An AES (Advanced Encryption Standard) instruction set is a set of instructions that are specifically designed to perform AES encryption and decryption operations efficiently. These instructions are typically found in modern processors and can greatly accelerate AES operations compared to software implementations. An AES instruction set includes instructions for key expansion, encryption, and decryption using various key sizes (128-bit, 192-bit, and 256-bit).
The instruction set is often implemented as a set of instructions that can perform a single round of AES along with a special version for the last round which has a slightly different method.
When AES is implemented as an instruction set instead of in software, it can have improved security, because its side-channel attack surface is reduced: the round is computed in fixed-time hardware rather than through cache-dependent table lookups. [1]
AES-NI (Intel Advanced Encryption Standard New Instructions) was the first major implementation. AES-NI is an extension to the x86 instruction set architecture for microprocessors from Intel and AMD, proposed by Intel in March 2008. [2]
A wider version of AES-NI, the AVX-512 Vector AES instructions (VAES), is found in AVX-512. [3]
| Instruction | Description [4] |
|---|---|
| AESENC | Perform one round of an AES encryption flow |
| AESENCLAST | Perform the last round of an AES encryption flow |
| AESDEC | Perform one round of an AES decryption flow |
| AESDECLAST | Perform the last round of an AES decryption flow |
| AESKEYGENASSIST | Assist in AES round key generation [note 1] |
| AESIMC | Assist in AES decryption round key generation. Applies Inverse Mix Columns to round keys. |
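To make the table concrete, the following added example (not code from the original article) models the six instructions in pure Python, operating on the same 16-byte little-endian register image an XMM register holds, and then assembles AES-128 exactly the way AES-NI code does: AESKEYGENASSIST drives the key schedule, nine AESENC rounds plus one AESENCLAST encrypt, and AESIMC-transformed round keys feed AESDEC/AESDECLAST for the equivalent inverse cipher. The S-box is derived from the GF(2^8) inverse and affine map rather than typed in; the function names `aesenc`, `aesimc` and so on are this example's own, and the known-answer values are the FIPS-197 Appendix C.1 test vector.

```python
# Software model of the x86 AES-NI instructions, used to build AES-128 round
# by round. State and round keys are 16-byte objects in the column-major order
# that the XMM registers hold them in (byte i = row i%4 of column i//4).

def _xtime(b):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    b <<= 1
    return (b ^ 0x11B) if b & 0x100 else b

def _gmul(a, b):
    """General GF(2^8) multiplication by shift-and-add."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = _xtime(a)
        b >>= 1
    return r

def _build_sbox():
    """SubBytes table: multiplicative inverse followed by the fixed affine map."""
    sbox = [0] * 256
    for v in range(256):
        inv = 0 if v == 0 else next(i for i in range(1, 256) if _gmul(v, i) == 1)
        x = inv
        for _ in range(4):               # inv ^= rotl(inv,1..4)
            x = ((x << 1) | (x >> 7)) & 0xFF
            inv ^= x
        sbox[v] = inv ^ 0x63
    return sbox

SBOX = _build_sbox()
INV_SBOX = [0] * 256
for _i, _s in enumerate(SBOX):
    INV_SBOX[_s] = _i
MIX = (2, 3, 1, 1)          # first row of the (circulant) MixColumns matrix
INV_MIX = (14, 11, 13, 9)   # first row of the InvMixColumns matrix
RCON = (0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _shift_rows(s, inverse=False):
    """Row r of the state is rotated by r columns (left for encryption)."""
    sign = -1 if inverse else 1
    return bytes(s[r + 4 * ((c + sign * r) % 4)] for c in range(4) for r in range(4))

def _mix_columns(s, row):
    """Multiply every column by the circulant matrix whose first row is `row`."""
    out = bytearray(16)
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for r in range(4):
            out[4 * c + r] = (_gmul(row[0], col[r]) ^ _gmul(row[1], col[(r + 1) % 4])
                              ^ _gmul(row[2], col[(r + 2) % 4]) ^ _gmul(row[3], col[(r + 3) % 4]))
    return bytes(out)

# --- the six instructions; each takes a 16-byte state/key like the XMM operands ---
def aesenc(state, rk):
    """AESENC: ShiftRows, SubBytes, MixColumns, then XOR with the round key."""
    s = bytes(SBOX[b] for b in _shift_rows(state))
    return _xor(_mix_columns(s, MIX), rk)

def aesenclast(state, rk):
    """AESENCLAST: the final round, i.e. AESENC without MixColumns."""
    return _xor(bytes(SBOX[b] for b in _shift_rows(state)), rk)

def aesdec(state, rk):
    """AESDEC: InvShiftRows, InvSubBytes, InvMixColumns, XOR with a round key
    that has already been passed through AESIMC (equivalent inverse cipher)."""
    s = bytes(INV_SBOX[b] for b in _shift_rows(state, inverse=True))
    return _xor(_mix_columns(s, INV_MIX), rk)

def aesdeclast(state, rk):
    """AESDECLAST: final decryption round, no InvMixColumns; takes the raw key."""
    return _xor(bytes(INV_SBOX[b] for b in _shift_rows(state, inverse=True)), rk)

def aesimc(rk):
    """AESIMC: InvMixColumns applied to a round key, preparing it for AESDEC."""
    return _mix_columns(rk, INV_MIX)

def aeskeygenassist(x, rcon):
    """AESKEYGENASSIST: [SubWord(X1), RotWord(SubWord(X1))^rcon,
                         SubWord(X3), RotWord(SubWord(X3))^rcon] for words X1, X3."""
    subword = lambda w: bytes(SBOX[b] for b in w)
    rotword = lambda w: w[1:] + w[:1]
    rc = bytes([rcon, 0, 0, 0])
    x1, x3 = x[4:8], x[12:16]
    return (subword(x1) + _xor(rotword(subword(x1)), rc)
            + subword(x3) + _xor(rotword(subword(x3)), rc))

def expand_key_128(key):
    """AES-128 key schedule the AES-NI way: 11 round keys from AESKEYGENASSIST."""
    rks = [bytes(key)]
    for rcon in RCON:
        prev = rks[-1]
        t = aeskeygenassist(prev, rcon)[12:16]   # RotWord(SubWord(w3)) ^ rcon
        words = []
        for i in range(4):                        # w4 = w0^t, w5 = w4^w1, ...
            t = _xor(t, prev[4 * i:4 * i + 4])
            words.append(t)
        rks.append(b"".join(words))
    return rks

def encrypt_block(rks, block):
    s = _xor(block, rks[0])
    for rk in rks[1:10]:
        s = aesenc(s, rk)
    return aesenclast(s, rks[10])

def decrypt_block(rks, block):
    """Equivalent inverse cipher: keys in reverse order, middle ones via AESIMC."""
    s = _xor(block, rks[10])
    for rk in reversed(rks[1:10]):
        s = aesdec(s, aesimc(rk))
    return aesdeclast(s, rks[0])

if __name__ == "__main__":
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")      # FIPS-197 C.1
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    ct = encrypt_block(expand_key_128(key), pt)
    print(ct.hex())                                                # 69c4e0d8...
```

Note that AESDECLAST takes the untransformed first round key while AESDEC needs AESIMC-processed ones; forgetting that asymmetry is the classic mistake when hand-rolling a decryption schedule with these instructions.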
The following Intel processors support the AES-NI instruction set: [5]
Several AMD processors support AES instructions:
AES support with unprivileged processor instructions is also available in the latest SPARC processors (T3, T4, T5, M5, and onward) and in the latest ARM processors. The SPARC T4 processor, introduced in 2011, has user-level instructions implementing AES rounds. [13] These instructions are in addition to higher-level encryption commands. The ARMv8-A processor architecture, announced in 2011, including the ARM Cortex-A53 and A57 (but not previous v7 processors like the Cortex A5, 7, 8, 9, 11, 15), also has user-level instructions which implement AES rounds. [14]
VIA x86 CPUs and AMD Geode use driver-based accelerated AES handling instead. (See Crypto API (Linux).)
The following chips, while supporting AES hardware acceleration, do not support AES-NI:
Programming information is available in ARM Architecture Reference Manual ARMv8, for ARMv8-A architecture profile (Section A2.3 "The Armv8 Cryptographic Extension"). [20]
The Marvell Kirkwood was the embedded core of a range of SoCs from Marvell Technology; these SoC CPUs (ARM, mv_cesa in Linux) use driver-based accelerated AES handling. (See Crypto API (Linux).)
The scalar and vector cryptographic instruction set extensions for the RISC-V architecture were ratified in 2022 and 2023 respectively, allowing RISC-V processors to implement hardware acceleration for AES, GHASH, SHA-256, SHA-512, SM3, and SM4.
Before the AES-specific instructions were available on RISC-V, a number of RISC-V chips included integrated AES co-processors. Examples include:
Since Power ISA v2.07, the instructions vcipher and vcipherlast implement one round of AES directly. [30]
IBM z9 or later mainframe processors support AES as single-opcode (KM, KMC) AES ECB/CBC instructions via IBM's CryptoExpress hardware. [31] These single-instruction AES versions are therefore easier to use than Intel NI ones, but may not be extended to implement other algorithms based on AES round functions (such as the Whirlpool and Grøstl hash functions).
In AES-NI Performance Analyzed, Patrick Schmid and Achim Roos found "impressive results from a handful of applications already optimized to take advantage of Intel's AES-NI capability". [34] A performance analysis using the Crypto++ security library showed an increase in throughput from approximately 28.0 cycles per byte to 3.5 cycles per byte with AES/GCM versus a Pentium 4 with no acceleration. [35] [36]
Most modern compilers can emit AES instructions.
Much security and cryptography software supports the AES instruction set, including the following notable core infrastructure:
A fringe use of the AES instruction set involves applying it to block ciphers with a similarly structured S-box, using an affine isomorphism to convert between the two. SM4, Camellia and ARIA have been accelerated using AES-NI. [52] [53] [54] The AVX-512 Galois Field New Instructions (GFNI) allow these S-boxes to be implemented more directly. [55]
New cryptographic algorithms have been constructed to specifically use parts of the AES algorithm, so that the AES instruction set can be used for speedups. The AEGIS family, which offers authenticated encryption, runs with at least twice the speed of AES. [56] AEGIS is an "additional finalist for high-performance applications" in the CAESAR Competition. [57]
Hardware-based encryption is the use of computer hardware to assist software, or sometimes replace software, in the process of data encryption. Typically, this is implemented as part of the processor's instruction set. For example, the AES encryption algorithm can be implemented using the AES instruction set on the ubiquitous x86 architecture. Such instructions also exist on the ARM architecture. However, more unusual systems exist where the cryptography module is separate from the central processor, instead being implemented as a coprocessor, in particular a secure cryptoprocessor or cryptographic accelerator, of which an example is the IBM 4758, or its successor, the IBM 4764. Hardware implementations can be faster and less prone to exploitation than traditional software implementations, and furthermore can be protected against tampering.
Newer x86-64 processors also support the Galois Field New Instructions (GFNI), which allow the Camellia S-box to be implemented in a more straightforward manner and yield even better performance.