SLAU846B June 2023 – November 2024 MSPM0G1105 , MSPM0G1106 , MSPM0G1107 , MSPM0G1505 , MSPM0G1506 , MSPM0G1507 , MSPM0G1519 , MSPM0G3105 , MSPM0G3105-Q1 , MSPM0G3106 , MSPM0G3106-Q1 , MSPM0G3107 , MSPM0G3107-Q1 , MSPM0G3505 , MSPM0G3505-Q1 , MSPM0G3506 , MSPM0G3506-Q1 , MSPM0G3507 , MSPM0G3507-Q1 , MSPM0G3519
A GCM protocol operation is a combined operation, consisting of encryption/decryption and authentication. Figure 24-7 illustrates an overview of the GCM operation.
A part of the input data stream can be authenticated only, while normally most of the input data is both encrypted/decrypted and authenticated. The authentication-only data must always precede the data that requires encryption. Within GCM, the authentication-only data is called the AAD (Additional Authenticated Data). The AAD is fetched independently of the other data.
The intermediate (temporary) authentication result is carried forward as the input of the next authentication step. Because the authentication path requires only the polynomial multiplication in GF(2^128) and not the encryption core, encryption/decryption and authentication are performed in parallel. After the last data block has been processed, one additional polynomial multiplication is required to authenticate a 128-bit length block (the bit lengths of the AAD and of the crypto data), and one final encryption (the encrypted initial counter block XOR-ed with that result) produces the authentication tag.
GMAC operations, as specified in [NIST-SP800-38D], are also supported via the GCM operation. GMAC is a special use of GCM where no crypto data is processed and only AAD data is provided to produce a MAC of the input data. The crypto data length is set to zero for this case.
Figure 24-8 illustrates the operations performed in one round. In one round of a GCM operation, for both encryption and decryption, the 32-bit counter field of the 128-bit counter block is incremented per block (as in CTR mode) and the counter block is encrypted. The data is processed the same way as in CTR mode, by XOR-ing the crypto output (the encrypted counter block) with the input data. After the encryption/decryption, the ciphertext block (the output when encrypting, the input when decrypting) is XOR-ed with the intermediate authentication result. The XOR-ed result is used as input for the polynomial multiplication by H to create the next (intermediate) authentication result.
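The round structure of Figure 24-8 and the tag finalization of Figure 24-7, worked through in Python as an added example; this is not code from the TRM or from TI's driver library. It assumes AES is supplied as an external block-encryption callable. To stay self-contained, the example stands in for AES-128 with a lookup table holding the three block encryptions under the all-zero key that test case 2 of the GCM specification (McGrew and Viega; 96-bit zero IV, one zero plaintext block, no AAD) needs, so the result can be checked against that published vector. Function names are the example's own; the non-96-bit IV path and the GMAC call are shown but not checked against a vector.

```python
import hmac

BLOCK = 16
# Reduction constant of the GCM field GF(2^128), x^128 + x^7 + x^2 + x + 1, in the
# bit-reflected representation of SP 800-38D (bit 127 of an int = first bit of the block).
R = 0xE1 << 120


def gf_mult(x: int, y: int) -> int:
    """Polynomial multiplication in GF(2^128), SP 800-38D Algorithm 1."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def ghash_absorb(y: int, h: int, data: bytes) -> int:
    """Fold data (zero-padded to whole blocks) into the running GHASH state y:
    each block is XOR-ed into y and the result is multiplied by H."""
    data += b"\x00" * (-len(data) % BLOCK)
    for off in range(0, len(data), BLOCK):
        y = gf_mult(y ^ int.from_bytes(data[off:off + BLOCK], "big"), h)
    return y


def inc32(counter: bytes) -> bytes:
    """Increment only the low 32 bits; the upper 96 bits never change."""
    ctr = (int.from_bytes(counter[12:], "big") + 1) & 0xFFFFFFFF
    return counter[:12] + ctr.to_bytes(4, "big")


def initial_counter(h: int, iv: bytes) -> bytes:
    """J0: IV || 0^31 || 1 for a 96-bit IV, otherwise GHASH_H(IV || pad || [len(IV)]64)."""
    if len(iv) == 12:
        return iv + b"\x00\x00\x00\x01"
    return gf_mult(ghash_absorb(0, h, iv) ^ (len(iv) * 8), h).to_bytes(BLOCK, "big")


def gcm_rounds(block_encrypt, h, j0, y, data, decrypt):
    """One round per block, as in the hardware: E_K(counter) XOR data, then the
    ciphertext block (output when encrypting, input when decrypting) is XOR-ed
    into y and multiplied by H. Returns (processed data, GHASH state)."""
    counter, out = j0, bytearray()
    for off in range(0, len(data), BLOCK):
        counter = inc32(counter)
        chunk = data[off:off + BLOCK]
        res = bytes(d ^ k for d, k in zip(chunk, block_encrypt(counter)))
        out += res
        y = ghash_absorb(y, h, chunk if decrypt else res)
    return bytes(out), y


def finalize_tag(block_encrypt, h, j0, y, aad_len, ct_len) -> bytes:
    """Extra multiplication for [len(AAD)]64 || [len(C)]64, then mask with E_K(J0)."""
    y = gf_mult(y ^ (((aad_len * 8) << 64) | (ct_len * 8)), h)
    return bytes(a ^ b for a, b in zip(y.to_bytes(BLOCK, "big"), block_encrypt(j0)))


def gcm_encrypt(block_encrypt, iv, plaintext, aad=b""):
    h = int.from_bytes(block_encrypt(bytes(BLOCK)), "big")   # H = E_K(0^128)
    j0 = initial_counter(h, iv)
    y = ghash_absorb(0, h, aad)                 # AAD first: authenticated, never encrypted
    ct, y = gcm_rounds(block_encrypt, h, j0, y, plaintext, decrypt=False)
    return ct, finalize_tag(block_encrypt, h, j0, y, len(aad), len(ct))


def gcm_decrypt(block_encrypt, iv, ciphertext, tag, aad=b"") -> bytes:
    h = int.from_bytes(block_encrypt(bytes(BLOCK)), "big")
    j0 = initial_counter(h, iv)
    y = ghash_absorb(0, h, aad)
    pt, y = gcm_rounds(block_encrypt, h, j0, y, ciphertext, decrypt=True)
    expected = finalize_tag(block_encrypt, h, j0, y, len(aad), len(ciphertext))
    if not hmac.compare_digest(expected, tag):  # constant-time; plaintext is not released on failure
        raise ValueError("GCM tag mismatch")
    return pt


# Constructed stand-in for AES-128 under the all-zero key: a lookup table (not an AES
# implementation) of the three block encryptions that GCM test case 2 needs.
_ZERO_KEY_AES = {
    bytes(BLOCK): bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e"),                    # H
    bytes(12) + b"\x00\x00\x00\x01": bytes.fromhex("58e2fccefa7e3061367f1d57a4e7455a"),  # E_K(J0)
    bytes(12) + b"\x00\x00\x00\x02": bytes.fromhex("0388dace60b6a392f328c2b971b2fe78"),  # keystream 1
}
zero_key_aes = _ZERO_KEY_AES.__getitem__


def test_case_2():
    """(ciphertext hex, tag hex) for zero key, zero 96-bit IV, one zero block, no AAD."""
    ct, tag = gcm_encrypt(zero_key_aes, bytes(12), bytes(BLOCK))
    return ct.hex(), tag.hex()


def gmac_only(aad: bytes) -> bytes:
    """GMAC: crypto data length zero, only the AAD is authenticated."""
    ct, tag = gcm_encrypt(zero_key_aes, bytes(12), b"", aad)
    assert ct == b""
    return tag


def tamper_detected() -> bool:
    ct, tag = gcm_encrypt(zero_key_aes, bytes(12), bytes(BLOCK))
    try:
        gcm_decrypt(zero_key_aes, bytes(12), ct, bytes([tag[0] ^ 1]) + tag[1:])
    except ValueError:
        return True
    return False
```

Two points the code makes explicit: only the low 32 bits of the counter block are ever incremented, so a single (key, IV) pair covers at most 2^32 - 2 data blocks before the counter wraps onto the J0 block; and on the decrypt side the GHASH input is the incoming ciphertext, so the tag can be verified before any plaintext leaves the device.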