 Hello and welcome to this presentation of the STM32 Advanced Encryption Standard Hardware Accelerator. It covers the features of the AES interface, which is widely used for cryptographic applications. The AES algorithm is a symmetric block cipher used to encrypt and decrypt information using a secret cryptographic key that is 128 or 256 bits long. Encryption converts data to an unintelligible format called ciphertext. Decrypting the ciphertext converts the data back into its original format called plaintext. Applications benefit from the NIST FIPS 197 compliant implementation of the AES algorithm to protect the confidentiality of data as well as its low processing time. The AES accelerator supports four operation modes, encryption, key derivation, decryption, and key derivation plus decryption. It processes 128-bit data blocks using an encryption key that is either 128 or 256 bits long based on the selected chaining mode as shown on the next slide. This simplified block diagram of the AES shows the basic functional and control modules. The AES accelerator processes 128-bit data blocks using an encryption key with a length of either 256 bits or 128 bits, with or without a data swapping option. The AES accelerator has four operating modes. Mode 1, encryption using the encryption key stored in the AES key register. Mode 2, key derivation which derives a new key based on the value stored in the AES key register before enabling the AES accelerator. This mode is independent from the AES chaining mode selection. Module 3, decryption using a given or pre-computed decryption key stored in the AES key register. And Mode 4, key derivation plus decryption using an encryption key stored in the AES key registers, not used when the AES is configured in counter mode for performing a chaining algorithm. The AES accelerator supports six chaining algorithms or modes. Electronic Code Book or ECB. This is the default mode. This mode does not use the AES IVR register. There are no chaining operations. The message is divided into blocks and each block is encrypted separately. Cypher Block Chaining, CVC. Each block of plain text is XOR'd with the previous Cypher text block before being encrypted. To make each message unique, an initialization vector is used when processing the first block. Counter Mode, CTR. A 32-bit counter is used in addition to a nonce value for the XOR operation with the Cypher text or plain text. Galois Counter Mode, GCM. Used to encrypt and authenticate the plain text generating the corresponding Cypher text and the tag, also known as the Message Authentication Code or Message Integrity Check. It is based on the AES's counter mode for confidentiality and uses a multiplier over a fixed finite field for generating the tag. It requires an initialization vector at the beginning. Galois Message Authentication Code Mode or GMAC. GMAC is the same as GSM applied on a message composed of only the header. All steps and headings are the same except the payload phrase will not be used. Cypher Message Authentication Code Mode, CMAC. CMAC is used to authenticate the plain text generating the corresponding tag. The message is composed of only the header phrase and the tag phrase. The CCM standard defines specific encoding rules for the first authentication block called B0 in the standard. In particular, the first block includes flags, a nonce, and the payload length expressed in bytes. The error flags block checks the behavior of the AES accelerator via two different flags. The read error flag or RDERR is set in the AES status register when an unexpected read operation is detected during the computation phase or during the input phase. The write error flag or WRERR is set in the AES status register when an unexpected write operation is detected during the output phase or during the computation phase. An interrupt can be generated when one of these two error flags is set if the error interrupt enable or ERRIE bit in the AES control register was previously set. Two extra flags are available for the AES accelerator to give the status of current operation. The computation complete flag, CCF, is set by hardware when the computation is complete. An interrupt is generated if the CCF interrupt enable bit was previously set. The busy flag used only with GCM mode indicates that a higher priority message can interrupt the current message during GCM payload phase for encryption mode. The following slides give the processing times for each of the operating modes according to the selected chaining mode. Here are the processing times depending on the key size and algorithms. To complete the feature, here are the processing times for GCM and GMAC algorithms. Here is a summary of the events able to trigger an interrupt in the nested vectored interrupt controller. AES computation completed. AES read error and AES write error. Direct memory access requests are generated internally for both incoming and outgoing data. The DMA channel must be configured in memory to peripheral or peripheral to memory mode with a data size equal to 32 bits. Here is an overview of the status of the AES accelerator in each of the low power modes. AES operations are not possible when the device is in stop mode. The AES encryption and decryption algorithms are suitable for a variety of applications such as secure networking routers, wireless communications, encrypted data storage including secure smart cards, secure video surveillance systems, secure electronic financial transactions, etc. The sender sends a plain text message encrypted with a secret key and the receiver decrypts the message with the same secret key. This is a list of peripherals related to the AES accelerator. Please refer to these peripheral trainings for more information if needed. For more details, please refer to these application notes and user manual available on our website.