RM0090: Reference manual - STMicroelectronics

RM0090 Cryptographic processor (CRYP)
Figure 212. AES-CTR mode decryption
AHB2 data write
(before CRYP
is enabled)
+1
K0...3
(I + 1) is written
back into IV
at same time
than P is pushed
in OUT FIFO
128, 192
or 256
DATATYPE
IV0...1(L/R)
AEA, encrypt
DATATYPE
IN FIFO
ciphertext P
C, 128 bits
swapping
I, 128 bits
O, 128 bits
OUT FIFO
plaintext C
Ps, 128 bits
1. K: key; C: cipher text; I: input Block; o: output block; Ps: plain text before swapping (when decoding) or
after swapping (when encoding); Cs: cipher text after swapping (when decoding) or before swapping (when
encoding); P: plain text; IV: Initialization vectors.
Figure 213 shows the structure of the IV block as defined by the standard [2]. It is composed
of three distinct fields.
Figure 213. Initial counter block structure for the Counter mode
● Nonce is a 32-bit, single-use value. A new nonce should be assigned to each different
communication.
● The initialization vector (IV) is a 64-bit value and the standard specifies that the
encryptor must choose IV so as to ensure that a given value is used only once for a
given key
● The counter is a 32-bit big-endian integer that is incremented each time a block has
been encrypted. The initial value of the counter should be set to ‘1’.
The block increments the least significant 32 bits, while it leaves the other (most significant)
96 bits unchanged.
+
Cs, 128 bits
swapping
P, 128 bits
Nonce 32 bits
Initialization vector (IV)
64 bits
Counter 32 bits
ai16074
MS19025V1
Doc ID 018909 Rev 3 558/1416