Figure 179. 32-Bit Counter + Nonce Organization; Galois Counter Mode (Gcm) - ST STM32L4x6 Reference Manual

Advanced encryption standard hardware accelerator (AES)
The nonce value and 32-bit counter are accessible through the AES_IVRx register and
organized as shown in Figure 179.
In counter mode, the counter is incremented from its initialized value for each block
processed, which guarantees a unique sequence that is not repeated for a long time. The
counter is 32 bits wide: only the 32-bit LSB of the 128-bit initialization vector register
represents the counter, while the nonce keeps the initialized value that was stored when
the AES was disabled. In contrast to CBC mode (which uses the AES_IVRx registers only
once, when processing the first data block), counter mode uses the AES_IVRx registers
for processing each data block.
In counter mode, key derivation + decryption mode is not applicable.
Note:
The AES_IVRx register has to be written only when the AES is disabled (bit EN = 0) to
guarantee good AES behavior.
Reading it while AES is enabled returns the value 0x00000000.
Reading it while the AES is disabled returns the latest counter value (useful for managing
suspend mode).
In CTR mode, key derivation + decryption serves no purpose. Consequently, it is forbidden
to set MODE[1:0] = 11 in the AES_CR register, and any attempt to set this configuration is
forced to MODE[1:0] = 10 (which corresponds to CTR mode decryption). This uses the
encryption block of the AES processor to decipher the message, as shown in Figure 178.
Suspend mode in CTR mode
As in CBC mode, it is possible to interrupt a message, send a higher-priority message, and
then resume the message that was interrupted. Refer to Figure 176 and Section 25.5.2 for
more details about the suspend mode capability.
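
An added example (not from the reference manual or ST's code) that models the nonce + 32-bit counter layout in software to check what the text above implies: a message must stay within 2^32 blocks per nonce, the counter to reload when resuming, and whether an interleaved higher-priority message would reuse a (nonce, counter) pair under the same key. The names ctr_iv_t, ctr_len_ok, ctr_resume_iv and ctr_keystream_collides are hypothetical, and placing the counter in w[0] is an assumption to check against Figure 179.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define CTR_MAX_BLOCKS (1ULL << 32)   /* 32-bit counter: 2^32 blocks per nonce */

/* Software model of the 128-bit IV: w[0] is the 32-bit LSB (counter),
 * w[1..3] hold the 96-bit nonce. The word order is an assumption. */
typedef struct { uint32_t w[4]; } ctr_iv_t;

/* Blocks needed for len bytes (16-byte AES blocks, last one may be partial). */
static uint64_t ctr_blocks(uint64_t len) { return len / 16 + (len % 16 != 0); }

/* A message fits under one nonce only if the counter never repeats. */
bool ctr_len_ok(uint64_t len) { return ctr_blocks(len) <= CTR_MAX_BLOCKS; }

/* IV to reload when resuming after blocks_done blocks: nonce unchanged,
 * counter advanced modulo 2^32. */
ctr_iv_t ctr_resume_iv(ctr_iv_t start, uint64_t blocks_done)
{
    ctr_iv_t iv = start;
    iv.w[0] = (uint32_t)(start.w[0] + blocks_done);
    return iv;
}

/* True if two messages under the same key would share a (nonce, counter)
 * pair, i.e. reuse keystream. Ranges are compared on the mod-2^32 circle. */
bool ctr_keystream_collides(ctr_iv_t a, uint64_t len_a, ctr_iv_t b, uint64_t len_b)
{
    uint64_t na = ctr_blocks(len_a), nb = ctr_blocks(len_b);
    if (na == 0 || nb == 0) return false;
    if (memcmp(&a.w[1], &b.w[1], 3 * sizeof(uint32_t)) != 0) return false;
    uint32_t a_to_b = b.w[0] - a.w[0];   /* distance from a's start to b's start */
    uint32_t b_to_a = a.w[0] - b.w[0];   /* distance from b's start to a's start */
    return a_to_b < na || b_to_a < nb;
}

int main(void)
{
    /* Constructed sample values, not taken from the manual. */
    ctr_iv_t a = { { 0xFFFFFFFEu, 0x11111111u, 0x22222222u, 0x33333333u } };
    ctr_iv_t r = ctr_resume_iv(a, 3);      /* counter wraps to 0x00000001 */
    ctr_iv_t b = a;
    b.w[0] = 0x00000000u;                  /* second message, same nonce */
    return !(r.w[0] == 1u && ctr_keystream_collides(a, 64, b, 16));
}
```
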

25.6 Galois counter mode (GCM)

GCM allows encrypting and authenticating the plaintext, generating the corresponding
ciphertext and the TAG (also known as message authentication code or message integrity
check). It is based on AES in counter mode for confidentiality, and it uses a multiplier over a
fixed finite field for generating the TAG. It requires an initialization vector at the beginning.
The message to process can be split into two different portions:
The first is authenticated only (the header of the message),
The second is authenticated and encrypted (the payload).
The header part must precede the payload, and the two portions cannot be mixed. The GCM
standard requires passing, at the end of the message, a particular 128-bit block composed by
Figure 179. 32-bit counter + nonce organization

DocID024597 Rev 3
RM0351