AES instruction set

From HandWiki
Jump to: navigation, search

An Advanced Encryption Standard instruction set is now integrated into many processors. The purpose of the instruction set is to improve the speed (as well as the resistance to side-channel attacks) of applications performing encryption and decryption using Advanced Encryption Standard (AES). They are often implemented as instructions implementing a single round of AES along with a special version for the last round which has a slightly different method.

x86 architecture processors

AES-NI (or the Intel Advanced Encryption Standard New Instructions; AES-NI) was the first major implementation. AES-NI is an extension to the x86 instruction set architecture for microprocessors from Intel and AMD proposed by Intel in March 2008.[1]


Instruction Description[2]
AESENC Perform one round of an AES encryption flow
AESENCLAST Perform the last round of an AES encryption flow
AESDEC Perform one round of an AES decryption flow
AESDECLAST Perform the last round of an AES decryption flow
AESKEYGENASSIST Assist in AES round key generation[note 1]
AESIMC Assist in AES Inverse Mix Columns


The following Intel processors support the AES-NI instruction set:[3]

  • Westmere based processors, specifically:
    • Westmere-EP (a.k.a. Gulftown Xeon 5600-series DP server model) processors.
    • Clarkdale processors (except Core i3, Pentium and Celeron).
    • Arrandale processors (except Celeron, Pentium, Core i3, Core i5-4XXM).
  • Sandy Bridge processors:
    • Desktop: all except Pentium, Celeron, Core i3.[4][5]
    • Mobile: all Core i7 and Core i5. Several vendors have shipped BIOS configurations with the extension disabled;[6] a BIOS update is required to enable them.[7]
  • Ivy Bridge processors.
    • All i5, i7, Xeon and i3-2115C[8] only.
  • Haswell processors (all except i3-4000m,[9] Pentium and Celeron).
  • Broadwell processors (all except Pentium and Celeron).
  • Silvermont/Airmont processors (all except Bay Trail-D and Bay Trail-M).
  • Goldmont (and later) processors.
  • Skylake (and later) processors.


Several AMD processors support AES instructions:

Hardware acceleration in other architectures

AES support with unprivileged processor instructions is also available in the latest SPARC processors (T3, T4, T5, M5, and forward) and in latest ARM processors. The SPARC T4 processor, introduced in 2011, has user-level instructions implementing AES rounds.[11] These instructions are in addition to higher level encryption commands. The ARMv8-A processor architecture, announced in 2011, including the ARM Cortex-A53 and A57 (but not previous v7 processors like the Cortex A5, 7, 8, 9, 11, 15[citation needed]) also have user-level instructions which implement AES rounds.[12] In August 2012, IBM announced[13] that the then-forthcoming Power7+ architecture would have AES support. The commands in these architectures are not directly equivalent to the AES-NI commands, but implement similar functionality.

IBM z9 or later mainframe processors support AES as single-opcode (KM, KMC) AES ECB/CBC instructions via IBM's CryptoExpress hardware.[14] These single-instruction AES versions are therefore easier to use than Intel NI ones, but may not be extended to implement other algorithms based on AES round functions (such as the Whirlpool and Grøstl hash functions).

Supporting x86 CPUs

VIA x86 CPUs, AMD Geode, and Marvell Kirkwood (ARM, mv_cesa in Linux) use driver-based accelerated AES handling instead. (See Crypto API (Linux).)

The following chips, while supporting AES hardware acceleration, do not support AES-NI:

ARM architecture

Programming information is available in ARM Architecture Reference Manual ARMv8, for ARMv8-A architecture profile (Section A2.3 "The Armv8 Cryptographic Extension").[20]

  • ARMv8-A architecture
    • ARM cryptographic extensions optionally supported on ARM Cortex-A30/50/70 cores
  • Cryptographic hardware accelerators/engines
    • Allwinner
      • A10, A20, A30, A31, A80, A83T, H3 and A64 using Security System[21]
    • Broadcom
      • BCM5801/BCM5805/BCM5820 using Security Processor[17]
    • NXP Semiconductors
    • Qualcomm
      • Snapdragon 805 onwards[23]
    • Rockchip
      • RK30xx series onwards[24]
    • Samsung
      • Exynos 3 series onwards[25]

Other architectures

  • Atmel XMEGA[26] (on-chip accelerator with parallel execution, not an instruction)
  • SPARC T3 and later processors have hardware support for several cryptographic algorithms, including AES.
  • Cavium Octeon MIPS[27] All Cavium Octeon MIPS-based processors have hardware support for several cryptographic algorithms, including AES using special coprocessor 3 instructions.


In AES-NI Performance Analyzed, Patrick Schmid and Achim Roos found "impressive results from a handful of applications already optimized to take advantage of Intel's AES-NI capability".[28] A performance analysis using the Crypto++ security library showed an increase in throughput from approximately 28.0 cycles per byte to 3.5 cycles per byte with AES/GCM versus a Pentium 4 with no acceleration.[29][30][failed verification][better source needed]

Supporting software

Most modern compilers can emit AES instructions.

Much security and cryptography software supports the AES instruction set, including the following core infrastructure:

See also


  1. The instruction computes 4 parallel subexpressions of AES key expansion on 4 32-bit words in a double quadword (aka SSE register) on bits X[127:96] for [math]\displaystyle{ i=3 }[/math] and X[63:32] for [math]\displaystyle{ i=1 }[/math] only. 2 parallel AES S-Box substitutions [math]\displaystyle{ Y_0=SubWord(X_1) }[/math] and [math]\displaystyle{ Y_2=SubWord(X_3) }[/math] are used in AES-256 and 2 subexpressions [math]\displaystyle{ Y_1=RotWord(SubWord(X_1)) \oplus rcon }[/math] and [math]\displaystyle{ Y_3=RotWord(SubWord(X_3)) \oplus rcon }[/math] are used in AES-128, AES-192, AES-256.


  1. "Intel Software Network". Intel. Archived from the original on 7 April 2008. Retrieved 2008-04-05. 
  2. Shay Gueron (2010). "Intel Advanced Encryption Standard (AES) Instruction Set White Paper". Intel. Retrieved 2012-09-20. 
  3. "Intel® Product Specification Advanced Search". 
  4. Shimpi, Anand Lal. "The Sandy Bridge Review: Intel Core i7-2600K, i5-2500K and Core i3-2100 Tested". 
  5. "Intel® Product Specification Comparison".,63913,58667,53480,53481,53482,53483,53484,53485,53490,53491,53492,53416,53414. 
  6. "AES-NI support in TrueCrypt (Sandy Bridge problem)". 
  7. "Some products can support AES New Instructions with a Processor Configuration update, in particular, i7-2630QM/i7-2635QM, i7-2670QM/i7-2675QM, i5-2430M/i5-2435M, i5-2410M/i5-2415M. Please contact OEM for the BIOS that includes the latest Processor configuration update.". 
  8. "Intel® Core™ i3-2115C Processor (3M Cache, 2.00 GHz) Product Specifications". 
  9. "Intel® Core™ i3-4000M Processor (3M Cache, 2.40 GHz) Product Specifications". 
  10. "Following Instructions". AMD. November 22, 2010. Archived from the original on November 26, 2010. Retrieved 2011-01-04. 
  11. Dan Anderson (2011). "SPARC T4 OpenSSL Engine". Oracle. Retrieved 2012-09-20. 
  12. Richard Grisenthwaite (2011). "ARMv8-A Technology Preview". ARM. Retrieved 2012-09-20. 
  13. Timothy Prickett Morgan (2012). "All the sauce on Big Blue's hot chip: More on Power7+". The Register. Retrieved 2012-09-20. 
  14. "IBM System z10 cryptography". IBM. Retrieved 2014-01-27. 
  15. "AMD Geode™ LX Processor Family Technical Specifications". AMD. 
  16. "VIA Padlock Security Engine". VIA. Retrieved 2011-11-14. 
  17. 17.0 17.1 Cryptographic Hardware Accelerators on
  18. "VIA Eden-N Processors". VIA. Archived from the original on 2011-11-11. Retrieved 2011-11-14. 
  19. "VIA C7 Processors". VIA. Retrieved 2011-11-14. 
  20. "ARM® Architecture Reference Manual ARMv8, for ARMv8-A architecture profile". ARM. 5 July 2019. 
  21. "Security System/Crypto Engine driver status". 
  22. "Linux Cryptographic Acceleration on an i.MX6". Linux Foundation. February 2017. 
  23. "Cryptographic module in Snapdragon 805 is FIPS 140-2 certified". 
  24. "RK3128 - Rockchip Wiki". 
  25. "The Samsung Exynos 7420 Deep Dive - Inside A Modern 14nm SoC". 
  26. "Using the XMEGA built-in AES accelerator". Retrieved 2014-12-03. 
  27. "Cavium Networks Launches Industry's Broadest Line of Single and Dual Core MIPS64®-based OCTEON™ Processors Targeting Intelligent Next Generation Networks". Retrieved 2016-09-17. 
  28. P. Schmid and A. Roos (2010). "AES-NI Performance Analyzed". Tom's Hardware.,2538.html. Retrieved 2010-08-10. 
  29. T. Krovetz, W. Dai (2010). "How to get fast AES calls?". Crypto++ user group. Retrieved 2010-08-11. 
  30. "Crypto++ 5.6.0 Pentium 4 Benchmarks". Crypto++ Website. 2009. Archived from the original on 19 September 2010. Retrieved 2010-08-10. 
  31. "NonStop SSH Reference Manual". Retrieved 2020-04-09. 
  32. "NonStop cF SSL Library Reference Manual". Retrieved 2020-04-09. 
  33. "BackBox H4.08Tape Encryption Option". Retrieved 2020-04-09. 
  34. "Intel Advanced Encryption Standard Instructions (AES-NI)". Intel. March 2, 2010. Archived from the original on 7 July 2010. Retrieved 2010-07-11. 
  35. "AES-NI enhancements to NSS on Sandy Bridge systems". 2012-05-02. Retrieved 2012-11-25. 
  36. "System Administration Guide: Security Services, Chapter 13 Solaris Cryptographic Framework (Overview)". Oracle. September 2010. Retrieved 2012-11-27. 
  37. "FreeBSD 8.2 Release Notes". 2011-02-24. Retrieved 2011-12-18. 
  38. OpenSSL: CVS Web Interface
  39. "Cryptographic Backend (GnuTLS 3.6.14)". 
  40. "AES-GCM in libsodium". 
  41. " :: Products". 
  42. "Hardware Acceleration". 
  43. "aes - The Go Programming Language". 
  44. Shimpi, Anand Lal. "The Clarkdale Review: Intel's Core i5 661, i3 540 & i3 530". 

External links