About Me
Policy Analysis

AES and Combined Encryption/Authentication Modes

1. AES

Released: 19 June 2006
Updated on 22nd November 2006:  Minor portability improvements
Updated on 2nd March 2007: Add support for Structured Exception Handling (SEH) in x64 assembler code
Updated on 16th April 2007: Correct errors in a Visual Studio build project, some code improvements, no bug fixes
Updated 17th January 2008: Correct an error in aes_cfb_decrypt(). Update build projects for Visual Studio 2008.
Updated 4th March 2008: Added a reduced code size option for x86 assembler (requested by the Truecrypt Foundation)
Updated 22nd July 2008: Added the AES Algorithm Validation Suite tests (ECB, CBC, CFB and OFB).
Updated 29th August 2008: Cosmetic changes only to add comments and improve compilation in C++
Updated 7th October 2008. Added example code to implement RFC 3686 (AES-CTR)
Updated 29th November 2008. Added code for the EME2 mode being standardised by the IEEE SISWG
Updated 29th April 2009. AES source updated to remove a reported failure to compile when a specific set of options are selected.
Updated 11th January 2011.  Update for Visual Studio 2010 build (no substantive souce changes).
Updated 12th September 2011.  Cosmetic change to VIA ACE support suggested by Peter Gutmann.
Updated 20th November 2013.  Added Intel AES instruction support in Visual Studio, added use of stdint.h and fixed a bug in aes_x86_v2.asm.
Updated 18th February 2014.  Corrected a bug in the implementation of the access to the Intel AES instruction set.

I now make my AES code available on my GITHUB hosted repository (https://github.com/BrianGladman):


The AES code hosted on this page is hence maintained for historical purposes only.  Please use the repository based code for ongoing development and submit any requested changes against this version.  My byte oriented AES version and my modes code is still available here but I intend to migrate this code to GITHUB as soon as I get the time to do this.

The current version of my AES code supports both 32 and 64 bit systems in C,  x86 and x64 assembler using YASM

You may also need test vectors which I make available in these archives variable key tests, variable text tests, variable key tests (new) and variable text tests (new). If you want to run the AESAVS tests you will need to obtain the test vector files from here (the *.fax files in aestestvectors.zip).

Structured Exception Handling support in the x64 assembler implementation of AES requires YASM 0.6 or later.

My thanks go to Peter Johnson and Michael Urman for their work on YASM, on which this AES code in assembler depends.  I am grateful to Peter Gutmann for noticing the error in aes_cfb_decrypt().

2 . Byte Oriented AES (Low Resource Version)

Released: 22nd November 2006
Updated 29th August 2008: To add a version that does not use tables

This is a slower version of AES that is capable of operating on systems where only byte operations are available.  It does however offer some opportunities for speed improvements if 32-bit operations are supported.  This version uses only limited processor resources and should hence be capable of use on small embedded processor systems.  In addition to providing normal pre-keyed AES operation, this version provides AES subroutines with 'on the fly' keying for 128 and 256 bit keys and can hence remove the need for memory to hold the full AES key schedule.

3. Modes (CCM, GCM, EAX, CWC)

Released: 19 June 2006 (note CCM and GCM bug fix for small blocks)
Updated 22nd November 2006: Portability improvements and a new associated application (gentest)
Updated 21st January 2008: Corrected an optimisation bug. Added Visual Studio 2008 build projects. New Galois Field multiplier.
Updated 7th October 2008. Added CMAC (to avoid confusion of OMAC/CMAC naming)
Updated 23rd July 2009.  To remove bugs when being used in 'authentication prior to decryption' mode.
Updated 16th January 2010. To improve the operation of the Galois Field Multiplier on big endian systems.
Updated 30th March 2011. To remove another compilation failure reported by Peter Gutmann.
Updated 20th November 2013.  To match the latest AES code (uint_<nn>t changed to uint<nn>_t).

November 2013 Update. This update only updates the modes code to use the fixed width integer types defined in stdint.h. The code is otherwise unchanged.

January 2010 Update. This update adds a build capability for Visual Studio 2010 and improves the operation of the Galois Field Multiplier on big endian systems.  I am most grateful for the extensive help that Mark Rodenkirch gave in tracking down an issue with the GCM Galois Field Multiplier on big endian systems when fast buffer operations are enabled (these used to be disabled on big-endian systems in earlier versions because

July 2009 Update. This update corrects errors in my AES modes code when used in a specific way - one in which authentication on decryption is requested before decryption is undertaken.  Some versions of my previous code would not produce correct authentication tags in such circumstances although correct results were produced when authentication followed decryption.  I am most grateful to Colin Sinclair of HELION Technology Limited for finding, reporting and analysing the problem and for assisting in testing the changes needed to correct it.

he code in this zip archive implements CMAC (OMAC) and the combined encryption/authentication modes - CCM, GCM, EAX and CWC - using the AES code provided at 1. above.  This zip archive contains the Visual Studio 2010 build projects and code for testing.  To use this code you will also need the AES code described at 1. above.

GENTEST is an application for developing test vectors for these modes. A template file specifies the test vectors to be generated and these are then passed through two different implementations of the mode in question, my own version and another derived from code in the LibTomCrypt library produced by Tom St Denis. Test vectors are only output if the two implementations provide identical results.  Although this application is provided as a part of a Visual Studio build project it has been compiled on other systems as well.

Here is a summary of mode performance (cycles/byte) on x86 systems (GCM table size in brackets):

Processor CCM CWC EAX GCM (64K) GCM (8K) GCM (4K) GCM (256) GCM (0)
Intel P3 41.8 70.3 41.6 31.2 36.2 39.9 91.3 114.4
Intel P4 43.5 100.0 43.7 39.0 47.6 47.2 95.1 157.7
AMD64 (32) 32.0 47.5 31.9 26.4 40.0 33.9 71.1 79.4
AMD64 (64) 25.3 37.2 25.6 19.8 22.3 26.3 36.8 93.6
Average 35.7 63.8 35.7 29.1 36.5 36.8 73.6 111.3

The Galois Field Multiplier

This version includes a new Galois Field multiplier that can operate in any of the four common field representations.  It has been tested extensively on x86 systems but has only had limited testing on big endian systems.  It should hence be used with caution if your system is big endian. 

I would greatly appreciate any reports on its operation, especially on big endian systems.


Here is an old implementation of OMAC (it is now included with other modes above), a MAC that improves on the traditional CBC based MAC by eliminating a number of security weaknesses for partial length  blocks.   This version uses AES as the associated cipher algorithm.  OMAC was designed by Tetsu Iwata who has produced a description to assist in implementation here.

5. XTS and EME-2

Here is a zip archive containing my implementation of XTS. This archive contains the XTS code together with AES code and some support files needed to build a full XTS implementation. It also contains a Microsoft Visual Studio 2008 build project and a program for building XTS test vectors from templates (GENTEST) and some test vectors.   The XTS implementation also works with my AES code (published separately). 

Here is a zip archive containing my implementation of EME-2. This archive contains the  EME-2 code together with AES code and some support files needed to build a full EME-2 implementation.  Warning: this is preliminary code that has not yet been verified against an independent implementation.

XTS and EME-2 are new modes proposed by the IEEE Security in Storage Working Group

Back to Brian Gladman's Home Page