RM0440 Rev 4
AES hardware accelerator (AES)

Figure 519. Message construction in GCM
[Figure labels: 16-byte boundaries; 4-byte boundaries; ICB (initialization vector (IV), counter); additional authenticated data (AAD), Len(A); plaintext (P); authenticated & encrypted ciphertext (C), Len(P) = Len(C); last block ([Len(A)]64, [Len(C)]64); authentication tag (T); zero padding / zeroed bits]

The message has the following structure:
• 16-byte initial counter block (ICB), composed of two distinct fields:
  – Initialization vector (IV): a 96-bit value that must be unique for each encryption cycle with a given key. Note that the GCM standard supports IVs with less than 96 bits, but in this case strict rules apply.
  – Counter: a 32-bit big-endian integer that is incremented each time a block processing is completed. According to NIST specification, the counter value is 0x2 when processing the first block of payload.
• Authenticated header AAD (also known as additional authentication data) has a known length Len(A) that may be a non-multiple of 16 bytes, and must not exceed 2^64 - 1 bits. This part of the message is only authenticated, not encrypted.
• Plaintext message P is both authenticated and encrypted as ciphertext C, with a known length Len(P) that may be a non-multiple of 16 bytes, and cannot exceed 2^32 - 2 128-bit blocks.
• Last block contains the AAD header length (bits [32:63]) and the payload length (bits [96:127]) information, as shown in Table 320.

The GCM standard specifies that ciphertext C has the same bit length as the plaintext P.
When a part of the message (AAD or P) has a length that is a non-multiple of 16 bytes, a special padding scheme is required.

Table 320. GCM last block definition

| Endianness | Bit[0] ... Bit[31] | Bit[32] ... Bit[63] | Bit[64] ... Bit[95] | Bit[96] ... Bit[127] |
|------------|--------------------|---------------------|---------------------|----------------------|
| Input data | 0x0                | AAD length[31:0]    | 0x0                 | Payload length[31:0] |
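The ICB and last-block layouts described above, as an added example (not code from RM0440 or from ST): it builds both blocks as byte arrays in GCM order, assuming bit 0 in Table 320 is the most significant bit and that the two length fields carry bit lengths, as in the GCM standard. The function names are hypothetical and nothing here touches the AES peripheral registers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GCM_BLOCK_LEN 16u
#define GCM_IV_LEN    12u   /* 96-bit IV */

/* Store a 32-bit value big-endian. */
static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* ICB = 96-bit IV || 32-bit big-endian counter (0x2 for the first payload block). */
int gcm_build_icb(uint8_t icb[GCM_BLOCK_LEN], const uint8_t *iv, size_t iv_len, uint32_t counter)
{
    if (iv == NULL || iv_len != GCM_IV_LEN)
        return -1;          /* other IV lengths fall under the standard's stricter rules */
    memcpy(icb, iv, GCM_IV_LEN);
    put_be32(icb + GCM_IV_LEN, counter);
    return 0;
}

/* Last block: bits [32:63] = AAD length, bits [96:127] = payload length, rest zero.
 * Lengths are passed in bytes and stored in bits (assumption: GCM standard units). */
int gcm_build_last_block(uint8_t blk[GCM_BLOCK_LEN], size_t aad_bytes, size_t payload_bytes)
{
    if (aad_bytes > UINT32_MAX / 8u || payload_bytes > UINT32_MAX / 8u)
        return -1;          /* bit length would not fit the 32-bit field */
    memset(blk, 0, GCM_BLOCK_LEN);
    put_be32(blk + 4, (uint32_t)(aad_bytes * 8u));
    put_be32(blk + 12, (uint32_t)(payload_bytes * 8u));
    return 0;
}

int main(void)
{
    uint8_t blk[GCM_BLOCK_LEN];
    /* Constructed sample lengths: 20-byte AAD, 60-byte payload. */
    if (gcm_build_last_block(blk, 20, 60) != 0) return 1;
    for (size_t i = 0; i < GCM_BLOCK_LEN; i++) printf("%02x", blk[i]);
    printf("\n");
    return 0;
}
```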