The x86 ISA allow me to use AES-NI instructions to encrypt/decrypt all 4 steps of a round together, or only 3 of them for the last round.
The only step that also has a separate instruction is InvMixColumn Transformation (AESIMC).
Why is that? On which conditions should I use this instruction separately from AESDEC / AESDECLAST ?
You apply the instruction on the key when you do AES-192 (FIPS 197). Say you have your key in registers xmm2 to xmm14, something like this:
aesimc xmm2, xmm2
aesimc xmm3, xmm3
aesimc xmm4, xmm4
...
aesimc xmm13, xmm13
aesimc xmm14, xmm14
This happens before the aesdec. The instructions could also be intermiggled, as long as the aesimc happens on a register before it gets used with the decryption instruction:
aesimc xmm14, xmm14
aesdec xmm1, xmm14
aesimc xmm13, xmm13
aesdec xmm1, xmm13
...
However, it is probably faster to do it all at once first since that way the registers are readily available for the aesdec instructions.
FYI, the instruction documentation says:
Note: the AESIMC instruction should be applied to the expanded AES round keys (except for the first and last round key) in order to prepare them for decryption using the “Equivalent Inverse Cipher” (defined in FIPS 197).
Source: http://www.intel.com/content/dam/www/public/us/en/documents/white-papers/aes-instructions-set-white-paper.pdf (search for the chapter "Code Examples").
