AES instruction set

From Wikipedia, the free encyclopedia
Instruction set extensions accelerating AES operations

An Advanced Encryption Standard instruction set (AES instruction set) is a set of instructions that are specifically designed to perform AES encryption and decryption operations efficiently. These instructions are typically found in modern processors and can greatly accelerate AES operations compared to software implementations. An AES instruction set includes instructions for key expansion, encryption, and decryption using various key sizes (128-bit, 192-bit, and 256-bit).

The instruction set is often implemented as a set of instructions that can perform a single round of AES along with a special version for the last round which has a slightly different method.

When AES is implemented as an instruction set instead of as software, it can have improved security, as its side-channel attack surface is reduced.[1]

x86 architecture processors


AES-NI (Intel Advanced Encryption Standard New Instructions) was the first major implementation. It is an extension to the x86 instruction set architecture for microprocessors from Intel and AMD, proposed by Intel in March 2008.[2]

A wider version of AES-NI, AVX-512 Vector AES instructions (VAES), is found in AVX-512.[3]

Instructions

| Instruction | Description[4] |
|---|---|
| AESENC | Perform one round of an AES encryption flow |
| AESENCLAST | Perform the last round of an AES encryption flow |
| AESDEC | Perform one round of an AES decryption flow |
| AESDECLAST | Perform the last round of an AES decryption flow |
| AESKEYGENASSIST | Assist in AES round key generation[note 1] |
| AESIMC | Assist in AES decryption round key generation. Applies Inverse Mix Columns to round keys. |
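
The round structure listed in the table above, and the AESKEYGENASSIST outputs described in note 1, can be followed in a byte-level software model that runs on any architecture. This is an added example, not code from the article or from Intel: it implements the standard AES round steps, the three functions named after instruction mnemonics model those instructions, and every other name (`gmul`, `expand_key_128`, `aes128_encrypt_block`, and so on) is chosen here for illustration.

```python
# Added example (not from the page): byte-level model of three AES-NI instructions.
def gmul(a, b):  # multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1
    p = 0
    while b:
        p ^= a if b & 1 else 0
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return p

def _sbox_entry(x):  # multiplicative inverse, then the AES affine transform
    inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
    rot = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    return inv ^ rot(inv, 1) ^ rot(inv, 2) ^ rot(inv, 3) ^ rot(inv, 4) ^ 0x63
SBOX = [_sbox_entry(x) for x in range(256)]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _sub_shift(s):  # byte i is row i % 4, column i // 4; row r rotates left by r
    return bytes(SBOX[s[i % 4 + 4 * ((i // 4 + i % 4) % 4)]] for i in range(16))

def aesenclast(state, round_key):  # last round: SubBytes, ShiftRows, XOR key
    return xor(_sub_shift(state), round_key)
def aesenc(state, round_key):  # full round: adds MixColumns on each 4-byte column
    t = _sub_shift(state)
    mixed = bytes(gmul(t[c + r], 2) ^ gmul(t[c + (r + 1) % 4], 3) ^ t[c + (r + 2) % 4]
                  ^ t[c + (r + 3) % 4] for c in (0, 4, 8, 12) for r in range(4))
    return xor(mixed, round_key)

def aeskeygenassist(x, rcon):  # returns Y0|Y1|Y2|Y3 computed from words X1 and X3
    out = b""
    for word in (x[4:8], x[12:16]):
        s = bytes(SBOX[b] for b in word)                   # SubWord
        out += s + bytes([s[1] ^ rcon, s[2], s[3], s[0]])  # RotWord(SubWord) ^ rcon
    return out

def expand_key_128(key):  # 11 round keys; AES-128 uses only Y3 of each result
    keys = [key]
    for rcon in (1, 2, 4, 8, 16, 32, 64, 128, 0x1B, 0x36):
        words, t = [], aeskeygenassist(keys[-1], rcon)[12:16]
        for c in (0, 4, 8, 12):
            t = xor(t, keys[-1][c:c + 4])
            words.append(t)
        keys.append(b"".join(words))
    return keys

def aes128_encrypt_block(key, block):
    rks = expand_key_128(key)
    state = xor(block, rks[0])         # initial AddRoundKey
    for rk in rks[1:10]:
        state = aesenc(state, rk)      # rounds 1 to 9
    return aesenclast(state, rks[10])  # round 10
```

The `SBOX[...]` list lookups are data-dependent memory accesses, which is the kind of side channel the hardware instructions avoid; the model is meant for studying the instruction semantics, not for encrypting real data.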

Intel


The following Intel processors support the AES-NI instruction set:[5]

  • Westmere based processors, specifically:
    • Westmere-EP (a.k.a. Gulftown Xeon 5600-series DP server model) processors
    • Clarkdale processors (except Core i3, Pentium and Celeron)
    • Arrandale processors (except Celeron, Pentium, Core i3, Core i5-4XXM)
  • Sandy Bridge processors:
    • Desktop: all except Pentium, Celeron, Core i3[6][7]
    • Mobile: all Core i7 and Core i5. Several vendors have shipped BIOS configurations with the extension disabled;[8] a BIOS update is required to enable it.[9]
  • Ivy Bridge processors
    • All i5, i7, Xeon and i3-2115C[10] only
  • Haswell processors (all except i3-4000m,[11] Pentium and Celeron)
  • Broadwell processors (all except Pentium and Celeron)
  • Silvermont/Airmont processors (all except Bay Trail-D and Bay Trail-M)
  • Goldmont (and later) processors
  • Skylake (and later) processors

AMD


Several AMD processors support AES instructions:

Hardware acceleration in other architectures


AES support with unprivileged processor instructions is also available in the latest SPARC processors (T3, T4, T5, M5, and forward) and in the latest ARM processors. The SPARC T4 processor, introduced in 2011, has user-level instructions implementing AES rounds.[13] These instructions are in addition to higher level encryption commands. The ARMv8-A processor architecture, announced in 2011, including the ARM Cortex-A53 and A57 (but not previous v7 processors like the Cortex A5, 7, 8, 9, 11, 15[citation needed]), also has user-level instructions which implement AES rounds.[14]

x86 CPUs offering non-AES-NI acceleration interfaces


VIA x86 CPUs and AMD Geode use driver-based accelerated AES handling instead. (See Crypto API (Linux).)

The following chips, while supporting AES hardware acceleration, do not support AES-NI:

ARM architecture


Programming information is available in the ARM Architecture Reference Manual ARMv8, for ARMv8-A architecture profile (Section A2.3 "The Armv8 Cryptographic Extension").[20]

The Marvell Kirkwood was the embedded core of a range of SoCs from Marvell Technology; these SoC CPUs (ARM, mv_cesa in Linux) use driver-based accelerated AES handling. (See Crypto API (Linux).)

  • ARMv8-A architecture
    • ARM cryptographic extensions are optionally supported on ARM Cortex-A30/50/70 cores
  • Cryptographic hardware accelerators/engines

RISC-V architecture


The scalar and vector cryptographic instruction set extensions for the RISC-V architecture were ratified in 2022 and 2023 respectively, which allowed RISC-V processors to implement hardware acceleration for AES, GHASH, SHA-256, SHA-512, SM3, and SM4.

Before the AES-specific instructions were available on RISC-V, a number of RISC-V chips included integrated AES co-processors. Examples include:

  • The dual-core 64-bit RISC-V Sipeed-M1 supports AES and SHA256.[26]
  • The RISC-V based ESP32-C (as well as the Xtensa-based ESP32[27]) supports AES, SHA, RSA, RNG, HMAC, digital signature and XTS 128 for flash.[28]
  • Bouffalo Labs BL602/604 32-bit RISC-V supports various AES and SHA variants.[29]

POWER architecture


Since the Power ISA v.2.07, the instructions vcipher and vcipherlast implement one round of AES directly.[30]

IBM z/Architecture


IBM z9 or later mainframe processors support AES as single-opcode (KM, KMC) AES ECB/CBC instructions via IBM's CryptoExpress hardware.[31] These single-instruction AES versions are therefore easier to use than Intel NI ones, but may not be extended to implement other algorithms based on AES round functions (such as the Whirlpool and Grøstl hash functions).

Other architectures

  • Atmel XMEGA[32] (on-chip accelerator with parallel execution, not an instruction)
  • SPARC T3 and later processors have hardware support for several cryptographic algorithms, including AES.
  • Cavium Octeon MIPS:[33] all Cavium Octeon MIPS-based processors have hardware support for several cryptographic algorithms, including AES using special coprocessor 3 instructions.

Performance


In AES-NI Performance Analyzed, Patrick Schmid and Achim Roos found "impressive results from a handful of applications already optimized to take advantage of Intel's AES-NI capability".[34] A performance analysis using the Crypto++ security library showed an increase in throughput from approximately 28.0 cycles per byte to 3.5 cycles per byte with AES/GCM versus a Pentium 4 with no acceleration.[35][36][failed verification][better source needed]

Supporting software


Most modern compilers can emit AES instructions.

A lot of security and cryptography software supports the AES instruction set, including the following notable core infrastructure:

Application beyond AES


A fringe use of the AES instruction set involves using it on block ciphers with a similarly structured S-box, using an affine transform to convert between the two. SM4, Camellia and ARIA have been accelerated using AES-NI.[52][53][54] The AVX-512 Galois Field New Instructions (GFNI) allow implementing these S-boxes in a more direct way.[55]

New cryptographic algorithms have been constructed to specifically use parts of the AES algorithm, so that the AES instruction set can be used for speedups. The AEGIS family, which offers authenticated encryption, runs with at least twice the speed of AES.[56] AEGIS is an "additional finalist for high-performance applications" in the CAESAR Competition.[57]

Notes

  1. ^ The instruction computes 4 parallel subexpressions of AES key expansion on 4 32-bit words in a double quadword (aka SSE register) on bits X[127:96] for $i=3$ and X[63:32] for $i=1$ only. Two parallel AES S-box substitutions $Y_{0}=SubWord(X_{1})$ and $Y_{2}=SubWord(X_{3})$ are used in AES-256 and 2 subexpressions $Y_{1}=RotWord(SubWord(X_{1}))\oplus rcon$ and $Y_{3}=RotWord(SubWord(X_{3}))\oplus rcon$ are used in AES-128, AES-192, AES-256.

References

  1. ^ "Securing the Enterprise with Intel AES-NI" (PDF). Intel Corporation. Archived (PDF) from the original on 2013-03-31. Retrieved 2017-07-26.
  2. ^ "Intel Software Network". Intel. Archived from the original on 7 April 2008. Retrieved 2008-04-05.
  3. ^ "Intel Architecture Instruction Set Extensions and Future Features Programming Reference". Intel. Retrieved October 16, 2017.
  4. ^ Shay Gueron (2010). "Intel Advanced Encryption Standard (AES) Instruction Set White Paper" (PDF). Intel. Retrieved 2012-09-20.
  5. ^ "Intel Product Specification Advanced Search". Intel ARK.
  6. ^ Shimpi, Anand Lal. "The Sandy Bridge Review: Intel Core i7-2600K, i5-2500K and Core i3-2100 Tested". Archived from the original on January 6, 2011.
  7. ^ "Intel Product Specification Comparison".
  8. ^ "AES-NI support in TrueCrypt (Sandy Bridge problem)". 27 January 2022.
  9. ^ "Some products can support AES New Instructions with a Processor Configuration update, in particular, i7-2630QM/i7-2635QM, i7-2670QM/i7-2675QM, i5-2430M/i5-2435M, i5-2410M/i5-2415M. Please contact OEM for the BIOS that includes the latest Processor configuration update".
  10. ^ "Intel Core i3-2115C Processor (3M Cache, 2.00 GHz) Product Specifications".
  11. ^ "Intel Core i3-4000M Processor (3M Cache, 2.40 GHz) Product Specifications".
  12. ^ "Following Instructions". AMD. November 22, 2010. Archived from the original on November 26, 2010. Retrieved 2011-01-04.
  13. ^ Dan Anderson (2011). "SPARC T4 OpenSSL Engine". Oracle. Retrieved 2012-09-20.
  14. ^ Richard Grisenthwaite (2011). "ARMv8-A Technology Preview" (PDF). ARM. Archived from the original (PDF) on 2018-06-10. Retrieved 2012-09-20.
  15. ^ "AMD Geode LX Processor Family Technical Specifications". AMD.
  16. ^ "VIA Padlock Security Engine". VIA. Archived from the original on 2011-05-15. Retrieved 2011-11-14.
  17. ^ a b Cryptographic Hardware Accelerators on OpenWRT.org
  18. ^ "VIA Eden-N Processors". VIA. Archived from the original on 2011-11-11. Retrieved 2011-11-14.
  19. ^ "VIA C7 Processors". VIA. Archived from the original on 2007-04-19. Retrieved 2011-11-14.
  20. ^ "Arm Architecture Reference Manual Armv8, for Armv8-A architecture profile". ARM. 22 January 2021.
  21. ^ "Security System/Crypto Engine driver status". sunxi.montjoie.ovh.
  22. ^ "Linux Cryptographic Acceleration on an i.MX6" (PDF). Linux Foundation. February 2017. Archived from the original (PDF) on 2019-08-26. Retrieved 2018-05-02.
  23. ^ "Cryptographic module in Snapdragon 805 is FIPS 140-2 certified". Qualcomm.
  24. ^ "RK3128 - Rockchip Wiki". Rockchip wiki. Archived from the original on 2019-01-28. Retrieved 2018-05-02.
  25. ^ "The Samsung Exynos 7420 Deep Dive - Inside A Modern 14nm SoC". AnandTech. Archived from the original on June 30, 2015.
  26. ^ "Sipeed M1 Datasheet v1.1" (PDF). kamami.pl. 2019-03-06. Retrieved 2021-05-03.
  27. ^ "ESP32 Series Datasheet" (PDF). www.espressif.com. 2021-03-19. Retrieved 2021-05-03.
  28. ^ "ESP32-C3 WiFi & BLE RISC-V processor is pin-to-pin compatible with ESP8266". CNX-Software. Retrieved 2020-11-22.
  29. ^ "BL602-Bouffalo Lab (Nanjing) Co., Ltd". www.bouffalolab.com. Archived from the original on 2021-06-18. Retrieved 2021-05-03.
  30. ^ "Power ISA Version 2.07 B". Retrieved 2022-01-07.
  31. ^ "IBM System z10 cryptography". IBM. Archived from the original on August 13, 2008. Retrieved 2014-01-27.
  32. ^ "Using the XMEGA built-in AES accelerator" (PDF). Retrieved 2014-12-03.
  33. ^ "Cavium Networks Launches Industry's Broadest Line of Single and Dual Core MIPS64-based OCTEON Processors Targeting Intelligent Next Generation Networks". Archived from the original on 2017-12-07. Retrieved 2016-09-17.
  34. ^ P. Schmid and A. Roos (2010). "AES-NI Performance Analyzed". Tom's Hardware. Retrieved 2010-08-10.
  35. ^ T. Krovetz, W. Dai (2010). "How to get fast AES calls?". Crypto++ user group. Retrieved 2010-08-11.
  36. ^ "Crypto++ 5.6.0 Pentium 4 Benchmarks". Crypto++ Website. 2009. Archived from the original on 19 September 2010. Retrieved 2010-08-10.
  37. ^ "NonStop SSH Reference Manual". Retrieved 2020-04-09.
  38. ^ "NonStop cF SSL Library Reference Manual". Retrieved 2020-04-09.
  39. ^ "BackBox H4.08Tape Encryption Option". Retrieved 2020-04-09.
  40. ^ "Intel Advanced Encryption Standard Instructions (AES-NI)". Intel. March 2, 2010. Archived from the original on 7 July 2010. Retrieved 2010-07-11.
  41. ^ "AES-NI enhancements to NSS on Sandy Bridge systems". 2012-05-02. Retrieved 2012-11-25.
  42. ^ "System Administration Guide: Security Services, Chapter 13 Solaris Cryptographic Framework (Overview)". Oracle. September 2010. Retrieved 2012-11-27.
  43. ^ "FreeBSD 8.2 Release Notes". FreeBSD.org. 2011-02-24. Archived from the original on 2011-04-12. Retrieved 2011-12-18.
  44. ^ OpenSSL: CVS Web Interface
  45. ^ "Cryptographic Backend (GnuTLS 3.6.14)". gnutls.org. Retrieved 2020-06-26.
  46. ^ "AES-GCM in libsodium". libsodium.org.
  47. ^ "Hardware Acceleration". www.veracrypt.fr.
  48. ^ "aes - The Go Programming Language". golang.org. Retrieved 2020-06-26.
  49. ^ Shimpi, Anand Lal. "The Clarkdale Review: Intel's Core i5 661, i3 540 & i3 530". www.anandtech.com. Archived from the original on July 18, 2012. Retrieved 2020-06-26.
  50. ^ "Bloombase StoreSafe Intelligent Storage Firewall".
  51. ^ "Vormetric Encryption Adds Support for Intel AES-NI Acceleration Technology". 15 May 2012.
  52. ^ Saarinen, Markku-Juhani O. (17 April 2020). "mjosaarinen/sm4ni: Demonstration that AES-NI instructions can be used to implement the Chinese Encryption Standard SM4". GitHub.
  53. ^ Kivilinna, Jussi (2013). Block Ciphers: Fast Implementations on x86-64 Architecture (PDF) (M.Sc.). University of Oulu. pp. 33, 42. Retrieved 2017-06-22.
  54. ^ Yoo, Tae-Hee; Kivilinna, Jussi; Cho, Choong-Hee (2023). "AVX-Based Acceleration of ARIA Block Cipher Algorithm". IEEE Access. 11: 77403–77415. Bibcode:2023IEEEA..1177403Y. doi:10.1109/ACCESS.2023.3298026.
  55. ^ Kivilinna, Jussi (19 April 2023). "camellia-simd-aesni". GitHub. Newer x86-64 processors also support Galois Field New Instructions (GFNI) which allow implementing Camellia s-box more straightforward manner and yield even better performance.
  56. ^ Wu, Hongjun; Preneel, Bart. "AEGIS: A Fast Authenticated Encryption Algorithm (v1.1)" (PDF).
  57. ^ Denis, Frank. "The AEGIS Family of Authenticated Encryption Algorithms". cfrg.github.io.

Retrieved from "https://en.wikipedia.org/w/index.php?title=AES_instruction_set&oldid=1305156150"