Processing a Fragmented Message without Tag Generation

If needed, a message can be processed by fragments, in such case automatic GCM Tag generation is not supported.

To process a message by fragments, the sequence is as follows:

  1. 1.Set AES_MR.OPMOD to GCM and AES_MR.GTAGEN to ‘0’.
  2. 2.Set the AES Key Register and wait for AES_ISR.DATRDY to be set (GCM hash subkey generation complete); use interrupt if needed. After the GCM hash subkey generation is complete the GCM hash subkey can be read or overwritten with specific value in AES_GCMHRx. See Key Writing and Automatic Hash Subkey Calculation.
  3. 3.Calculate the J0 value as described in NIST documentation J0 = IV || 031 || 1 when len(IV) = 96 and J0 = GHASHH(IV || 0s+64 || [len(IV)]64) if len(IV) ≠ 96. See Processing a Message with only AAD (GHASHH) for J0 generation example when len(IV) ≠ 96.
  4. 4.Set AES_IVRx.IV with inc32(J0) (J0 + 1 on 32 bits).
  5. 5.Configure AES_AADLENR.AADLEN and AES_CLENR.CLEN according to the length of the first fragment, or set the fields with the full message length (both configurations work).
  6. 6.Fill AES_IDATARx.IDATA with the first fragment of the message to process (aligned on 16-byte boundary) according to the SMOD configuration used. If Manual Mode or Auto Mode is used the DATRDY bit indicates when the data have been processed (however, no output data are generated when processing AAD).
  7. 7.Make sure the last output data have been read if the fragment ends in C phase (or wait for DATRDY if the fragment ends in AAD phase), then read AES_GHASHRx.GHASH to obtain the value of the hash after the last processed data and finally read AES_CTR.CTR to obtain the value of the CTR encryption counter (not needed when the fragment ends in AAD phase).
  1. 1.Set AES_MR.OPMOD to GCM and AES_MR.GTAGEN to ‘0’.
  2. 2.Set the AES Key Register and wait until AES_ISR.DATRDY is set (GCM hash subkey generation complete); use interrupt if needed. After the GCM hash subkey generation is complete the GCM hash subkey can be read or overwritten with specific value in AES_GCMHRx. See Key Writing and Automatic Hash Subkey Calculation.
  3. 3.Set AES_IVRx.IV as follows:
    • If the first block of the fragment is a block of Additional Authenticated data, set AES_IVRx.IV with the J0 initial value
    • If the first block of the fragment is a block of Plaintext data, set AES_IVRx.IV with a value constructed as follows: ‘LSB96(J0) || CTR’ value, (96 bit LSB of J0 concatenated with saved CTR value from previous fragment).
  4. 4.Configure AES_AADLENR.AADLEN and AES_CLENR.CLEN according to the length of the current fragment, or set the fields with the remaining message length, both configurations work.
  5. 5.Fill AES_GHASHRx.GHASH with the value stored after the previous fragment.
  6. 6.Fill AES_IDATARx.IDATA with the current fragment of the message to process (aligned on 16 byte boundary) according to the SMOD configuration used. If Manual Mode or Auto Mode is used, the DATRDY bit indicates when the data have been processed (however, no output data are generated when processing AAD).
  7. 7.Make sure the last output data have been read if the fragment ends in C phase (or wait for DATRDY if the fragment ends in AAD phase), then read AES_GHASHRx.GHASH to obtain the value of the hash after the last processed data and finally read AES_CTR.CTR to obtain the value of the CTR encryption counter (not needed when the fragment ends in AAD phase).
Note: Step 1 and 2 are required only if the value of the concerned registers has been modified.

Once the last fragment has been processed, the GHASH value will allow manual generation of the GCM tag. See Manual GCM Tag Generation.

Parent topic: GCM Processing