50.4.4.3 GCM Processing

GCM processing is made up of three phases:

  1. Processing the Additional Authenticated Data (AAD), hash computation only.
  2. Processing the Ciphertext (C), hash computation + ciphering/deciphering.
  3. Generating the Tag using length of AAD, length of C and J0 (refer to NIST documentation for details).

The Tag generation can be done either automatically, after the end of AAD/C processing if AES_MR.GTAGEN is set, or manually using AES_GHASHRx.GHASH (see subsections Processing a Complete Message with Tag Generation and Manual GCM Tag Generation for details).