Faster and timing-attack resistant AES-GCM

E. Käsper, P. Schwabe

Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

166 Citations (Scopus)
11 Downloads (Pure)


We present a bitsliced implementation of AES encryption in counter mode for 64-bit Intel processors. Running at 7.59 cycles/byte on a Core 2, it is up to 25% faster than previous implementations, while simultaneously offering protection against timing attacks. In particular, it is the only cache-timing-attack resistant implementation offering competitive speeds for stream as well as for packet encryption: for 576-byte packets, we improve performance over previous bitsliced implementations by more than a factor of 2. We also report more than 30% improved speeds for lookup-table based Galois/Counter mode authentication, achieving 10.68 cycles/byte for authenticated encryption. Furthermore, we present the first constant-time implementation of AES-GCM that has a reasonable speed of 21.99 cycles/byte, thus offering a full suite of timing-analysis resistant software for authenticated encryption.
Original languageEnglish
Title of host publicationCryptographic Hardware and Embedded Systems - CHES 2009 (11th International Workshop, Lausanne, Switzerland, September 6-9, 2009. Proceedings)
EditorsC. Clavier, K. Gaj
Place of PublicationBerlin
ISBN (Print)978-3-642-04137-2
Publication statusPublished - 2009

Publication series

NameLecture Notes in Computer Science
ISSN (Print)0302-9743


Dive into the research topics of 'Faster and timing-attack resistant AES-GCM'. Together they form a unique fingerprint.

Cite this