Hi guys,
I was seeing some very poor performance in AES-GCM mode. I tried profiling the code but want into a wall (posted on stackoverflow at http://stackoverflow.com/questions/14573972/code-profiling-to-improve-perfor mance-see-cpu-cycles-inside-mscorlib-dll) In particular, it seems that AES-GCM should be faster than AES-CBC; at least based on literature: "The Galois/Counter Mode of Operation (GCM)" paper by David A. McGrew, I read "Multiplication in a binary field can use a variety of time-memory tradeoffs. It can be implemented with no key-dependent memory, in which case it will generally run several times slower than AES. Implementations that are willing to sacrifice modest amounts of memory can easily realize speeds greater than that of AES." To test that theory, I tried the same on OpenSSL. I found AES-GCM is about 2x the speed of AES-CBC. What I did was measure (100 times=> average it) * Time to only in invoking OpenSSL (=15ms) * Time to OpenSSL AES-GCM encrypt a 10MB file (=32ms = > just encrypt = 17ms) * Time to OpenSSL AES-CBC encrypt a 10MB file (=45ms => just encrypt = 30ms) The code itself is rough but tiny - listed at https://gist.github.com/4661615. This experiment seems to corroborate the theory in that paper. However in BouncyCastle (C#, 1.7) I'm finding the opposite. AES-GCM is about 18x slower compared to AES-CBC mode! Altogether, the difference is about 2x fast in OpenSSL + 18x slow in BouncyCastle => 36x slow from it's potential! Question: Does anyone know why that is the case? Is anyone interested in poking deeper? I think there might be a lot of room for improvement. Unfortunately, I don't think I'm qualified to implement any such improvement (not without substantial investment of time!) Thanks Sid
