54.4.2 Operating Modes

The AES supports the following modes of operation:

  • ECB: Electronic Codebook
  • CBC: Cipher Block Chaining
    • CBC-MAC: Useful for CMAC hardware acceleration
  • OFB: Output Feedback
  • CFB: Cipher Feedback
    • CFB8 (CFB where the length of the data segment is 8 bits)
    • CFB16 (CFB where the length of the data segment is 16 bits)
    • CFB32 (CFB where the length of the data segment is 32 bits)
    • CFB64 (CFB where the length of the data segment is 64 bits)
    • CFB128 (CFB where the length of the data segment is 128 bits)
  • CTR: Counter
  • GCM: Galois/Counter Mode
  • XTS: XEX-based Tweaked-codebook Mode

Data pre-processing, data post-processing and data chaining for the concerned modes are performed automatically. Refer to the NIST Special Publication 800-38A and NIST Special Publication 800-38D for more complete information.

Mode selection is done by configuring AES_MR.OPMOD.

When switching from an operating mode requiring the initialization vectors (e.g. CBC, GCM) to another operating mode that does not require initialization vectors (e.g. ECB) and a message of one block has been processed, initialization vector registers (AES_IVRx) must be cleared before switching to the new mode.

In CFB mode, five data sizes are possible (8, 16, 32, 64 or 128 bits), configurable by means of AES_MR.CFBS.

In CTR mode, the size of the block counter embedded in the module is 16 bits. Therefore, there is a rollover after processing 1 Mbyte of data. If the file to be processed is greater than 1 Mbyte, it must be split into fragments of 1 Mbyte (or less for the first fragment, if the initial value of the counter is greater than 0). Prior to loading the first fragment into AES_IDATARx, AES_IVRx must be fully programmed with the initial counter value. For any fragment, after the transfer is completed and prior to transferring the next fragment, AES_IVRx must be programmed with the appropriate counter value.

If the initial value of the counter is greater than 0 and the data buffer size to be processed is greater than 1 Mbyte, the size of the first fragment to be processed must be 1 Mbyte minus 16 × (initial value) to prevent a rollover of the internal 16-bit counter.

To have a sequential increment, the counter value must be programmed with the value programmed for the previous fragment + 2^16 (or less for the first fragment).

All AES_IVRx fields must be programmed to take into account the possible carry propagation.
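
The fragmentation rule above, worked through as an added example (not code from this datasheet or a vendor driver): it plans fragment sizes and the counter block to load before each one, so the 16-bit counter never rolls over inside a fragment and repeats counter blocks under the same key. Assumptions: the counter block is handled as a 128-bit big-endian value whose last two bytes are the hardware counter; the names ctr_frag, ctr_add and ctr_plan are hypothetical, and writing the result into AES_IVRx is left to the caller.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define AES_BLOCK 16u
#define CTR_SPAN  0x10000u  /* blocks covered by the 16-bit hardware counter */

struct ctr_frag {
    size_t  off, len;   /* byte range of this fragment in the buffer */
    uint8_t iv[16];     /* counter block to load before the fragment */
};

/* Add n (<= 2^16) blocks to a 128-bit big-endian counter, carrying through every byte. */
static void ctr_add(uint8_t iv[16], uint32_t n)
{
    for (int i = 15; i >= 0 && n; i--) {
        n += iv[i];
        iv[i] = (uint8_t)n;
        n >>= 8;
    }
}

/* Plan fragments so the low 16 counter bits never roll over inside one.
 * Returns the fragment count, or -1 if out[] (max entries) is too small. */
int ctr_plan(const uint8_t iv0[16], size_t total, struct ctr_frag *out, int max)
{
    uint8_t iv[16];
    size_t off = 0;
    int n = 0;

    memcpy(iv, iv0, 16);
    while (off < total) {
        uint32_t low  = ((uint32_t)iv[14] << 8) | iv[15]; /* current 16-bit counter */
        uint32_t room = CTR_SPAN - low;                   /* blocks before rollover */
        size_t   cap  = (size_t)room * AES_BLOCK;         /* 1 Mbyte - 16 * low */
        if (n == max) return -1;
        out[n].off = off;
        out[n].len = (total - off < cap) ? total - off : cap;
        memcpy(out[n].iv, iv, 16);
        off += out[n++].len;
        ctr_add(iv, room);  /* next fragment starts on a 2^16 boundary */
    }
    return n;
}
```

With an initial counter of 0xFFF0 in the low 16 bits, the first fragment is only 16 blocks (256 bytes), and the carry out of the counter propagates into the upper bytes of the next counter block.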