Figure 223. Aes-Ecb Mode Decryption - ST STM32F405 Reference Manual

Cryptographic processor (CRYP)
1. K: key; C: cipher text; I: input block; O: output block; P: plain text.
2. If Key size = 128 => Key = [K3 K2].
If Key size = 192 => Key = [K3 K2 K1]
If Key size = 256 => Key = [K3 K2 K1 K0].
AES Cipher block chaining (AES-CBC) mode
•
AES-CBC mode encryption
The AES Cipher block chaining (AES-CBC) mode decryption is shown on
In AES-CBC encryption, the first input block (I
swapping (refer to
ORing the first plaintext data block (P
P ). The input block is processed through the AEA in the encrypt state using the 128-,
1
192- or 256-bit key (K0...K3). The resultant 128-bit output block (O
ciphertext (C
the second plaintext data block to produce the second input block, (I
Note that I
through the AEA to produce the second ciphertext block. This encryption process
continues to "chain" successive cipher and plaintext blocks together until the last
plaintext block in the message is encrypted. If the message does not consist of an
integral number of data blocks, then the final partial data block should be encrypted in a
manner specified for the application.
In the CBC mode, like in the ECB mode, the secret key must be prepared to perform an
AES decryption. Refer to
decryption on page 744
•
AES-CBC mode decryption
In AES-CBC decryption (see
directly as the input block (I
decrypt state using the 128-, 192- or 256-bit key. The resulting output block is
exclusive-ORed with the 128-bit initialization vector IV (which must be the same as that
used during encryption) to produce the first plaintext block (P
ciphertext block is then used as the next input block and is processed through the AEA.
The resulting output block is exclusive-ORed with the first ciphertext block to produce
the second plaintext data block (P
730/1749

Figure 223. AES-ECB mode decryption

DATATYPE
K 0...3 (1)
DATATYPE
Section 23.3.3: Data type on page
), that is, C = O . This first ciphertext block is then exclusive-ORed with
1 1 1
and P now refer to the second block. The second input block is processed
2 2
Section 23.3.6: Procedure to perform an encryption or a
for more details on how to prepare the key.
Figure
). The input block is processed through the AEA in the
1
RM0090 Rev 18
IN FIFO
ciphertext C
C, 128 bits
swapping
I, 128 bits
128/192
or 256
AEA, decrypt
O, 128 bits
swapping
P, 128 bits
OUT FIFO
plaintext P
) obtained after bit/byte/half-word
1
739) is formed by exclusive-
) with a 128-bit initialization vector IV (I
1
225), the first 128-bit ciphertext block (C
⊕ C
= O ). (Note that P
2 2 1
RM0090
MS19023V1
Figure
= IV ⊕
1
) is used directly as
1
) = (C ⊕ P
2 1
) is used
1
⊕ IV). The second
= O
1 1
and O refer to the second
2 2
224.
).
2