Table 313. Gcm Last Block Definition - ST STM32G4 Series Reference Manual

RM0440
The message has the following structure:
•
16-byte initial counter block (ICB), composed of two distinct fields:
–
–
•
Authenticated header AAD (also knows as additional authentication data) has a
known length Len(A) that may be a non-multiple of 16 bytes, and must not exceed
64
2
•
Plaintext message P is both authenticated and encrypted as ciphertext C, with a
known length Len(P) that may be non-multiple of 16 bytes, and cannot exceed 2
128-bit blocks.
•
Last block contains the AAD header length (bits [32:63]) and the payload length (bits
[96:127]) information, as shown in
The GCM standard specifies that ciphertext C has the same bit length as the plaintext P.
When a part of the message (AAD or P) has a length that is a non-multiple of 16-bytes a
special padding scheme is required.
Endianness Bit[0] ---------- Bit[31]
Input data
Initialization vector (IV): a 96-bit value that must be unique for each encryption
cycle with a given key. Note that the GCM standard supports IVs with less than 96
bits, but in this case strict rules apply.
Counter: a 32-bit big-endian integer that is incremented each time a block
processing is completed. According to NIST specification, the counter value is 0x2
when processing the first block of payload.
– 1 bits. This part of the message is only authenticated, not encrypted.

Table 313. GCM last block definition

Bit[32]---------- Bit[63]
0x0 AAD length[31:0]
Table 313.
Bit[64] -------- Bit[95]
RM0440 Rev 1
AES hardware accelerator (AES)
Bit[96] --------- Bit[127]
0x0 Payload length[31:0]
32
- 2
1465/2083
1497