AES hardware accelerator (AES)
GCM processing
Figure 518 describes the GCM implementation in the AES peripheral. The GCM is selected
by writing 011 to the CHMOD[2:0] bitfield of the AES_CR register.

Figure 518. GCM authenticated encryption
[Block diagram MSv42149V1, not reproduced. Phases: (1) Init, (2) Header, (3) Payload, (4) Final. Legend: input, output, XOR.
 (1) Init: AES_KEYRx (KEY), [0]128, Encrypt, H.
 (2) Header: AES_DINR (AAD 0 ... AAD i), Swap management DATATYPE[1:0], GF2mul, H.
 (3) Payload: Block 1 ... Block n; AES_IVRx, ICB + (32-bit counter = 0x02), CB1, Counter increment (+1), CBn; AES_KEYRx (KEY), Encrypt; AES_DINR (plaintext P1 ... Pn); AES_DOUTR (ciphertext C1 ... Cn); Swap management DATATYPE[1:0]; GF2mul, H.
 (4) Final: AES_DINR, Len(A)64 || Len(C)64; GF2mul, H, S; AES_IVRx (IV + 32-bit counter (= 0x0)); AES_KEYRx (key), Encrypt; AES_DOUTR (Authentication TAG T).]

The mechanism for the confidentiality of the plaintext in GCM mode is similar to that in the
Counter mode, with a particular increment function (denoted 32-bit increment) that
generates the sequence of input counter blocks.

AES_IVRx registers keeping the counter block of data are used for processing each data
block. The AES peripheral automatically increments the Counter[31:0] bitfield. The first
counter block (CB1) is derived from the initial counter block ICB by the application software
(see Table 314).

Table 314. GCM mode IVI bitfield initialization

Register     AES_IVR3[31:0]   AES_IVR2[31:0]   AES_IVR1[31:0]   AES_IVR0[31:0]
Input data   ICB[31:0]        ICB[63:32]       ICB[95:64]       Counter[31:0] = 0x2

Note:
In GCM mode, the settings 01 and 11 of the MODE[1:0] bitfield are forbidden.

RM0440 Rev 1
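A software model of the 32-bit increment and the Table 314 layout described above, added here as an example; it is not code from RM0440 or from ST's drivers. The function names, the sample IV and the byte order of the IV words (first IV byte in the most significant byte of AES_IVR3) are assumptions, and the length check applies the NIST SP 800-38D limit of 2^32 - 2 payload blocks per IV.

```c
#include <stdint.h>

/* Software model of the four AES_IVRx words that hold one counter block. */
typedef struct { uint32_t ivr3, ivr2, ivr1, ivr0; } gcm_cb_t;

/* Constructed sample 96-bit IV, for illustration only. */
static const uint8_t SAMPLE_IV[12] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05,
                                       0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B };

/* NIST SP 800-38D payload limit per (key, IV): 2^32 - 2 blocks of 128 bits. */
#define GCM_MAX_PAYLOAD_BLOCKS 0xFFFFFFFEu

static uint32_t load_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* CB1 laid out as in Table 314: IV words in AES_IVR3..AES_IVR1 and
 * Counter[31:0] = 0x2 in AES_IVR0. Assumption: the first IV byte is the
 * most significant byte of AES_IVR3. */
gcm_cb_t gcm_cb1_from_iv96(const uint8_t iv[12])
{
    gcm_cb_t cb = { load_be32(iv), load_be32(iv + 4), load_be32(iv + 8), 0x2u };
    return cb;
}

/* 32-bit increment: only Counter[31:0] changes; it wraps and never carries. */
gcm_cb_t gcm_inc32(gcm_cb_t cb)
{
    cb.ivr0 += 1u;
    return cb;
}

/* Counter block CBn for payload block n (n >= 1): CB1 incremented n-1 times. */
gcm_cb_t gcm_cb_for_block(const uint8_t iv[12], uint32_t n)
{
    gcm_cb_t cb = gcm_cb1_from_iv96(iv);
    cb.ivr0 += n - 1u;
    return cb;
}

/* Returns 1 when a payload of len bytes stays within the per-IV limit,
 * so the wrapping counter never revisits a value used under this IV. */
int gcm_payload_len_ok(uint64_t len)
{
    uint64_t blocks = len / 16u + (len % 16u != 0u);
    return blocks <= GCM_MAX_PAYLOAD_BLOCKS;
}
```

Because the increment wraps without carrying into the IV words, a payload longer than the limit would reuse counter blocks under the same key and IV; the length check is meant to run before the payload phase starts.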