11

Solution

  • MessageDigest => create new instances as often as needed
  • KeyFactory => use a single shared instance
  • SecureRandom => use a StackObjectPool
  • Cipher => use a StackObjectPool

Question

I face a regular dilemna while coding security frameworks : "to pool or not to pool"

Basically this question is divided on two "groups" :

  1. Group 1 : SecureRandom because the call to nextBytes(...) is synchronized and it could become a bottleneck for a WebApp / a multi-threaded app

  2. Group 2 : Crypto service providers like MessageDigest, Signature, Cipher, KeyFactory, ... (because of the cost of the getInstance() ?)

What is your opinion ?

What are you habits on such questions?

Edit 09/07/2013

I finally took time to test @Qwerky Share class by myself and I find the result quite ... surprising.

The class was lacking my main concern : Pools like GenericObjectPool or StackObjectPool.

So I've reworked the class to test all 4 alternatives :

  • Single shared instance with synchronisation gist
  • new instances inside each loops (I'm not interested in the case when you can pull the digest creation outside the loop) gist
  • GenericObjectPool : gist
  • StackObjectPool : gist

I had to lower the number of loops to 100000 since 1M was taking too much time with pools.

I also added a Thread.yield() at the end of each loop to give the load a nicer shape.

Results (cummulative runtime):

  • MessageDigest
    • new instances : 420 s
    • Single instance : 550 s
    • StackObjectPool : 800 s
    • GenericObjectPool : 1900 s
  • KeyFactory
    • new instances : 400s
    • Single instance : 350 s
    • StackObjectPool : 2900 s
    • GenericObjectPool : 3500 s
  • SecureRandom
    • StackObjectPool : 1600 s
    • new instances : 2300 s
    • GenericObjectPool : 2300s
    • Single instance : 2800 s
  • Cipher
    • StackObjectPool : 2800 s
    • GenericObjectPool : 3500 s
    • Single instance : 5100 s
    • new instances : 8000 s

Conclusion

For MessageDigest and KeyFactory, pools are perf killers and are even worse than a single instance with a synchronisation bottleneck, whereas they are really usefull when it comes to SecureRandom and Cipher

Cerber
  • 2,889
  • 4
  • 27
  • 43
  • Reuse comes down to a trade off between the overhead of expensive creation and synchronized access. Only you can choose and it depends on your usage profile. Note that there is no difference between the two groups, you must sync access to `MessageDigest` etc if you share an instance between threads. – Qwerky Dec 17 '12 at 12:02
  • Of course @Qwerky any option requires synchronisation between threads / usage block. The question is rather how do you handle thoses classes in your apps ? – Cerber Dec 17 '12 at 12:12
  • 1
    This is great---I wish information like this were more readily available for all sorts of classes. Really, I wish it were in the standard Javadoc. – Robert Tupelo-Schneck Sep 28 '13 at 04:45

2 Answers2

6

If you give 100 threads access to a shared MessageDigest and get them to calculate 1,000,000 hashes each then on my machine the first thread finishes in 70,160ms and the last finishes in 98,748ms.

If the threads create a new instance of MessageDigest each time, then the first thread finishes in 43,392ms and the last 58,691ms.

Edit:
In fact with this example, with only two threads the example creating new instances runs quicker.

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class Share {

  final byte[] bytes = new byte[100];
  final MessageDigest sharedDigest;
  final ExecutorService pool;
  int threads = 100;

  Share() throws NoSuchAlgorithmException {
    sharedDigest = MessageDigest.getInstance("MD5");
    pool = Executors.newFixedThreadPool(threads);
  }

  void go() {

    for (int i=0; i<threads; i++) {
      pool.execute(new Runnable() {
        public void run() {
          long start = System.currentTimeMillis();
          for (int i=0; i<1000000; i++) {
            /*
            synchronized (sharedDigest) {
              sharedDigest.reset();
              sharedDigest.update(bytes);
              sharedDigest.digest();
            }*/
            try {
              MessageDigest digest = MessageDigest.getInstance("MD5");
              digest.reset();
              digest.update(bytes);
              digest.digest();
            } catch (Exception ex) {
              ex.printStackTrace();
            }
          }
          long end = System.currentTimeMillis();
          System.out.println(end-start);
          pool.shutdown();
        }
      });
    }

  }

  public static void main(String[] args) throws Exception {
    Share share = new Share();
    share.go();
  }

}
Qwerky
  • 18,217
  • 6
  • 44
  • 80
-1

This test seems to be in favour of caching 

long t0 = System.currentTimeMillis();
byte[] bytes = new byte[100];
MessageDigest md = MessageDigest.getInstance("MD5");
for(int i = 0; i < 1000000; i++) {
    //MessageDigest md = MessageDigest.getInstance("MD5");
    md.reset();
    md.update(bytes);
    md.digest();
}
System.out.println(System.currentTimeMillis() - t0);

When md is outside the loop it prints 579, when inside - 953.

Evgeniy Dorofeev
  • 133,369
  • 30
  • 199
  • 275
  • All that shows is `MessageDigest` has an overhead for creation. In a single thread situation reuse will always be faster. – Qwerky Dec 17 '12 at 12:06