AES-GCM Acceleration with Intel® Integrated Performance Primitives Cryptography

Get the Latest on All Things CODE

Sign Up
author-image

By

Oleg Pervushkin

Math Algorithm Engineer

Elena Tyuleneva

Math Algorithm Engineer

Shibani Nataraja

Software Product Manager

Pavel Dyakov

Math Algorithm Engineering Manager

Rob Mueller-Albrecht

Software Marketing Manager

 

Intel Corporation

What is AES-GCM? 

AES-GCM stands for Advanced Encryption Standard-– Galois Counter Mode. It is used in various applications that require secure communication and data authentication. While GCM is the mode of operation, AES is the encryption standard. Together, AES-GCM makes a symmetric cryptography algorithm used in various cryptography protocols. AES-GCM provides both authenticated encryption (confidentiality and authentication) and the ability to check the integrity and authentication of additional authenticated data (AAD) that is not encrypted. AES-GCM is one of the recommended block cipher modes of operation, per NIST Special Publication 800-38D [1].

The mode is widely used in practice and is part of many standards.

AES-GCM implementation is complex ([2]). Since AES architecture uses a lookup table (S-Box) indexed by secret data, one must use some side-channel attacks resistant techniques to achieve both performance and security.

Below, you can find a high-level flow diagram of the AES-GCM algorithm (more details about implementation can be found in [2][3]):

Figure 1. AES-GCM authenticated encryption diagram.

 

 

AES-GCM Support in Intel® IPP Cryptography and OpenSSL Libraries

Due to the complexity of the AES-GCM algorithm, it is more convenient to use it as out of the box implementation from the software libraries instead of implementing it yourself. 

As good examples of performant and highly functional verification tested implementations of this algorithm, you can refer to the following libraries:

  • OpenSSL - a robust, commercial-grade, full-featured toolkit for general-purpose cryptography and secure communication. [4] 
  • Intel® Integrated Performance Primitives Cryptography (Intel® IPP Cryptography) - a secure, fast, and lightweight library of building blocks for cryptography, highly optimized for various Intel® CPUs. [5] 

Below is an example demonstrating how to use the AES-GCM algorithm in OpenSSL [6] and Intel IPP Cryptography. 

OpenSSL and Intel IPP Cryptography AES-GCM Code Example

OpenSSL Example Intel IPP Cryptography Example 
/* Initialize parameters */
EVP_CIPHER_CTX *ctx  = NULL;
EVP_CIPHER *cipher   = NULL;
OSSL_LIB_CTX *libctx = NULL;
const char *propq = NULL;

OSSL_PARAM params[2] = {
    OSSL_PARAM_END, OSSL_PARAM_END
};

int outLen, tmpLen;
int inpLen, keyLen, aadLen, ivLen, tagLen = 16;
unsigned char inpText[inpLen], outText[inpLen], key[keyLen], aad[aadLen], iv[ivLen], tag[tagLen];

/* Initialize parameters*/
TestResult res = resOK;
IppStatus sts = ippStsNoErr;
int ctxSize;
int inpLen, keyLen, aadLen, ivLen, tagLen = 16;
Ipp8u inpText[inpLen], outText[inpLen], key[keyLen], aad[aadLen], iv[ivLen], tag[tagLen];

/* Create a context for the encrypt operation */
if ((ctx = EVP_CIPHER_CTX_new()) == NULL) goto err;

/* Fetch the cipher implementation */
if ((cipher = EVP_CIPHER_fetch(libctx, "AES-128-GCM", 
    propq)) == NULL) goto err;

/* Create a context for the encrypt operation */
sts = ippsAES_GCMGetSize(&ctxSize);
res = CheckStatus("ippsAES_GCMGetSize", ippStsNoErr, sts);
if(resOK!=res) goto err;
IppsAES_GCMState* pAESGCM = (IppsAES_GCMState*)( new Ipp8u [ctxSize]);

/* Set IV length */
params[0] = OSSL_PARAM_construct_size_t(
OSSL_CIPHER_PARAM_AEAD_IVLEN, &ivLen);
  
/* Initialize parameters of encryption operation. */
if (!EVP_EncryptInit_ex2(ctx, cipher, key, 
    iv, params)) goto err;

if (!EVP_EncryptUpdate(ctx, NULL, &outLen, 
    aad, aadLen)) goto err;

/* Initialize parameters of encryption operation. */
sts = ippsAES_GCMInit(key, keyLen, pAESGCM, ctxSize);
res = CheckStatus("ippsAES_GCMInit", ippStsNoErr, sts);
if(resOK!=res) goto err;

sts = ippsAES_GCMStart(iv, ivLen, aad, aadLen, pAESGCM);
res = CheckStatus("ippsAES_GCMStart", ippStsNoErr, sts);
if(resOK!=res) goto err;
 
/* Encrypt plaintext */
if (!EVP_EncryptUpdate(ctx, outText, &outLen, 
    inpText, inpLen)) goto err;

/* Encrypt plaintext */
sts = ippsAES_GCMEncrypt(inpText, outText, inpLen, pAESGCM);
res = CheckStatus("ippsAES_GCMEncrypt", ippStsNoErr, sts);
if(resOK!=res) goto err;

/* Finalize: note get no output for GCM */
if (!EVP_EncryptFinal_ex(ctx, outText, &tmpLen)) 
    goto err;
  
/* Get tag */
params[0] = OSSL_PARAM_construct_octet_string
    (OSSL_CIPHER_PARAM_AEAD_TAG, tag, tagLen);

if (!EVP_CIPHER_CTX_get_params(ctx, params)) goto err;

/* Get tag */
sts = ippsAES_GCMGetTag(tag, tagLen, pAESGCM);
res = CheckStatus("ippsAES_GCMGetTag", ippStsNoErr, sts);
if(resOK!=res) goto err;

delete [] (Ipp8u*)pAESGCM;

 

As we can see, OpenSSL and Intel IPP Cryptography API are easy to use with clear calling conventions. Using 3rd party libraries allows the users not to spend extra time and resources on AES-GCM implementation, optimization, and testing.  Instead, they can complete their software using ready-to-use algorithms as part of an out-of-the-box solution.

AES-GCM Performance

Intel IPP Cryptography contains implementations of the AES-GCM algorithm that are highly optimized for Intel CPUs by utilizing 

  • Intel® AES New Instructions (Intel® AES-NI)
  • Intel® Vector Extension for AES-NI
  • Intel® PCLMULQDQ
  • Intel® Vector Extension for PCLMULQDQ

Below, you can see the performance comparison between OpenSSL and IPP Cryptography for the message size 16384 bits on 4th Generation Intel Xeon Scalable Processors. 

Figure 2. OpenSSL vs. Intel IPP Cryptography performance comparison for AES-GCM algorithm

 

Intel IPP Cryptography continues to work on additional optimizations of the cryptography algorithms. The recently released Intel IPP Cryptography 2021.9 version contains additional optimizations based on Intel® Advanced Vector Extensions 2 (Intel® AVX2) and Intel® Vector Extension for AES-NI and PCLMULQDQ.

The chart below demonstrates AES-GCM performance speed-up between two Intel IPP Cryptography releases:

Figure 3. Performance comparison between Intel IPP Cryptography 2021.9 and 2021.8 releases

 

Summary

AES-GCM is one of the most common symmetric cipher algorithms used in a variety of different spheres of the modern world. Intel IPP Cryptography brings differentiative performance on Intel CPU. The complexity of the algorithm makes it resilient against different attacks. This complexity, however, can also make its implementation challenging. Developers look for ease of use, fast implementation, and highly optimized execution speed. Performance is critical for many applications. Therefore, OpenSSL, Intel IPP Cryptography, and other libraries implement and optimize the algorithm for the latest available hardware. 

Get the Software

You can install the Intel® Integrated Performance Primitives Cryptography (Intel IPP Cryptography) as a part of the Intel® oneAPI Base Toolkit. You can also download a stand-alone version of the library or test it across Intel® CPUs and GPUs on the Intel® Developer Cloud platform. 

 

 

References

[1] Planning Note for Revision (2023), NIST Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC     

[2] Morris Dworkin (2007), NIST Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC, NIST Special Publication 800-38D

[3] David A. McGrew, John Viega (2005), The Galois/Counter Mode of Operation (GCM)

Additional Resources

[4] OpenSSL GitHub

[5] Intel IPP Cryptography GitHub

[6] OpenSSL AES-GCM example

[7] Intel IPP Cryptography AES-GCM Documentation

[8] Advanced Encryption Standard Galois Counter Mode – Optimized GHASH Function Technology Guide

[9] Intel® Multi-Buffer Crypto for IPsec Library

Product and Performance Information

1

Performance varies by use, configuration and other factors. Learn more at www.Intel.com/PerformanceIndex.