The GCM mode including both encryption and decryption parts is supported in this implementation.
Attention
The bit-width of the interfaces provided is shown as follows:
payload | lenPld | AAD | lenAAD | IV | cipherkey | cipher | lenCph | tag | |
GCM-AES128 | 128 | 64 | 128 | 64 | 96 | 128 | 128 | 64 | 128 |
GCM-AES192 | 128 | 64 | 128 | 64 | 96 | 192 | 128 | 64 | 128 |
GCM-AES256 | 128 | 64 | 128 | 64 | 96 | 256 | 128 | 64 | 128 |
Caution
Applicable conditions:
1. The bit-width of initialization vector must be precisely 96 as recommended in the standard to promote interoperability, efficiency, and simplicity of the design.
1.The MAC value instead of a FAIL flag in decryption part is provided, therefore, take care of the MAC, which is given by the encryption part to judge the authenticity of the data. If the data is authentic, the MACs should be equal.
The algorithm flow chart of encryption part of GCM mode is shown below:
As seen from the chart, the GCM encryption part can be divided into two individual parts: The Counter Mode (CTR) and The Galois Message Authentication Code (GMAC). GCM is used to encrypt the plaintext to ciphertext, and GMAC is used to generate the MAC. The algorithm flow chart of decryption part of GCM mode is shown as follows:
The decryption part is very similar with the encryption part of GCM mode. The only difference is that the ciphertext to plaintext is decrypted in the decryption part.
The internal structure of both encryption and decryption parts of GCM is shown in the following figures:
In the implementation, the encryption part of GCM mode has two modules, which are aesGctrEncrypt and genGMAC. Use the first two iterations in aesGctrEncrypt to calculate the hash subkey (H) and E(K,Y0), and pass them onto the genGMAC module through streams in dataflow region instead of implementing the AES block cipher in genGMAC to save the resources. As the two modules can work independently, they are designed into parallel dataflow processes, and connected by streams (FIFOs). The decryption part can be deduced in the same way, the only difference is that the ciphertext and its length streams, which are fed to genGMAC, are directly taken from the input ports.