AES and Combined Encryption/Authentication Modes

1. AES

Released: 19 June 2006

This version of my AES code supports both 32 and 64 bit systems in both C and x86 assembler (using YASM). The AES source code files are here (old version is here) and the project files for building static and DLL libraries using Visual Studio 2008 are here (old Visual Studio 2005 version here); you will also need the AES source code files. You may also need test vectors, which I make available in these archives: variable key tests, variable text tests, variable key tests (new) and variable text tests (new).

Structured Exception Handling support in the x64 assembler implementation of AES requires YASM 0.6 or later. My thanks go to Peter Johnson and Michael Urman for their work on YASM, on which this AES code in assembler depends. I am grateful to Peter Gutmann for noticing the error in aes_cfb_decrypt().

2. Byte Oriented AES (Low Resource Version)

Released: 22 November 2006

This is a slower version of AES that is capable of operating on systems where only byte operations are available. It does, however, offer some opportunities for speed improvements if 32-bit operations are supported. This version uses only limited processor resources and should hence be usable on small embedded processor systems. In addition to normal pre-keyed AES operation, this version provides AES subroutines with 'on the fly' keying for 128 and 256 bit keys, which removes the need for memory to hold the full AES key schedule.

3. Modes (CCM, GCM, EAX, CWC)

Released: 19 June 2006 (note the CCM and GCM bug fix for small blocks)

The code in this zip archive implements the CCM, GCM, EAX and CWC combined encryption/authentication modes and OMAC using the AES code provided at 1 above. The archive contains the Visual Studio 2008 build projects and code for testing. To use this code you will also need the AES code described at 1 above.

GENTEST is an application for developing test vectors for these modes. A template file specifies the test vectors to be generated; these are then passed through two different implementations of the mode in question, my own version and another derived from code in the LibTomCrypt library produced by Tom St Denis. Test vectors are only output if the two implementations give identical results. Although this application is provided as part of a Visual Studio build project, it has been compiled on other systems as well.

Mode performance (cycles/byte) on x86 systems, with the GCM table size in brackets, is summarised in a table on the page.
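GCM's authentication tag is computed by GHASH, a polynomial evaluation in GF(2^128) whose only non-trivial operation is the field multiply that the Galois Field Multiplier section of this page is about. As an added example (not Gladman's code and not derived from his archive), here is a bit-serial GF(2^128) multiply in the representation the GCM specification uses, a GHASH built on it, and checks against the GCM specification's test case 2; H and the ciphertext block for that case are copied from the specification rather than computed, so no AES is needed. Because the multiply only ever touches bytes, host endianness cannot affect it, which is what makes a routine like this useful as a reference when checking a word-oriented multiplier on a big endian machine. The function names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Multiply x by y in GF(2^128) in the representation the GCM specification uses: bit i of
 * the field element (the coefficient of x^i) is bit i of the 16-byte block counted MSB-first,
 * so the element 1 is 0x80 in byte 0 and the reduction polynomial x^128 + x^7 + x^2 + x + 1
 * appears as R = 0xE1 followed by 15 zero bytes.  Bytes only: no word loads, so host
 * endianness cannot change the result. */
static void gf128_mul(const uint8_t x[16], const uint8_t y[16], uint8_t z[16])
{
    uint8_t v[16];
    memcpy(v, y, 16);
    memset(z, 0, 16);
    for (int i = 0; i < 128; i++) {
        if ((x[i >> 3] >> (7 - (i & 7))) & 1)                 /* z ^= v when bit i of x is set */
            for (int j = 0; j < 16; j++) z[j] ^= v[j];
        int carry = v[15] & 1;                                 /* coefficient of x^127 in v */
        for (int j = 15; j > 0; j--)                           /* v *= x, i.e. shift right by one */
            v[j] = (uint8_t)((v[j] >> 1) | (v[j - 1] << 7));
        v[0] >>= 1;
        if (carry) v[0] ^= 0xE1;                               /* x^128 = x^7 + x^2 + x + 1 */
    }
}

/* Absorb data into the GHASH state: y = (y ^ block) * h for each 16-byte block, the final
 * partial block being zero-padded on the right as the specification requires. */
static void ghash_absorb(const uint8_t h[16], uint8_t y[16], const uint8_t *p, size_t len)
{
    uint8_t blk[16], t[16];
    while (len > 0) {
        size_t n = len < 16 ? len : 16;
        memset(blk, 0, 16);
        memcpy(blk, p, n);
        for (int j = 0; j < 16; j++) y[j] ^= blk[j];
        gf128_mul(y, h, t);
        memcpy(y, t, 16);
        p += n; len -= n;
    }
}

/* GHASH_H(A, C): hash the additional data, then the ciphertext, then a block holding the
 * 64-bit big-endian bit lengths of each, exactly as GCM defines it. */
static void ghash(const uint8_t h[16], const uint8_t *a, size_t alen,
                  const uint8_t *c, size_t clen, uint8_t y[16])
{
    uint8_t lens[16];
    uint64_t abits = (uint64_t)alen * 8, cbits = (uint64_t)clen * 8;
    memset(y, 0, 16);
    ghash_absorb(h, y, a, alen);
    ghash_absorb(h, y, c, clen);
    for (int i = 0; i < 8; i++) {
        lens[i]     = (uint8_t)(abits >> (56 - 8 * i));
        lens[8 + i] = (uint8_t)(cbits >> (56 - 8 * i));
    }
    ghash_absorb(h, y, lens, 16);
}

static void unhex(const char *s, uint8_t *out, size_t n)
{
    for (size_t i = 0; i < n; i++) { unsigned v; sscanf(s + 2 * i, "%2x", &v); out[i] = (uint8_t)v; }
}

/* Vector-independent checks: 1*a = a, a*b = b*a, and x^127 * x = x^128 = x^7 + x^2 + x + 1 = R.
 * a and b are constructed operands with no special structure. */
int gf128_algebra_ok(void)
{
    uint8_t one[16] = {0x80}, xx[16] = {0x40}, x127[16] = {0}, r[16] = {0xE1};
    uint8_t a[16], b[16], ab[16], ba[16], t[16];
    x127[15] = 0x01;                                           /* x^127 is the last bit of the block */
    for (int i = 0; i < 16; i++) { a[i] = (uint8_t)(17 * i + 3); b[i] = (uint8_t)(251 - 7 * i); }
    gf128_mul(one, a, t);   if (memcmp(t, a, 16) != 0) return 0;
    gf128_mul(x127, xx, t); if (memcmp(t, r, 16) != 0) return 0;
    gf128_mul(a, b, ab); gf128_mul(b, a, ba);
    return memcmp(ab, ba, 16) == 0;
}

/* GCM specification test case 2 (all-zero key, 96-bit zero IV, one all-zero plaintext block).
 * H = E_K(0) and the ciphertext block are copied from the specification, so no AES is needed;
 * the expected value is the GHASH the specification lists for this case. */
int gcm_test_case_2_ok(void)
{
    uint8_t h[16], c[16], want[16], y[16];
    unhex("66e94bd4ef8a2c3b884cfa59ca342b2e", h, 16);
    unhex("0388dace60b6a392f328c2b971b2fe78", c, 16);
    unhex("f38cbb1ad69223dcc3457ae5b6b0f885", want, 16);
    ghash(h, NULL, 0, c, 16, y);
    return memcmp(y, want, 16) == 0;
}

int main(void)
{
    printf("GF(2^128) algebra %s, GCM test case 2 %s\n", gf128_algebra_ok() ? "ok" : "FAIL",
           gcm_test_case_2_ok() ? "ok" : "FAIL");
    return 0;
}
```

This bit-serial loop is a reference, not a production multiplier: it does 128 conditional 16-byte XORs and shifts per block, and both branches depend on secret data (the bits of the state and the low bit of the running multiple of H), so it is neither fast nor constant-time. Table-driven multipliers of the kind the performance figures above refer to precompute multiples of H (the table size is the trade against memory), and it is exactly those word-wide table entries whose byte order has to be right on a big endian host; comparing their output with a byte-only routine like this one on a handful of blocks is the quickest way to find out.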
The Galois Field Multiplier

This version includes a new Galois Field multiplier that can operate in any of the four common field representations. It has been tested extensively on x86 systems but has NOT been tested at all on big endian systems. It should hence be used with extreme caution if your system is big endian. I would greatly appreciate any reports on its operation, especially on big endian systems.

4. OMAC

Here is an old implementation of OMAC (it is now included with the other modes above), a MAC that improves on the traditional CBC based MAC by eliminating a number of security weaknesses for partial length blocks. This version uses AES as the associated cipher algorithm. OMAC was designed by Tetsu Iwata, who has produced a description to assist in implementation here.

5. XTS

Here is a zip archive containing my implementation of XTS. This archive contains the XTS code together with AES code and some support files needed to build a full XTS implementation. It also contains a Microsoft Visual Studio 2008 build project, a program for building XTS test vectors from templates (GENTEST) and some test vectors. The XTS implementation also works with my AES code (published separately). XTS is a new mode proposed by the IEEE Security in Storage Working Group for protecting data held on storage devices.

Back to Brian Gladman's Home Page