Girish Mahajan (Editor)

AES instruction set

Updated on
Edit
Like
Comment
Share on FacebookTweet on TwitterShare on LinkedInShare on Reddit

Advanced Encryption Standard Instruction Set (or the Intel Advanced Encryption Standard New Instructions; AES-NI) is an extension to the x86 instruction set architecture for microprocessors from Intel and AMD proposed by Intel in March 2008. The purpose of the instruction set is to improve the speed of applications performing encryption and decryption using the Advanced Encryption Standard (AES).

Contents

Intel and AMD x86 architecture

The following processors support the AES-NI instruction set:

  • Intel
  • Intel Westmere based processors, specifically:
  • Intel Westmere-EP (Xeon 56xx) (a.k.a. Gulftown Xeon 5600-series DP server model) processors.
  • Intel Clarkdale processors (except Core i3, Pentium and Celeron).
  • Intel Arrandale processors (except Celeron, Pentium, Core i3, Core i5-4XXM).
  • Intel Sandy Bridge processors:
  • Desktop: all except Pentium, Celeron, Core i3.
  • Mobile: all Core i7 and Core i5. Several vendors have shipped BIOS configurations with the extension disabled; a BIOS update is required to enable them.
  • Intel Ivy Bridge processors.
  • All i5, i7, Xeon and i3-2115C only.
  • Intel Haswell processors (all except i3-4000m, Pentium and Celeron).
  • Intel Broadwell processors (all except Pentium and Celeron).
  • Intel Silvermont/Airmont processors (all except Bay Trail-D and Bay Trail-M).
  • Intel Skylake processors.
  • Intel Kaby Lake processors.
  • Intel has a list of processors that support AES-NI on their website.
  • AMD
  • AMD Bulldozer-based processors.
  • AMD Piledriver-based processors.
  • AMD Steamroller-based processors and successors (Excavator).
  • AMD Jaguar-based processors.
  • AMD Puma-based processors.
  • AMD Zen-based processors.

    • Hardware acceleration in other architectures

    AES support with unprivileged processor instructions is also available in the latest SPARC processors (T3, T4, T5, M5, and forward) and in latest ARM processors. The SPARC T4 processor, introduced in 2011, has user-level instructions implementing AES rounds. These instructions are in addition to higher level encryption commands. The ARMv8-A processor architecture, announced in 2011, including the ARM Cortex-A53 and A57 (but not previous v7 processors like the Cortex A5, 7, 8, 9, 11, 15) also have user-level instructions which implement AES rounds. In August 2012, IBM announced that the forthcoming Power7+ architecture would have AES support. The commands in these architectures are not directly compatible with the AES-NI commands, but implement similar functionality.

    IBM z9 or later mainframe processors support AES as single-opcode (KM, KMC) AES ECB/CBC instructions via IBM's CryptoExpress hardware These single-instruction AES versions are therefore easier to use than Intel NI ones, but may not be extended to implement other algorithms based on AES round functions (such as the Whirlpool hash function).

    Supporting x86 CPUs

    VIA x86 CPUs, AMD Geode, and Marvell Kirkwood (ARM, mv_cesa in Linux) use driver-based accelerated AES handling instead. (see Crypto API (Linux))

    The following chips, while supporting AES hardware acceleration, do not support the AES-NI instruction set:

  • AMD Geode LX processors
  • VIA
  • VIA PadLock
  • VIA C3 Nehemiah C5P (Eden-N) processors
  • VIA C7 Esther C5J processors

    • ARM architecture

  • Allwinner
  • A10, A20, A30, A31, A80, A83T, H3 and A64 using Security System
  • Broadcom
  • BCM5801/BCM5805/BCM5820 using Security Processor

    • Other architectures

  • Atmel XMEGA (on-chip accelerator with parallel execution, not an instruction)
  • SPARC T3 and later processors have hardware support for several crypto algorithms, including AES.
  • Cavium Octeon MIPS All Cavium Octeon MIPS-based processors have hardware support for several crypto algorithms, including AES using special coprocessor 3 instructions.

    • Performance

    In AES-NI Performance Analyzed, Patrick Schmid and Achim Roos found, "... impressive results from a handful of applications already optimized to take advantage of Intel's AES-NI capability". A performance analysis using the Crypto++ security library showed an increase in throughput from approximately 28.0 cycles per byte to 3.5 cycles per byte with AES/GCM versus a Pentium 4 with no acceleration.

    Supporting software

    Most modern compilers can emit AES instructions.

    Much security and cryptography software supports the AES instruction set, including the following core infrastructure:

  • Cryptography API: Next Generation (CNG) (requires Windows)
  • Linux's Crypto API
  • Java 7 HotSpot
  • Network Security Services (NSS) version 3.13 and above (used by Firefox and Google Chrome)
  • Solaris Cryptographic Framework on Solaris 10 onwards
  • FreeBSD's OpenCrypto API (aesni(4) driver)
  • OpenSSL 1.0.1 and above
  • FLAMĀ®/FLUCĀ® 5.1.08 (released 2015-08-24) and above

    • References

    AES instruction set Wikipedia
    (Text) CC BY-SA