Intel® Advanced Encryption Standard Instructions (AES-NI)

Submit New Article

retweet
October 9, 2010 11:00 PM PDT


Introduction

AES (Advanced Encryption Standard) is an encryption standard adopted by the U.S. government starting in 2001. It is widely used across the software ecosystem to protect network traffic, personal data, and corporate IT infrastructure. AES is a symmetric block cipher that encrypts/decrypts data through several rounds. The new 2010 Intel® Core™ processor family (code name Westmere) includes a set of new instructions, Intel® Advanced Encryption Standard (AES) New Instructions (AES-NI). The instructions were designed to implement some of the complex and performance intensive steps of the AES algorithm using hardware and thus accelerating the execution of the AES algorithms. AES-NI can be used to accelerate the performance of an implementation of AES by 3 to 10x over a completely software implementation.

The AES algorithm works by encrypting a fixed block size of 128 bits of plain text in several rounds to produce the final encrypted cipher text. The number of rounds (10, 12, or 14) used depends on the key length (128b, 192b, or 256b). Each round performs a sequence of steps on the input state, which is then fed into the following round. Each round is encrypted using a subkey that is generated using a key schedule. For more details on AES please refer to [1].

The new AES-NI instruction set is comprised of six new instructions that perform several compute intensive parts of the AES algorithm. These instructions can execute using significantly less clock cycles than a software solution. Four of the new instructions are for accelerating the encryption/decryption of a round and two new instructions are for round key generation. The following is a description of the new instructions.

  • AESENC. This instruction performs a single round of encryption. The instruction combines the four steps of the AES algorithm - ShiftRows, SubBytes, MixColumns & AddRoundKey into a single instruction.
  • AESENCLAST. Instruction for the last round of encryption. Combines the ShiftRows, SubBytes, & AddRoundKey steps into one instruction.
  • AESDEC. Instruction for a single round of decryption. This combines the four steps of AES - InvShiftRows, InvSubBytes, InvMixColumns, AddRoundKey into a single instruction
  • AESDECLAST. Performs last round of decryption. It combines InvShiftRows, InvSubBytes, AddRoundKey into one instruction.
  • AESKEYGENASSIST is used for generating the round keys used for encryption.
  • AESIMC is used for converting the encryption round keys to a form usable for decryption using the Equivalent Inverse Cipher.
For details on these instructions and their usage please refer to the white paper [3];

Benefits of using AES-NI

Performance Improvement

The performance improvement expected with the use of AES-NI would depend on the applications and how much of the application time is spent in encryption and decryption. At the algorithm level, using AES-NI can provide significant speedup of AES. For non-parallel modes of AES operation such as CBC-encrypt AES-NI can provide a 2-3 fold gain in performance over a completely software approach. For parallelizable modes such as CBC-decrypt and CTR, AES-NI can provide a 10x improvement over software solutions. For details on performance please refer to [3].

Intel continues to provide leadership in developing instruction- set extensions with recently released ISA support for Advanced Encryption Standard (AES). This paper presents the excellent performance of the AES algorithm on the Intel® Core™ i7 Processor Extreme Edition, i7-980X, using the AES New Instructions (AES-NI). Performance results for serial and parallel modes of operation are provided for all key sizes, for variable numbers of cores and threads. These results have been achieved using highly optimized implementations of the AES functions that can achieve ~1.3 cycles/byte on a single-core Intel® Core™ i7 Processor Extreme Edition, i7-980X for AES-128 in parallel modes. The paper also has a brief description of how to code to achieve these results and a reference to the complete source code. (Read "Breakthrough AES Performance with Intel® AES New Instructions" White Paper in its entirety.)

Improved Security

Beyond improving performance, the new instructions help address recently discovered side channel attacks on AES. AES-NI instructions perform the decryption and encryption completely in hardware without the need for software lookup tables. Therefore using AES-NI can lower the risk of side-channel attacks as well as greatly improve AES performance. For details please refer to [3].

Using AES-NI

AES-NI instructions can be used in any application that uses AES for encryption. AES is very widely used in several applications such as network encryption, disk and file encryption applications. File-level and disk encryption applications use AES to protect data stored on a disk. Networking applications use encryption to protect data in flight with protocols encompassing SSL, TLS, IPsec, HTTPS, FTP, SSH, etc.

There are several ways to take advantage of AES-NI in your applications, whether you are starting from scratch or optimizing existing applications. The following shows several methods for using AES-NI.

Using Standard Libraries

If you are using existing crypto libraries that provide the crypto functionalities including AES, all you need to do is recompile your applications to include the latest libraries. The following table shows the list of libraries and versions that are optimized to take advantage of AES-NI.

Library Description Version supporting AES-NI
Open SSL Open source library implementation of SSL and TLS. Supports several cryptographic functions including AES Direct support in V1.0 (experimental version)

0.9.8k or later via patch
Intel ® Integrated Performance Primitives (IPP) crypto Extensive library of multicore-ready, highly optimized implementations of several cryptographic algorithms including AES. V6.1 or later
Microsoft* Cryptography API: Next Generation1 APIs included with Microsoft* Operating systems provides cryptographic services to applications. Windows 7


Using C/C++ or assembly

If you have existing C/C++ or assembly implementations of AES algorithms you can take advantage of the support provided in most of the standard compiler development tools. You will need to modify your code to replace code blocks with the equivalent AES-NI instructions. AES-NI instructions can be called from C/C++ either using inline assembly or using special functions know as intrinsics. Each intrinsic maps to one of the new instructions. Using intrinsics allows you to develop code using the syntax of C/C++ function calls and variables instead of inline assembly language.

To use AES-NI in assembly language you can directly call the relevant instruction from your code.

The following compilers provide C/C++ as well assembly support for AES-NI.

Compiler Description Version supporting AES-NI
Gcc/g++ Open source GNU compiler for C/C++ 4.4 or later
Intel® C/C++ compiler Intel compiler tools for C/C+ 11.1 or later
Microsoft* Visual C++ C/C++ compiler tools for Windows* operating systems 2008 SP1 or later


Additional Links

[1] Advanced Encryption Standard (AES) - http://en.wikipedia.org/wiki/Advanced_Encryption_Standard

[2] Intel ® Performance Primitives (IPP) web page - http://software.intel.com/en-us/intel-ipp/

[3] White Paper on AES-NI - http://software.intel.com/en-us/articles/intel-advanced-encryption-standard-aes-instructions-set/

[4] Intel® C/C++ compiler - http://software.intel.com/en-us/intel-compilers/

[5] Download the Intel® AES-NI Sample Library v1.2

[6] OpenSSL libraries - http://www.openssl.org/

[7] White Paper - "Securing the Enterprise with Intel® AES-NI" - http://www.intel.com/Assets/en_US/PDF/whitepaper/323587.pdf

[8] White Paper - "Breakthrough AES Performance with Intel® AES New Instructions" - http://software.intel.com/file/27067/



1 Note the Microsoft* Crypto API that preceded the Microsoft* Crypto API: Next Generation is not optimized for AES-NI.