Intel® Advanced Encryption Standard Instructions (AES-NI)


AES (Advanced Encryption Standard) is an encryption standard adopted by the U.S. government starting in 2001. It is widely used across the software ecosystem to protect network traffic, personal data, and corporate IT infrastructure. AES is a symmetric block cipher that encrypts and decrypts data through several rounds. The new 2010 Intel® Core™ processor family (code name Westmere) includes a set of new instructions, Intel® Advanced Encryption Standard (AES) New Instructions (AES-NI). The instructions implement some of the complex, performance-intensive steps of the AES algorithm in hardware, thereby accelerating the execution of AES. AES-NI can accelerate an implementation of AES by 3 to 10x over a completely software implementation.

The AES algorithm works by encrypting a fixed block size of 128 bits of plain text in several rounds to produce the final encrypted cipher text. The number of rounds (10, 12, or 14) used depends on the key length (128b, 192b, or 256b). Each round performs a sequence of steps on the input state, which is then fed into the following round. Each round is encrypted using a subkey that is generated using a key schedule. For more details on AES please refer to [1].

The new AES-NI instruction set comprises six new instructions that perform several compute-intensive parts of the AES algorithm. These instructions execute in significantly fewer clock cycles than a software solution. Four of the new instructions accelerate the encryption/decryption of a round, and two are for round key generation. The following is a description of the new instructions.

  • AESENC. This instruction performs a single round of encryption. The instruction combines the four steps of the AES algorithm - ShiftRows, SubBytes, MixColumns & AddRoundKey into a single instruction.
  • AESENCLAST. Instruction for the last round of encryption. Combines the ShiftRows, SubBytes, & AddRoundKey steps into one instruction.
  • AESDEC. Instruction for a single round of decryption. This combines the four steps of AES - InvShiftRows, InvSubBytes, InvMixColumns, AddRoundKey into a single instruction.
  • AESDECLAST. Performs last round of decryption. It combines InvShiftRows, InvSubBytes, AddRoundKey into one instruction.
  • AESKEYGENASSIST is used for generating the round keys used for encryption.
  • AESIMC is used for converting the encryption round keys to a form usable for decryption using the Equivalent Inverse Cipher.

For details on these instructions and their usage please refer to the white paper [3].

Benefits of using AES-NI

Performance Improvement

The performance improvement expected from AES-NI depends on the application and how much of its time is spent in encryption and decryption. At the algorithm level, using AES-NI can provide a significant speedup of AES. For non-parallel modes of AES operation such as CBC-encrypt, AES-NI can provide a 2-3 fold gain in performance over a completely software approach. For parallelizable modes such as CBC-decrypt and CTR, AES-NI can provide a 10x improvement over software solutions. For details on performance please refer to [3].

Intel continues to provide leadership in developing instruction-set extensions with recently released ISA support for Advanced Encryption Standard (AES). This paper presents the excellent performance of the AES algorithm on the Intel® Core™ i7 Processor Extreme Edition, i7-980X, using the AES New Instructions (AES-NI). Performance results for serial and parallel modes of operation are provided for all key sizes, for variable numbers of cores and threads. These results have been achieved using highly optimized implementations of the AES functions that can achieve ~1.3 cycles/byte on a single-core Intel® Core™ i7 Processor Extreme Edition, i7-980X for AES-128 in parallel modes. The paper also has a brief description of how to code to achieve these results and a reference to the complete source code. (Read "Breakthrough AES Performance with Intel® AES New Instructions" White Paper in its entirety.)

Improved Security

Beyond improving performance, the new instructions help address recently discovered side channel attacks on AES. AES-NI instructions perform the decryption and encryption completely in hardware without the need for software lookup tables. Therefore using AES-NI can lower the risk of side-channel attacks as well as greatly improve AES performance. For details please refer to [3].

Using AES-NI

AES-NI instructions can be used in any application that uses AES for encryption. AES is widely used in applications such as network encryption and disk and file encryption. File-level and disk encryption applications use AES to protect data stored on a disk. Networking applications use encryption to protect data in flight with protocols encompassing SSL, TLS, IPsec, HTTPS, FTP, SSH, etc.

There are several ways to take advantage of AES-NI in your applications, whether you are starting from scratch or optimizing existing applications. The following shows several methods for using AES-NI.

Using Standard Libraries

If you are using existing crypto libraries that provide the crypto functionalities including AES, all you need to do is recompile your applications to include the latest libraries. The following table shows the list of libraries and versions that are optimized to take advantage of AES-NI.

| Library | Description | Version supporting AES-NI |
| --- | --- | --- |
| OpenSSL | Open source library implementation of SSL and TLS. Supports several cryptographic functions including AES. | Direct support in V1.0 (experimental version); 0.9.8k or later via patch |
| Intel® Integrated Performance Primitives (IPP) crypto | Extensive library of multicore-ready, highly optimized implementations of several cryptographic algorithms including AES. | V6.1 or later |
| Microsoft* Cryptography API: Next Generation¹ | APIs included with Microsoft* operating systems that provide cryptographic services to applications. | Windows 7 |

Using C/C++ or assembly

If you have existing C/C++ or assembly implementations of AES algorithms you can take advantage of the support provided in most of the standard compiler development tools. You will need to modify your code to replace code blocks with the equivalent AES-NI instructions. AES-NI instructions can be called from C/C++ either using inline assembly or using special functions known as intrinsics. Each intrinsic maps to one of the new instructions. Using intrinsics allows you to develop code using the syntax of C/C++ function calls and variables instead of inline assembly language.

To use AES-NI in assembly language you can directly call the relevant instruction from your code.

The following compilers provide C/C++ as well as assembly support for AES-NI.

| Compiler | Description | Version supporting AES-NI |
| --- | --- | --- |
| Gcc/g++ | Open source GNU compiler for C/C++ | 4.4 or later |
| Intel® C/C++ compiler | Intel compiler tools for C/C++ | 11.1 or later |
| Microsoft* Visual C++ | C/C++ compiler tools for Windows* operating systems | 2008 SP1 or later |
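
The six instructions listed earlier, driven through the intrinsics route described in this section, as an added example (not Intel's sample library and not part of the original article). It assumes GCC or Clang on x86/x86-64; the function names (cpu_has_aesni, aes128_expand_key, aes128_encrypt_block, aes128_decrypt_block) are hypothetical, and it processes a single 16-byte block with no mode of operation.

```c
#include <cpuid.h>      /* __get_cpuid (GCC/Clang, x86 only) */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <wmmintrin.h>  /* AES-NI intrinsics */

/* Per-function AES-NI code generation (GCC/Clang), so no -maes flag is needed. */
#define AESNI __attribute__((target("aes,sse2")))
/* CPUID leaf 1, ECX bit 25 = AES-NI; check before running any AES instruction. */
int cpu_has_aesni(void) {
    unsigned a, b, c, d;
    return __get_cpuid(1, &a, &b, &c, &d) && ((c >> 25) & 1);
}
/* One AES-128 key-schedule step; t is the AESKEYGENASSIST output for k. */
AESNI static __m128i expand_step(__m128i k, __m128i t) {
    t = _mm_shuffle_epi32(t, 0xff);              /* broadcast the top dword   */
    k = _mm_xor_si128(k, _mm_slli_si128(k, 4));  /* three shift-XORs give the */
    k = _mm_xor_si128(k, _mm_slli_si128(k, 4));  /* running XOR of the four   */
    k = _mm_xor_si128(k, _mm_slli_si128(k, 4));  /* key words                 */
    return _mm_xor_si128(k, t);
}
/* The round constant must be a compile-time immediate, hence a macro. */
#define STEP(i, rc) rk[i] = expand_step(rk[i - 1], _mm_aeskeygenassist_si128(rk[i - 1], rc))
AESNI void aes128_expand_key(const uint8_t key[16], __m128i rk[11]) {
    rk[0] = _mm_loadu_si128((const __m128i *)key);
    STEP(1, 0x01); STEP(2, 0x02); STEP(3, 0x04); STEP(4, 0x08); STEP(5, 0x10);
    STEP(6, 0x20); STEP(7, 0x40); STEP(8, 0x80); STEP(9, 0x1b); STEP(10, 0x36);
}
/* Initial AddRoundKey, nine AESENC rounds, then AESENCLAST. */
AESNI void aes128_encrypt_block(const __m128i rk[11], const uint8_t in[16], uint8_t out[16]) {
    __m128i s = _mm_xor_si128(_mm_loadu_si128((const __m128i *)in), rk[0]);
    for (int i = 1; i < 10; i++) s = _mm_aesenc_si128(s, rk[i]);
    _mm_storeu_si128((__m128i *)out, _mm_aesenclast_si128(s, rk[10]));
}
/* Equivalent Inverse Cipher: round keys 9..1 go through AESIMC before AESDEC. */
AESNI void aes128_decrypt_block(const __m128i rk[11], const uint8_t in[16], uint8_t out[16]) {
    __m128i s = _mm_xor_si128(_mm_loadu_si128((const __m128i *)in), rk[10]);
    for (int i = 9; i > 0; i--) s = _mm_aesdec_si128(s, _mm_aesimc_si128(rk[i]));
    _mm_storeu_si128((__m128i *)out, _mm_aesdeclast_si128(s, rk[0]));
}

int main(void) {  /* round-trips the FIPS-197 Appendix C.1 key and plaintext */
    uint8_t key[16], pt[16], ct[16], back[16]; __m128i rk[11];
    for (int i = 0; i < 16; i++) { key[i] = (uint8_t)i; pt[i] = (uint8_t)(0x11 * i); }
    if (!cpu_has_aesni()) { puts("AES-NI not available on this CPU"); return 1; }
    aes128_expand_key(key, rk);
    aes128_encrypt_block(rk, pt, ct); aes128_decrypt_block(rk, ct, back);
    printf("round trip %s\n", memcmp(pt, back, 16) ? "FAILED" : "ok");
    return 0;
}
```

Production code should wrap a block primitive like this in an authenticated mode and fall back to a software AES path when cpu_has_aesni() returns 0.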

Additional Links

[1] Advanced Encryption Standard (AES) -

[2] Intel ® Performance Primitives (IPP) web page - /en-us/intel-ipp/

[3] White Paper on AES-NI - /en-us/articles/intel-advanced-encryption-standard-aes-instructions-set

[4] Intel® C/C++ compiler - /en-us/intel-compilers/

[5] Download the Intel® AES-NI Sample Library v1.2

[6] OpenSSL libraries -

[7] White Paper - "Securing the Enterprise with Intel® AES-NI" -

[8] White Paper - "Breakthrough AES Performance with Intel® AES New Instructions" -

¹ Note: the Microsoft* Crypto API that preceded the Microsoft* Crypto API: Next Generation is not optimized for AES-NI.



David M.:

This almost seems like a silly question, but it is related to bureaucratic standards, which require a certain pedantry.

FIPS-140-2 compliance requires the use of certified cryptographic libraries or hardware.

  • are the AES-NI instructions (i.e., their implementation) FIPS-140-2 certified?
  • is the library interface to them FIPS-140-2 certified?  In particular, is there a FIPS-140-2 certified OpenSSL implementation that uses the AES-NI instructions?  (Somewhat surprisingly, there exist FIPS-140-2 certified OpenSSL binaries.)

I am assuming the answer to the first question is yes, or that certification is in process, but I am wondering about the answer to the second question.  Setting OpenSSL aside, is there a library that provides a FIPS-140-2 certified path to the AES-NI instructions?



anonymous:

Does Itanium support hardware encryption?

anonymous:

Hello everybody... nice to see this platform knowing a lot about AES... I want to implement AES on FPGA... I am new and need help... can anyone suggest reference material or tips, etc.?

anonymous:

Is AES-NI available for Ketkey for use in OpenSWAN or strongSWAN?

danx:

@Az7: Great news. It's good to hear some of the power-friendlier Sandy Bridge processors can handle the delicate balance of both low power and full processor features.

anonymous:

IA AES Extensions are supported & already enabled on my (low power) Intel Core i7-2630QM.

danx:

@Tasman Hayes
Not all Westmere or Sandy Bridge-class processors have AES-NI. In general, the lower-power mobile processors do not have AES-NI. For example, Core i3 does not have AES-NI. Low-end mobile Core i7 processors 2630QM and 2635QM do not have AES-NI. Most other Core i5/i7 processors have AES-NI. I don't know what processor MacBook Air uses, but get the processor number and look it up in Each processor has a spec sheet and clearly shows whether it supports AES-NI (among other features). Remember, few things are free--you can have low power or lots of hardware features, but not both.

As for upgrading, I think longer battery life would make an upgrade worthwhile. I wouldn't upgrade my working laptop just for a faster processor, unless it's running slow or I'm doing weird stuff that needs the speed. Laptops seem to break soon enough through regular use.

Tasman Hayes:

Hi. Thanks for the excellent info! Great to see support for AES-NI has been rolled into OpenSSL.

I'm curating an article on MacBook Air i5 vs i7 at

I'd like to ask a few questions to go into this and other MacBook Air articles at

A common question is "Is it worth upgrading from a previous generation MacBook Air with a Core 2 Duo, to the current generation running Core series chips?"

The i5 & i7 processors in the new 2011 MacBook Airs are ultra-low voltage Sandy Bridge CPUs.
Apple has released new full hard disk encryption software, called FileVault 2, with its latest OS, Mac OS X 10.7 Lion.

Can I confirm whether these CPUs have AES-NI support?
Do you know if FileVault 2 uses the AES-NI instruction set?

Many thanks for information or leads!

danx:

I have a blog article on the use of Intel AES-NI in Oracle's Sun Solaris Operating System to improve performance. Briefly, it's faster :-) and AES-NI is used and supported on Oracle Solaris 11 Express 2010.11 and on Solaris 10 10/09 (aka update 8). It's at

Intel has code samples in the whitepaper and at
Samples are also in the OpenSSL library, and you can see use in Solaris at

