AES-GCM for Efficient Authenticated Encryption Ending the Reign of HMAC-SHA-1?

Similar documents
AES-GCM software performance on the current high end CPUs as a performance baseline for CAESAR competition

GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle per Byte. Yehuda Lindell Bar-Ilan University

Encrypting the Internet

Haswell Cryptographic Performance

Secure Socket Layer (SSL) and Transport Layer Security (TLS)

Cryptography and Network Security Chapter 12

The Impact of Cryptography on Platform Security

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Vulnerabilità dei protocolli SSL/TLS

Improving OpenSSL* Performance

Breakthrough AES Performance with. Intel AES New Instructions

Forward Secrecy: How to Secure SSL from Attacks by Government Agencies

Computer Security: Principles and Practice

Chapter 7 Transport-Level Security

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Is Your SSL Website and Mobile App Really Secure?

Security Protocols/Standards

KeyStone Architecture Security Accelerator (SA) User Guide

EXAM questions for the course TTM Information Security May Part 1

CS155. Cryptography Overview

Performance Investigations. Hannes Tschofenig, Manuel Pégourié-Gonnard 25 th March 2015

National Security Agency Perspective on Key Management

Table of Contents. Bibliografische Informationen digitalisiert durch

Chapter 17. Transport-Level Security

3.2: Transport Layer: SSL/TLS Secure Socket Layer (SSL) Transport Layer Security (TLS) Protocol

Summary of Results. NGINX SSL Performance

Secure Socket Layer (SSL) and Trnasport Layer Security (TLS)

Cryptographic Hash Functions Message Authentication Digital Signatures

Network Security Essentials Chapter 5

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

AES-Based Authenticated Encryption Modes in Parallel High-Performance Software

Enhancing McAfee Endpoint Encryption * Software With Intel AES-NI Hardware- Based Acceleration

RSA BSAFE. Crypto-C Micro Edition for MFP SW Platform (psos) Security Policy. Version , October 22, 2012

Communication Systems SSL

How To Understand And Understand The Ssl Protocol ( And Its Security Features (Protocol)

Communication Systems 16 th lecture. Chair of Communication Systems Department of Applied Sciences University of Freiburg 2009

CS 758: Cryptography / Network Security

Einführung in SSL mit Wireshark

Overview. SSL Cryptography Overview CHAPTER 1

Message Authentication

SMPTE Standards Transition Issues for NIST/FIPS Requirements v1.1

Lecture 9 - Network Security TDTS (ht1)

Public Key Cryptography Overview

ColdFire Security SEC and Hardware Encryption Acceleration Overview

Network Security Part II: Standards

SE 4472a / ECE 9064a: Information Security

13 Virtual Private Networks 13.1 Point-to-Point Protocol (PPP) 13.2 Layer 2/3/4 VPNs 13.3 Multi-Protocol Label Switching 13.4 IPsec Transport Mode

HTTPS: Transport-Layer Security (TLS), aka Secure Sockets Layer (SSL)

Authenticated encryption

Secure Socket Layer/ Transport Layer Security (SSL/TLS)

Secure Socket Layer. Carlo U. Nicola, SGI FHNW With extracts from publications of : William Stallings.

Security. Learning Objectives. This module will help you...

Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213

Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket

An Overview of Communication Manager Transport and Storage Encryption Algorithms

The Misuse of RC4 in Microsoft Word and Excel

How to Send Stealth Text From Your Cell Phone

SkyRecon Cryptographic Module (SCM)

13135 Lee Jackson Memorial Hwy., Suite 220 Fairfax, VA United States of America

SENSE Security overview 2014

Web Security Considerations

Message Authentication Codes. Lecture Outline

Lecture 9: Application of Cryptography

Network Security. Chapter 3 Symmetric Cryptography. Symmetric Encryption. Modes of Encryption. Symmetric Block Ciphers - Modes of Encryption ECB (1)

Secret File Sharing Techniques using AES algorithm. C. Navya Latha Garima Agarwal Anila Kumar GVN

7! Cryptographic Techniques! A Brief Introduction

Security Engineering Part III Network Security. Security Protocols (I): SSL/TLS

SECURITY IN NETWORKS

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

As enterprises conduct more and more

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

An Introduction to Cryptography as Applied to the Smart Grid

Northrop Grumman M5 Network Security SCS Linux Kernel Cryptographic Services. FIPS Security Policy Version

CSE/EE 461 Lecture 23

Security Policy for FIPS Validation

Accellion Secure File Transfer Cryptographic Module Security Policy Document Version 1.0. Accellion, Inc.

Properties of Secure Network Communication

UM0586 User manual. STM32 Cryptographic Library. Introduction

Secure Network Communications FIPS Non Proprietary Security Policy

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

TLS all the tubes! TLS Fast Yet? IsWebRTC. It can be. Making TLS fast(er)... the nuts and bolts. +Ilya

MAC. SKE in Practice. Lecture 5

HASH CODE BASED SECURITY IN CLOUD COMPUTING

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Network Security. Lecture 3

SecureDoc Disk Encryption Cryptographic Engine

Technologies to Improve. Ernie Brickell

SPC5-CRYP-LIB. SPC5 Software Cryptography Library. Description. Features. SHA-512 Random engine based on DRBG-AES-128

How To Encrypt Data With Encryption

Block encryption. CS-4920: Lecture 7 Secret key cryptography. Determining the plaintext ciphertext mapping. CS4920-Lecture 7 4/1/2015

Real-Time Communication Security: SSL/TLS. Guevara Noubir CSU610

Thanks, But No Thanks

Waspmote Encryption Libraries. Programming guide

Transcription:

Workshop on Real-World Cryptography Stanford University Jan. 9-11, 2013 AES-GCM for Efficient Authenticated Encryption Ending the Reign of HMAC-SHA-1? Shay Gueron University of Haifa Department of Mathematics, Faculty of Natural Sciences, University of Haifa, Israel Intel Corporation Intel Corporation, Israel Development Center, Haifa, Israel shay@math.haifa.ac.il, shay.gueron@intel.com 1

Agenda Why is the ecosystem using HMAC SHA-1 for authenticated encryption? What can be done to change this? AES-GCM dirty secrets and how to optimize it ( and save the honor of AES-GCM after Adam s talk) S. Gueron. RWC 2013 2

Optimizing cryptographic primitives Why care? Who cares? The need for end-to-end security in the internet, constantly increases the world-wide number (and percentage) of SSL/TLS connections. Why aren t all connections https://? Overheads costs Cryptographic algorithms for secure communications = computational overhead Mainly on the servers side Any latency client side influences (indirectly) the ecosystem Authenticated Encryption: a fundamental cryptographic primitive Is the ecosystem using an efficient AE scheme? Apparently no a better alternative exists S. Gueron. RWC 2013 3

Ciphers in use in SSL/TLS connections Today s most frequently used AE in browser/server connections RC4 + HMAC-MD5 (don t care) RC4 + HMAC-SHA-1 AES + HMAC-SHA-1 RC4-MD5-128 15% RC4-SHA-128 3% DES-CBC3- SHA-168 2% authentication: mostly HMAC SHA-1 Is it the best AE (performance wise)? AES128-SHA-1 36% ASE256-SHA-1 44% No a faster alternative exists We already know that HMAC is not an efficient MAC scheme, and as an ingredient in AE it makes an inefficient AE Akamai serves service millions of requests per sec. for secure content over HTTPS/SSL Observed the client-side SSL ciphers in popular use Statistics for SSLv3 and TLSv1 http://www.akamai.com/stateoftheinternet AES-GCM is a more efficient Authenticated Encryption scheme S. Gueron. RWC 2013 4

AES-GCM Authenticated Encryption AES-GCM Authenticated Encryption (D. McGrew & J. Viega) Designed for high performance (Mainly with a HW viewpoint) A NIST standard FIPS 800-38D (since 2008) Included in the NSA Suite B Cryptography. Also in: IPsec (RFC 4106) IEEE P1619 Security in Storage Working Group http://siswg.net/ TLS 1.2 How it works: Encryption is done with AES in CTR mode Authentication tag computations - Galois Hash : A Carter-Wegman-Shoup universal hash construction: polynomial evaluation over a binary field Uses GF(2 128 ) defined by the lowest irreducible polynomial Computations based on GF(2 128 ) arithmetic g = g(x) = x 128 + x 7 + x 2 + x + 1 But not really the standard GF(2 128 ) arithmetic S. Gueron. RWC 2013 5

AES-GCM and Intel s AES-NI / PCLMULQDQ Intel introduced a new set of instructions (2010) AES-NI: Facilitate high performance AES encryption and decryption PCLMULQDQ 64 x 64 128 (carry-less) Binary polynomial multiplication; speeds up computations in binary fields Has several usages --- AES-GCM is one To use it for the GHASH computations: GF(2 128 ) multiplication: 1. Compute 128 x 128 256 via carry-less multiplication (of 64-bit operands) 2. Reduction: 256 128 modulo x 128 + x 7 + x 2 + x + 1 (done efficiently via software) It ain t necessarily so AES-NI and PCLMULQDQ can be used for speeding up AES-GCM Authenticated Encryption S. Gueron. RWC 2013 6

Cycles per Byte - lower is better Some Authenticated Encryption performance PRE AES-NI / CLMUL(lookup tables) RC4 + HMAC SHA-1 AES + HMAC SHA-1 AES-GCM 2010 - POST AES-NI / CLMUL 2 nd Generation; 3 rd Generation Core 25 The performance order is reversed! 20 21.96 22.51 AES-NI accelerate the encryption PCLMULQDQ GF(2 128 ) stuff (w/o tables) 15 AES-GCM AES-SHA1 10 9.46 9.46 8.97 RC4-SHA1 5 6.16 5.59 2.47 2.42 0 pre-aes NI Core i7-2600k Core i7-3770 S. Gueron. RWC 2013 7

If AES-GCM is so good, why everyone is still using SHA-1 HMAC? Inertia: If is works don t upgrade it Migration costs and effort Problem is not painful enough / Painful but to whom? Legacy : RC4/AES + HMAC-SHA1 is all over the place Ecosystem awareness: performance benefit & progression - not fully understood Kickoff latency AES-GCM is a relatively new standard (2008); Part of TLS -- only from TLS 1.2 (which is not proliferated yet) Superior performance: only from 2010 (emergence of AES-NI & PCLMULQDQ) The chicken and the egg problem: Browsers (client) will not upgrade (TLS1.2) and implement (GCM) before all servers support TLS 1.2 Servers will not upgrade/implement before all browsers have TLS1.2 and offer GCM as an option In an ideal world: all servers and clients support TLS 1.2, clients offer AES-GCM at handshake And the ecosystem would see performance gain But how can we get there? S. Gueron. RWC 2013 8

What needs to happen? Clients (browsers): add TLS 1.2, as well as GCM support. The client will then offer that as one of their ciphers Server: support TLS 1.2 and GCM (today ~9% of the servers) Servers with AES-NI/CLMUL would enjoy the faster cipher What happens now? OpenSSL 1.0.1 already has GCM and TLS 1.2. (and that is slowly deploying) Internet Explorer and MSFT server support TLS 1.2 AES-GCM (version 8 on Win 7) Safari (?) (announced TLS 1.2 and AES-GCM) The next big move: --- NSS to add support (NSS is the stack behind Firefox and Chrome) There is ongoing work there on both GCM and TLS 1.2 Wan-Teh Chang (Google), Bob Relyea (Red Hat), Brian Smith (Mozilla), Eric Rescorla, Shay Gueron (Intel) S. Gueron. RWC 2013 9

What did we contribute to this? The new AES-GCM patches (2012) Sept./Oct. 2012: We published two patches for two popular open source distributions: OpenSSL and NSS Authors: S. Gueron and V. Krasnov Inherently side channel protected constant time in the strict definition Fast on the current x86_64 processors (2 nd and 3 rd Generation Core) Fastest we know of And also ready to boost performance on the coming processors generation (4 th Generation Core) Let s review how this was done S. Gueron. RWC 2013 10

AES-GCM optimization 1. The encryption 2. The Galois Hash 3. Putting them together S. Gueron. RWC 2013 11

AESENC data, key0 AESENC data, key1 AESENC data, key2 AESENC data0, key0 AESENC data1, key0 AESENC data2, key0 AESENC data3, key0 AESENC data4, key0 AESENC data5, key0 AESENC data6, key0 AESENC data7, key0 AESENC data0, key1 AES-NI: Throughput vs. Latency Parallelizable modes (CTR, CBC decryption, XTS) can interleave processing of multiple messages They become much faster with AES-NI S. Gueron. RWC 2013 12

How much to parallelize? The effect of the parallelization parameter Encryption of 8 blocks in parallel vs. encryption of 4 blocks in parallel 4 blocks AES ECB on 1KB buffer (in CPU cycles per Byte, Intel Core i7-2600k) 8 blocks 0 0.2 0.4 0.6 0.8 1 We found the 8 blocks in parallel is a sweat point S. Gueron. RWC 2013 13

CPU Cycles/Byte AES-CTR performance Previous Generation Core, Second Generation Core, Thirds Generation Core Intel Core i7-2600k vs. Intel Core i7-880 Processor (1KB buffer; performance in CPU cycles per Byte) 2.00 1.80 1.60 1.53 1.78 Performance on Intel Core i7-880 Processor 1.40 1.30 1.20 1.00 0.80 0.83 0.83 0.96 0.97 1.09 1.09 128-bit Legacy SSE AES instructions 0.60 VEX encoded AES instructions 0.40 0.20 0.00 AES-128 AES-192 AES-256 Key Size S. Gueron. RWC 2013 14

128-bit Carry-less Multiplication using PCLMULQDQ This is fixed (Gueron Kounavis, 2009) Multiply 128 x 128 256 A 1 : A 0 B 1 : B 0 Schoolbook (4 PCLMULQDQ invocations) A 0 B 0 = C 1 : C 0, A 1 B 1 = D 1 : D 0 A 0 B 1 = E 1 : E 0, A 1 B 0 = F 1 : F 0 A 1 : A 0 B 1 : B 0 = [D 1 : D 0 E 1 F 1 : C 1 E 0 F 0 : C 0 ] So this is also fixed Carry-less Karatsuba (3 PCLMULQDQ invocations) A 1 B 1 = C 1 : C 0, A 0 B 0 = D 1 : D 0 A 1 A 0 B 1 B 0 = [E 0 : E 1 ] A 1 : A 0 B 1 : B 0 = [C 1 : C 0 C 1 D 1 E 1 : D 1 C 0 D 0 E 0 : D 0 ] S. Gueron. RWC 2013 15

AES-GCM dirty secrets revealed A new interpretation to GHASH operations Not what you expected: GHASH does not use GF(2 128 ) computations At least not in the usual polynomial representation convention The bits inside the 128-bit operands are reflected Actually - it is an operation on a permutation of the elements of GF(2 128 No need ) to reflect T1 = reflect (A) the data T2 = reflect (B) T3 = T1 T2 modulo x 128 + x 7 + x 2 + x + 1 (a GF(2 128 ) multiplication) Reflect (T3) We can prove (a new interpretation) that this operation is: A B x -127 mod x 128 + x 127 +x 126 +x 121 + 1 i.e., a weird Montgomery Multiplication in GF(2 128 ) modulo a reversed poly Better written as A B x x -128 mod x 128 + x 127 +x 126 +x 121 + 1 S. Gueron. RWC 2013 16

The Shift-XOR reflected reduction (Gueron Kounavis 2009) CipherText HKey X 3 X 2 X 1 X 0 1 X 3 X 2 X 1 X 0 S. Gueron. RWC 2013 17

X 1 A B C 63 62 57 X 0 X 0 X 0 D X 0 1 E 0 E 0 D X 0 2 F 0 F 0 D X 0 7 G 0 G 0 S. Gueron. RWC 2013 18

E 0 E 0 F 0 F 0 G 0 G 0 X 3 X 2 H 0 H 0 Voila S. Gueron. RWC 2013 19

Fast reduction modulo x 128 +x 127 +x 126 +x 121 +1 (Gueron 2012) Algorithm 4: Montgomery reduction Input 256-bit operand [X 3 :X 2 :X 1 :X 0 ] [A 1 :A 0 ] = X 0 0xc200000000000000 [B 1 :B 0 ] = [X 0 A 1 :X 1 A 0 ] [C 1 :C 0 ] = B 0 0xc200000000000000 [D 1 :D 0 ] = [B 0 C 1 :B 1 C 0 ] Output: [D 1 X 3 :D 0 X 2 ] The cost: 2 x PCLMULQDQ 3 x shift/xor Ideal with fast PCLMULQDQ ; Input is in T1:T7 vmovdqa T3, [W] vpclmulqdq T2, T3, T7, 0x01 vpshufd T4, T7, 78 vpxor T4, T4, T2 vpclmulqdq T2, T3, T4, 0x01 vpshufd T4, T4, 78 vpxor T4, T4, T2 vpxor T1, T4 ; result in T1 S. Gueron. RWC 2013 20

The optimized reflected reduction CipherText Hkey X 3 X 2 X 1 X 0 0xc2000000000 00000 X 0 0xc2000000000 00000 B 0 A 1 A 0 C 1 C 0 X 0 X 1 B 0 B 1 B 1 B 0 D 1 D 0 X 3 X 2 Voila S. Gueron. RWC 2013 H 1 H 0 21

The Ghash operation is: Aggregated Reduction MM (CT 1, Hx m ) + MM (CT 2, Hx m-1 ) + + MM (CT m, Hx) mod x 128 + x 127 +x 126 +x 121 + 1 In a Horner form (facilitating iterative computation) Y i = MM [(X i + Y i-1 ), Hx] everything mod Q= x 128 + x 127 + x 126 + x 121 + 1 4-way expanded Horner form (aggregate results & defer the reduction step) Yi = MM [(X i + Y i-1 ), Hx] = MM [(X i, Hx) ] + MM [(Y i-1, Hx)] = MM [(X i, Hx)] + MM [(X i-1 + Y i-2 ), Hx 2 ] = = MM [(X i, H)] + MM [(X i-1, Hx 2 )] + MM [(X i-2 +Y i-3 ), Hx 3 ] = MM [(X i, Hx)] + MM [(X i-1, Hx 2 )] + MM [(X i-2, Hx 3 )] + MM [(X i-3 +Y i-4 ), Hx 4 ] Can be expanded further The gain: reduction deferred to once per N blocks Overhead: pre-calculate the powers of H (amortized for reasonably long buffer) S. Gueron. RWC 2013 22

Interleaving CTR and GHASH There are two approaches to GCM Use dedicated AES-CTR function for the encryption and another GHASH function to generate the MAC Gain additional performance by interleaving the calculation of CTR and GHASH in a single function The first approach can only achieve the performance of CTR+GHASH The second approach achieves a better performance Filling the execution pipe more efficiently. S. Gueron. RWC 2013 23

The new AES-GCM patches (2012) putting it (and more ) all together Sept./Oct. 2012: We published two patches for two popular open source distributions: OpenSSL and NSS NSS patch to be committed into version 3.14.2 Both patches share similar code and use : Carry-less Karatsuba multiplication Reduce using Montgomery Encrypt 8 counter blocks Deferred reduction (using 8 block aggregation) Fixed elements outside the brackets Interleave CTR and GHASH Inherently side channel protected constant time in the strict definition Fast on current processors (2 nd and 3 rd Generation Core) And also ready to boost on the coming processors (4 th Generation Core) S. Gueron. RWC 2013 24

Results The performance of AES-128 GCM Encryption on 4KB buffer in CPU cycles per Byte, Intel Core i7-2600k vs. Intel Core i7-880 Processor, Lower is better Performance on Intel Core i7-2600k Processor 2.53 Performance on Intel Core i7-880 Processor 3.90 Best known AES-GCM without AES-NI* on i7-2600k Processor 10.42 0.00 2.00 4.00 6.00 8.00 10.00 12.00 * E. Käsper, P. Schwabe, Faster and Timing-Attack Resistant AES-GCM, http://homes.esat.kuleuven.be/~ekasper/papers/fast_aes_slides.pdf S. Gueron. RWC 2013 25

Some breakdown AES-GCM: 4KB message: 2.53 C/B 16KB message: 2.47 C/B Breakdown CTR performance for 16KB: 0.79 C/B The cost of the GHASH is ~1.68 C/B ~68% of the computations The performance of standalone GHASH is 1.75 C/B The delta is the gain from interleaving GHASH with CTR. Notes: the MAC computations are still significant Limited by the current performance of PCLMULQDQ Ultimate goal: achieve AES-GCM at the performance of CTR+ ε S. Gueron. RWC 2013 26

The NSS patch (2012) The performance of NSS AES GCM Encryption on 8KB buffer in CPU cycles per Byte, Intel Core i7-2600k and Intel Core i7-3770 Processors, Lower is better 60.00 55.42 53.67 50.00 40.00 30.00 NSS 3.14 RC0 Our patch 20.00 10.00 0.00 2.70 2.66 Core i7-2600k Core i7-3770 Ready to boost performance on the coming processors generation (4 th Generation Core) S. Gueron. RWC 2013 27

The OpenSSL patch (2012) 3.50 The performance of OpenSSL AES GCM Encryption on 8KB buffer in CPU cycles per Byte, Intel Core i7-2600k and Intel Core i7-3770 Processors, Lower is better 3.00 2.50 2.89 2.88 2.69 2.64 2.00 1.50 OpenSSL 1.0.1c Our patch 1.00 0.50 0.00 Core i7-2600k Core i7-3770 Ready to boost performance on the coming processors generation (4 th Generation Core) S. Gueron. RWC 2013 28

18.00 What does it give? AES-GCM vs. other (NIST standard) Authenticated Encryption The performance of NSS AES GCM Encryption on 32KB buffer in CPU cycles per Byte, Intel Core i7-2600k and Intel Core i7-3770 Processors, Lower is better 16.00 16.80 14.00 15.57 12.00 10.00 AES CBC+HMAC-SHA256 (serial) 8.00 9.46 8.97 RC4-SHA1 AES CBC+HMAC-SHA1 AES GCM 6.00 4.00 6.16 5.59 2.00 2.47 2.42 0.00 Core i7-2600k Core i7-3770 S. Gueron. RWC 2013 29

Summary AES-GCM is the best performing Authenticated Encryption combination among the NIST standard options (esp. compared to using HMAC SHA-1) SE on x86-64 + Performance keeps improving across CPU generations Just wait for the coming 4 th Generation Core (2013) We try to actively help the eco-system move to the more efficient AE With some luck, we might see significant deployment already in 2013 Optimized algorithms & implementations released as patches for Open Source Thanks to Google/Mozilla/RedHat colleagues Review and commit to NSS; add TLS1.2; enable Firefox / Chrome support The ultimate goal: achieve AES-GCM at the performance of CTR+ ε All the codes and papers are publicly available (see reference) S. Gueron. RWC 2013 30

References S. Gueron. RWC 2013 31

References AES-GCM (The algorithms and methods that underlie the AES-GCM patches codes are detailed in references [1-4]) 1. S. Gueron, Michael E. Kounavis: Intel Carry-Less Multiplication Instruction and its Usage for Computing the GCM Mode (Rev. 2.01) http://software.intel.com/sites/default/files/article/165685/clmul-wp-rev-2.01-2012-09-21.pdf 2. S. Gueron, M. E. Kounavis: Efficient Implementation of the Galois Counter Mode Using a Carry-less Multiplier and a Fast Reduction Algorithm. Information Processing Letters 110: 549û553 (2010). 3. S. Gueron: AES Performance on the 2nd Generation Intel Core Processor Family (to be posted) (2012). 4. S. Gueron: Fast GHASH computations for speeding up AES-GCM (to be published soon) (2012). AES-NI 5. S. Gueron. Intel Advanced Encryption Standard (AES) Instructions Set, Rev 3.01. Intel Software Network. http://software.intel.com/sites/default/files/article/165683/aes-wp-2012-09-22-v01.pdf 6. S. Gueron. Intel's New AES Instructions for Enhanced Performance and Security. Fast Software Encryption, 16th International Workshop (FSE 2009), Lecture Notes in Computer Science: 5665, p. 51-66 (2009). OpenSSL patch: S. Gueron, V. Krasnov, [PATCH] Efficient implementation of AES-GCM, using Intel's AES-NI, PCLMULQDQ instruction, and the Advanced Vector Extension (AVX). http://rt.openssl.org/ticket/display.html?id=2900&user=guest&pass=guest (2012) NSS patch: S. Gueron, V. Krasnov, Efficient AES-GCM implementation that uses Intel's AES and PCLMULQDQ instructions (AES-NI), and the Advanced Vector Extension (AVX) architecture. For the NSS library, Attachment 673021 Details for Bug 373108, [PATCH] https://bugzilla.mozilla.org/show_bug.cgi?id=805604#c0 (2012) S. Gueron. RWC 2013 32

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information