19. Cryptographic processor (CRYP)

This section applies to the whole STM32F20x and STM32F21x family, unless otherwise specified.

19.1 CRYP introduction

The cryptographic processor can be used to both encipher and decipher data using the DES, Triple-DES or AES (128, 192, or 256) algorithms. It is a fully compliant implementation of the following standards:

• • The data encryption standard (DES) and Triple-DES (TDES) as defined by Federal Information Processing Standards Publication (FIPS PUB 46-3, 1999 October 25). It follows the American National Standards Institute (ANSI) X9.52 standard.
• • The advanced encryption standard (AES) as defined by Federal Information Processing Standards Publication (FIPS PUB 197, 2001 November 26)

The CRYP processor performs data encryption and decryption using DES and TDES algorithms in Electronic codebook (ECB) or Cipher block chaining (CBC) mode.

The CRYP peripheral is a 32-bit AHB2 peripheral. It supports DMA transfer for incoming and processed data, and has input and output FIFOs (each 8 words deep).

19.2 CRYP main features

• • Suitable for AES, DES and TDES enciphering and deciphering operations
• • AES
  • – Supports the ECB, CBC, CTR chaining algorithms
  • – Supports 128-, 192- and 256-bit keys
  • – 4 × 32-bit initialization vectors (IV) used in the CBC, CTR modes

Table 73. Number of cycles required to process each 128-bit block

• • DES/TDES
  • – Direct implementation of simple DES algorithms (a single key, K1, is used)
  • – Supports the ECB and CBC chaining algorithms
  • – Supports 64-, 128- and 192-bit keys (including parity)
  • – 2 × 32-bit initialization vectors (IV) used in the CBC mode
  • – 16 HCLK cycles to process one 64-bit block in DES
  • – 48 HCLK cycles to process one 64-bit block in TDES
• • Common to DES/TDES and AES
  • – IN and OUT FIFO (each with an 8-word depth, a 32-bit width, corresponding to 4 DES blocks or 2 AES blocks)
  • – Automatic data flow control with support of direct memory access (DMA) (using 2 channels, one for incoming data the other for processed data)
  • – Data swapping logic to support 1-, 8-, 16- or 32-bit data

19.3 CRYP functional description

The cryptographic processor implements a Triple-DES (TDES, that also supports DES) core and an AES cryptographic core. Section 19.3.1 and Section 19.3.2 provide details on these cores.

Since the TDES and the AES algorithms use block ciphers, incomplete input data blocks have to be padded prior to encryption (extra bits should be appended to the trailing end of the data string). After decryption, the padding has to be discarded. The hardware does not manage the padding operation, the software has to handle it.

Figure 195 shows the block diagram of the cryptographic processor.

Figure 195. Block diagram

19.3.1 DES/TDES cryptographic core

The DES/Triple-DES cryptographic core consists of three components:

• • The DES algorithm (DEA)
• • Multiple keys (1 for the DES algorithm, 1 to 3 for the TDES algorithm)
• • The initialization vector (used in the CBC mode)

The basic processing involved in the TDES is as follows: an input block is read in the DEA and encrypted using the first key, K1 (K0 is not used in TDES mode). The output is then decrypted using the second key, K2, and encrypted using the third key, K3. The key depends on the algorithm which is used:

• • DES mode: Key = [K1]
• • TDES mode: Key = [K3 K2 K1]

where Kx=[KxR KxL], R = right, L = left

According to the mode implemented, the resultant output block is used to calculate the ciphertext.

Note that the outputs of the intermediate DEA stages is never revealed outside the cryptographic boundary.

The TDES allows three different keying options:

• • Three independent keys

The first option specifies that all the keys are independent, that is, K1, K2 and K3 are independent. FIPS PUB 46-3 – 1999 (and ANSI X9.52 – 1998) refers to this option as the Keying Option 1 and, to the TDES as 3-key TDES.

• • Two independent keys

The second option specifies that K1 and K2 are independent and K3 is equal to K1, that is, K1 and K2 are independent, K3 = K1. FIPS PUB 46-3 – 1999 (and ANSI X9.52 – 1998) refers to this second option as the Keying Option 2 and, to the TDES as 2-key TDES.

• • Three equal keys

The third option specifies that K1, K2 and K3 are equal, that is, K1 = K2 = K3. FIPS PUB 46-3 – 1999 (and ANSI X9.52 – 1998) refers to the third option as the Keying Option 3. This “1-key” TDES is equivalent to single DES.

FIPS PUB 46-3 – 1999 (and ANSI X9.52-1998) provides a thorough explanation of the processing involved in the four operation modes supplied by the TDEA (TDES algorithm): TDES-ECB encryption, TDES-ECB decryption, TDES-CBC encryption and TDES-CBC decryption.

This reference manual only gives a brief explanation of each mode.

DES and TDES Electronic codebook (DES/TDES-ECB) mode

• • DES/TDES-ECB mode encryption

Figure 196 illustrates the encryption in DES and TDES Electronic codebook (DES/TDES-ECB) mode. A 64-bit plaintext data block (P) is used after bit/byte/half-word swapping (refer to Section 19.3.3: Data type on page 513 ) as the input block (I). The input block is processed through the DEA in the encrypt state using K1. The output of this process is fed back directly to the input of the DEA where the DES is performed in the decrypt state using K2. The output of this process is fed back directly to the input of the DEA where the DES is performed in the encrypt state using K3. The resultant 64-bit output block (O) is used, after bit/byte/half-word swapping, as ciphertext (C) and it is pushed into the OUT FIFO.

• • DES/TDES-ECB mode decryption

Figure 197 illustrates the DES/TDES-ECB decryption. A 64-bit ciphertext block (C) is used, after bit/byte/half-word swapping, as the input block (I). The keying sequence is reversed compared to that used in the encryption process. The input block is processed through the DEA in the decrypt state using K3. The output of this process is fed back directly to the input of the DEA where the DES is performed in the encrypt state using K2. The new result is directly fed to the input of the DEA where the DES is performed in the decrypt state using K1. The resultant 64-bit output block (O), after bit/byte/half-word swapping, produces the plaintext (P).

Figure 196. DES/TDES-ECB mode encryption

ai16069b

• 1. K: key; C: cipher text; I: input block; O: output block; P: plain text.

Figure 197. DES/TDES-ECB mode decryption

MS19021V1

• 1. K: key; C: cipher text; I: input block; O: output block; P: plain text.

DES and TDES Cipher block chaining (DES/TDES-CBC) mode

• • DES/TDES-CBC mode encryption

Figure 198 illustrates the DES and Triple-DES Cipher block chaining (DES/TDES-CBC) mode encryption. This mode begins by dividing a plaintext message into 64-bit data blocks. In TCBC encryption, the first input block ( \( I_1 \) ), obtained after bit/byte/half-word swapping (refer to Section 19.3.3: Data type on page 513 ), is formed by exclusive-ORing the first plaintext data block ( \( P_1 \) ) with a 64-bit initialization vector IV ( \( I_1 = IV \oplus P_1 \) ). The input block is processed through the DEA in the encrypt state using K1. The output of this process is fed back directly to the input of the DEA, which performs the DES in the decrypt state using K2. The output of this process is fed directly to the input of the DEA, which performs the DES in the encrypt state using K3. The resultant 64-bit output block ( \( O_1 \) ) is used directly as the ciphertext ( \( C_1 \) ), that is, \( C_1 = O_1 \) . This first ciphertext block is then exclusive-ORed with the second plaintext data block to produce the second input block, \( (I_2) = (C_1 \oplus P_2) \) . Note that \( I_2 \) and \( P_2 \) now refer to the second block. The second input block is processed through the TDEA to produce the second ciphertext block. This encryption process continues to “chain” successive cipher and plaintext blocks together until the last plaintext block in the message is encrypted. If the message does not consist of an integral number of data blocks, then the final partial data block should be encrypted in a manner specified for the application.

• • DES/TDES-CBC mode decryption

In DES/TDES-CBC decryption (see Figure 199 ), the first ciphertext block ( \( C_1 \) ) is used directly as the input block ( \( I_1 \) ). The keying sequence is reversed compared to that used for the encrypt process. The input block is processed through the DEA in the decrypt state using K3. The output of this process is fed directly to the input of the DEA where the DES is processed in the encrypt state using K2. This resulting value is directly fed to the input of the DEA where the DES is processed in the decrypt state using K1. The resulting output block is exclusive-ORed with the IV (which must be the same as that used during encryption) to produce the first plaintext block ( \( P_1 = O_1 \oplus IV \) ). The second ciphertext block is then used as the next input block and is processed through the TDEA. The resulting output block is exclusive-ORed with the first ciphertext block to produce the second plaintext data block ( \( P_2 = O_2 \oplus C_1 \) ). (Note that \( P_2 \) and \( O_2 \) refer to the second block of data.) The TCBC decryption process continues in this manner until the last complete ciphertext block has been decrypted. Ciphertext representing a partial data block must be decrypted in a manner specified for the application.

Figure 198. DES/TDES-CBC mode encryption

1. 1. K: key; C: cipher text; I: input block; O: output block; Ps: plain text before swapping (when decoding) or after swapping (when encoding); P: plain text; IV: initialization vectors.

Figure 199. DES/TDES-CBC mode decryption

1. 1. K: key; C: cipher text; I: input block; O: output block; Ps: plain text before swapping (when decoding) or after swapping (when encoding); P: plain text; IV: initialization vectors.

19.3.2 AES cryptographic core

The AES cryptographic core consists of three components:

• • The AES algorithm (AEA: advanced encryption algorithm)
• • Multiple keys
• • Initialization vector(s) or Nonce

The AES utilizes keys of 3 possible lengths: 128, 192 or 256 bits and, depending on the operation mode used, zero or one 128-bit initialization vector (IV).

The basic processing involved in the AES is as follows: an input block of 128 bits is read from the input FIFO and sent to the AEA to be encrypted using the key (K0...3). The key format depends on the key size:

• • If Key size = 128: Key = [K3 K2]
• • If Key size = 192: Key = [K3 K2 K1]
• • If Key size = 256: Key = [K3 K2 K1 K0]

where \( Kx = [KxR KxL] \) , R=right, L=left

According to the mode implemented, the resultant output block is used to calculate the ciphertext.

FIPS PUB 197 (November 26, 2001) provides a thorough explanation of the processing involved in the four operation modes supplied by the AES core: AES-ECB encryption, AES-

ECB decryption, AES-CBC encryption and AES-CBC decryption. This reference manual only gives a brief explanation of each mode.

AES Electronic codebook (AES-ECB) mode

• • AES-ECB mode encryption

Figure 200 illustrates the AES Electronic codebook (AES-ECB) mode encryption.

In AES-ECB encryption, a 128-bit plaintext data block (P) is used after bit/byte/half-word swapping (refer to Section 19.3.3: Data type on page 513 ) as the input block (I). The input block is processed through the AEA in the encrypt state using the 128, 192 or 256-bit key. The resultant 128-bit output block (O) is used after bit/byte/half-word swapping as ciphertext (C). It is then pushed into the OUT FIFO.

• • AES-ECB mode decryption

Figure 201 illustrates the AES Electronic codebook (AES-ECB) mode encryption.

To perform an AES decryption in the ECB mode, the secret key has to be prepared (it is necessary to execute the complete key schedule for encryption) by collecting the last round key, and using it as the first round key for the decryption of the ciphertext. This preparation function is computed by the AES core. Refer to Section 19.3.6: Procedure to perform an encryption or a decryption for more details on how to prepare the key.

In AES-ECB decryption, a 128-bit ciphertext block (C) is used after bit/byte/half-word swapping as the input block (I). The keying sequence is reversed compared to that of the encryption process. The resultant 128-bit output block (O), after bit/byte or half-word swapping, produces the plaintext (P).

Figure 200. AES-ECB mode encryption

graph TD
    IN_FIFO["IN FIFO
plaintext P"] -- "P, 128 bits" --> SWAP1["swapping
DATATYPE"]
    SWAP1 -- "I, 128 bits" --> AEA["AEA, encrypt
K0...3(1)
128/192 or 256"]
    AEA --> SWAP2["swapping
DATATYPE"]
    SWAP2 -- "C, 128 bits" --> OUT_FIFO["OUT FIFO
ciphertext C"]
  

1. 1. K: key; C: cipher text; I: input block; O: output block; P: plain text.
2. 2. If Key size = 128: Key = [K3 K2].
   If Key size = 192: Key = [K3 K2 K1]
   If Key size = 256: Key = [K3 K2 K1 K0].

Figure 201. AES-ECB mode decryption

graph TD
    subgraph " "
    A[IN FIFO
ciphertext C] -->|C, 128 bits| B[swapping]
    D[DATATYPE] --> B
    B -->|I, 128 bits| E[AEA, decrypt]
    F["K0...3(1)"] -->|128/192
or 256| E
    E -->|O, 128 bits| G[swapping]
    H[DATATYPE] --> G
    G -->|P, 128 bits| I[OUT FIFO
plaintext P]
    end

1. 1. K: key; C: cipher text; I: input block; O: output block; P: plain text.
2. 2. If Key size = 128 => Key = [K3 K2].
   If Key size = 192 => Key = [K3 K2 K1]
   If Key size = 256 => Key = [K3 K2 K1 K0].

AES Cipher block chaining (AES-CBC) mode

• • AES-CBC mode encryption

The AES Cipher block chaining (AES-CBC) mode decryption is shown on Figure 202 .

In AES-CBC encryption, the first input block ( \( I_1 \) ) obtained after bit/byte/half-word swapping (refer to Section 19.3.3: Data type on page 513 ) is formed by exclusive-ORing the first plaintext data block ( \( P_1 \) ) with a 128-bit initialization vector IV ( \( I_1 = IV \oplus P_1 \) ). The input block is processed through the AEA in the encrypt state using the 128-, 192- or 256-bit key ( \( K_0 \dots K_3 \) ). The resultant 128-bit output block ( \( O_1 \) ) is used directly as ciphertext ( \( C_1 \) ), that is, \( C_1 = O_1 \) . This first ciphertext block is then exclusive-ORed with the second plaintext data block to produce the second input block, \( (I_2) = (C_1 \oplus P_2) \) . Note that \( I_2 \) and \( P_2 \) now refer to the second block. The second input block is processed through the AEA to produce the second ciphertext block. This encryption process continues to “chain” successive cipher and plaintext blocks together until the last plaintext block in the message is encrypted. If the message does not consist of an integral number of data blocks, then the final partial data block should be encrypted in a manner specified for the application.

In the CBC mode, like in the ECB mode, the secret key must be prepared to perform an AES decryption. Refer to Section 19.3.6: Procedure to perform an encryption or a decryption on page 518 for more details on how to prepare the key.

• • AES-CBC mode decryption

In AES-CBC decryption (see Figure 203 ), the first 128-bit ciphertext block ( \( C_1 \) ) is used directly as the input block ( \( I_1 \) ). The input block is processed through the AEA in the decrypt state using the 128-, 192- or 256-bit key. The resulting output block is exclusive-ORed with the 128-bit initialization vector IV (which must be the same as that used during encryption) to produce the first plaintext block ( \( P_1 = O_1 \oplus IV \) ). The second ciphertext block is then used as the next input block and is processed through the AEA. The resulting output block is exclusive-ORed with the first ciphertext block to produce the second plaintext data block ( \( P_2 = O_2 \oplus C_1 \) ). (Note that \( P_2 \) and \( O_2 \) refer to the second

block of data.) The AES-CBC decryption process continues in this manner until the last complete ciphertext block has been decrypted. Ciphertext representing a partial data block must be decrypted in a manner specified for the application.

Figure 202. AES-CBC mode encryption

1. 1. K: key; C: cipher text; I: input block; O: output block; Ps: plain text before swapping (when decoding) or after swapping (when encoding); P: plain text; IV: Initialization vectors.
2. 2. \( IV_x = [IV_{xR} \ IV_{xL}] \) , R=right, L=left.
3. 3. If Key size = 128 => Key = [K3 K2].
   If Key size = 192 => Key = [K3 K2 K1]
   If Key size = 256 => Key = [K3 K2 K1 K0].

Figure 203. AES-CBC mode decryption

1. 1. K: key; C: cipher text; I: input block; O: output block; Ps: plain text before swapping (when decoding) or after swapping (when encoding); P: plain text; IV: Initialization vectors.
2. 2. \( IV_x = [IV_{xR} \ IV_{xL}] \) , R=right, L=left.
3. 3. If Key size = 128 => Key = [K3 K2].
   If Key size = 192 => Key = [K3 K2 K1]
   If Key size = 256 => Key = [K3 K2 K1 K0].

AES counter mode (AES-CTR) mode

The AES counter mode uses the AES block as a key stream generator. The generated keys are then XORed with the plaintext to obtain the cipher. For this reason, it makes no sense to speak of different CTR encryption/decryption, since the two operations are exactly the same.

In fact, given:

• • Plaintext: \( P[0], P[1], \dots, P[n] \) (128 bits each)
• • A key K to be used (the size does not matter)
• • An initial counter block (call it ICB but it has the same functionality as the IV of CBC)

The cipher is computed as follows:

\( C[i] = \text{enc}(\text{iv}[i]) \oplus P[i] \) , where:

\( \text{iv}[0] = \text{ICB} \) and \( \text{iv}[i+1] = \text{func}(\text{iv}[i]) \) , where func is an update function applied to the previous iv block; func is basically an increment of one of the fields composing the iv block.

Given that the ICB for decryption is the same as the one for encryption, the key stream generated during decryption is the same as the one generated during encryption. Then, the ciphertext is XORed with the key stream in order to retrieve the original plaintext. The decryption operation therefore acts exactly in the same way as the encryption operation.

Figure 204 and Figure 205 illustrate AES-CTR encryption and decryption, respectively.

Figure 204. AES-CTR mode encryption

1. 1. K: key; C: cipher text; I: input Block; o: output block; Ps: plain text before swapping (when decoding) or after swapping (when encoding); Cs: cipher text after swapping (when decoding) or before swapping (when encoding); P: plain text; IV: Initialization vectors.

Figure 205. AES-CTR mode decryption

1. 1. K: key; C: cipher text; I: input Block; o: output block; Ps: plain text before swapping (when decoding) or after swapping (when encoding); Cs: cipher text after swapping (when decoding) or before swapping (when encoding); P: plain text; IV: Initialization vectors.

Figure 206 shows the structure of the IV block as defined by the standard [2]. It is composed of three distinct fields.

Figure 206. Initial counter block structure for the Counter mode

• • Nonce is a 32-bit, single-use value. A new nonce should be assigned to each different communication.
• • The initialization vector (IV) is a 64-bit value and the standard specifies that the encryptor must choose IV so as to ensure that a given value is used only once for a given key
• • The counter is a 32-bit big-endian integer that is incremented each time a block has been encrypted. The initial value of the counter should be set to '1'.

The block increments the least significant 32 bits, while it leaves the other (most significant) 96 bits unchanged.

19.3.3 Data type

Data enter the CRYP processor 32 bits (word) at a time as they are written into the CRYP_DIN register. The principle of the DES is that streams of data are processed 64 bits by 64 bits and, for each 64-bit block, the bits are numbered from M1 to M64, with M1 the left-most bit and M64 the right-most bit of the block. The same principle is used for the AES, but with a 128-bit block size.

The system memory organization is little-endian: whatever the data type (bit, byte, 16-bit half-word, 32-bit word) used, the least-significant data occupy the lowest address locations. A bit, byte, or half-word swapping operation (depending on the kind of data to be encrypted) therefore has to be performed on the data read from the IN FIFO before they enter the CRYP processor. The same swapping operation should be performed on the CRYP data before they are written into the OUT FIFO. For example, the operation would be byte swapping for an ASCII text stream.

The kind of data to be processed is configured with the DATATYPE bitfield in the CRYP control register (CRYP_CR).

Table 74. Data types

Table 74. Data types

Figure 207 shows how the 64-bit data block M1...64 is constructed from two consecutive 32-bit words popped off the IN FIFO by the CRYP processor, according to the DATATYPE value. The same schematic can easily be extended to form the 128-bit block for the AES cryptographic algorithm (for the AES, the block length is four 32-bit words, but swapping only takes place at word level, so it is identical to the one described here for the TDES).

Note: The same swapping is performed between the IN FIFO and the CRYP data block, and between the CRYP data block and the OUT FIFO.

Figure 207. 64-bit block construction according to DATATYPE

19.3.4 Initialization vectors - CRYP_IV0...1(L/R)

Initialization vectors are considered as two 64-bit data items. They therefore do not have the same data format and representation in system memory as plaintext or cypher data, and they are not affected by the DATATYPE value.

Initialization vectors are defined by two consecutive 32-bit words, CRYP_IVL (left part, noted as bits IV1...32) and CRYP_IVR (right part, noted as bits IV33...64).

During the DES or TDES CBC encryption, the CRYP_IV0(L/R) bits are XORed with the 64-bit data block popped off the IN FIFO after swapping (according to the DATATYPE value), that is, with the M1...64 bits of the data block. When the output of the DEA3 block is available, it is copied back into the CRYP_IV0(L/R) vector, and this new content is XORed with the next 64-bit data block popped off the IN FIFO, and so on.

During the DES or TDES CBC decryption, the CRYP_IV0(L/R) bits are XORed with the 64-bit data block (that is, with the M1...64 bits) delivered by the TDEA1 block before swapping (according to the DATATYPE value), and pushed into the OUT FIFO. When the XORed result is swapped and pushed into the OUT FIFO, the CRYP_IV0(L/R) value is replaced by the output of the IN FIFO, then the IN FIFO is popped, and a new 64-bit data block can be processed.

During the AES CBC encryption, the CRYP_IV0...1(L/R) bits are XORed with the 128-bit data block popped off the IN FIFO after swapping (according to the DATATYPE value). When the output of the AES core is available, it is copied back into the CRYP_IV0...1(L/R) vector, and this new content is XORed with the next 128-bit data block popped off the IN FIFO, and so on.

During the AES CBC decryption, the CRYP_IV0...1(L/R) bits are XORed with the 128-bit data block delivered by the AES core before swapping (according to the DATATYPE value) and pushed into the OUT FIFO. When the XORed result is swapped and pushed into the OUT FIFO, the CRYP_IV0...1(L/R) value is replaced by the output of the IN FIFO, then the IN FIFO is popped, and a new 128-bit data block can be processed.

During the AES CTR encryption or decryption, the CRYP_IV0...1(L/R) bits are encrypted by the AES core. Then the result of the encryption is XORed with the 128-bit data block popped off the IN FIFO after swapping (according to the DATATYPE value). When the XORed result is swapped and pushed into the OUT FIFO, the counter part of the CRYP_IV0...1(L/R) value (32 LSB) is incremented.

Any write operation to the CRYP_IV0...1(L/R) registers when bit BUSY = 1b in the CRYP_SR register is disregarded (CRYP_IV0...1(L/R) register content not modified). Thus, you must check that bit BUSY = 0b before modifying initialization vectors.

Figure 208. Initialization vectors use in the TDES-CBC encryption

19.3.5 CRYP busy state

When there is enough data in the input FIFO (at least 2 words for the DES or TDES algorithm mode, 4 words for the AES algorithm mode) and enough free-space in the output FIFO (at least 2 (DES/TDES) or 4 (AES) word locations), and when the bit CRYPTEN = 1 in the CRYP_CR register, then the cryptographic processor automatically starts an encryption or decryption process (according to the value of the ALGODIR bit in the CRYP_CR register).

This process takes 48 AHB2 clock cycles for the Triple-DES algorithm, 16 AHB2 clock cycles for the simple DES algorithm, and 14, 16 or 18 AHB2 clock cycles for the AES with key lengths of 128, 192 or 256 bits, respectively. During the whole process, the BUSY bit in the CRYP_SR register is set to '1'. At the end of the process, two (DES/TDES) or four (AES) words are written by the CRYP Core into the output FIFO, and the BUSY bit is cleared. In

the CBC, CTR mode, the initialization vectors CRYP_IVx(L/R)R (x = 0..3) are updated as well.

A write operation to the key registers (CRYP_Kx(L/R)R, x = 0..3), the initialization registers (CRYP_IVx(L/R)R, x = 0..3), or to bits [9:2] in the CRYP_CR register are ignored when the cryptographic processor is busy (bit BUSY = 1b in the CRYP_SR register), and the registers are not modified. It is thus not possible to modify the configuration of the cryptographic processor while it is processing a block of data. It is however possible to clear the CRYPTEN bit while BUSY = 1, in which case the ongoing DES, TDES or AES processing is completed and the two/four word results are written into the output FIFO, and then, only then, the BUSY bit is cleared.

Note: When a block is being processed in the DES or TDES mode, if the output FIFO becomes full and if the input FIFO contains at least one new block, then the new block is popped off the input FIFO and the BUSY bit remains high until there is enough space to store this new block into the output FIFO.

19.3.6 Procedure to perform an encryption or a decryption

Initialization

1. 1. Initialize the peripheral (the order of operations is not important except for the key preparation for AES-ECB or AES-CBC decryption. The key size and the key value must be entered before preparing the key and the algorithm must be configured once the key has been prepared):
   1. a) Configure the key size (128-, 192- or 256-bit, in the AES only) with the KEYSIZE bits in the CRYP_CR register
   2. b) Write the symmetric key into the CRYP_KxL/R registers (2 to 8 registers to be written depending on the algorithm)
   3. c) Configure the data type (1-, 8-, 16- or 32-bit), with the DATATYPE bits in the CRYP_CR register
   4. d) In case of decryption in AES-ECB or AES-CBC, you must prepare the key: configure the key preparation mode by setting the ALGOMODE bits to '111' in the CRYP_CR register. Then write the CRYPTEN bit to '1': the BUSY bit is set. Wait until BUSY returns to 0 (CRYPTEN is automatically cleared as well): the key is prepared for decryption
   5. e) Configure the algorithm and chaining (the DES/TDES in ECB/CBC, the AES in ECB/CBC/CTR) with the ALGOMODE bits in the CRYP_CR register
   6. f) Configure the direction (encryption/decryption), with the ALGODIR bit in the CRYP_CR register
   7. g) Write the initialization vectors into the CRYP_IVxL/R register (in CBC or CTR modes only)
2. 2. Flush the IN and OUT FIFOs by writing the FFLUSH bit to 1 in the CRYP_CR register

Processing when the DMA is used to transfer the data from/to the memory

1. 1. Configure the DMA controller to transfer the input data from the memory. The transfer length is the length of the message. As message padding is not managed by the peripheral, the message length must be an entire number of blocks. The data are transferred in burst mode. The burst length is 4 words in the AES and 2 or 4 words in

the DES/TDES. The DMA should be configured to set an interrupt on transfer completion of the output data to indicate that the processing is finished.

1. 2. Enable the cryptographic processor by writing the CRYPTEN bit to 1. Enable the DMA requests by setting the DIEN and DOEN bits in the CRYP_DMACR register.
2. 3. All the transfers and processing are managed by the DMA and the cryptographic processor. The DMA interrupt indicates that the processing is complete. Both FIFOs are normally empty and BUSY = 0.

Processing when the data are transferred by the CPU during interrupts

1. 1. Enable the interrupts by setting the INIM and OUTIM bits in the CRYP_IMSCR register.
2. 2. Enable the cryptographic processor by setting the CRYPTEN bit in the CRYP_CR register.
3. 3. In the interrupt managing the input data: load the input message into the IN FIFO. You can load 2 or 4 words at a time, or load data until the FIFO is full. When the last word of the message has been entered into the FIFO, disable the interrupt by clearing the INIM bit.
4. 4. In the interrupt managing the output data: read the output message from the OUT FIFO. You can read 1 block (2 or 4 words) at a time or read data until the FIFO is empty. When the last word has been read, INIM=0, BUSY=0 and both FIFOs are empty (IFEM=1 and OFNE=0). You can disable the interrupt by clearing the OUTIM bit and, the peripheral by clearing the CRYPTEN bit.

Processing without using the DMA nor interrupts

1. 1. Enable the cryptographic processor by setting the CRYPTEN bit in the CRYP_CR register.
2. 2. Write the first blocks in the input FIFO (2 to 8 words).
3. 3. Repeat the following sequence until the complete message has been processed:
   1. a) Wait for OFNE=1, then read the OUT-FIFO (1 block or until the FIFO is empty)
   2. b) Wait for IFNF=1, then write the IN FIFO (1 block or until the FIFO is full)
4. 4. At the end of the processing, BUSY=0 and both FIFOs are empty (IFEM=1 and OFNE=0). You can disable the peripheral by clearing the CRYPTEN bit.

19.3.7 Context swapping

If a context switching is needed because a new task launched by the OS requires this resource, the following tasks have to be performed for full context restoration (example when the DMA is used):

Case of the AES and DES

1. 1. Context saving
   1. a) Stop DMA transfers on the IN FIFO by clearing the DIEN bit in the CRYP_DMACR register.
   2. b) Wait until both the IN and OUT FIFOs are empty (IFEM=1 and OFNE=0 in the CRYP_SR register) and the BUSY bit is cleared.
   3. c) Stop DMA transfers on the OUT FIFO by writing the DOEN bit to 0 in the CRYP_DMACR register and clear the CRYPTEN bit.
   4. d) Save the current configuration (bits [9:2] and bits 19 in the CRYP_CR register) and, if not in ECB mode, the initialization vectors. The key value must already be available in the memory. When needed, save the DMA status (pointers for IN and OUT messages, number of remaining bytes, etc.).
2. 2. Configure and execute the other processing.
3. 3. Context restoration
   1. a) Configure the processor as in Section 19.3.6: Procedure to perform an encryption or a decryption on page 518, Initialization with the saved configuration. For the AES-ECB or AES-CBC decryption, the key must be prepared again.
   2. b) If needed, reconfigure the DMA controller to transfer the rest of the message.
   3. c) Enable the processor by setting the CRYPTEN bit and, the DMA requests by setting the DIEN and DOEN bits.

Case of the TDES

Context swapping can be done in the TDES in the same way as in the AES. But as the input FIFO can contain up to 4 unprocessed blocks and as the processing duration per block is higher, it can be faster in certain cases to interrupt the processing without waiting for the IN FIFO to be empty.

1. 1. Context saving
   1. a) Stop DMA transfers on the IN FIFO by clearing the DIEN bit in the CRYP_DMACR register.
   2. b) Disable the processor by clearing the CRYPTEN bit (the processing stops at the end of the current block).
   3. c) Wait until the OUT FIFO is empty (OFNE=0 in the CRYP_SR register) and the BUSY bit is cleared.
   4. d) Stop DMA transfers on the OUT FIFO by writing the DOEN bit to 0 in the CRYP_DMACR register.
   5. e) Save the current configuration (bits [9:2] and bits 19 in the CRYP_CR register) and, if not in ECB mode, the initialization vectors. The key value must already be available in the memory. When needed, save the DMA status (pointers for IN and OUT messages, number of remaining bytes, etc.). Read back the data loaded in

the IN FIFO that have not been processed and save them in the memory until the FIFO is empty.

1. 2. Configure and execute the other processing.
2. 3. Context restoration
   1. a) Configure the processor as in Section 19.3.6: Procedure to perform an encryption or a decryption on page 518, Initialization with the saved configuration. For the AES-ECB or AES-CBC decryption, the key must be prepared again.
   2. b) Write the data that were saved during context saving into the IN FIFO.
   3. c) If needed, reconfigure the DMA controller to transfer the rest of the message.
   4. d) Enable the processor by setting the CRYPTEN bit and, the DMA requests by setting the DIEN and DOEN bits.

19.4 CRYP interrupts

There are two individual maskable interrupt sources generated by the CRYP. These two sources are combined into a single interrupt signal, which is the only interrupt signal from the CRYP that drives the NVIC (nested vectored interrupt controller). This combined interrupt, which is an OR function of the individual masked sources, is asserted if any of the individual interrupts listed below is asserted and enabled.

You can enable or disable the interrupt sources individually by changing the mask bits in the CRYP_IMSCR register. Setting the appropriate mask bit to '1' enables the interrupt.

The status of the individual interrupt sources can be read either from the CRYP_RISR register, for raw interrupt status, or from the CRYP_MISR register, for the masked interrupt status.

Output FIFO service interrupt - OUTMIS

The output FIFO service interrupt is asserted when there is one or more (32-bit word) data items in the output FIFO. This interrupt is cleared by reading data from the output FIFO until there is no valid (32-bit) word left (that is, the interrupt follows the state of the OFNE (output FIFO not empty) flag).

The output FIFO service interrupt OUTMIS is NOT enabled with the CRYP enable bit. Consequently, disabling the CRYP does not force the OUTMIS signal low if the output FIFO is not empty.

Input FIFO service interrupt - INMIS

The input FIFO service interrupt is asserted when there are less than four words in the input FIFO. It is cleared by performing write operations to the input FIFO until it holds four or more words.

The input FIFO service interrupt INMIS is enabled with the CRYP enable bit. Consequently, when CRYP is disabled, the INMIS signal is low even if the input FIFO is empty.

Figure 209. CRYP interrupt mapping diagram

graph LR
    INRIS --> OR1[OR]
    INIM --> OR1
    OR1 -- INMIS --> AND1[AND]
    CRYPEN --> AND1
    AND1 --> OUT1[IN FIFO Interrupt - INMIS]

    OUTRIS --> OR2[OR]
    OUTIM --> OR2
    OR2 -- OUTMIS --> AND2[AND]
    CRYPEN --> AND2
    AND2 --> OUT2[OUT FIFO Interrupt - OUTMIS]

    AND1 --> OR3[OR]
    AND2 --> OR3
    OR3 --> OUT3[Global Interrupt]
  

19.5 CRYP DMA interface

The cryptographic processor provides an interface to connect to the DMA controller. The DMA operation is controlled through the CRYP DMA control register, CRYP_DMACR.

The burst and single transfer request signals are not mutually exclusive. They can both be asserted at the same time. For example, when there are 6 words available in the OUT FIFO, the burst transfer request and the single transfer request are asserted. After a burst transfer of 4 words, the single transfer request only is asserted to transfer the last 2 available words. This is useful for situations where the number of words left to be received in the stream is less than a burst.

Each request signal remains asserted until the relevant DMA clear signal is asserted. After the request clear signal is deasserted, a request signal can become active again, depending on the above described conditions. All request signals are deasserted if the CRYP peripheral is disabled or the DMA enable bit is cleared (DIEN bit for the IN FIFO and DOEN bit for the OUT FIFO in the CRYP_DMACR register).

Note: The DMA controller must be configured to perform burst of 4 words or less. Otherwise some data could be lost.

In order to let the DMA controller empty the OUT FIFO before filling up the IN FIFO, the OUTDMA channel should have a higher priority than the INDMA channel.

19.6 CRYP registers

The cryptographic core is associated with several control and status registers, eight key registers and four initialization vectors registers.

19.6.1 CRYP control register (CRYP_CR)

Address offset: 0x00

Reset value: 0x0000 0000

Bits 31:18 Reserved, must be kept at reset value

Bits 17:16 Reserved, must be kept at reset value

Bit 15 CRYPEN : Cryptographic processor enable

0: CRYP processor is disabled

1: CRYP processor is enabled

Note: The CRYPEN bit is automatically cleared by hardware when the key preparation process ends (ALGOMODE=111b) or GCM_CCM init Phase

Bit 14 FFLUSH : FIFO flush

When CRYPEN = 0, writing this bit to 1 flushes the IN and OUT FIFOs (that is read and write pointers of the FIFOs are reset. Writing this bit to 0 has no effect.

When CRYPEN = 1, writing this bit to 0 or 1 has no effect.

Reading this bit always returns 0.

Bits 13:10 Reserved, must be kept at reset value

Bits 9:8 KEYSIZE[1:0] : Key size selection (AES mode only)

This bitfield defines the bit-length of the key used for the AES cryptographic core. This bitfield is 'don't care' in the DES or TDES modes.

00: 128 bit key length

01: 192 bit key length

10: 256 bit key length

11: Reserved, do not use this value

Bits 7:6 DATATYPE[1:0] : Data type selection

This bitfield defines the format of data entered in the CRYP_DIN register (refer to Section 19.3.3: Data type ).

00: 32-bit data. No swapping of each word. First word pushed into the IN FIFO (or popped off the OUT FIFO) forms bits 1...32 of the data block, the second word forms bits 33...64.

01: 16-bit data, or half-word. Each word pushed into the IN FIFO (or popped off the OUT FIFO) is considered as 2 half-words, which are swapped with each other.

10: 8-bit data, or bytes. Each word pushed into the IN FIFO (or popped off the OUT FIFO) is considered as 4 bytes, which are swapped with each other.

11: bit data, or bit-string. Each word pushed into the IN FIFO (or popped off the OUT FIFO) is considered as 32 bits (1st bit of the string at position 0), which are swapped with each other.

Bits 5:3 ALGOMODE[2:0] : Algorithm mode

000: TDES-ECB (triple-DES Electronic codebook): no feedback between blocks of data. Initialization vectors (CRYP_IV0(L/R)) are not used, three key vectors (K1, K2, and K3) are used (K0 is not used).

001: TDES-CBC (triple-DES Cipher block chaining): output block is XORed with the subsequent input block before its entry into the algorithm. Initialization vectors (CRYP_IV0(L/R)) must be initialized, three key vectors (K1, K2, and K3) are used (K0 is not used).

010: DES-ECB (simple DES Electronic codebook): no feedback between blocks of data. Initialization vectors (CRYP_IV0(L/R)) are not used, only one key vector (K1) is used (K0, K2, K3 are not used).

011: DES-CBC (simple DES Cipher block chaining): output block is XORed with the subsequent input block before its entry into the algorithm. Initialization vectors (CRYP_IV0(L/R)) must be initialized. Only one key vector (K1) is used (K0, K2, K3 are not used).

100: AES-ECB (AES Electronic codebook): no feedback between blocks of data. Initialization vectors (CRYP_IV0(L/R)...1L/R)) are not used. All four key vectors (K0...K3) are used.

101: AES-CBC (AES Cipher block chaining): output block is XORed with the subsequent input block before its entry into the algorithm. Initialization vectors (CRYP_IV0(L/R)...1L/R)) must be initialized. All four key vectors (K0...K3) are used.

110: AES-CTR (AES counter mode): output block is XORed with the subsequent input block before its entry into the algorithm. Initialization vectors (CRYP_IV0(L/R)...1L/R)) must be initialized. All four key vectors (K0...K3) are used. CTR decryption does not differ from CTR encryption, since the core always encrypts the current counter block to produce the key stream that is XORed with the plaintext or cipher in input. Thus, ALGODIR is don't care when ALGOMODE = 110b, and the key must NOT be unrolled (prepared) for decryption.

111: AES key preparation for decryption mode. Writing this value when CRYPTEN = 1 immediately starts an AES round for key preparation. The secret key must have previously been loaded into the K0...K3 registers. The BUSY bit in the CRYP_SR register is set during the key preparation. After key processing, the resulting key is copied back into the K0...K3 registers, and the BUSY bit is cleared.

Bit 2 ALGODIR : Algorithm direction

0: Encrypt

1: Decrypt

Bits 1:0 Reserved, must be kept at reset value

Note: Writing to the KEYSIZE, DATATYPE, ALGOMODE and ALGODIR bits while BUSY=1 has no effect. These bits can only be configured when BUSY=0. The FFLUSH bit has to be set only when BUSY=0. If not, the FIFO is flushed, but the block being processed may be pushed into the output FIFO just after the flush operation, resulting in a nonempty FIFO condition.

19.6.2 CRYP status register (CRYP_SR)

Address offset: 0x04

Reset value: 0x0000 0003

Bits 31:5 Reserved, must be kept at reset value

Bit 4 BUSY : Busy bit

0: The CRYP Core is not processing any data. The reason is either that:

• – the CRYP core is disabled (CRYPEN=0 in the CRYP_CR register) and the last processing has completed, or
• – The CRYP core is waiting for enough data in the input FIFO or enough free space in the output FIFO (that is in each case at least 2 words in the DES, 4 words in the AES).

1: The CRYP core is currently processing a block of data or a key preparation (for AES decryption).

Bit 3 OFFU : Output FIFO full

0: Output FIFO is not full

1: Output FIFO is full

Bit 2 OFNE : Output FIFO not empty

0: Output FIFO is empty

1: Output FIFO is not empty

Bit 1 IFNF : Input FIFO not full

0: Input FIFO is full

1: Input FIFO is not full

Bit 0 IFEM : Input FIFO empty

0: Input FIFO is not empty

1: Input FIFO is empty

19.6.3 CRYP data input register (CRYP_DIN)

Address offset: 0x08

Reset value: 0x0000 0000

The CRYP_DIN register is the data input register. It is 32-bit wide. It is used to enter up to four 64-bit (TDES) or two 128-bit (AES) plaintext (when encrypting) or ciphertext (when decrypting) blocks into the input FIFO, one 32-bit word at a time.

The first word written into the FIFO is the MSB of the input block. The LSB of the input block is written at the end. Disregarding the data swapping, this gives:

• • In the DES/TDES modes: a block is a sequence of bits numbered from bit 1 (leftmost bit) to bit 64 (rightmost bit). Bit 1 corresponds to the MSB (bit 31) of the first word entered into the FIFO, bit 64 corresponds to the LSB (bit 0) of the second word entered into the FIFO.
• • In the AES mode: a block is a sequence of bits numbered from 0 (leftmost bit) to 127 (rightmost bit). Bit 0 corresponds to the MSB (bit 31) of the first word written into the FIFO, bit 127 corresponds to the LSB (bit 0) of the 4th word written into the FIFO.

To fit different data sizes, the data written in the CRYP_DIN register can be swapped before being processed by configuring the DATATYPE bits in the CRYP_CR register. Refer to Section 19.3.3: Data type on page 513 for more details.

When CRYP_DIN register is written to, the data are pushed into the input FIFO. When at least two 32-bit words in the DES/TDES mode (or four 32-bit words in the AES mode) have been pushed into the input FIFO, and when at least 2 words are free in the output FIFO, the CRYP engine starts an encrypting or decrypting process. This process takes two 32-bit words in the DES/TDES mode (or four 32-bit words in the AES mode) from the input FIFO and delivers two 32-bit words (or 4, respectively) to the output FIFO per process round.

When CRYP_DIN register is read:

• • If CRYPTEN = 0, the FIFO is popped, and then the data present in the Input FIFO are returned, from the oldest one (first reading) to the newest one (last reading). The IFEM flag must be checked before each read operation to make sure that the FIFO is not empty.
• • if CRYPTEN = 1, an undefined value is returned.

After the CRYP_DIN register has been read once or several times, the FIFO must be flushed by setting the FFLUSH bit prior to processing new data.

Bits 31:0 DATAIN : Data input

Read = returns Input FIFO content if CRYPTEN = 0, else returns an undefined value.

Write = Input FIFO is written.

19.6.4 CRYP data output register (CRYP_DOUT)

Address offset: 0x0C

Reset value: 0x0000 0000

The CRYP_DOUT register is the data output register. It is read-only and 32-bit wide. It is used to retrieve up to four 64-bit (TDES mode) or two 128-bit (AES mode) ciphertext (when encrypting) or plaintext (when decrypting) blocks from the output FIFO, one 32-bit word at a time.

Like for the input data, the MSB of the output block is the first word read from the output FIFO. The LSB of the output block is read at the end. Disregarding data swapping, this gives:

• • In the DES/TDES modes: Bit 1 (leftmost bit) corresponds to the MSB (bit 31) of the first word read from the FIFO, bit 64 (rightmost bit) corresponds to the LSB (bit 0) of the second word read from the FIFO.
• • In the AES mode: Bit 0 (leftmost bit) corresponds to the MSB (bit 31) of the first word read from the FIFO, bit 127 (rightmost bit) corresponds to the LSB (bit 0) of the 4th word read from the FIFO.

To fit different data sizes, the data can be swapped after processing by configuring the DATATYPE bits in the CRYP_CR register. Refer to Section 19.3.3: Data type on page 513 for more details.

When CRYP_DOUT register is read, the last data entered into the output FIFO (pointed to by the read pointer) is returned.

Bits 31:0 DATAOUT : Data output

Read = returns output FIFO content.

Write = No effect.

19.6.5 CRYP DMA control register (CRYP_DMACR)

Address offset: 0x10

Reset value: 0x0000 0000

Bits 31:2 Reserved, must be kept at reset value

Bit 1 DOEN : DMA output enable

• 0: DMA for outgoing data transfer is disabled
• 1: DMA for outgoing data transfer is enabled

Bit 0 DIEN : DMA input enable

• 0: DMA for incoming data transfer is disabled
• 1: DMA for incoming data transfer is enabled

19.6.6 CRYP interrupt mask set/clear register (CRYP_IMSCR)

Address offset: 0x14

Reset value: 0x0000 0000

The CRYP_IMSCR register is the interrupt mask set or clear register. It is a read/write register. On a read operation, this register gives the current value of the mask on the relevant interrupt. Writing 1 to the particular bit sets the mask, enabling the interrupt to be read. Writing 0 to this bit clears the corresponding mask. All the bits are cleared to 0 when the peripheral is reset.

Bits 31:2 Reserved, must be kept at reset value

Bit 1 OUTIM : Output FIFO service interrupt mask

• 0: Output FIFO service interrupt is masked
• 1: Output FIFO service interrupt is not masked

Bit 0 INIM : Input FIFO service interrupt mask

• 0: Input FIFO service interrupt is masked
• 1: Input FIFO service interrupt is not masked

19.6.7 CRYP raw interrupt status register (CRYP_RISR)

Address offset: 0x18

Reset value: 0x0000 0001

The CRYP_RISR register is the raw interrupt status register. It is a read-only register. On a read, this register gives the current raw status of the corresponding interrupt prior to masking. A write has no effect.

Bits 31:2 Reserved, must be kept at reset value

Bit 1 OUTRIS : Output FIFO service raw interrupt status

Gives the raw interrupt state prior to masking of the output FIFO service interrupt.

0: Raw interrupt not pending

1: Raw interrupt pending

Bit 0 INRIS : Input FIFO service raw interrupt status

Gives the raw interrupt state prior to masking of the Input FIFO service interrupt.

0: Raw interrupt not pending

1: Raw interrupt pending

19.6.8 CRYP masked interrupt status register (CRYP_MISR)

Address offset: 0x1C

Reset value: 0x0000 0000

The CRYP_MISR register is the masked interrupt status register. It is a read-only register. On a read, this register gives the current masked status of the corresponding interrupt prior to masking. A write has no effect.

Bits 31:2 Reserved, must be kept at reset value

Bit 1 OUTMIS : Output FIFO service masked interrupt status

Gives the interrupt state after masking of the output FIFO service interrupt.
0: Interrupt not pending
1: Interrupt pending

Bit 0 INMIS : Input FIFO service masked interrupt status

Gives the interrupt state after masking of the input FIFO service interrupt.
0: Interrupt not pending
1: Interrupt pending when CRYPEN = 1

19.6.9 CRYP key registers (CRYP_K0...3(L/R)R)

Address offset: 0x20 to 0x3C
Reset value: 0x0000 0000

These registers contain the cryptographic keys.

In the TDES mode, keys are 64-bit binary values (number from left to right, that is the leftmost bit is bit 1), named K1, K2 and K3 (K0 is not used), each key consists of 56 information bits and 8 parity bits. The parity bits are reserved for error detection purposes and are not used by the current block. Thus, bits 8, 16, 24, 32, 40, 48, 56 and 64 of each 64-bit key value Kx[1:64] are not used.

In the AES mode, the key is considered as a single 128-, 192- or 256-bit long bit sequence, \( k_0k_1k_2...k_{127/191/255} \) ( \( k_0 \) being the leftmost bit). The AES key is entered into the registers as follows:

• • for AES-128: \( k_0..k_{127} \) corresponds to \( b_{127}..b_0 \) ( \( b_{255}..b_{128} \) are not used),
• • for AES-192: \( k_0..k_{191} \) corresponds to \( b_{191}..b_0 \) ( \( b_{255}..b_{192} \) are not used),
• • for AES-256: \( k_0..k_{255} \) corresponds to \( b_{255}..b_0 \) .

In any case \( b_0 \) is the rightmost bit.

CRYP_K0LR (address offset: 0x20)

CRYP_K0RR (address offset: 0x24)

Note: Write accesses to these registers are disregarded when the cryptographic processor is busy (bit BUSY = 1 in the CRYP_SR register).

Address offset: 0x40 to 0x4C

Reset value: 0x0000 0000

The CRYP_IV0...1(L/R)R are the left-word and right-word registers for the initialization vector (64 bits for DES/TDES and 128 bits for AES) and are used in the CBC (Cipher block chaining) and Counter (CTR) modes. After each computation round of the TDES or AES Core, the CRYP_IV0...1(L/R)R registers are updated as described in Section : DES and TDES Cipher block chaining (DES/TDES-CBC) mode on page 504 , Section : AES Cipher block chaining (AES-CBC) mode on page 508 and Section : AES counter mode (AES-CTR) mode on page 510 .

IV0 is the leftmost bit whereas IV63 (DES, TDES) or IV127 (AES) are the rightmost bits of the initialization vector. IV1(L/R)R is used only in the AES.

Note: In DES/3DES modes, only CRYP_IV0(L/R) is used.

Write access to these registers are disregarded when the cryptographic processor is busy (bit BUSY = 1 in the CRYP_SR register).

Table 75. CRYP register map and reset values (continued)

Refer to Section 2.3: Memory map for the register boundary addresses.