'AES-NI intrinsics enabled by default?

Oracle has this to say about Java 8 with regards to AES-NI:

Hardware intrinsics were added to use Advanced Encryption Standard (AES). The UseAES and UseAESIntrinsics flags are available to enable the hardware-based AES intrinsics for Intel hardware. The hardware must be 2010 or newer Westmere hardware. For example, to enable hardware AES, use the following flags:

-XX:+UseAES -XX:+UseAESIntrinsics

To disable hardware AES use the following flags:

-XX:-UseAES -XX:-UseAESIntrinsics

But it does not indicate if AES intrinsics are enabled by default (for processors that support it). So the question is simple: if the processor supports AES-NI, are AES intrinsics used?

Bonus question: is there any way to test if AES-NI is being used? I guess you can guess based on performance, but that's not an optimal or sure fire way of testing.

For readerS that are not familiar with AES-NI intrinsics: it's replacing byte code with pre-compiled machine code, using the AES-NI instruction set. This happens by the JVM, so it does not show up in the API of the Java runtime or bytecode.

javacryptographyaescpujvm-hotspot


Solution 1:[1]

This mailthread from openjdk says, all AES intrinsics are enabled by default. Although I'm not certain how much of the Oracle core VM code shares with openjdk. If you read the whole thread, they also discuss about challenges on 32-bit VMs, that probably explains your problem with your second test run.

  • Regarding your test, don't you think the differences in the CPUs make a big difference? Core i7's are quadcore and have better clock speeds in general. Wouldn't that have made a difference ? I guess that shift from 21s (core i5, 32bitVM, AES-NI off) to 8s (core i7, 64bitVM, AES-NI off) is the difference between i5 and i7.
  • The improvement from 8s to 3s, although not 7 fold, is indeed worth a 'Yipes'! :)
  • Regarding the detection mechanism - there doesn't seem to be a straightforward way. JVM throws a warning "AES intrinsics not available on this CPU" if you enabled the flags, and if it cannot find AES support - as per this bug report.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Dave Newton

Related Questions