}
 
-		this.cipherFactory = cipherFactory;
+		this.threadLocalCipher = new ThreadLocal<BlockCipher>() {
+
+			@Override
+			protected BlockCipher initialValue() {
+				return cipherFactory.create();
+			}
+
+		};
 	}
 
 	/**
@@ -79,18 +86,18 @@ public static interface BlockCipherFactory {
 	 * @param ctrKey SIV mode requires two separate keys. You can use one long key, which is splitted in half. See https://tools.ietf.org/html/rfc5297#section-2.2
 	 * @param macKey SIV mode requires two separate keys. You can use one long key, which is splitted in half. See https://tools.ietf.org/html/rfc5297#section-2.2
 	 * @param plaintext Your plaintext, which shall be encrypted.
-	 * @param additionalData Optional additional data, which gets authenticated but not encrypted.
+	 * @param associatedData Optional associated data, which gets authenticated but not encrypted.
 	 * @return IV + Ciphertext as a concatenated byte array.
 	 * @throws IllegalArgumentException if keys are invalid or {@link SecretKey#getEncoded()} is not supported.
 	 */
-	public byte[] encrypt(SecretKey ctrKey, SecretKey macKey, byte[] plaintext, byte[]... additionalData) {
+	public byte[] encrypt(SecretKey ctrKey, SecretKey macKey, byte[] plaintext, byte[]... associatedData) {
 		final byte[] ctrKeyBytes = ctrKey.getEncoded();
 		final byte[] macKeyBytes = macKey.getEncoded();
 		if (ctrKeyBytes == null || macKeyBytes == null) {
 			throw new IllegalArgumentException("Can't get bytes of given key.");
 		}
 		try {
-			return encrypt(ctrKeyBytes, macKeyBytes, plaintext, additionalData);
+			return encrypt(ctrKeyBytes, macKeyBytes, plaintext, associatedData);
 		} finally {
 			Arrays.fill(ctrKeyBytes, (byte) 0);
 			Arrays.fill(macKeyBytes, (byte) 0);
@@ -103,12 +110,12 @@ public byte[] encrypt(SecretKey ctrKey, SecretKey macKey, byte[] plaintext, byte
 	 * @param ctrKey SIV mode requires two separate keys. You can use one long key, which is splitted in half. See https://tools.ietf.org/html/rfc5297#section-2.2
 	 * @param macKey SIV mode requires two separate keys. You can use one long key, which is splitted in half. See https://tools.ietf.org/html/rfc5297#section-2.2
 	 * @param plaintext Your plaintext, which shall be encrypted.
-	 * @param additionalData Optional additional data, which gets authenticated but not encrypted.
+	 * @param associatedData Optional associated data, which gets authenticated but not encrypted.
 	 * @return IV + Ciphertext as a concatenated byte array.
 	 * @throws IllegalArgumentException if the either of the two keys is of invalid length for the used {@link BlockCipher}.
 	 */
-	public byte[] encrypt(byte[] ctrKey, byte[] macKey, byte[] plaintext, byte[]... additionalData) {
-		final byte[] iv = s2v(macKey, plaintext, additionalData);
+	public byte[] encrypt(byte[] ctrKey, byte[] macKey, byte[] plaintext, byte[]... associatedData) {
+		final byte[] iv = s2v(macKey, plaintext, associatedData);
 
 		// Check if plaintext length will cause overflows
 		if (plaintext.length > (Integer.MAX_VALUE - 16)) {
@@ -125,7 +132,7 @@ public byte[] encrypt(byte[] ctrKey, byte[] macKey, byte[] plaintext, byte[]...
 		final long initialCtrVal = ctrBuf.getLong(8);
 
 		final byte[] x = new byte[numBlocks * 16];
-		final BlockCipher cipher = cipherFactory.create();
+		final BlockCipher cipher = threadLocalCipher.get();
 		cipher.init(true, new KeyParameter(ctrKey));
 		for (int i = 0; i < numBlocks; i++) {
 			final long ctrVal = initialCtrVal + i;
@@ -149,20 +156,20 @@ public byte[] encrypt(byte[] ctrKey, byte[] macKey, byte[] plaintext, byte[]...
 	 * @param ctrKey SIV mode requires two separate keys. You can use one long key, which is splitted in half. See https://tools.ietf.org/html/rfc5297#section-2.2
 	 * @param macKey SIV mode requires two separate keys. You can use one long key, which is splitted in half. See https://tools.ietf.org/html/rfc5297#section-2.2
 	 * @param ciphertext Your cipehrtext, which shall be decrypted.
-	 * @param additionalData Optional additional data, which needs to be authenticated during decryption.
+	 * @param associatedData Optional associated data, which needs to be authenticated during decryption.
 	 * @return Plaintext byte array.
 	 * @throws IllegalArgumentException If keys are invalid or {@link SecretKey#getEncoded()} is not supported.
-	 * @throws AEADBadTagException If the authentication failed, e.g. because ciphertext and/or additionalData are corrupted.
+	 * @throws AEADBadTagException If the authentication failed, e.g. because ciphertext and/or associatedData are corrupted.
 	 * @throws IllegalBlockSizeException If the provided ciphertext is of invalid length.
 	 */
-	public byte[] decrypt(SecretKey ctrKey, SecretKey macKey, byte[] ciphertext, byte[]... additionalData) throws AEADBadTagException, IllegalBlockSizeException {
+	public byte[] decrypt(SecretKey ctrKey, SecretKey macKey, byte[] ciphertext, byte[]... associatedData) throws AEADBadTagException, IllegalBlockSizeException {
 		final byte[] ctrKeyBytes = ctrKey.getEncoded();
 		final byte[] macKeyBytes = macKey.getEncoded();
 		if (ctrKeyBytes == null || macKeyBytes == null) {
 			throw new IllegalArgumentException("Can't get bytes of given key.");
 		}
 		try {
-			return decrypt(ctrKeyBytes, macKeyBytes, ciphertext, additionalData);
+			return decrypt(ctrKeyBytes, macKeyBytes, ciphertext, associatedData);
 		} finally {
 			Arrays.fill(ctrKeyBytes, (byte) 0);
 			Arrays.fill(macKeyBytes, (byte) 0);
@@ -175,13 +182,13 @@ public byte[] decrypt(SecretKey ctrKey, SecretKey macKey, byte[] ciphertext, byt
 	 * @param ctrKey SIV mode requires two separate keys. You can use one long key, which is splitted in half. See https://tools.ietf.org/html/rfc5297#section-2.2
 	 * @param macKey SIV mode requires two separate keys. You can use one long key, which is splitted in half. See https://tools.ietf.org/html/rfc5297#section-2.2
 	 * @param ciphertext Your ciphertext, which shall be encrypted.
-	 * @param additionalData Optional additional data, which needs to be authenticated during decryption.
+	 * @param associatedData Optional associated data, which needs to be authenticated during decryption.
 	 * @return Plaintext byte array.
 	 * @throws IllegalArgumentException If the either of the two keys is of invalid length for the used {@link BlockCipher}.
-	 * @throws AEADBadTagException If the authentication failed, e.g. because ciphertext and/or additionalData are corrupted.
+	 * @throws AEADBadTagException If the authentication failed, e.g. because ciphertext and/or associatedData are corrupted.
 	 * @throws IllegalBlockSizeException If the provided ciphertext is of invalid length.
 	 */
-	public byte[] decrypt(byte[] ctrKey, byte[] macKey, byte[] ciphertext, byte[]... additionalData) throws AEADBadTagException, IllegalBlockSizeException {
+	public byte[] decrypt(byte[] ctrKey, byte[] macKey, byte[] ciphertext, byte[]... associatedData) throws AEADBadTagException, IllegalBlockSizeException {
 		if (ciphertext.length < 16) {
 			throw new IllegalBlockSizeException("Input length must be greater than or equal 16.");
 		}
@@ -200,7 +207,7 @@ public byte[] decrypt(byte[] ctrKey, byte[] macKey, byte[] ciphertext, byte[]...
 		final long initialCtrVal = ctrBuf.getLong(8);
 
 		final byte[] x = new byte[numBlocks * 16];
-		final BlockCipher cipher = cipherFactory.create();
+		final BlockCipher cipher = threadLocalCipher.get();
 		cipher.init(true, new KeyParameter(ctrKey));
 		for (int i = 0; i < numBlocks; i++) {
 			final long ctrVal = initialCtrVal + i;
@@ -211,7 +218,7 @@ public byte[] decrypt(byte[] ctrKey, byte[] macKey, byte[] ciphertext, byte[]...
 
 		final byte[] plaintext = xor(actualCiphertext, x);
 
-		final byte[] control = s2v(macKey, plaintext, additionalData);
+		final byte[] control = s2v(macKey, plaintext, associatedData);
 
 		// time-constant comparison (taken from MessageDigest.isEqual in JDK8)
 		assert iv.length == control.length;
@@ -228,21 +235,20 @@ public byte[] decrypt(byte[] ctrKey, byte[] macKey, byte[] ciphertext, byte[]...
 	}
 
 	// Visible for testing, throws IllegalArgumentException if key is not accepted by CMac#init(CipherParameters)
-	byte[] s2v(byte[] macKey, byte[] plaintext, byte[]... additionalData) {
+	byte[] s2v(byte[] macKey, byte[] plaintext, byte[]... associatedData) {
 		// Maximum permitted AD length is the block size in bits - 2
-		if (additionalData.length > 126) {
+		if (associatedData.length > 126) {
 			// SIV mode cannot be used safely with this many AD fields
-			throw new IllegalArgumentException("too many Additional Data fields");
+			throw new IllegalArgumentException("too many Associated Data fields");
 		}
 
 		final CipherParameters params = new KeyParameter(macKey);
-		final BlockCipher cipher = cipherFactory.create();
-		final CMac mac = new CMac(cipher);
+		final CMac mac = new CMac(threadLocalCipher.get());
 		mac.init(params);
 
 		byte[] d = mac(mac, BYTES_ZERO);
 
-		for (byte[] s : additionalData) {
+		for (byte[] s : associatedData) {
 			d = xor(dbl(d), mac(mac, s));
 		}
 

src/test/java/org/cryptomator/siv/BenchmarkTest.java

@@ -23,7 +23,7 @@ public void runBenchmarks() throws RunnerException {
 				// Specify which benchmarks to run
 				.include(getClass().getPackage().getName() + ".*Benchmark.*")
 				// Set the following options as needed
-				.threads(2).forks(1) //
+				.threads(2).forks(2) //
 				.shouldFailOnError(true).shouldDoGC(true)
 				// .jvmArgs("-XX:+UnlockDiagnosticVMOptions", "-XX:+PrintInlining")
 				// .addProfiler(WinPerfAsmProfiler.class)

src/test/java/org/cryptomator/siv/EncryptionTestCase.java

@@ -75,7 +75,7 @@ public byte[] getPlaintext() {
 		return Arrays.copyOf(plaintext, plaintext.length);
 	}
 
-	public byte[][] getAdditionalData() {
+	public byte[][] getAssociatedData() {
 		final byte[][] result = new byte[additionalData.length][];
 
 		for (int i = 0; i < additionalData.length; i++) {

src/test/java/org/cryptomator/siv/SivModeBenchmark.java

@@ -11,10 +11,14 @@
 import java.util.Arrays;
 import java.util.concurrent.TimeUnit;
 
+import javax.crypto.AEADBadTagException;
+import javax.crypto.IllegalBlockSizeException;
+
 import org.bouncycastle.crypto.BlockCipher;
 import org.bouncycastle.crypto.engines.AESFastEngine;
 import org.bouncycastle.crypto.engines.AESLightEngine;
 import org.cryptomator.siv.SivMode.BlockCipherFactory;
+import org.junit.Assert;
 import org.openjdk.jmh.annotations.Benchmark;
 import org.openjdk.jmh.annotations.BenchmarkMode;
 import org.openjdk.jmh.annotations.Level;
@@ -25,22 +29,23 @@
 import org.openjdk.jmh.annotations.Setup;
 import org.openjdk.jmh.annotations.State;
 import org.openjdk.jmh.annotations.Warmup;
+import org.openjdk.jmh.infra.Blackhole;
 
 /**
  * Needs to be compiled via maven as the JMH annotation processor needs to do stuff...
  */
 @State(Scope.Thread)
-@Warmup(iterations = 2, time = 500, timeUnit = TimeUnit.MILLISECONDS)
+@Warmup(iterations = 3, time = 300, timeUnit = TimeUnit.MILLISECONDS)
 @Measurement(iterations = 2, time = 500, timeUnit = TimeUnit.MILLISECONDS)
 @BenchmarkMode(value = {Mode.AverageTime})
 @OutputTimeUnit(TimeUnit.MICROSECONDS)
 public class SivModeBenchmark {
 
 	private int run;
-	private final byte[] encKeyBuf = new byte[16];
-	private final byte[] macKeyBuf = new byte[16];
-	private final byte[] testData = new byte[8 * 1024];
-	private final byte[] adData = new byte[1024];
+	private final byte[] encKey = new byte[16];
+	private final byte[] macKey = new byte[16];
+	private final byte[] cleartextData = new byte[1000];
+	private final byte[] associatedData = new byte[100];
 
 	private final SivMode jceSivMode = new SivMode();
 	private final SivMode bcFastSivMode = new SivMode(new BlockCipherFactory() {
@@ -63,25 +68,37 @@ public BlockCipher create() {
 	@Setup(Level.Trial)
 	public void shuffleData() {
 		run++;
-		Arrays.fill(encKeyBuf, (byte) (run & 0xFF));
-		Arrays.fill(macKeyBuf, (byte) (run & 0xFF));
-		Arrays.fill(testData, (byte) (run & 0xFF));
-		Arrays.fill(adData, (byte) (run & 0xFF));
+		Arrays.fill(encKey, (byte) (run & 0xFF));
+		Arrays.fill(macKey, (byte) (run & 0xFF));
+		Arrays.fill(cleartextData, (byte) (run & 0xFF));
+		Arrays.fill(associatedData, (byte) (run & 0xFF));
 	}
 
 	@Benchmark
-	public void benchmarkJce() {
-		jceSivMode.encrypt(encKeyBuf, macKeyBuf, testData, adData);
+	public void benchmarkJce(Blackhole bh) throws AEADBadTagException, IllegalBlockSizeException {
+		byte[] encrypted = jceSivMode.encrypt(encKey, macKey, cleartextData, associatedData);
+		byte[] decrypted = jceSivMode.decrypt(encKey, macKey, encrypted, associatedData);
+		Assert.assertArrayEquals(cleartextData, decrypted);
+		bh.consume(encrypted);
+		bh.consume(decrypted);
 	}
 
 	@Benchmark
-	public void benchmarkBcFast() {
-		bcFastSivMode.encrypt(encKeyBuf, macKeyBuf, testData, adData);
+	public void benchmarkBcFast(Blackhole bh) throws AEADBadTagException, IllegalBlockSizeException {
+		byte[] encrypted = bcFastSivMode.encrypt(encKey, macKey, cleartextData, associatedData);
+		byte[] decrypted = bcFastSivMode.decrypt(encKey, macKey, encrypted, associatedData);
+		Assert.assertArrayEquals(cleartextData, decrypted);
+		bh.consume(encrypted);
+		bh.consume(decrypted);
 	}
 
 	@Benchmark
-	public void benchmarkBcLight() {
-		bcLightSivMode.encrypt(encKeyBuf, macKeyBuf, testData, adData);
+	public void benchmarkBcLight(Blackhole bh) throws AEADBadTagException, IllegalBlockSizeException {
+		byte[] encrypted = bcLightSivMode.encrypt(encKey, macKey, cleartextData, associatedData);
+		byte[] decrypted = bcLightSivMode.decrypt(encKey, macKey, encrypted, associatedData);
+		Assert.assertArrayEquals(cleartextData, decrypted);
+		bh.consume(encrypted);
+		bh.consume(decrypted);
 	}
 
 }

src/test/java/org/cryptomator/siv/SivModeTest.java

@@ -105,7 +105,7 @@ public void testDecryptWithInvalidBlockSize() throws AEADBadTagException, Illega
 	}
 
 	@Test(expected = IllegalArgumentException.class)
-	public void testEncryptAdditionalDataLimit() {
+	public void testEncryptAssociatedDataLimit() {
 		final byte[] ctrKey = new byte[16];
 		final byte[] macKey = new byte[16];
 		final byte[] plaintext = new byte[30];
@@ -114,7 +114,7 @@ public void testEncryptAdditionalDataLimit() {
 	}
 
 	@Test(expected = IllegalArgumentException.class)
-	public void testDecryptAdditionalDataLimit() throws AEADBadTagException, IllegalBlockSizeException {
+	public void testDecryptAssociatedDataLimit() throws AEADBadTagException, IllegalBlockSizeException {
 		final byte[] ctrKey = new byte[16];
 		final byte[] macKey = new byte[16];
 		final byte[] plaintext = new byte[80];
@@ -438,7 +438,7 @@ public void testGeneratedTestCases() throws IOException, AEADBadTagException, Il
 			macKey[tamperedByteIndex] ^= 0x10;
 
 			try {
-				new SivMode().decrypt(testCase.getCtrKey(), macKey, testCase.getCiphertext(), testCase.getAdditionalData());
+				new SivMode().decrypt(testCase.getCtrKey(), macKey, testCase.getCiphertext(), testCase.getAssociatedData());
 				Assert.fail();
 			} catch (AEADBadTagException ex) {
 				// Test case passed.
@@ -458,19 +458,19 @@ public void testGeneratedTestCases() throws IOException, AEADBadTagException, Il
 			ciphertext[tamperedByteIndex] ^= 0x10;
 
 			try {
-				new SivMode().decrypt(testCase.getCtrKey(), testCase.getMacKey(), ciphertext, testCase.getAdditionalData());
+				new SivMode().decrypt(testCase.getCtrKey(), testCase.getMacKey(), ciphertext, testCase.getAssociatedData());
 				Assert.fail();
 			} catch (AEADBadTagException ex) {
 				// Test case passed.
 			}
 		}
 
-		// Check that decryption fails if additional data is tampered with
+		// Check that decryption fails if associated data is tampered with
 		for (int testCaseIdx = 0; testCaseIdx < allTestCases.length; testCaseIdx++) {
 			EncryptionTestCase testCase = allTestCases[testCaseIdx];
-			byte[][] ad = testCase.getAdditionalData();
+			byte[][] ad = testCase.getAssociatedData();
 
-			// Try flipping bits in the additional data elements
+			// Try flipping bits in the associated data elements
 			for (int adIdx = 0; adIdx < ad.length; adIdx++) {
 				// Skip if this ad element is empty
 				if (ad[adIdx].length == 0) {
@@ -522,13 +522,13 @@ public void testGeneratedTestCases() throws IOException, AEADBadTagException, Il
 
 		// Check that ciphertexts/IVs are produced correctly
 		for (EncryptionTestCase testCase : allTestCases) {
-			final byte[] actualCiphertext = new SivMode().encrypt(testCase.getCtrKey(), testCase.getMacKey(), testCase.getPlaintext(), testCase.getAdditionalData());
+			final byte[] actualCiphertext = new SivMode().encrypt(testCase.getCtrKey(), testCase.getMacKey(), testCase.getPlaintext(), testCase.getAssociatedData());
 			Assert.assertArrayEquals(testCase.getCiphertext(), actualCiphertext);
 		}
 
 		// Check that ciphertexts are decrypted correctly
 		for (EncryptionTestCase testCase : allTestCases) {
-			final byte[] actualPlaintext = new SivMode().decrypt(testCase.getCtrKey(), testCase.getMacKey(), testCase.getCiphertext(), testCase.getAdditionalData());
+			final byte[] actualPlaintext = new SivMode().decrypt(testCase.getCtrKey(), testCase.getMacKey(), testCase.getCiphertext(), testCase.getAssociatedData());
 			Assert.assertArrayEquals(testCase.getPlaintext(), actualPlaintext);
 		}
 	}