Table of Contents
Advertisement
RM0444
Legend
input
output
XOR
In CTR mode, the cryptographic core output (also called keystream) Ox is XOR-ed with
relevant input block (Px' for encryption, Cx' for decryption), to produce the correct output
block (Cx' for encryption, Px' for decryption). Initialization vectors in AES must be initialized
as shown in
AES_IVR3[31:0]
Nonce[31:0]
Unlike in CBC mode that uses the AES_IVRx registers only once when processing the first
data block, in CTR mode AES_IVRx registers are used for processing each data block, and
the AES peripheral increments the counter bits of the initialization vector (leaving the nonce
bits unchanged).
CTR decryption does not differ from CTR encryption, since the core always encrypts the
current counter block to produce the key stream that is then XOR-ed with the plaintext (CTR
encryption) or ciphertext (CTR decryption) input. In CTR mode, the MODE[1:0] bitfield
setting 01 (key derivation) is forbidden and all the other settings default to encryption mode.
The sequence of events to perform an encryption or a decryption in CTR chaining mode:
1.
Ensure that AES is disabled (the EN bit of the AES_CR must be 0).
2.
Select CTR chaining mode by setting to 010 the CHMOD[2:0] bitfield of the AES_CR
register. Set MODE[1:0] bitfield to any value other than 01.
3.
Initialize the AES_KEYRx registers, and load the AES_IVRx registers as described in
Table
4.
Set the EN bit of the AES_CR register, to start encrypting the current counter (EN is
automatically reset when the calculation finishes).
5.
If it is the last block, pad the data with zeros to have a complete block, if needed.
6.
Append data in AES, and read the result. The three possible scenarios are described in
Section 20.4.4: AES procedure to perform a cipher
7.
Repeat the previous step till the second-last block is processed. For the last block,
apply the two previous steps and discard the bits that are not part of the payload (if the
size of the significant data in the last input block is less than 16 bytes).
Figure 91. CTR decryption
Nonce + 32-bit counter
AES_KEYRx (KEY)
AES_DINR (ciphertext C1)
DATATYPE[1:0]
Swap
management
DATATYPE[1:0]
AES_DOUTR (plaintext P1)
Table
103.
Table 103. CTR mode initialization vector definition
AES_IVR2[31:0]
Nonce[63:32]
103.
Block 1
AES_IVRx
increment (+1)
I1
AES_KEYRx (KEY)
Encrypt
AES_DINR (ciphertext C2)
O1
C1'
P1'
Swap
management
AES_IVR1[31:0]
Nonce[95:64]
RM0444 Rev 5
AES hardware accelerator (AES)
Block 2
AES_IVRx
Nonce + 32-bit counter (+1)
Counter
Encrypt
DATATYPE[1:0]
Swap
management
C2'
Swap
DATATYPE[1:0]
management
AES_DOUTR (plaintext P2)
AES_IVR0[31:0]
32-bit counter = 0x0001
operation.
I2
O2
P2'
MSv18942V2
491/1390
522
- Quick Links:
- Memory Organization
Hide quick links:
Advertisement
Table of Contents
Need help?
Do you have a question about the STM32G0 1 Series and is the answer not in the manual?
Questions and answers