
What Is AES Anyway?

AES-NI Performance Analyzed; Limited To 32nm Core i5 CPUs

The Advanced Encryption Standard is the most popular symmetric encryption algorithm in the IT world. The standard works on a 128-bit block size and comes in 128-, 192-, and 256-bit variants (referred to as AES-128, AES-192, and AES-256, respectively); the number denotes the key length, so the corresponding keys are equally wide. Many encryption solutions, such as TrueCrypt, embraced AES early on. However, perhaps the most significant factor in the standard's success was its adoption by the U.S. government in 2002 and its status upgrade in 2003, when it was approved to protect classified data.

Encrypting Data With AES

AES encryption is based on a substitution-permutation network: a series of mathematical operations is chained together to turn the input into heavily modified (encrypted) output. The input is always plaintext, and a key steers the operations, which can be as simple as a bitwise rotation or XOR (exclusive OR) or more complex. Because a single pass would be easy to undo, all modern encryption algorithms run multiple rounds. AES cycles through 10, 12, or 14 rounds for AES-128, AES-192, and AES-256, respectively. The key itself goes through a similar sequence of operations (the key schedule), which derives a different round key for each round.

The AES encryption process works on 4x4 arrays of single bytes using so-called boxes: S-boxes for substitution and P-boxes for permutation. Substitution and permutation are separate stages: substitution works within a box, while permutation moves information between boxes. The S-box is built on complex principles, which means that changing a single input bit affects multiple output bits; in other words, every output bit depends on every input bit.

Applying multiple rounds is what makes for good encryption, because the diffusion and confusion criteria have to be met. Diffusion happens through the cascaded combination of S-box and P-box transformations: changing a single bit of the input text causes the S-box to alter several output bits, while the P-box distributes that effect semi-randomly across several S-boxes in the next round. When a minimal change in the input has maximum impact on the output, we speak of the avalanche effect.
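As an added example (this is not code from the article, from Intel, or from any product it mentions), here is a compact AES-128 block encryption in Python that follows the round structure described above: SubBytes (the S-box), ShiftRows and MixColumns (the permutation and mixing steps), AddRoundKey, and the key schedule that derives one round key per round. The S-box is computed from its algebraic definition (GF(2^8) inverse plus an affine map) instead of being typed in as a table, and the FIPS-197 Appendix C.1 test vector confirms the result. A helper flips a single plaintext bit and counts how many ciphertext bits change, which makes the avalanche effect measurable. A table-driven implementation like this one is exactly the kind the side-channel discussion later in the article refers to; it is for study, not for protecting data.

```python
"""Compact AES-128 (FIPS-197) plus an avalanche-effect measurement.
Educational example, not a production cipher."""


def _xtime(a):
    """Multiply a GF(2^8) element by x (i.e. by 2) modulo x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    if a & 0x100:
        a ^= 0x11B
    return a & 0xFF


def _gf_mul(a, b):
    """Multiply two GF(2^8) elements by shift-and-add."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = _xtime(a)
        b >>= 1
    return r


def _build_sbox():
    """Derive the AES S-box: multiplicative inverse in GF(2^8), then the affine map."""
    exp, log = [0] * 255, [0] * 256
    v = 1
    for i in range(255):          # 3 generates GF(2^8)*, so exp/log tables yield inverses
        exp[i], log[v] = v, i
        v = _gf_mul(v, 3)
    sbox = [0] * 256
    for x in range(256):
        inv = 0 if x == 0 else exp[(255 - log[x]) % 255]
        s = inv
        for _ in range(4):        # s = inv ^ rotl(inv,1) ^ rotl(inv,2) ^ rotl(inv,3) ^ rotl(inv,4)
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox[x] = s ^ 0x63
    return sbox


SBOX = _build_sbox()


def _expand_key(key):
    """FIPS-197 key schedule: a 16-byte key becomes 11 round keys of 16 bytes each."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord, then SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def _mix_column(a):
    """MixColumns on one 4-byte column (multiplication by the fixed circulant matrix)."""
    return [
        _gf_mul(a[0], 2) ^ _gf_mul(a[1], 3) ^ a[2] ^ a[3],
        a[0] ^ _gf_mul(a[1], 2) ^ _gf_mul(a[2], 3) ^ a[3],
        a[0] ^ a[1] ^ _gf_mul(a[2], 2) ^ _gf_mul(a[3], 3),
        _gf_mul(a[0], 3) ^ a[1] ^ a[2] ^ _gf_mul(a[3], 2),
    ]


def aes128_encrypt_block(key, block):
    """Encrypt one 16-byte block. The state is kept flat in input order: index 4*col + row."""
    if len(key) != 16 or len(block) != 16:
        raise ValueError("AES-128 needs a 16-byte key and a 16-byte block")
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]                             # initial AddRoundKey
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                          # SubBytes
        s = [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]  # ShiftRows
        if rnd != 10:                                                     # last round skips MixColumns
            s = sum((_mix_column(s[4 * c:4 * c + 4]) for c in range(4)), [])
        s = [b ^ k for b, k in zip(s, rk[rnd])]                           # AddRoundKey
    return bytes(s)


def avalanche_distance(key, block, bit):
    """Flip one plaintext bit and return how many of the 128 ciphertext bits change."""
    c0 = aes128_encrypt_block(key, block)
    flipped = bytearray(block)
    flipped[bit // 8] ^= 1 << (bit % 8)
    c1 = aes128_encrypt_block(key, bytes(flipped))
    return sum(bin(x ^ y).count("1") for x, y in zip(c0, c1))


if __name__ == "__main__":
    # FIPS-197 Appendix C.1 test vector: key 00..0f, plaintext 00 11 22 .. ff
    key = bytes(range(16))
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    print(aes128_encrypt_block(key, pt).hex())   # 69c4e0d86a7b0430d8cdb78070b4c55a
    print(avalanche_distance(key, pt, 0), "of 128 ciphertext bits changed after flipping one plaintext bit")
```

Running the script prints the known ciphertext and a bit count close to 64, which is what the avalanche criterion predicts for a good cipher: each output bit flips with probability one half. The first round key the schedule produces for this key (d6aa74fd d2af72fa ...) can likewise be compared against the FIPS-197 worked example.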

How Secure is AES?

A lot of academic debate in the security space currently revolves around so-called breaks, which eliminate the need to run an exhaustive brute-force search for the correct decryption key. Techniques such as XSL attacks and related-key attacks have been discussed, but with little success. The only workable way to break AES encryption is a certain type of side-channel attack. This requires the attack to run on the same system on which the AES encryption is executed, and the attacker has to find a way to obtain cache-timing information. In that case, it's possible to track the number of machine cycles until the encryption process completes.

Obviously, this isn't easily done. It requires access to a machine that exposes enough of the encryption process to analyze, along with the rights to execute code on it. At this point, it's obvious why security holes that let someone obtain such rights, no matter how absurd the hole may sound, have to be closed as soon as possible. Long story short: once you have access to a target machine, extracting the AES key is a matter of expertise and no longer a laborious task that depends on integer horsepower.

AES Inside Intel

Given all this, CPU-based AES instructions start to make real sense, regardless of possible performance benefits. From a security standpoint, the processor may handle AES instructions in an encapsulated manner. This would alleviate the need for lookup tables that might provide data for side-channel cache-based attacks.

  • 3 Hide
    p1n3apqlexpr3ss , February 2, 2010 5:33 AM
    Great article, but I still don't really have an idea about this AES stuff; encryption, as far as I care, which I don't much, really.
    Would really love to see an article comparing hyperthreading to the real shiz, i3 530 vs i5 750, at 3GHz each. I'd love to see how they perform.
  • 5 Hide
    mjello , February 2, 2010 6:11 AM
    I don't get this for a personal computer... They already have plenty of power to do this.

    For a VPN server that would be great.... Hey wait, most don't use x86 but hardware specialized for this purpose...

    Nice little insignificant feature, though.
  • -1 Hide
    anamaniac , February 2, 2010 6:44 AM
    P1n3apqlExpr3ss: Great article, but I still don't really have an idea about this AES stuff; encryption, as far as I care, which I don't much, really. Would really love to see an article comparing hyperthreading to the real shiz, i3 530 vs i5 750, at 3GHz each. I'd love to see how they perform.

    Yeah, more interested in how useful hyperthreading is on these dual cores too.
    All locked at 3.0GHz, comparing i5-660 vs i5 750 vs any C2Q with a decent amount of cache. More than anything though, just comparing a dual core with HT on LGA 1156 vs a C2Q.
  • 8 Hide
    cangelini , February 2, 2010 8:10 AM
    Well, I promised that we'd revisit AES-NI in the launch story, so we're keeping our word on that one =) I'll talk to the guys about some deeper insight on HT Ani!
  • 2 Hide
    Anonymous , February 2, 2010 10:42 AM
    For a user to say they will never have a need for encryption commands on the desktop processor is ridiculous. Life cycles on these processors will be several years, and AES finds its way into more and more software/hardware each day. If you use accounting software, I hope you use encryption. If you have sensitive data on your computer, putting it in an encrypted container is very easy and worthwhile.

    Do you have plenty of horsepower with your old Core 2 Duo? Sure. Do you read this site because you buy off the shelf and are satisfied with mediocre performance? I doubt it. What Intel is doing is enabling you to have outstanding performance even in an AES-encrypted environment.

    I'd be interested in seeing benchmarks from cascaded encryption including AES - if you cascade AES and Twofish, for example, I bet the performance hit is minimal with the on-chip AES support! I know without it, cascaded encryption gives a performance hit that makes you not want to use it...
  • 2 Hide
    ajai , February 2, 2010 11:25 AM
    You could have used the Via Nano also just for the fun of things...
  • 2 Hide
    Reynod , February 2, 2010 11:25 AM
  • 1 Hide
    Yuka , February 2, 2010 11:31 AM
    It's a very useful NI for corporate mails/attachments... Once they teach people how to USE compression at all, rofl. I can see the use in it at least; could make it a default for some mail clients (cough cough Outlook/Windows Mail/Thunderbird, cough cough).

    Hope this develops faster and AMD follows Intel on this one. I'd love to get (at least) close to "real time" encryption on my system for security matters. SSH communications also could get better/faster for servers (yeah sure, why not? XD!)

    Great article, BTW!

  • 0 Hide
    jeffunit , February 2, 2010 11:32 AM
    You might mention that the application has to be compiled to use the AES-NI instructions or there will be absolutely no benefit from the instructions, as they won't get used.

    Of course, if you have the source code and a compiler that supports the AES-NI instructions, it is easy to do it yourself. But few Windows programs are open source, so you generally have to rely on the vendor.
  • 2 Hide
    ajai , February 2, 2010 11:36 AM

    Intel I5 661 3.3Ghz - 2000 MB/s
    Via Nano 1.3ghz - 0765 MB/s
    Intel I7 870 2.9Ghz - 0710 MB/s
    Intel QX9770 3.2Ghz - 0396 MB/s

    lol, a Via Nano @ 1.3GHz can beat an i7 870 in AES...
  • 1 Hide
    martel80 , February 2, 2010 12:57 PM
    The SHA-256 encryption test proves that the feature only accelerates AES.
    SHA is just a hash function, it does not encrypt anything.
  • 0 Hide
    Mr_Man , February 2, 2010 1:55 PM
    Just a quick question: what do you guys use to make a RAM drive that big? The biggest my RAM drive is allowed to be is 30 MB.
  • 0 Hide
    JohnnyLucky , February 2, 2010 1:57 PM
    So what will this do for a little old lady whose idea of gaming is Windows Solitaire?
  • -1 Hide
    razor512 , February 2, 2010 4:23 PM
    Seems good, but no one will buy it unless they add that to the Core i7 series. The casual user doesn't really benefit from this, and even many servers won't benefit either. From my experience, one of the main problems faced with servers is CPU and hard drive performance. Most companies do not want SSDs for really important tasks, as they often show no signs of when they are ready to fail, and the read/write cycles that the drives get put through 24/7 will kill an SSD.

    Other than storage, there's a problem with CPU performance. Faster encryption is good, but it won't be enough to make someone pick that CPU over an overall faster CPU, as encryption isn't a large part of the work that people need done; it is just a small and vital part of it.

    People who want this kind of acceleration won't care about it much; what people want is a CPU that is as fast as possible, and other additional accelerations such as encryption are just icing on the cake.
  • 3 Hide
    TheRev , February 2, 2010 5:40 PM
    I have nearly 400,000 clients running a full disk encryption product. Benchmarks have shown that performance is easily CPU bound and not I/O as many might think. For an enterprise, this will have a huge impact and will be a 'must have' requirement for our next model transition.
  • 1 Hide
    snemarch , February 2, 2010 6:28 PM
    Remember that "time to encrypt" is only one possible benchmark. In a real-life situation, it's equally interesting to look at CPU load while en/decrypting. As an example, my X25-E delivers ~220MB/s read performance, while the TrueCrypt benchmark shows it can do ~350MB/s AES-256 on my Q6600@2.4GHz.

    In other words, I'm I/O limited and AES-NI wouldn't reduce the wall-clock time spent on en/decryption. However, that 350MB/s encryption bandwidth is at 100% CPU utilization (all 4 cores) - in other words, reading full-speed from my X-25E would be at approximately 63% CPU load.

    Clearly, while AES-NI wouldn't get the job done faster, it would free up CPU cycles for other use.
  • 0 Hide
    omoronovo , February 2, 2010 6:47 PM
    First thing I thought when reading this is that Tom's would use TrueCrypt and its built-in benchmarking tool to help test this as well; I was surprised they didn't.

    Since Truecrypt also combines encryption techniques, this would be a good way to see how cascaded algorithms that contain AES are improved with the new instructions.
  • -1 Hide
    dertechie , February 2, 2010 9:25 PM
    P1n3apqlExpr3ss: Great article, but I still don't really have an idea about this AES stuff; encryption, as far as I care, which I don't much, really. Would really love to see an article comparing hyperthreading to the real shiz, i3 530 vs i5 750, at 3GHz each. I'd love to see how they perform.

    Anand did pit the processors against each other HERE. They were simulated i3s (underclocked i5-661 with Turbo turned off). No one's done it with the clock speeds locked to X though. However, a Lynnfield at stock turbos to 3.2 GHz for 1/2 threads, which is close enough to an i3 at 3.06.

    The basic conclusion is this: the i3s are pretty good. However, when you hit 4 heavy threads, the real quads kick them to the curb.

    Fortunately for i3, most games don't have 4 heavy threads, so they work fine there. Unfortunately for them, transcoding does, and they get demolished there.

    Yuka: Hope this develops faster and AMD follows Intel on this one.

    It's in Bulldozer (2011), but not Thuban/Zosma. Don't know about Bobcat.

    To be honest though, i5-6xx is for the enterprise market. Unless you have a particular need for AES-NI, they're not compelling from a price perspective.
  • -1 Hide
    yuhong , February 3, 2010 1:12 AM
    What about PCLMULQDQ, the other new instruction?
  • -4 Hide
    aford10 , February 3, 2010 2:06 AM