SAM4CP [DATASHEET]
43051E–ATPL–08/14
3. Calculate the $J_0$ value as described in NIST documentation: $J_0 = IV \,\|\, 0^{31} \,\|\, 1$ when $\mathrm{len}(IV) = 96$ and
   $J_0 = \mathrm{GHASH}_H(IV \,\|\, 0^{s+64} \,\|\, [\mathrm{len}(IV)]_{64})$ if $\mathrm{len}(IV) \neq 96$. See
   Section 41.4.5.3.5 "Processing a Message with only AAD ($\mathrm{GHASH}_H$)" for $J_0$ generation example when
   $\mathrm{len}(IV) \neq 96$.
4. Set IV in AES_IVRx registers with inc32($J_0$) ($J_0$ + 1 on 32 bits).
5. Set AADLEN field in AES_AADLENR and CLEN field in AES_CLENR.
6. Fill the IDATA field of AES_IDATARx with the message to process according to the SMOD configuration used. If
   Manual Mode or Auto Mode is used, the DATRDY bit indicates when the data have been processed (however, no
   output data are generated when processing AAD).
7. Make sure the last output data have been read if CLEN ≠ 0 (or wait for DATRDY), then read the GHASH field of
   AES_GHASHRx to obtain the hash value after the last processed data.
41.4.5.3.3 Processing a Fragmented Message without Tag Generation
If needed, a message can be processed by fragments; in that case, automatic GCM TAG generation is not supported.
To process a message by fragments, perform the following steps:
First fragment:
1. In AES_MR set OPMOD to GCM and GTAGEN to ‘0’ (configuration as usual for the rest).
2. Set KEYW in AES_KEYWRx and wait for DATRDY bit of AES_ISR to be set (GCM hash subkey generation
   complete), use interrupt if needed. After the GCM hash subkey generation is complete the GCM hash subkey can be
   read or overwritten with specific value in the AES_GCMHRx (see Section 41.4.5.2 "Key Writing and
   Automatic Hash Subkey Calculation" for details).
3. Calculate the $J_0$ value as described in NIST documentation: $J_0 = IV \,\|\, 0^{31} \,\|\, 1$ when $\mathrm{len}(IV) = 96$ and
   $J_0 = \mathrm{GHASH}_H(IV \,\|\, 0^{s+64} \,\|\, [\mathrm{len}(IV)]_{64})$ if $\mathrm{len}(IV) \neq 96$. See
   Section 41.4.5.3.5 "Processing a Message with only AAD ($\mathrm{GHASH}_H$)" for $J_0$ generation example when
   $\mathrm{len}(IV) \neq 96$.
4. Set IV in AES_IVRx registers with inc32($J_0$) ($J_0$ + 1 on 32 bits).
5. Set AADLEN field in AES_AADLENR and CLEN field in AES_CLENR according to the length of the first fragment,
   or set the fields with the full message length, both configurations work.
6. Fill the IDATA field of AES_IDATARx with the first fragment of the message to process (aligned on 16-byte
   boundary) according to the SMOD configuration used. If Manual Mode or Auto Mode is used the DATRDY bit
   indicates when the data have been processed (however, no output data are generated when processing AAD).
7. Make sure the last output data have been read if the fragment ends in C phase (or wait for DATRDY if the fragment
   ends in AAD phase), then read the GHASH field of AES_GHASHRx to obtain the value of the hash after the last
   processed data and finally read the CTR field of the AES_CTR to obtain the value of the CTR encryption counter
   (not needed when the fragment ends in AAD phase).
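The J0 calculation and the inc32(J0) value written to AES_IVRx in the steps above, as an added C example that is not code from the datasheet. The function names are hypothetical, the IV is assumed to be a whole number of bytes, and the hash subkey `h` is assumed to have been read back from AES_GCMHRx after the key write.

```c
#include <stdint.h>
#include <string.h>

/* One GHASH step: y = (y XOR blk) * h in GF(2^128). Bit order follows NIST
 * SP 800-38D: bit 0 is the MSB of byte 0, R = 11100001 || 0^120. */
static void ghash_step(uint8_t y[16], const uint8_t blk[16], const uint8_t h[16])
{
    uint8_t x[16], v[16];
    for (int j = 0; j < 16; j++) x[j] = (uint8_t)(y[j] ^ blk[j]);
    memcpy(v, h, 16);
    memset(y, 0, 16);
    for (int i = 0; i < 128; i++) {
        if (x[i / 8] & (0x80u >> (i % 8)))           /* bit i of x set: Z ^= V */
            for (int j = 0; j < 16; j++) y[j] ^= v[j];
        int lsb = v[15] & 1;
        for (int j = 15; j > 0; j--)                 /* V >>= 1 across bytes */
            v[j] = (uint8_t)((v[j] >> 1) | (v[j - 1] << 7));
        v[0] >>= 1;
        if (lsb) v[0] ^= 0xE1;                       /* reduce by R */
    }
}

/* J0 for an IV of iv_len whole bytes (assumption: byte-granular IV).
 * h is the GCM hash subkey, assumed read from AES_GCMHRx beforehand. */
void gcm_j0(const uint8_t *iv, size_t iv_len, const uint8_t h[16], uint8_t j0[16])
{
    uint8_t blk[16];
    memset(j0, 0, 16);
    if (iv_len == 12) {                              /* len(IV) = 96: IV || 0^31 || 1 */
        memcpy(j0, iv, 12);
        j0[15] = 1;
        return;
    }
    for (size_t off = 0; off < iv_len; off += 16) {  /* IV || 0^s, block by block */
        size_t n = iv_len - off < 16 ? iv_len - off : 16;
        memset(blk, 0, 16);
        memcpy(blk, iv + off, n);
        ghash_step(j0, blk, h);
    }
    memset(blk, 0, 16);                              /* 0^64 || [len(IV)]_64 */
    for (int j = 0; j < 8; j++) blk[15 - j] = (uint8_t)(((uint64_t)iv_len * 8) >> (8 * j));
    ghash_step(j0, blk, h);
}

/* inc32: add 1 to the rightmost 32 bits only, wrapping modulo 2^32. */
void gcm_inc32(uint8_t b[16])
{
    for (int j = 15; j >= 12; j--)
        if (++b[j] != 0) break;
}
```

The result of `gcm_inc32` applied to J0 is the 128-bit value loaded into AES_IVRx; J0 itself must be kept, since later fragments that start in the AAD phase reload it.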
Next fragment (or last fragment):
1. In AES_MR set OPMOD to GCM and GTAGEN to ‘0’ (configuration as usual for the rest).
2. Set KEYW in AES_KEYWRx and wait until DATRDY bit of AES_ISR is set (GCM hash subkey generation
   complete), use interrupt if needed. After the GCM hash subkey generation is complete the GCM hash subkey can be
   read or overwritten with specific value in the AES_GCMHRx (see Section 41.4.5.2 "Key Writing and
   Automatic Hash Subkey Calculation" for details).
3. Set IV in AES_IVRx with:
   - If the first block of the fragment is a block of Additional Authenticated data, set IV in AES_IVRx with the
     $J_0$ initial value.
   - If the first block of the fragment is a block of Plaintext data, set IV in AES_IVRx with a value constructed as
     follows: ‘$\mathrm{LSB}_{96}(J_0) \,\|\, CTR$’ value, (96 bit LSB of $J_0$ concatenated with saved CTR value from previous
     fragment).
4. Set AADLEN field in AES_AADLENR and CLEN field in AES_CLENR according to the length of the current
   fragment, or set the fields with the remaining message length, both configurations work.
5. Fill the GHASH field of AES_GHASHRx with the value stored after the previous fragment.