On Thu, 16 Oct 2025 05:14:44 GMT, Shawn M Emery <[email protected]> wrote:
>> General: >> ----------- >> i) This work is to replace the existing AES cipher under the Cryptix license. >> >> ii) The lookup tables are employed for performance, but also for operating >> in constant time. >> >> iii) Several loops have been unrolled for optimization purposes, but are >> harder to read and don't meet coding style guidelines. >> >> iv) None of the AES related intrinsics has been modified in this PR, but the >> new code has been updated to use the intrinsics related hooks for the AES >> block and key table arguments. >> >> Note: I've purposefully not seen the original Cryptix code, so when making a >> code review comment please don't quote the code in the AESCrypt.java file. >> >> Correctness: >> ----------------- >> The following AES-specific regression tests have passed in intrinsics >> (default) and non-intrinsic (-Xint) modes: >> >> i) test/jdk/com/sun/crypto/provider/Cipher/AES: all 27 tests pass >> >> -intrinsics mode for: >> >> ii) test/hotspot/jtreg/compiler/codegen/aes: all 4 tests pass >> >> iii) jck:api/java_security, jck:api/javax_crypto, jck:api/javax_net, >> jck:api/javax_security, jck:api/org_ietf, and jck:api/javax_xml/crypto: >> passed, with 10 known failures >> >> iv) jdk_security_infra: passed, with 48 known failures >> >> v) tier1 and tier2: all 110257 tests pass >> >> Security: >> ----------- >> In order to prevent side-channel (timing and differential power analysis) >> attacks the code has been constructed to operate in constant time and does >> not use conditionals based on the key or key expansion table. This is >> accomplished by using lookup tables in both the cipher and inverse cipher of >> AES. >> >> Performance: >> ------------------ >> All AES related benchmarks have been executed against the new and original >> Cryptix code: >> >> micro:org.openjdk.bench.javax.crypto.AES >> >> micro:org.openjdk.bench.javax.crypto.full.AESBench >> >> micro:org.openjdk.bench.javax.crypto.full.AESExtraBench >> >> micro:org.openjdk.bench.javax.crypto.full.AESGCMBench >> >> micro:org.openjdk.bench.javax.crypto.full.AESGCMByteBuffer >> >> micro:org.openjdk.bench.javax.crypto.full.AESGCMCipherInputStream >> >> micro:org.openjdk.bench.javax.crypto.full.AESGCMCipherOutputStream >> >> micro:org.openjdk.bench.javax.crypto.full.AESKeyWrapBench. >> >> micro:org.openjdk.bench.java.security.CipherSuiteBench (AES) >> >> The benchmarks were executed in different compiler modes (default (no >> compiler options), -Xint, and -Xcomp) and on two different architectures >> (x86 and arm64) with the following encryption re... > > Shawn M Emery has updated the pull request incrementally with one additional > commit since the last revision: > > Updates for code review comments from @valeriepeng src/java.base/share/classes/com/sun/crypto/provider/AES_Crypt.java line 1040: > 1038: * @param p [in] the plaintext to be encrypted. > 1039: * @param po [in] the plaintext offset in the array of bytes. > 1040: * @param c [out] the encrypted ciphertext output. nit: ciphertext already implied to be encrypted. Maybe no need for the "encrypted" adj. src/java.base/share/classes/com/sun/crypto/provider/AES_Crypt.java line 1157: > 1155: ti3 = T0[a3 >>> 24] ^ T1[(a0 >> 16) & 0xFF] > 1156: ^ T2[(a1 >> 8) & 0xFF] ^ T3[a2 & 0xFF] ^ K[w + 7]; > 1157: w += 8; No need for w, since you already checked the `rounds` value, you can directly reference K inside this block, i.e. K[40] - K[47]. Same goes for the next block for AES-256, i.e. directly reference K[48]-K[55]. src/java.base/share/classes/com/sun/crypto/provider/AES_Crypt.java line 1195: > 1193: ^ T3[(ti0 >> 16) & 0xFF] & 0xFF0000 > 1194: ^ T0[(ti1 >> 8) & 0xFF] & 0xFF00 > 1195: ^ T1[ti2 & 0xFF] & 0xFF ^ K[w+3]; Here you always use the last 4 elements of `K`, so you can just use `w = K.length - 4` and no need to keep tracking it in the earlier 2 blocks. src/java.base/share/classes/com/sun/crypto/provider/AES_Crypt.java line 1220: > 1218: * @param c [in] the ciphertext to be decrypted. > 1219: * @param co [in] the ciphertext offset in the array of bytes. > 1220: * @param p [out] the decrypted plaintext output. nit: same comment for removing "decrypted" adj. ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/27807#discussion_r2437316942 PR Review Comment: https://git.openjdk.org/jdk/pull/27807#discussion_r2437308268 PR Review Comment: https://git.openjdk.org/jdk/pull/27807#discussion_r2437313179 PR Review Comment: https://git.openjdk.org/jdk/pull/27807#discussion_r2437325831
