STM32 X-CUBE-Cryptolib - IV length and padding

AGhez · ‎2025-04-17

Hi everyone,

I am trying to use the X-Cube-Cryptolib library to decrypt an array encrypted by an external application.

The original data has been encrypted with the AES-GCM 128 using a key of 16 bytes and an IV of 1 byte.

Now, I am getting an error where trying to set the IV to a length other than 12 byte.

Can you confirm that the method "cmox_cipher_setIV" only accept an IV of 12 byte? It is strange that the method documentation does not contain such info..

I tried with an other library that perform a GHASH padding of the IV and it can decrypt my input data.
Is there any similar implementation of a standard compliant method to perform an IV padding to be used with the ST library?

Thanks,

regards

Arianna

CMYL · ‎2025-04-23

Hi @AGhez

I agree that for handling non-standard IV lengths, you might need to implement a padding mechanism similar to GHASH padding, as you mentioned above.

According to the NIST specifications for AES-GCM, the computation of the initial counter block J0 depends on the length of the IV.

a) If len(IV)=96, then let J0 = IV || 0^31 ||1
b) If len(IV) ≠ 96, then J0= GHASH(IV||0^s+64||[len(IV)]64)

It appears that the cmox_cipher_setIV method in the X-Cube-Cryptolib library does not explicitly document constraints on the IV length.

I will check internally if the library have limitations regarding the IV length ?

Best regards