An Advanced Encryption Standard instruction set (AES instruction set) is a set of processor instructions designed specifically to perform AES encryption and decryption operations efficiently. The Advanced Encryption Standard (AES), also known by its original name Rijndael, is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001. These instructions are found in most modern processors and can greatly accelerate AES operations compared to software implementations. An AES instruction set includes instructions for key expansion, encryption and decryption with each of the three key sizes (128-bit, 192-bit and 256-bit).
The instruction set is usually implemented as instructions that each perform a single round of AES, together with a variant for the last round, which omits the MixColumns step. A full block encryption is therefore a short sequence of round instructions (ten, twelve or fourteen depending on key size) rather than one opcode.
Implementing AES with hardware instructions instead of software can also improve security, because the side-channel attack surface is reduced: the round instructions run in time that does not depend on the key or data and perform no memory lookups, so the cache-timing leaks of table-driven software AES (whose S-box and T-table accesses are indexed by key-dependent values) are removed. Other side channels, such as power analysis, are not addressed by the instruction set itself.
x86 architecture processors
AES-NI (Intel Advanced Encryption Standard New Instructions) was the first major implementation. AES-NI is an extension to the x86 instruction set architecture for microprocessors from Intel and AMD, proposed by Intel in March 2008.
A wider version of AES-NI, AVX-512 Vector AES instructions (VAES), is found in AVX-512: the same round operations are applied to two or four independent 128-bit blocks held in a 256-bit or 512-bit register.
Instructions
AES-NI adds six instructions, each operating on a 128-bit XMM register holding one AES state or round key (PCLMULQDQ, the carry-less multiply used for GCM's GHASH, was introduced at the same time but belongs to the separate CLMUL extension):
* AESENC: one full round (ShiftRows, SubBytes, MixColumns, AddRoundKey) of the state in the destination register, with the round key in the source operand
* AESENCLAST: the final round, which omits MixColumns
* AESDEC: one round of the equivalent inverse cipher (InvShiftRows, InvSubBytes, InvMixColumns, AddRoundKey)
* AESDECLAST: the final round of the inverse cipher
* AESKEYGENASSIST: helper for the key schedule, computing SubWord, RotWord and the round constant
* AESIMC: InvMixColumns, used to convert encryption round keys into the form AESDEC expects
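Putting the round instructions, the key-expansion helper and the CPUID check together, as an added example (this is not code from the page, from Intel, or from any of the libraries listed below): AES-128 single-block encryption and decryption through the AES-NI intrinsics in <wmmintrin.h>, verified against the FIPS-197 Appendix C.1 known-answer vector. The function names, the `AES_TARGET` per-function attribute and the policy of returning -1 instead of executing the intrinsics on a CPU without the extension are this example's own choices. On a non-x86 host the file still compiles and simply reports that AES-NI is unavailable.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Intrinsics and CPUID exist only on x86; elsewhere the file still compiles and
 * every entry point reports "AES-NI not available" instead of faulting. */
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <wmmintrin.h>   /* AESENC, AESENCLAST, AESDEC, AESDECLAST, AESIMC, AESKEYGENASSIST */
#define AES_X86 1
#define AES_TARGET __attribute__((target("sse2,aes")))  /* per function, so no -maes is needed */
#else
#define AES_X86 0
#endif

/* CPUID.01H:ECX bit 25 is the AES-NI flag (VAES is CPUID.07H.0:ECX bit 9). Firmware that
 * disables the extension clears the bit, so this, not the CPU model, is the test to trust. */
int aesni_available(void)
{
#if AES_X86
    unsigned eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx)) return 0;
    return (int)((ecx >> 25) & 1u);
#else
    return 0;
#endif
}

#if AES_X86
/* One AES-128 key-schedule step. AESKEYGENASSIST leaves SubWord(RotWord(w3)) ^ rcon in
 * dword 3; the three shift-and-xor lines build w[i-4]^...^w[i-1] for all four words. */
AES_TARGET static __m128i expand_step(__m128i key, __m128i assist)
{
    assist = _mm_shuffle_epi32(assist, _MM_SHUFFLE(3, 3, 3, 3));
    key = _mm_xor_si128(key, _mm_slli_si128(key, 4));
    key = _mm_xor_si128(key, _mm_slli_si128(key, 4));
    key = _mm_xor_si128(key, _mm_slli_si128(key, 4));
    return _mm_xor_si128(key, assist);
}
/* The round constant is an immediate operand, hence a macro rather than a loop. */
#define EXPAND(k, rcon) expand_step((k), _mm_aeskeygenassist_si128((k), (rcon)))

AES_TARGET static void key_schedule(const uint8_t key[16], __m128i rk[11])
{
    rk[0] = _mm_loadu_si128((const __m128i *)key);
    rk[1] = EXPAND(rk[0], 0x01); rk[2] = EXPAND(rk[1], 0x02); rk[3] = EXPAND(rk[2], 0x04);
    rk[4] = EXPAND(rk[3], 0x08); rk[5] = EXPAND(rk[4], 0x10); rk[6] = EXPAND(rk[5], 0x20);
    rk[7] = EXPAND(rk[6], 0x40); rk[8] = EXPAND(rk[7], 0x80); rk[9] = EXPAND(rk[8], 0x1b);
    rk[10] = EXPAND(rk[9], 0x36);
}

/* Ten rounds: nine AESENC (ShiftRows, SubBytes, MixColumns, AddRoundKey) and one
 * AESENCLAST (the same without MixColumns). Decryption uses the equivalent inverse
 * cipher: keys in reverse order, the middle nine passed through AESIMC (InvMixColumns). */
AES_TARGET static void block_ni(const uint8_t key[16], const uint8_t in[16], uint8_t out[16], int decrypt)
{
    __m128i rk[11], k[11], s;
    key_schedule(key, rk);
    if (decrypt) {
        k[0] = rk[10]; k[10] = rk[0];
        for (int r = 1; r < 10; r++) k[r] = _mm_aesimc_si128(rk[10 - r]);
    } else {
        memcpy(k, rk, sizeof k);
    }
    s = _mm_xor_si128(_mm_loadu_si128((const __m128i *)in), k[0]);   /* initial AddRoundKey */
    for (int r = 1; r < 10; r++)
        s = decrypt ? _mm_aesdec_si128(s, k[r]) : _mm_aesenc_si128(s, k[r]);
    s = decrypt ? _mm_aesdeclast_si128(s, k[10]) : _mm_aesenclast_si128(s, k[10]);
    _mm_storeu_si128((__m128i *)out, s);
}
#endif

/* Public entry point: 0 on success, -1 without AES-NI. Executing the intrinsics on a
 * CPU that lacks them raises #UD (SIGILL), so the dispatch check is not optional. */
int aes128_block(const uint8_t key[16], const uint8_t in[16], uint8_t out[16], int decrypt)
{
#if AES_X86
    if (aesni_available()) { block_ni(key, in, out, decrypt); return 0; }
#endif
    (void)key; (void)in; (void)out; (void)decrypt;
    return -1;
}

/* Known-answer test, FIPS-197 Appendix C.1: 1 = pass, 0 = wrong output, -1 = no AES-NI. */
int aes128_selftest(void)
{
    static const uint8_t key[16] = {0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f};
    static const uint8_t pt[16]  = {0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff};
    static const uint8_t ct[16]  = {0x69,0xc4,0xe0,0xd8,0x6a,0x7b,0x04,0x30,0xd8,0xcd,0xb7,0x80,0x70,0xb4,0xc5,0x5a};
    uint8_t buf[16];
    if (aes128_block(key, pt, buf, 0) != 0) return -1;
    if (memcmp(buf, ct, 16) != 0) return 0;
    if (aes128_block(key, ct, buf, 1) != 0) return -1;
    return memcmp(buf, pt, 16) == 0;
}

int main(void)
{
    printf("AES-NI present: %d, FIPS-197 known-answer test: %d\n", aesni_available(), aes128_selftest());
    return 0;
}
```

Two things in this code are the point of the section rather than incidental: the full key schedule is only reachable through AESKEYGENASSIST plus ordinary shuffles and xors, because the instruction computes the SubWord/RotWord/rcon part and nothing else; and decryption is not "run the rounds backwards" but the equivalent inverse cipher, which is why the middle round keys go through AESIMC first. The selftest deliberately distinguishes "no hardware" (-1) from "wrong output" (0) so that a deployment on a BIOS-disabled machine fails loudly instead of silently.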
Intel
The following Intel processors support the AES-NI instruction set:
* Westmere based processors, specifically:
** Westmere-EP (a.k.a. Gulftown Xeon 5600-series DP server model) processors
** Clarkdale processors (except Core i3, Pentium and Celeron)
** Arrandale processors (except Celeron, Pentium, Core i3, Core i5-4XXM)
* Sandy Bridge processors:
** Desktop: all except Pentium, Celeron, Core i3
** Mobile: all Core i7 and Core i5. Several vendors have shipped BIOS configurations with the extension disabled; a BIOS update is required to enable them. The AES flag in CPUID (leaf 1, ECX bit 25) reports the effective setting, so software should test CPUID rather than rely on the processor model.
* Ivy Bridge processors
** All i5, i7, Xeon and i3-2115C only
* Haswell processors (all except i3-4000m, Pentium and Celeron)
* Broadwell processors (all except Pentium and Celeron)
* Silvermont/Airmont processors (all except Bay Trail-D and Bay Trail-M)
* Goldmont (and later) processors
* Skylake (and later) processors
AMD
Several AMD processors support AES instructions:
* "Heavy Equipment" processors
** Bulldozer processors
** Piledriver processors
** Steamroller processors
** Excavator processors and newer
* Jaguar processors and newer
* Puma processors and newer
* Zen (and later) based processors
Hardware acceleration in other architectures
AES support with unprivileged processor instructions is also available in the latest SPARC processors (T3, T4, T5, M5, and forward) and in the latest ARM processors. The SPARC T4 processor, introduced in 2011, has user-level instructions implementing AES rounds. These instructions are in addition to higher-level encryption commands. The ARMv8-A processor architecture, announced in 2011, including the ARM Cortex-A53 and A57 (but not earlier ARMv7 cores such as the Cortex-A5, A7, A8, A9 and A15), also has user-level instructions which implement AES rounds.
x86 CPUs offering non-AES-NI acceleration interfaces
VIA x86 CPUs and AMD Geode use driver-based accelerated AES handling instead (see Crypto API (Linux)).
The following chips, while supporting AES hardware acceleration, do not support AES-NI:
* AMD Geode LX processors
* VIA, using VIA PadLock (see "Cryptographic Hardware Accelerators" on OpenWRT.org)
** VIA C3 Nehemiah C5P (Eden-N) processors
** VIA C7 Esther C5J processors
ARM architecture
Programming information is available in the ''ARM Architecture Reference Manual ARMv8, for ARMv8-A architecture profile'' (Section A2.3 "The Armv8 Cryptographic Extension").
The Marvell Kirkwood was the embedded core of a range of SoCs from Marvell Technology; these SoC CPUs (ARM, mv_cesa in Linux) use driver-based accelerated AES handling (see Crypto API (Linux)).
* ARMv8-A architecture
** The ARM cryptographic extensions are optional and are supported on ARM Cortex-A3x, A5x and A7x series cores
* Cryptographic hardware accelerators/engines
** Allwinner
*** A10, A20, A30, A31, A80, A83T, H3 and A64 using ''Security System''
** Broadcom
*** BCM5801/BCM5805/BCM5820 using ''Security Processor''
** NXP Semiconductors
*** i.MX6 onwards
** Qualcomm
*** Snapdragon 810 onwards
** Rockchip
*** RK30xx series onwards
** Samsung
*** Exynos 7 series onwards
RISC-V architecture
The scalar and vector cryptographic instruction set extensions for the RISC-V architecture were ratified in 2022 and 2023 respectively, which allowed RISC-V processors to implement hardware acceleration for AES, GHASH, SHA-256, SHA-512, SM3 and SM4.
Before the AES-specific instructions were available on RISC-V, a number of RISC-V chips included integrated AES co-processors. Examples include:
* Sipeed M1 (dual-core 64-bit RISC-V), supporting AES and SHA-256.
* RISC-V based ESP32-C series (as well as the Xtensa-based ESP32), supporting AES, SHA, RSA, RNG, HMAC, digital signature and XTS-AES-128 flash encryption.
* Bouffalo Labs BL602/604 32-bit RISC-V, supporting various AES and SHA variants.
POWER architecture
Since Power ISA v2.07, the instructions vcipher and vcipherlast implement one round of AES directly (with vncipher and vncipherlast for the inverse cipher, and vsbox for the SubBytes step alone).
IBM z/Architecture
IBM z9 and later mainframe processors support AES as single-opcode (KM, KMC) AES ECB/CBC instructions through the CP Assist for Cryptographic Functions (CPACF). These single-instruction AES versions are easier to use than Intel's AES-NI, since one instruction handles the key schedule and all rounds for a whole message, but for the same reason they cannot be repurposed to implement other algorithms built from AES round functions (such as the Whirlpool and Grøstl hash functions).
Other architectures
* Atmel XMEGA (on-chip accelerator with parallel execution, not an instruction)
* SPARC T3 and later processors have hardware support for several cryptographic algorithms, including AES.
* Cavium Octeon MIPS: all Cavium Octeon MIPS-based processors have hardware support for several cryptographic algorithms, including AES, using special coprocessor 3 instructions.
Performance
In ''AES-NI Performance Analyzed'', Patrick Schmid and Achim Roos found "impressive results from a handful of applications already optimized to take advantage of Intel's AES-NI capability". A performance analysis using the Crypto++ security library showed the cost of AES-GCM falling from approximately 28.0 cycles per byte on a Pentium 4 with no acceleration to 3.5 cycles per byte with AES-NI, an eightfold throughput increase (the two figures come from different processor generations, so the gap combines the instruction set with other microarchitectural improvements).
Supporting software
Most modern compilers can emit AES instructions, typically through intrinsics such as the _mm_aesenc_si128 family in <wmmintrin.h> (GCC, Clang, ICC and MSVC).
Much security and cryptography software supports the AES instruction set, including the following notable core infrastructure:
* Apple's FileVault 2 full-disk encryption in macOS 10.10+
* NonStop SSH2, NonStop cF SSL Library and BackBox VTC Software in HPE Tandem NonStop OS L-series
* Cryptography API: Next Generation (CNG) (requires Windows 7)
* Linux's Crypto API
* Java 7 HotSpot
* Network Security Services (NSS) version 3.13 and above (used by Firefox and Google Chrome)
* Solaris Cryptographic Framework on Solaris 10 onwards
* FreeBSD's OpenCrypto API (aesni(4) driver)
* OpenSSL 1.0.1 and above
* GnuTLS
* Libsodium
* VeraCrypt
* Go programming language
* BitLocker
* Bloombase
* Vormetric
Application beyond AES
A fringe use of the AES instruction set involves applying it to block ciphers with a similarly structured S-box, using an affine transform to convert between the two: because the S-boxes of these ciphers, like the AES S-box, are built from inversion in GF(2^8) wrapped in affine maps, a change of basis before and after the AES substitution step yields the other cipher's substitution. SM4, Camellia and ARIA have been accelerated this way using AES-NI. The AVX-512 Galois Field New Instructions (GFNI) allow implementing these S-boxes in a more direct way.
New cryptographic algorithms have been constructed specifically to use parts of the AES algorithm, so that the AES instruction set can be used for speedups. The AEGIS family, which offers authenticated encryption, runs with at least twice the speed of AES. AEGIS is an "additional finalist for high-performance applications" in the CAESAR Competition.
See also
* Advanced Vector Extensions (AVX)
* CLMUL instruction set
* FMA instruction set (FMA3, FMA4)
* RDRAND
External links
Intel Advanced Encryption Standard Instructions (AES-NI): AES instruction set whitepaper (2.93 MiB, PDF) from Intel