RM0090: Reference manual - STMicroelectronics

Cryptographic processor (CRYP) RM0090
AES Galois/counter mode (GCM)
The AES Galois/counter mode (GCM) allows encrypting and authenticating the plaintext,
and generating the correspondent ciphertext and tag (also known as message
authentication code or message integrity check). This algorithm is based on AES counter
mode to ensure confidentiality. It uses a multiplier over a fixed finite field to generate the tag.
An initialization vector is required at the beginning of the algorithm.
The message to be processed is split into 2 parts:
● The header (also knows as additional authentication data): data which is authenticated
but no protected (such as information for routing the packet)
● The payload (also knows as plaintext or ciphertext): the message itself which is
authenticated and encrypted.
Note: The header must precede the payload and the two parts cannot be mixed together.
The GCM standard requires to pass, at the end of the message, a specific 128-bit block
composed of the size of the header (64 bits) and the size of the payload (64 bits). During the
computation, the header blocks must be distinguished from the payload blocks.
559/1416 Doc ID 018909 Rev 3