Short description: Extension to the x86 instruction set
An AES (Advanced Encryption Standard) instruction set is a set of instructions that are specifically designed to perform AES encryption and decryption operations efficiently. These instructions are typically found in modern processors and can greatly accelerate AES operations compared to software implementations. An AES instruction set includes instructions for key expansion, encryption, and decryption using various key sizes (128-bit, 192-bit, and 256-bit).
The instruction set is often implemented as a set of instructions that can perform a single round of AES along with a special version for the last round which has a slightly different method.
When AES is implemented as an instruction set instead of as software, it can have improved security, as its side channel attack surface is reduced.[citation needed]
AES-NI (or the Intel Advanced Encryption Standard New Instructions; AES-NI) was the first major implementation. AES-NI is an extension to the x86instruction set architecture for microprocessors from Intel and AMD proposed by Intel in March 2008.[1]
A wider version of AES-NI, AVX-512 Vector AES instructions (VAES), is found in AVX-512.[2]
Desktop: all except Pentium, Celeron, Core i3[5][6]
Mobile: all Core i7 and Core i5. Several vendors have shipped BIOS configurations with the extension disabled;[7] a BIOS update is required to enable them.[8]
AES support with unprivileged processor instructions is also available in the latest SPARC processors (T3, T4, T5, M5, and forward) and in latest ARM processors. The SPARC T4 processor, introduced in 2011, has user-level instructions implementing AES rounds.[12] These instructions are in addition to higher level encryption commands. The ARMv8-A processor architecture, announced in 2011, including the ARM Cortex-A53 and A57 (but not previous v7 processors like the Cortex A5, 7, 8, 9, 11, 15[citation needed]) also have user-level instructions which implement AES rounds.[13]
Programming information is available in ARM Architecture Reference Manual ARMv8, for ARMv8-A architecture profile (Section A2.3 "The Armv8 Cryptographic Extension").[19]
The Marvell Kirkwood was the embedded core of a range of SoC from Marvell Technology, these SoC CPUs (ARM, mv_cesa in Linux) use driver-based accelerated AES handling. (See Crypto API (Linux).)
ARMv8-A architecture
ARM cryptographic extensions are optionally supported on ARM Cortex-A30/50/70 cores
Whilst the RISC-V architecture does not include AES-specific instructions, a number of RISC-V chips include integrated AES co-processors. Examples include:
Dual-core RISC-V 64 bits Sipeed-M1 support AES and SHA256.[25]
RISC-V architecture based ESP32-C (as well as Xtensa-based ESP32[26]), support AES, SHA, RSA, RNG, HMAC, digital signature and XTS 128 for flash.[27]
Bouffalo Labs BL602/604 32-bit RISC-V supports various AES and SHA variants.[28]
POWER architecture
Since the Power ISA v.2.07, the instructions vcipher and vcipherlast implement one round of AES directly.[29]
IBM z/Architecture
IBM z9 or later mainframe processors support AES as single-opcode (KM, KMC) AES ECB/CBC instructions via IBM's CryptoExpress hardware.[30] These single-instruction AES versions are therefore easier to use than Intel NI ones, but may not be extended to implement other algorithms based on AES round functions (such as the Whirlpool and Grøstl hash functions).
Other architectures
Atmel XMEGA[31] (on-chip accelerator with parallel execution, not an instruction)
SPARC T3 and later processors have hardware support for several cryptographic algorithms, including AES.
Cavium Octeon MIPS[32] All Cavium Octeon MIPS-based processors have hardware support for several cryptographic algorithms, including AES using special coprocessor 3 instructions.
Performance
In AES-NI Performance Analyzed, Patrick Schmid and Achim Roos found "impressive results from a handful of applications already optimized to take advantage of Intel's AES-NI capability".[33] A performance analysis using the Crypto++security library showed an increase in throughput from approximately 28.0 cycles per byte to 3.5 cycles per byte with AES/GCM versus a Pentium 4 with no acceleration.[34][35][failed verification][better source needed]
Supporting software
Most modern compilers can emit AES instructions.
A lot of security and cryptography software supports the AES instruction set, including the following notable core infrastructure:
A fringe use of the AES instruction set involves using it on block ciphers with a similarly-structured S-box, using affine isomorphism to convert between the two. SM4 and Camellia have been accelerated using AES-NI.[51][52] The AVX-512 Galois Field New Instructions (GFNI) allows implementing these S-boxes in a more direct way.[53]
↑The instruction computes 4 parallel subexpressions of AES key expansion on 4 32-bit words in a double quadword (aka SSE register) on bits X[127:96] for [math]\displaystyle{ i=3 }[/math] and X[63:32] for [math]\displaystyle{ i=1 }[/math] only. Two parallel AES S-box substitutions[math]\displaystyle{ Y_0=SubWord(X_1) }[/math] and [math]\displaystyle{ Y_2=SubWord(X_3) }[/math] are used in AES-256 and 2 subexpressions [math]\displaystyle{ Y_1=RotWord(SubWord(X_1)) \oplus rcon }[/math] and [math]\displaystyle{ Y_3=RotWord(SubWord(X_3)) \oplus rcon }[/math] are used in AES-128, AES-192, AES-256.
↑Kivilinna, Jussi (19 April 2023). "camellia-simd-aesni". https://github.com/jkivilin/camellia-simd-aesni. "Newer x86-64 processors also support Galois Field New Instructions (GFNI) which allow implementing Camellia s-box more straightforward manner and yield even better performance."