th4s
commented
3 months ago The j0 blocks are part of the keystream, which is already preprocessed. What is not preprocessed is the circuit which adds one time pads to get shares of these blocks. Relevant issue: https://github.com/privacy-scaling-explorations/mpz/issues/160
Our AES-GCM impl should preprocess J0 blocks instead of doing so in the online phase.