 Hello and welcome to this presentation of the STM32 Advanced Encryption Standard Hardware Accelerator, which is embedded in the devices of the STM32G0 access line with encryption, i.e. STM32G08X microcontrollers. It covers the features of the AES interface, which is widely used for cryptographic applications. The AES algorithm is a symmetric block cipher used to encrypt and decrypt information using a secret cryptographic key that is 128 or 256 bits long. Encryption converts data to an unintelligible format called ciphertext, while decrypting converts the ciphertext back to its original format called plaintext. The AES peripheral is a NIST FIPS 197 compliant implementation of the AES algorithm, more efficient than a software library in terms of processing time. The AES peripheral supports multiple chaining modes, protecting data confidentiality or data confidentiality with authenticity, depending on the mode. Encrypting plaintext data into ciphertext and inversely decrypting ciphertext into plaintext requires intensive computing, which represents a huge workload when done entirely by software. The AES hardware accelerator lightens the STM32G08X CPU's workload by performing encryption and decryption operations in the AES core. The AES block is an AHB slave. Either the CPU passes the data, key and initialization vector to the AES block by writing to memory mapped registers and gets the result by reading registers, or data movement can be insured by two DMA channels, one for writing data to the AES, the second to read the result. Software can suspend a message if the AES needs to process another message with a higher priority than resume the original message. The AES core is the unit in charge of processing data. Its logic supports 1, 8, 16 or 32-bit data swapping. Internal data paths are 128-bits wide for data and initialization values and 256-bits for keys. 128-bit keys are also supported. The AES encryption and decryption algorithms are suitable for a variety of applications such as secure networking routers, wireless communications, encrypted data storage including secure smart cards, secure video surveillance systems, secure electronic financial transactions, etc. The sender encrypts a plain text message using a secret key and the receiver decrypts the message using the same secret key. AES is therefore based on symmetric keys, the same key is used for both encryption and decryption. Appending a message authentication code to the ciphertext enables the receiver to confirm that the message has been originated by the expected sender. The AES block is capable of generating the MAC along with data encryption. The National Institute of Standards and Technology or NIST develops federal information processing standards or FIPS publications specifying cryptographic standards. Block cipher modes are useful when data to be encrypted has been stored in buffers. Stream cipher mode is useful to efficiently encrypt or decrypt data at bit level and not at block level. This mode does not require key scheduling. Authenticated modes are used to generate a message authentication code or MAC along with encrypted data if enabled. The AES features three modes of operation. Mode 1, plain text encryption. Mode 2, electronic code book, also referred as ECB or cipherblock chaining, also referred as CBC decryption key derivation. It must be used prior to selecting mode 3 with ECB or CBC chaining modes. Key derivation derives a new key based on the values stored in the AES key registers before enabling the AES accelerator. Mode 3, ciphertext decryption. AES keys are 128 or 256 bits long. Data swapping supports 1, 8, 16 or 32 bits swapping within 128 bit data blocks. The suspend and resume mechanism enables preemption depending on the priority of the message to handle. When managing messages of a size that's not a multiple of the block size, IDS 128 bit size software must implement ciphertext stealing techniques such as those described in the addendum to NIST special publication 838A. ECB is the simplest form of operation. There are no chaining operations and no special initialization stage. The message is divided into blocks and each block is encrypted or decrypted separately. For an ECB decryption, a key for the first round of decryption must be derived from the key of the last round of encryption. This is why a complete key schedule of encryption is required before performing the decryption. In CBC mode, each block of plain text is x-alled with the previous ciphertext block before being encrypted. To make each message unique, an initialization vector is used during the first block processing. For a CBC decryption, a key for the first round of decryption must be derived from the key of the last round of encryption. This is why a complete key schedule of encryption is required before performing the decryption. The counter mode, known as CTR mode, uses the AES core to generate a key stream. The keys are then x-alled with the plain text to obtain the ciphertext. Unlike ECB and CBC modes, no key scheduling is required for the CTR decryption. Since in this chaining scheme, the AES core is always used in encryption mode for producing the key stream or counter blocks. In Galois counter mode, or GCM, the plain text message is encrypted, while a message authentication code is computed in parallel, thus generating the corresponding ciphertext and its MAC, also known as authentication tag. It's based on the AES' counter mode for confidentiality and uses a multiplier over a fixed finite field for generating the tag. It requires an initialization vector at the beginning. Part of the GCM message, here block 1, might not be encrypted. This block is called the authenticated header. Galois message authentication code, or GMAC, allows authenticating a message and generating the corresponding message authentication code. GMAC is similar to GCM, except that it's applied to a message that only contains the plain text authenticated header. All steps and settings are the same as GCM, except that the payload phase will not be used. In counter, with cipher block chaining message authentication code mode, or CCM, the payload part of the plain text message is encrypted, while a message authentication code is computed for the complete message in parallel, thus generating the corresponding ciphertext and the corresponding MAC, also known as a tag. CCM mode is based on the AES in counter mode for confidentiality and it uses CBC for computing the message authentication code. It requires an initial value. The CCM standard defines specific encoding rules for the first authentication block, called B0, in the standard. In particular, the first block includes flags, and nonce, and the payload length expressed in bytes. Like GCM, the CCM chaining mode could be applied on a message composed only by plain text authenticated data, that is, only header, no payload. But it's not recommended by NIST. Note that this way of using CCM is not called CMAC, and it's not similar to GCM or GMAC. CMAC is a different NIST mode specified in SP838B. This simplified block diagram of the AES accelerator shows the data path from data in on the left to data out on the right. The AES accelerator processes 128-bit data blocks using an encryption key, with a length of either 128 or 256 bits. With or without a data swapping option. The error flags block checks of the behavior of the AES accelerator via two different flags. The read error flag, called RDERR, is set in the AES status register when an unexpected read operation is detected during the computation phase or during the input phase. The write error flag, called WRERR, is set in the AES status register when an unexpected write operation is detected during the output phase or during the computation phase. An interrupt can be generated when one of these two error flags is set if the error interrupt enable bit, called ERRIE, in the AES control register, was previously set. The computation complete flag, called CCF, is set by hardware when the computation is complete. An interrupt is generated if the CCF interrupt enable bit was previously set. The busy flag used only with GCM mode indicates that a higher priority message can interrupt the current message during GCM payload phase for encryption mode. Here are the processing times for different key sizes and algorithms. Here are the processing times for different key sizes and algorithms. Here's a summary of the events able to trigger an interrupt in the nested vector interrupt controller, AES computation completed, AES read error and AES write error. Direct memory access requests are generated internally for both incoming and outgoing data. The DMA channel must be configured in memory to peripheral or peripheral to memory mode with a data size equal to 32 bits. Here's an overview of the status of the AES accelerator in each of the low power modes. AES operations are not possible when the device is in stop mode. This is a list of peripherals related to the AES accelerator. Please refer to these peripheral trainings for more information if needed. For more details, please refer to these application notes and user manuals available on our website.