Recent development in AES-GCM authenticated encryption optimization and deployments, and its nonce misuse resistant version GCM-SIV

Shay Gueron


The talk will discuss the evolution of the AES-GCM authenticated encryption algorithm, and its software implementation. We will describe how new instructions, code optimizations, and micro architectural enhancements on modern CPU’s, changed its performance from ~23 cycles per byte in 2009, down to 0.65 cycles per byte on the latest Intel processors, Architecture Codename Skylake. Notably, bringing the authenticated encryption to perform at the same throughput as the CTR encryption alone. Then, we will review a variant of AES-GCM, named GCM-SIV (Gueron and Lindell, 20156), which converts AES-GCM to a nonce misuse resistant algorithm, at a very small performance cost.


Shay Gueron is an Associate Professor of Mathematics at the University of Haifa. He is also an Intel Senior Principal Engineer, serving as the Chief Core Cryptography Architect of the CPU Architecture Group. His interests include cryptography, security, and algorithms. Shay is responsible for some of the recent CPU instructions that speed up cryptographic algorithms, such as the AES-NI and the carry-less multiplier instruction, the coming VPMADD52, and for some micro architectural enhancements in the Big Cores. He has contributed software patches to open source libraries, such as OpenSSL and NSS, offering significant performance gains to encryption, authenticated encryption, public key algorithms, and hashing. He was one of the architects of the emerging Intel Software Guard Extensions (SGX), in charge of the cryptographic definition and implementation of SGX, and the inventor of the Memory Encryption Engine on the latest Architecture Codename Skylake processor.

Time and Place

Tuesday, February 16, 4:15pm
Gates 463