Hardware Acceleration¶
Botan provides built-in support for hardware acceleration of certain algorithms on certain platforms. These alternate implementations use special CPU instructions that are not available on all platforms and either speed up the algorithm or improve security in terms of side channel resistance.
A “base” software implementation is always provided. For example, for the AES-128 block cipher three implementations are available. All of the AES-128 implementations are immune to common cache/timing based side channels.
If AES hardware support is available (AES-NI, POWER8, Aarch64) use that
If 128-bit SIMD with byte shuffles are available (SSSE3, NEON, or Altivec), use the vperm technique published by Mike Hamburg at CHES 2009
If no hardware or SIMD support, fall back to a constant time bitsliced implementation
The following sections list the platforms and algorithms for which hardware acceleration is available. If the CPU specific optimizations are available at runtime, they are automatically used if enabled in the build. If not, the base implementation is used.
x86¶
On x86-64 and x86-32 platforms, the following CPU specific optimizations are available:
Algorithm |
Extension |
Module |
Added in |
|---|---|---|---|
AES |
VAES-AVX2 AES-NI SSSE3 |
aes_vaes aes_ni aes_vperm |
3.6.0 1.9.3 1.9.10 |
AES-GCM |
CLMUL SSSE3 |
ghash_cpu ghash_vperm |
1.11.6 1.9.10 |
Argon2 |
AVX2 SSSE3 |
argon2_avx2 argon2_ssse3 |
3.0.0 2.19.2 |
ChaCha |
AVX512 (x86-64 only) AVX2 SSE2 |
chacha_avx512 chacha_avx2 chacha_simd32 |
3.1.0 2.8.0 1.11.32 |
IDEA |
SSE2 |
idea_sse2 |
1.9.4 |
KMAC |
BMI2 |
keccak_perm_bmi2 |
3.2.0 |
NOEKEON |
SSE2 |
noekeon_simd |
1.9.4 |
RDRAND |
RDRAND |
processor_rng |
1.11.31 |
RDSEED |
RDSEED |
rdseed |
1.11.36 |
Serpent |
AVX512 (x86-64 only) AVX2 SSE2 |
serpent_avx512 serpent_avx2 serpent_simd |
3.1.0 2.8.0 1.9.0 |
SHACAL2 |
Intel SHA Extensions AVX2 |
shacal2_x86 shacal2_avx2 |
2.3.0 2.13.0 |
SHAKE |
BMI2 |
keccak_perm_bmi2 |
2.13.0 |
SHA-1 |
Intel SHA Extensions SSE2 |
sha1_x86 sha1_sse2 |
2.2.0 1.7.12 |
SHA-256 |
Intel SHA Extensions BMI2 |
sha2_32_x86 sha2_32_bmi2 |
2.2.0 2.7.0 |
SHA-3 |
BMI2 |
keccak_perm_bmi2 |
2.10.0 |
SM4 |
GFNI |
sm4_gfni |
3.6.0 |
ARM¶
On arm64 and arm32 platforms, the following CPU specific optimizations are available:
Algorithm |
Extension |
Module |
Added in |
|---|---|---|---|
AES |
NEON |
aes_armv8 |
1.9.3 |
AES-GCM |
PMULL (arm64 only) NEON |
ghash_cpu ghash_vperm |
2.3.0 2.12.0 |
ChaCha |
NEON |
chacha_simd32 |
2.8.0 |
NOEKEON |
NEON |
noekeon_simd |
1.9.4 |
Serpent |
NEON |
serpent_simd |
1.9.2 |
SHACAL2 |
NEON ARMv8 Cryptography Extensions (arm64 only) |
shacal2_simd shacal2_armv8 |
2.3.0 2.13.0 |
SHA-1 |
ARMv8 Cryptography Extensions (arm64 only) |
sha1_armv8 |
2.2.0 |
SHA-256 |
ARMv8 Cryptography Extensions (arm64 only) |
sha2_32_armv8 |
2.2.0 |
SHA-384 |
ARMv8 Cryptography Extensions (arm64 only) |
sha2_64_armv8 |
3.3.0 |
SHA-512 |
ARMv8 Cryptography Extensions (arm64 only) |
sha2_64_armv8 |
3.3.0 |
SM4 |
ARMv8 Cryptography Extensions (arm64 only) |
sm4_armv8 |
2.8.0 |
PowerPC¶
On ppc64 and ppc32 platforms, the following CPU specific optimizations are available:
Algorithm |
Extension |
Module |
Added in |
|---|---|---|---|
AES |
POWER8/POWER9 AltiVec |
aes_power8 aes_vperm |
2.14.0 2.12.0 |
AES-GCM |
AltiVec |
ghash_vperm |
2.12.0 |
ChaCha |
AltiVec |
chacha_simd32 |
2.8.0 |
DARN |
POWER9 |
processor_rng |
2.15.0 |
Serpent |
AltiVec |
serpent_simd |
1.9.2 |
SHACAL2 |
AltiVec |
shacal2_simd |
2.3.0 |
NOEKEON |
AltiVec |
noekeon_simd |
1.9.4 |
Configuring Acceleration¶
Hardware acceleration can be disabled at during configuring the build
by passing certain --disable-* options to configure.py.
This will cause the base software implementation to be used instead
of the hardware accelerated one. The following options are currently supported:
--disable-sse2disable SSE2 intrinsics
--disable-ssse3disable SSSE3 intrinsics
--disable-sse4.1disable SSE4.1 intrinsics
--disable-sse4.2disable SSE4.2 intrinsics
--disable-avx2disable AVX2 intrinsics
--disable-bmi2disable BMI2 intrinsics
--disable-rdranddisable RDRAND intrinsics
--disable-rdseeddisable RDSEED intrinsics
--disable-aes-nidisable AES-NI intrinsics
--disable-sha-nidisable SHA-NI intrinsics
--disable-altivecdisable AltiVec intrinsics
--disable-neondisable NEON intrinsics
--disable-armv8cryptodisable ARMv8 Crypto intrinsics
--disable-powercryptodisable POWER Crypto intrinsics
Additionally, --disable-modules=MODS can be used to remove a certain module,
if desirable.
Last but not least, the BOTAN_CLEAR_CPUID environment variable
can be set to a non-empty value at runtime to cause Botan to clear the CPUID bits for the CPU
extensions it uses.