AES improvements on Intel CPUs

Werner Koch wk at
Wed Feb 16 18:51:47 CET 2011


The last days I played a bit with a loaned box from Intel (Core i5) and
implemented asm code to use the AES-NI instructions.  It is quite an
improvement over the pure C code:

First without AES-NI (AES-128, AES-192 and AES-256):
$ ./benchmark --cipher-repetitions 100 --alignment 16 \
              --disable-hwf intel-aesni cipher aes aes192 aes256
  ECB/Stream         CBC             CFB             OFB             CTR      
--------------- --------------- --------------- --------------- ---------------
1360ms  1350ms  1170ms  1180ms  1120ms  1120ms  1550ms  1570ms  1730ms  1740ms
1560ms  1570ms  1370ms  1400ms  1320ms  1320ms  1750ms  1770ms  1930ms  1930ms
1770ms  1770ms  1560ms  1600ms  1520ms  1520ms  1950ms  1970ms  2140ms  2130ms

Now with AES-NI (AES-128, AES-192 and AES-256):
$ ./benchmark --cipher-repetitions 100 --alignment 16 \
              cipher aes aes192 aes256
  ECB/Stream         CBC             CFB             OFB             CTR      
--------------- --------------- --------------- --------------- ---------------
  80ms    90ms   250ms   220ms   140ms    70ms   300ms   290ms   440ms   430ms
 110ms   110ms   260ms   250ms   160ms    80ms   320ms   320ms   450ms   450ms
 130ms   130ms   290ms   260ms   200ms   100ms   340ms   340ms   470ms   470ms

Of course, most other crypto libs use these instructions also.  CFB mode
has been optimized because that is what OpenPGP requires.  CBC and CTR
will follow as time permits.  64 bit is not yet supported.  There is a
lot of room for more improvements of course.

We are using inline asm and this may result in problems with some gcc
versions.  Please report such problems.  There is a configure option to
disable the use of AES-NI.



Thoughts are free.  Exceptions are regulated by a federal law.
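As an added example (not part of Werner's mail and not libgcrypt code), the following Python script parses the two benchmark tables quoted above, computes the per-mode speedup factors, and applies a sanity check a packager or integrator would want: if a build that is supposed to use AES-NI is not clearly faster than the plain C path, it has probably fallen back silently (for instance because AES-NI was disabled at configure time or the inline asm did not compile). The table text is copied from the mail; the layout assumption (three rows for aes/aes192/aes256, two ms columns per mode in encrypt/decrypt order) is ours.

```python
import re

# Assumed layout of libgcrypt's benchmark output: five modes, each with an
# encrypt and a decrypt timing, one row per key size.
MODES = ["ECB/Stream", "CBC", "CFB", "OFB", "CTR"]
CIPHERS = ["aes", "aes192", "aes256"]

# Constructed sample input: the two tables quoted in the mail (times in ms).
WITHOUT_AESNI = """\
  ECB/Stream         CBC             CFB             OFB             CTR
--------------- --------------- --------------- --------------- ---------------
1360ms  1350ms  1170ms  1180ms  1120ms  1120ms  1550ms  1570ms  1730ms  1740ms
1560ms  1570ms  1370ms  1400ms  1320ms  1320ms  1750ms  1770ms  1930ms  1930ms
1770ms  1770ms  1560ms  1600ms  1520ms  1520ms  1950ms  1970ms  2140ms  2130ms
"""

WITH_AESNI = """\
  ECB/Stream         CBC             CFB             OFB             CTR
--------------- --------------- --------------- --------------- ---------------
  80ms    90ms   250ms   220ms   140ms    70ms   300ms   290ms   440ms   430ms
 110ms   110ms   260ms   250ms   160ms    80ms   320ms   320ms   450ms   450ms
 130ms   130ms   290ms   260ms   200ms   100ms   340ms   340ms   470ms   470ms
"""


def parse_benchmark(text):
    """Return {cipher: {mode: (encrypt_ms, decrypt_ms)}} from benchmark output.

    Only lines carrying 'NNNms' fields are treated as data rows; header and
    rule lines are skipped.  Malformed input raises instead of being guessed.
    """
    data_lines = [ln for ln in text.splitlines() if re.search(r"\d+ms", ln)]
    if len(data_lines) != len(CIPHERS):
        raise ValueError(f"expected {len(CIPHERS)} data rows, got {len(data_lines)}")
    table = {}
    for cipher, line in zip(CIPHERS, data_lines):
        times = [int(t) for t in re.findall(r"(\d+)ms", line)]
        if len(times) != 2 * len(MODES):
            raise ValueError(f"row for {cipher} has {len(times)} timings, expected {2 * len(MODES)}")
        table[cipher] = {mode: (times[2 * i], times[2 * i + 1]) for i, mode in enumerate(MODES)}
    return table


def speedups(baseline, accelerated):
    """Return {cipher: {mode: (encrypt_factor, decrypt_factor)}}, baseline / accelerated."""
    result = {}
    for cipher in CIPHERS:
        result[cipher] = {}
        for mode in MODES:
            b_enc, b_dec = baseline[cipher][mode]
            a_enc, a_dec = accelerated[cipher][mode]
            result[cipher][mode] = (b_enc / a_enc, b_dec / a_dec)
    return result


def hw_path_taken(baseline, accelerated, min_factor=2.0):
    """Sanity check: True only if every mode is at least min_factor faster.

    A build that silently fell back to the C implementation will show factors
    near 1.0 and fail this check, which is what you want to notice before
    shipping a package that claims hardware acceleration.
    """
    factors = speedups(baseline, accelerated)
    return all(min(enc, dec) >= min_factor
               for per_mode in factors.values()
               for enc, dec in per_mode.values())


if __name__ == "__main__":
    base = parse_benchmark(WITHOUT_AESNI)
    fast = parse_benchmark(WITH_AESNI)
    for cipher, per_mode in speedups(base, fast).items():
        print(cipher, {m: (round(e, 1), round(d, 1)) for m, (e, d) in per_mode.items()})
    print("AES-NI path taken:", hw_path_taken(base, fast))
```

Feeding the same table as both baseline and accelerated input makes the check fail, which is the behaviour you want when comparing two builds that both ended up on the C path.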

More information about the Gcrypt-devel mailing list