AES-NI Performance Analyzed; Limited To 32nm Core i5 CPUs

What Is AES Anyway?

The Advanced Encryption Standard is the most widely used symmetric-key encryption algorithm in the IT world. The standard works on a 128-bit block size and offers 128-, 192-, or 256-bit ciphers (noted as AES-128, AES-192, and AES-256, respectively). The corresponding keys are equally wide. Many encryption solutions, such as TrueCrypt, embraced AES early on. However, perhaps the most significant factor in the standard's success was its adoption by the U.S. government in 2002 and its status upgrade in 2003, when it was approved to protect classified data.

Encrypting Data With AES

AES encryption is based on a substitution-permutation network, which means that a series of mathematical operations is chained together to produce heavily transformed (encrypted) output data. The input is always plaintext, and a key steers the operations. These can be as simple as a bitwise rotation or XOR (exclusive OR) or more complex. Because a single pass would be easy to decipher, all modern encryption technologies run multiple rounds. AES cycles through 10, 12, or 14 rounds for AES-128, AES-192, and AES-256, respectively. The AES key also goes through a similar sequence of substitutions and rotations, which expands it into a different round key for each round.

The AES encryption process works with 4x4 arrays of single bytes called boxes—S-boxes for substitution and P-boxes for permutation. Substitution and permutation are separate stages. Substitution works within boxes, while permutation swaps information between boxes. The S-box is designed so that changing even a single input bit affects multiple output bits; put differently, every output bit depends on every input bit.

Applying multiple rounds is what makes for good encryption, as diffusion and confusion criteria have to be met. Diffusion happens through the cascaded combination of S-box and P-box transformation. By changing only a single bit on the input text, the S-box will modify the output of several bits, while the P-box semi-randomly distributes the effect among several S-boxes. When we talk about a minimal input change having maximum impact on the output, we’re talking about the avalanche effect.
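To make the round structure and the avalanche effect described above concrete, here is an added example that is not part of the original article and not Intel's or TrueCrypt's code: a compact AES-128 that builds its S-box from the GF(2^8) inverse and affine map rather than hard-coding a table, encrypts the FIPS-197 Appendix C.1 test vector, and then counts how many ciphertext bits change when a single plaintext bit is flipped, as well as how many S-box output bits change on average per single input-bit flip. It is an educational implementation only; real encryption should use a vetted library or the CPU's AES instructions.

```python
# Added example (not from the article): table-free AES-128 plus avalanche measurement.
# Educational only; use a vetted library or AES-NI for real encryption.

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def build_sbox():
    """S-box = affine transform of the multiplicative inverse (0 has no inverse and maps to 0x63)."""
    sbox = []
    for a in range(256):
        inv = next((b for b in range(1, 256) if gf_mul(a, b) == 1), 0)
        sbox.append(inv ^ _rotl8(inv, 1) ^ _rotl8(inv, 2) ^ _rotl8(inv, 3) ^ _rotl8(inv, 4) ^ 0x63)
    return sbox

SBOX = build_sbox()

def expand_key(key):
    """AES-128 key schedule: 16-byte key -> 11 round keys of 16 bytes each."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord, then SubWord
            t[0] ^= rcon
            rcon = gf_mul(rcon, 2)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def shift_rows(s):
    # State is column-major: byte 4*c + r sits in row r, column c; row r rotates left by r.
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]

def mix_columns(s):
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        for r in range(4):
            out.append(gf_mul(a[r], 2) ^ gf_mul(a[(r + 1) % 4], 3)
                       ^ a[(r + 2) % 4] ^ a[(r + 3) % 4])
    return out

def aes128_encrypt_block(key, block):
    """Encrypt one 16-byte block with a 16-byte key (10 rounds)."""
    rk = expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                 # SubBytes
        s = shift_rows(s)                        # ShiftRows
        if rnd != 10:
            s = mix_columns(s)                   # MixColumns (skipped in the last round)
        s = [b ^ k for b, k in zip(s, rk[rnd])]  # AddRoundKey
    return bytes(s)

def hamming(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def block_avalanche(key, block, bit):
    """Number of ciphertext bits that change when plaintext bit `bit` is flipped."""
    flipped = bytearray(block)
    flipped[bit // 8] ^= 1 << (bit % 8)
    return hamming(aes128_encrypt_block(key, block), aes128_encrypt_block(key, bytes(flipped)))

def sbox_avalanche():
    """Average number of S-box output bits changed per single input-bit flip (all 2048 cases)."""
    total = sum(hamming([SBOX[x]], [SBOX[x ^ (1 << i)]]) for x in range(256) for i in range(8))
    return total / (256 * 8)

if __name__ == "__main__":
    key = bytes(range(16))                                   # FIPS-197 C.1 key
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")  # FIPS-197 C.1 plaintext
    print("ciphertext:", aes128_encrypt_block(key, pt).hex())  # 69c4e0d8...
    print("S-box avalanche (bits per flip): %.2f" % sbox_avalanche())
    print("block avalanche (bits changed of 128): %d" % block_avalanche(key, pt, 0))
```

The FIPS-197 vector (key 00..0f, plaintext 00112233445566778899aabbccddeeff) must yield 69c4e0d86a7b0430d8cdb78070b4c55a; if it does not, the implementation is wrong regardless of how random the output looks. The S-box average lands near four of eight bits, and one flipped plaintext bit changes roughly half of the 128 ciphertext bits after the ten rounds, which is the avalanche effect in numbers. Note that the S-box here is still a lookup table; a software AES that indexes such tables with key-dependent data is exactly what the cache-timing discussion later in the article is about.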

How Secure is AES?

A lot of academic debate in the security space currently revolves around so-called breaks, which entail eliminating the necessity of running an exhaustive brute-force search for the correct decryption key. Techniques such as XSL attacks and related-key attacks have been discussed, but with little success. The only workable way to break AES encryption is a certain type of "side-channel attack." This requires the attack to happen on the same system on which the AES encryption is executed, and you have to find a way to obtain cache timing information. In such a case, it's possible to track the number of machine cycles until the encryption process is completed.

Obviously, this isn’t easily done. You would require access to a machine that provides sufficient contact surface for encryption analysis and rights to execute code. At this point, it’s obvious why security leaks that allow someone to possess such rights, no matter how absurd the leak may sound, have to be closed as soon as possible. Long story short: if you get access to a target machine, extraction of the AES key is a matter of expertise and no longer a laborious task that depends on integer horsepower.

AES Inside Intel

Given all this, CPU-based AES instructions start to make real sense, regardless of possible performance benefits. From a security standpoint, the processor may handle AES instructions in an encapsulated manner. This would alleviate the need for lookup tables that might provide data for side-channel cache-based attacks.
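Before relying on the encapsulated, table-free path the article describes, a practitioner will want to confirm that the CPU actually exposes the instructions. The following is an added example, not part of the original article, that parses the `flags` line of a Linux `/proc/cpuinfo` text for the `aes` flag (the kernel's name for AES-NI, which Intel documents as CPUID.01H:ECX bit 25). The two cpuinfo snippets are constructed samples; the `/proc/cpuinfo` path is assumed to be a Linux system.

```python
# Added example (not from the article): detect the AES instruction set from /proc/cpuinfo.

def cpuinfo_flags(text):
    """Return the flag set from the first 'flags' line of /proc/cpuinfo-style text."""
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip() == "flags":
            return set(value.split())
    return set()

def has_aes_ni(text):
    """True when the kernel reports the 'aes' CPU flag."""
    return "aes" in cpuinfo_flags(text)

# Constructed samples: trimmed cpuinfo excerpts with and without the "aes" flag.
SAMPLE_WITH_AES = (
    "processor\t: 0\n"
    "model name\t: (constructed sample)\n"
    "flags\t\t: fpu vme de pse tsc msr pae sse sse2 ssse3 sse4_1 sse4_2 aes pclmulqdq\n"
)
SAMPLE_WITHOUT_AES = (
    "processor\t: 0\n"
    "model name\t: (constructed sample)\n"
    "flags\t\t: fpu vme de pse tsc msr pae sse sse2 ssse3 sse4_1 sse4_2\n"
)

def host_has_aes_ni(path="/proc/cpuinfo"):
    """True/False for this machine, or None when the file cannot be read (non-Linux hosts)."""
    try:
        with open(path) as f:
            return has_aes_ni(f.read())
    except OSError:
        return None

if __name__ == "__main__":
    print("constructed sample with aes:   ", has_aes_ni(SAMPLE_WITH_AES))
    print("constructed sample without aes:", has_aes_ni(SAMPLE_WITHOUT_AES))
    print("this host:                     ", host_has_aes_ni())
```

The flag only says the hardware can do it; whether a given application takes the AES-NI path depends on its crypto library. On systems with OpenSSL, `openssl speed -evp aes-128-cbc` exercises the library's accelerated EVP path, so a large throughput gap between it and the plain `openssl speed aes-128-cbc` run is a quick confirmation that the instructions are being used.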