Hardware Acceleration¶
Botan provides built-in support for hardware acceleration of certain algorithms on certain platforms. These alternate implementations use special CPU instructions that are not available on all platforms and either speed up the algorithm or improve security in terms of side channel resistance.
The following sections list the platforms and algorithms for which hardware acceleration is available. If the CPU specific optimizations are available at runtime, they are automatically used if enabled in the build. If not, the base implementation is used.
It is possible to disable CPU-specific optimizations at runtime by setting the
environment variable BOTAN_CLEAR_CPUID. For example
BOTAN_CLEAR_CPUID=avx2 will disable use of any AVX2 instructions.
x86¶
On x86-64 and x86-32 platforms, the following CPU specific optimizations are available.
Note
AVX-512 codepaths are only used on x86-64 processors that support AVX-512 extensions similar to Intel Ice Lake or AMD Zen4 (requires AVX-512 F, VL, BW, DQ, VBMI, VBMI2, BITALG, IFMA)
Algorithm |
Extension |
Module |
Added in |
|---|---|---|---|
AES |
VAES-AVX2 AES-NI SSSE3 |
|
3.6.0 1.9.3 1.9.10 |
AES-GCM |
AVX-512 + CLMUL CLMUL SSSE3 |
|
3.11.0 1.11.6 1.9.10 |
Argon2 |
AVX-512 AVX2 SSSE3 |
|
3.11.1 3.0.0 2.19.2 |
ARIA |
AVX-512 + GFNI AES-NI |
|
3.11.0 3.11.1 |
Camellia |
AVX-512 + GFNI AVX2 + GFNI AES-NI |
|
3.11.0 3.9.0 3.11.1 |
ChaCha |
AVX-512 AVX2 SSSE3 |
|
3.1.0 2.8.0 1.11.32 |
CTR |
AVX2 SSSE3 |
|
3.11.1 3.11.1 |
IDEA |
AVX2 SSE2 |
|
3.11.0 1.9.4 |
NOEKEON |
SSSE3 |
|
1.9.4 |
Poly1305 |
AVX-512 AVX2 |
|
3.11.0 3.11.0 |
RDRAND |
RDRAND |
|
1.11.31 |
RDSEED |
RDSEED |
|
1.11.36 |
SEED |
AVX-512 + GFNI AES-NI |
|
3.11.1 3.11.1 |
Serpent |
AVX-512 AVX2 SSSE3 |
|
3.1.0 2.8.0 1.9.0 |
SHACAL2 |
Intel SHA Extensions AVX-512 AVX2 |
|
2.3.0 3.9.0 2.13.0 |
SHA-1 |
Intel SHA Extensions AVX2 + BMI2 SSSE3 |
|
2.2.0 3.9.0 1.7.12 |
SHA-256 |
Intel SHA Extensions AVX2 + BMI2 SSSE3 |
|
2.2.0 3.8.0 3.8.0 |
SHA-512 |
Intel SHA Extensions AVX-512 + BMI2 AVX2 + BMI2 |
|
3.8.0 3.8.0 3.8.0 |
SHA-3 / SHAKE / KMAC |
BMI2 AVX-512 |
|
2.10.0 3.11.0 |
SM3 |
AVX2 + BMI2 SM3-NI |
|
3.11.0 3.11.0 |
SM4 |
AVX-512 + GFNI AVX2 + GFNI SM4-NI AES-NI |
|
3.11.0 3.6.0 3.8.0 3.11.1 |
Twofish |
AVX-512 + GFNI |
|
3.11.1 |
Whirlpool |
AVX-512 AVX2 |
|
3.11.1 3.11.1 |
XTS |
AVX-512 + CLMUL |
|
3.11.0 |
ZFEC |
SSSE3 |
|
3.0.0 |
ARM¶
On ARM platforms, the following CPU specific optimizations are available.
Note
The ARMv8 cryptography extensions are only used on 64-bit aarch64 systems
Algorithm |
Extension |
Module |
Added in |
|---|---|---|---|
AES |
ARMv8 Cryptography Extensions NEON |
|
2.3.0 2.12.0 |
AES-GCM |
ARMv8 Cryptography Extensions |
|
2.3.0 |
ARIA |
ARMv8 Cryptography Extensions |
|
3.11.1 |
Camellia |
ARMv8 Cryptography Extensions |
|
3.11.1 |
ChaCha |
NEON |
|
2.8.0 |
NOEKEON |
NEON |
|
1.9.4 |
SEED |
ARMv8 Cryptography Extensions |
|
3.11.1 |
Serpent |
NEON |
|
1.9.2 |
SHACAL2 |
NEON ARMv8 Cryptography Extensions |
|
2.3.0 2.13.0 |
SHA-1 |
ARMv8 Cryptography Extensions NEON |
|
2.2.0 3.8.0 |
SHA-256 |
ARMv8 Cryptography Extensions NEON |
|
2.2.0 3.8.0 |
SHA-384 |
ARMv8 Cryptography Extensions |
|
3.3.0 |
SHA-512 |
ARMv8 Cryptography Extensions |
|
3.3.0 |
SM3 |
ARMv8 Cryptography Extensions |
|
3.11.0 |
SM4 |
ARMv8 Cryptography Extensions ARMv8 Cryptography Extensions |
|
2.8.0 3.11.1 |
ZFEC |
NEON |
|
3.0.0 |
POWER/PowerPC¶
On 64-bit POWER/PowerPC platforms, the following CPU specific optimizations are available:
Algorithm |
Extension |
Module |
Added in |
|---|---|---|---|
AES |
POWER8/POWER9 AltiVec |
|
2.14.0 2.12.0 |
ChaCha |
AltiVec |
|
2.8.0 |
DARN |
POWER9 |
|
2.15.0 |
Serpent |
AltiVec |
|
1.9.2 |
SHACAL2 |
AltiVec |
|
2.3.0 |
NOEKEON |
AltiVec |
|
1.9.4 |
Loongarch64¶
On loongarch64, the LSX extensions are used.
Note
Loongarch64 apparently supports a “crypto” extension, for which hwcaps exist for Linux, and there are shipping processors which do support these extensions. However no documentation has been so far located. If you are aware of any such documentation please do contact the maintainers.
Algorithm |
Extension |
Module |
Added in |
|---|---|---|---|
AES |
LSX |
|
3.8.0 |
ChaCha |
LSX |
|
3.8.0 |
Serpent |
LSX |
|
3.8.0 |
SHA-1 |
LSX |
|
3.8.0 |
SHACAL2 |
LSX |
|
3.8.0 |
NOEKEON |
LSX |
|
3.8.0 |
ZFEC |
LSX |
|
3.8.0 |
Wasm¶
On Wasm, the SIMD128 extension is used.
Note
To make use of SIMD128, ``simd128 compilation flag is required.
Algorithm |
Extension |
Module |
Added in |
|---|---|---|---|
AES |
SIMD128 |
|
3.11.0 |
AES-GCM |
SIMD128 |
|
3.11.0 |
Argon2 |
SIMD128 |
|
3.11.0 |
ChaCha |
SIMD128 |
|
3.11.0 |
Serpent |
SIMD128 |
|
3.11.0 |
SHA-1 |
SIMD128 |
|
3.11.0 |
SHA-256 |
SIMD128 |
|
3.11.0 |
SHACAL2 |
SIMD128 |
|
3.11.0 |
NOEKEON |
SIMD128 |
|
3.11.0 |
ZFEC |
SIMD128 |
|
3.11.0 |
Configuring Acceleration¶
If it is desirable to avoid using some form of acceleration, this can be accomplished
at build time by using --disable-modules=. For instance, to remove support
of ARMv8 intrinsics for AES, use --disable-modules=aes_armv8. Note that this is rarely
if ever required; if support for the CPU extension is not available at runtime then the
code using that extension will simply be skipped over. The only reason to do this is when
the code is being deployed to a fixed target (eg the specific board used in your product)
and you know that target does not support such an extension, and you wish to minimize code size.
It is also possible to disable acceleration at runtime using
BOTAN_CLEAR_CPUID environment variable. This is the preferred
mode of disabling acceleration.