AES and Combined Encryption/Authentication
Released: 19 June 2006
Updated on 22nd November
2006: Minor portability improvements
Updated on 2nd March 2007:
Add support for Structured Exception Handling (SEH) in x64 assembler
Updated on 16th April 2007: Correct errors in a Visual Studio
build project, some code improvements, no bug fixes
January 2008: Correct an error in aes_cfb_decrypt(). Update build projects
for Visual Studio 2008.
Updated 4th March 2008: Added a reduced
code size option for x86 assembler (requested by the Truecrypt Foundation)
Updated 22nd July 2008: Added the AES Algorithm Validation Suite tests
(ECB, CBC, CFB and OFB).
Updated 29th August 2008: Cosmetic changes
only to add comments and improve compilation in C++
Updated 7th October
2008. Added example code to implement RFC 3686 (AES-CTR)
Updated 29th November 2008. Added code for the
EME2 mode being standardised by the IEEE SISWG
Updated 29th April 2009. AES source updated to
remove a reported failure to compile when a specific set of options
Updated 11th January 2011.
Update for Visual Studio 2010 build (no substantive souce
Updated 12th September 2011.
Cosmetic change to VIA ACE support suggested by Peter Gutmann.
Updated 20th November 2013. Added
Intel AES instruction support in Visual Studio, added use of
stdint.h and fixed a bug in aes_x86_v2.asm.
Updated 18th February 2014. Corrected a bug in the
implementation of the access to the Intel AES instruction set.
of my AES code supports both 32 and 64 bit systems in C, x86
and x64 assembler using YASM.
Here is the AES source code and
here are the build files for
Visual Studio 2012 and Visual Studio 2013. You may also need test vectors
which I make available in these archives
key tests (new) and
text tests (new). If you want to run the AESAVS tests you will need
to obtain the test vector files from
here (the *.fax files in aestestvectors.zip).
Structured Exception Handling support in the x64
assembler implementation of AES requires
Urman for their work on
YASM, on which this
AES code in assembler depends. I am grateful to Peter Gutmann
for noticing the error in aes_cfb_decrypt().
2 . Byte Oriented AES (Low Resource
22nd November 2006
Updated 29th August 2008: To add a version
that does not use tables
This is a
slower version of AES that is capable of operating on systems where
only byte operations are available. It does however offer some
opportunities for speed improvements if 32-bit operations are supported.
This version uses only limited processor resources and should hence
be capable of use on small embedded processor systems. In addition
to providing normal pre-keyed AES operation, this version provides AES
subroutines with 'on the fly' keying for 128 and 256 bit keys and can
hence remove the need for memory to hold the full AES key schedule.
3. Modes (CCM, GCM, EAX, CWC)
Released: 19 June 2006 (note CCM and GCM bug fix
for small blocks)
Updated 22nd November 2006: Portability improvements
and a new associated application (gentest)
Updated 21st January
2008: Corrected an optimisation bug. Added Visual Studio 2008 build
projects. New Galois Field multiplier.
7th October 2008. Added CMAC (to avoid confusion of OMAC/CMAC naming)
Updated 23rd July 2009. To remove bugs when
being used in 'authentication prior to decryption' mode.
Updated 16th January 2010. To improve the
operation of the Galois Field Multiplier on big endian systems.
Updated 30th March 2011. To remove another compilation
failure reported by Peter Gutmann.
Updated 20th November 2013.
To match the latest AES code (uint_<nn>t changed to uint<nn>_t).
November 2013 Update.
This update only updates the modes code to use the fixed width
integer types defined in stdint.h. The code is otherwise unchanged.
January 2010 Update.
This update adds a build capability for Visual Studio 2010 and
improves the operation of the Galois Field Multiplier on big endian
systems. I am most grateful for the extensive help that Mark
Rodenkirch gave in tracking down an issue with the
GCM Galois Field Multiplier on big endian systems when fast buffer
operations are enabled (these used to be disabled on big-endian
systems in earlier versions because they were known to fail).
July 2009 Update. This
update corrects errors in my AES modes code when used in a specific
way - one in which authentication on decryption is requested before
decryption is undertaken. Some versions of my previous code
would not produce correct authentication tags in such circumstances
although correct results were produced when authentication followed
decryption. I am most grateful to Colin Sinclair of
HELION Technology Limited
for finding, reporting and analysing the problem and for assisting
in testing the changes needed to correct it.
code in this
CMAC (OMAC) and
the combined encryption/authentication
modes - CCM, GCM, EAX and CWC - using the AES code provided at 1. above.
This zip archive
the Visual Studio 2010 build projects and code for testing. To
use this code you will also need the AES code described at 1. above.
GENTEST is an application for developing test
vectors for these modes. A template file specifies the test vectors
to be generated and these are then passed through two different implementations
of the mode in question, my own version and another derived from code
in the LibTomCrypt library produced
by Tom St Denis. Test vectors are only output if the two implementations
provide identical results. Although this application is provided
as a part of a Visual Studio build project it has been compiled on other
systems as well.
Here is a summary of mode performance (cycles/byte)
on x86 systems (GCM table size in brackets):
The Galois Field Multiplier
This version includes a new Galois Field multiplier
that can operate in any of the four common field representations.
It has been tested extensively on x86 systems but has only had
limited testing on big endian systems. It should hence
be used with caution if your system is big endian.
I would greatly appreciate any reports
on its operation, especially on big endian systems.
is an old implementation of OMAC (it is now included with other modes
above), a MAC that improves on the traditional CBC based MAC by eliminating
a number of security weaknesses for partial length blocks.
This version uses AES as the associated cipher algorithm. OMAC
was designed by
Tetsu Iwata who has produced a description to assist in implementation
5. XTS and EME-2
Here is a zip archive containing
my implementation of XTS. This archive contains the XTS code together
with AES code and some support files needed to build a full XTS implementation.
It also contains a Microsoft Visual Studio 2008 build project and a
program for building XTS test vectors from templates (GENTEST) and some
test vectors. The XTS implementation also works with my
AES code (published separately).
is a zip archive containing my implementation of EME-2. This archive
contains the EME-2 code together with AES code and some support
files needed to build a full EME-2 implementation.
Warning: this is preliminary code that has not
yet been verified against an independent implementation.
XTS and EME-2 are new modes
proposed by the IEEE Security in Storage
Back to Brian
Gladman's Home Page