12642 shaares
316 private links
316 private links
And here is the problem: the encryption performs 2 passes over the data: first to encrypt, then to compute the authentication tag.
As we've seen before, it's bad because you will pay huge penalties when loading / unloading your data to / from memory to / from SIMD registers multiple times, even if you AES-CTR and GHash implementation are optimized to the mooooon.