/Kmel SMART ARM-Based Microcontroller ATI 0764: Software Library for AES-128 Encryption and Decryption Application Note Introduction Advanced Encryption Standard (AES) is a specification for encryption of electronic data established by National Institute of Standards and Technology (NIST) in 2001 as Federal Information Processing Standards (FIPS) 197. This is a symmetric block cipher algorithm used for the encryption and decryption of electronic data. This application note explains the C implementation of AES encryption and decryption algorithm. Features The application note covers the following features. • Compliant with FIPS Publication 197, Advanced Encryption Standard (AES) • AES encryption and decryption algorithm • 1 28 bit cryptographic key supported • Five confidentiality modes of operation of AES specified in FIPS - Electronic Codebook mode (ECB) - Cipher Block Chaining mode(CBC) - Cipher Feedback mode (CFB) - Output Feedback mode (OFB) - Counter mode (CTR) • 8, 16, 32, 64, and 128-bit data sizes possible in CFB mode Atmel SMART” Atmel-42508A-AT 1 0764-Software-Library-for-AES-1 28-Encryption-and-Decryption_ApplicationNote_08/201 5 Table of Contents Introduction 1 Features 1 1 Glossary 4 2 Hardware and Software Setup 4 3 AES Algorithm 5 3.1 AES Encryption 5 3.1 .1 Add Round Key Transformation 6 3.1 .2 SubBytes Transformation 7 3.1 .3 ShiftRows Transformation 8 3.1.4 MixColumns Transformation 8 3.1.5 C Implementation 8 3.2 Key Expansion 9 3.2.1 C implementation 9 3.3 AES Decryption 9 3.3.1 Inverse of AddRoundKey 10 3.3.2 Inverse SubBytes Transformation 10 3.3.3 Inverse ShiftRows Transformation 11 3.3.4 Inverse MixColumns Transformation 1 1 3.3.5 C Implementation 12 4 Block Cipher Modes of Operation 12 4.1 Electronic Codebook Mode 1 2 4.1 .2 C Implementation of ECB mode 1 3 4.2 The Cipher Block Chaining Mode (CBC) 1 3 4.2.1 CBC Encryption 1 3 4.2.2 CBC Decryption 14 4.2.3 C Implementation of CBC mode 14 4.3 Cipher Feedback mode 15 4.3.1 CFB Encryption 15 4.3.2 CFB Decryption 16 4.3.3 C Implementation 16 4.4 Output Feedback mode 19 4.4.1 OFB Encryption 19 4.4.2 OFB Decryption 19 4.4.3 C Implementation 20 4.5 The Counter Mode (CTR) 21 4.5.1 CTR Encryption 21 4.5.2 CTR Decryption 22 4.5.3 Generation of counter blocks 22 4.5.4 C Implementation of CTR mode 22 5 AES -128 Example Implementation 25 6 Execution of Example in Atmel Studio 26 7 References 28 7.1 FIPS - 197 Advanced Encryption Standard (AES) 28 7.2 FIPS SP 800-38A Recommendation for Block Cipher Modes of Operation 28 Software Library for AES-128 Encryption and Decryption [APPLICATION NOTE] ^ IT!©! Atmel-42508A-AT 1 0764-Software-Library-for-AES-1 28-Encryption-and-Decryption_ApplicationNote_08/201 5 7.3 SAM D Device Datasheet 28 7.4 Hardware Tools User Guide 28 7.5 Atmel Studio 28 8 Revision History 29 /Itmel Software Library for AES-128 Encryption and Decryption [APPLICATION NOTE] Atmel-42508A-AT 1 0764-Software-Library-for-AES-1 28-Encryption-and-Decryption_ApplicationNote_08/201 5 1 Glossary The following terms are used throughout this application note document: Table 1-1. Glossary Glossary Description AES Advanced Encryption Standard Cipher Series of transformations that convert plain text to cipher text using the Cipher Key Cipher Key Secret cryptographic key that is used by the Key Expansion Routine to generate a set of Round Keys Cipher Text Data output from the Cipher or input to the Inverse Cipher Inverse Cipher Series of transformations that converts cipher text to plain text using the Cipher Key Key Expansion Routine used to generate a series of Round Keys from the Cipher Key Nk Number of 32-bit words comprising the Cipher Key. For AES-128, Nk = 4. Plain Text Data input to the Cipher or output from the Inverse Cipher Round Key Values derived from the Cipher Key using the Key Expansion Routine State Intermediate Cipher result S-box Non-linear substitution table used in several byte substitution transformation and in the Key Expansion Routine to perform one-for-one substitution of a byte value. 2 Hardware and Software Setup The application note has been tested in the following test setup: • SAM D21 Xplained Pro Board • Atmel Studio 6.2 SP2 build 1563 Software Library for AES-128 Encryption and Decryption [APPLICATION NOTE] Atmel-42508A-AT 1 0764-Software-Library-for-AES-1 28-Encryption-and-Decryption_ApplicationNote_08/201 5 /Itmel 3 AES Algorithm Federal Information Processing Standards Publications (FIPS PUBS) are issued by the National Institute of standards and Technology (NIST). The Advanced Encryption Standard Algorithm (AES) specifies the FIPS approved (FIPS Pub. 197) cryptographic algorithm that can be used to protect electronic data. AES is a symmetric key algorithm that operates on 128-bit block of input data for a specified number of times. The symmetric key means that same key is used for both encryption and decryption. Encryption process converts the data to unintelligible form called cipher text. Decryption process converts the data back to its original form called plain text from the cipher text. The key size used for an AES encryption and decryption can be 128, 192, or 256 bits for a fixed input block size of 128 bits. The size of the key determines the number of rounds to be performed on an input block of data. The number of rounds of repetition is as follows: • 1 0 rounds of repetition for 1 28-bit keys • 12 rounds of repetition for 192-bit keys • 14 rounds of repetition for 256-bit keys The following sections explains the AES encryption and decryption algorithm. For more details on the AES standard, refer to the AES standard document. 3.1 AES Encryption The AES-128 encryption process involves 10 rounds of encryption along with an initial round for the 128 bit data encryption. To begin with, the 128-bit key is expanded into a set of eleven 128-bit round keys using the Key expansion routine. Each of this keys is used for the rounds, finally resulting in the cipher text output. The initial round in the AES Encryption comprises of the Add Round key step in which the plain text is XOR’ed with the Cipher Key. The subsequent 9 rounds goes through four different byte oriented transformations as listed below. 1 . Byte substitution using S-box (Sub Byte) 2. Shifting rows of the state array by different offsets (Shift Rows) 3. Mixing the data within each column (Mix Columns) 4. Adding Round key to the state (Add Round Key) In the 10 th round, the above steps are repeated excluding the Mix Columns step. Following sections explain each of them in detail. The overall process of AES encryption is illustrated in the figure below: /Itmel Software Library for AES-128 Encryption and Decryption [APPLICATION NOTE] Atmel-42508A-AT 1 0764-Software-Library-for-AES-1 28-Encryption-and-Decryption_ApplicationNote_08/201 5 Figure 3-1. AES Encryption Block diagram The 128-bit input block of data is processed byte-by-byte and mapped into a 4x4 byte matrix for processing convenience as per the AES standard. Each block of input and the intermediate inputs between the different rounds is mapped into a 4x4 state matrix as shown in the figure below: Figure 3-2. So,Q Sq.i Sq.2 So,3 Sl.Q Si.i Su Si ,3 S2.Q S2,l S2.2 S 2.3 S'3,0 S3 ( 1 $3.2 S3.3 3.1.1 AddRoundKey Transformation In this transformation, the Round key is added to the State by bitwise XOR operation. The Round key for each round has to be generated from the Key Expansion which is explained in the coming sections. Software Library for AES-128 Encryption and Decryption [APPLICATION NOTE] lTI©i Atmel-42508A-AT 1 0764-Software-Library-for-AES-1 28-Encryption-and-Decryption_ApplicationNote_08/201 5 Figure 3-3. AddRoundKey Transformation So.o So.i So ,2 So ,3 Si.o Si.i Si ,2 Si ,3 S 2.0 S 2.1 82.2 S2.3 S3.0 Ss.i Ss .2 Ss.3 Add Round key SXor (Round key) S'a.n S'o.i S’o.2 S 0.3 S'i.o S'i.i S'l.2 S' 1,3 S'2.0 S ' 2 , 1 S'2.2 S'2.3 S's.d S’3,1 S'a.2 S' 3, 3 3.1.2 SubBytes Transformation The SubBytes Transformation is a non-linear byte substitution that operates independently on each byte of the state using a substitution table(S-Box). The figure below illustrates the S-Box transformation of a matrix of bytes. Figure 3-4. SubBytes Transformation S So.c Sd,i So,2 So. 3 Sl.G Si .1 Si ,2 Si ,3 S 2 .C S 2.1 S 2.2 S2.3 Ss.c Ss.i S3.2 S3. 3 S' The SubBytes transformation applies S-Box to each byte in the state. Figure shows the S-Box substitution values for the AES-128 Encryption. Figure 3-5. S-Box for AES Encryption y 0 1 2 3 4 5 6 7 8 9 a b c d e f 0 S3 7c 77 7b £2 6b i 6f □5 30 01 67 2b fm d7 ab 76 1 ca 82 c9 7d £a 59 47 £0 ad d4 a2 a £ 9c a4 72 cG 2 r hi fd 93 26 36 3f £7 cc 34 a5l e5 £1 71 d8 31 15 3 04 c7 23 r c3 13 96 05 9a 07 12] 80 02 &h 27 b2 75 4 09 03 2c la lb 60 5a aO 52 3b d6 b3 29 e3 2f 64 5 53 dl 00 ed 20 £c bl 5b 6a cb be 39 4a 4c 5a cf 6 1 dQ e£ aa fb 43 4d 33 85 45 f 9~j 02 7£ 50 3c 9£ a 8 X 7 51 a3 40 flf 92 9d 30 £5 be b6 da 21 10 ff f3 d2 3 cd Oc 13 ec 5£ 97 44 17 c4 a. 7 70 3d 64 5d 19 73 9 60 31 4f dc 22 2a 1 $0 S8 4 6 aa b8 14 d0 50 0b db a eQ 32 3 a 0 a 4 9 06 2 4 5c c2 d3l at 62 91 95 e4 7 9 b e7 c8 37 6d 3d d5 4£ a9 0 c 56] £4 ea 05 7a ae 08 c ba 7 0 25 2e 1c a 6 b4 c6 08 dd 74 if 4b bd 8b 0a d 70 3e b5 66 43 03 f 6 Oc 61 35 57 b9 86 cl Id 9e e el £8 9S 11 69 69 Be 94 9b le 87 e9 ce 55 28 df f 0 C al B9 Qd bf c6 42 68 41 99] 2d 0£ b0 54 bb 16 /Itmel Software Library for AES-128 Encryption and Decryption [APPLICATION NOTE] Atmel-42508A-AT 1 0764-Software-Library-for-AES-1 28-Encryption-and-Decryption_ApplicationNote_08/201 5 7 3.1 .3 ShiftRows T ransformation In this transformation, the bytes in the last three rows of the state are cyclically shifted left over different offsets. The elements in the first row are not shifted. The below representation demonstrates the ShiftRows transformation applied on the state array. Figure 3-6. ShiftRows Transformation 3.1.4 MixColumns Transformation MixColumns transformation operates column by column on the state matrix applying polynomial transformation on each column. The columns are considered as four-term polynomials over GF(2 8 ) and multiplied modulo x 4 +1 with a fixed polynomial a(x), given by: a(x) = {03}x 3 + {01 }x 2 + {01 }x + {02} Figure 3-7. MixColumns Transformation 3.1.5 C Implementation The AES Encryption is implemented in the function aes_cipher() in the aes.c. The steps SubBytes and ShiftRows are combined in a single function to optimize the code. To begin with, one block of the plain text is copied into an intermediate State array. In Round 0, the state array is XOR-ed with the Round key 0. The subsequent 9 Rounds are implemented as in the below code snippet: //Round 1 to 9 for (round = lj round < round ++){ /* Sub Bytes and Shift Rows */ SubBytes_ShiftRows( state l* Mix Columns */ MixCcluimnns( state )' 3 /* Add RoundKey */ AddRoundKey( state j round ) j } The final round is performed excluding the MixColumns step to give the Cipher text output. Software Library for AES-128 Encryption and Decryption [APPLICATION NOTE] lTI©i Atmel-42508A-AT 1 0764-Software-Library-for-AES-1 28-Encryption-and-Decryption_ApplicationNote_08/201 5 3.2 Key Expansion The AES algorithm gets the Cipher Key from the user and uses the Key Expansion Routine to generate the Set of Round keys known as the Key Schedule. For the AES-128 encryption and decryption, the Key Expansion Routine generates a set of eleven 128-bit Round keys from the 128-bit Cipher Key. The first 4 words (128 bits of first round key) of the expanded key schedule are kept same as the actual cipher key. The remaining 40 words (for remaining 10 round keys) are calculated using the 3 operations - Rotate, Rcon and S-Box. Rotate In this step, elements in each column in the round key matrix rotated vertically clockwise by 1 byte. Rcon: This step involves XOR with the Round constant for the words in the position of multiple of Nk. S-Box: This takes the 4-byte input and applies the S-Box. 3.2.1 C implementation The key expansion routine is implemented in the function KeyExpansion in the aes.c. The cipher key is retained as the key for Round 0. The subsequent bytes in the key schedule are computed by using the Rotate, Rcon and S-box transformations. The overall implementation of the Key expansion routine is as follows: //Retain the initial for round 0 for ( i = ■&; i < 16; i+t){ round_key[ i ] = key[ i ]; } // Compute Key schedule of block size for each round for f i = 1; i < (AES MUM OF ROUNDS 4 1); i44){ temp = round_key[ i*16 round_key [ i*16 4 O] = round_key[ i*16 4 1] = round_key[i*16 4 2] = round_key[i*16 4 3] = round_key [ i*16 4 4] = round_key[i*16 4 S] = round_key[ i*16 4 6] = round_key[ i*16 4 7] = rou nd_key [ i* 1 6 4 8] = round_key[ i*16 4 9] = round_key[ i*16 4 10] = round_key[i*16 + 11] = - 4 ]i sbo>c[ round_key[i*16 - 3] sbo>c[ round_key[i*16 - 2] sbox[ round_key[i*16 - 1] sbox[ temp ] round_key[ round_key[ (i-l)*16 4 4] round_key[ (i-l)*16 4 5] A round_key[ (i-l)*16 4 6] A round_key[ (i-l)*16 4 7] A round_key[ (i-l)*16 4 8] A round_key[(i-l)*16 4 9] A round_key[ (i-l)*16 410] A round_key[ (i-l)*16 411] A ] * round_key[ (i-l)*16 4 O] A ] A round_key[ (i-l)*16 4 1]^ ] A round_key[ (i-l)*16 4 2]j ( i-1) *16 4 3]; pound_key[i*16 4 0]; round_key[i*16 4 1]; round_key[i*16 4 2]; round_key[ i*16 4 3]; round_key [ i*16 44]; round_key[ i*16 4 5]; round_key[ i*16 4 6]; round_key[ i*16 47]; RCon[ rou nd_key [ i* 1 6 4 12] round_key[ i*16 4 13] round_key[i*16 4 14] round_key[ i*16 4 15] round_key[ (i-l)*16 412] A round_key[i !|: 16 4 8]; round_key[(i-l)*ie 413] A round_key[i*16 4 9]; round_key[ (i-l)*16 414] A round_key[i*16 410]; round_key[ (i-l)*16 415] A round_key[i*16 411]; 3.3 AES Decryption The AES-128 decryption process involves similar number of rounds as the AES-128 Encryption process with corresponding inverse transformations. The initial round includes only the AddRoundKey step which is the same as in AES-128 Encryption. The inverse transformations for the subsequent rounds are as below: 1 . Inverse Shift Rows 2. Inverse SubBytes 3. Add Round Key 4. Inverse Mix Columns In the 10 th round, the above steps are repeated excluding the Mixcolumns step. The overall process of AES decryption is illustrated in the figure below: /Itmel Software Library for AES-128 Encryption and Decryption [APPLICATION NOTE] Atmel-42508A-AT 1 0764-Software-Library-for-AES-1 28-Encryption-and-Decryption_ApplicationNote_08/201 5 Figure 3-8. AES Decryption Block diagram 3.3.1 Inverse of AddRoundKey This is same as the AddRoundKey transformation as this involves only XOR operation between an input and output blocks. So.o Sa.i So ,2 So, 3 Si.o S i.i S 1.2 Sl,3 S2.0 S 2.1 S2.2 S2.3 Ss.o S3.1 Ss,2 S3.3 Inverse Add Round key SXor (Round key) S' S'o.o S'a.i S'd.2 S’o.3 S'i.o S 1 1 . i S'l,2 S 1 1 , 3 S'2.0 S'2,1 S'2.2 S'2.3 S' 3,0 S' 3, 1 S' 3,2 S'3,3 3.3.2 Inverse SubBytes Transformation This is the inverse of the SubBytes Transformation, in which the inverse S-Box is applied to each element in the State. The inverse S-Box used in this transformation is as below: Software Library for AES-128 Encryption and Decryption [APPLICATION NOTE] lTI©i Atmel-42508A-AT 1 0764-Software-Library-for-AES-1 28-Encryption-and-Decryption_ApplicationNote_08/201 5 Figure 3-9. Inverse S-Box y 0 1 2 3 4 5 6 7 B 9 a b □ d a f 0 52 1 09 6a d5 30 36 a5 33 bf 40 a3 9a 31 f 3 d7 fb 1 7c e3] 39 B2 9b 2f ff B7 34 Ba 43 44 c4 da a9 cb 2 54 7b 94 32 a6 c2 23 3d ea 4c 95 Ob 42 fa e3 4 a 3 OB 2e al 66 2 3 d9 24 b2 76 5b a 2 49 6d 8b dl 25 4 12 fS f6l 64 36 63 93 16 d4 a 4 5e cc 5d 65 b6 92 5 6 c 70 4 a 50 fd ed b9 da 5a 15 46 57 a7 Sd 9d 84 6 90 da ab 00 Be be d3 0a f 7 a4 53 05 bS b3 45 06 7 d0 2c le af ca 3f Of 02 cl af bd 03 01 13 8a 6b 8 3a 91 11 41 4f 67 dc ea 97 f 2 cf ce fO b4 €6 73 9 96] acl 74 22 a7 ad 35 35 a2 £9 37 *3 1c 75 df 6a a 47 fl la 71 Id 29 □ 5 B9 6f b7 62 Oa a a 18 ba lb b £c 56 3a 4b c6 d2 79 20 9a db cO f e 7S cd 5a £4 c if dd a 3 33 33 07 c7 31 bl 12 10 59 27 80 ec 5f d 60l 5l1 7f a9 19 b5 4a Od 2d a5 7a 9£ 93 c9 9c af a aO e0 3b 4d ae 2a f5 bO cS ab bb 3c S3 53 99 61 f 17 2b 04 7a ba 77 de 26 el 69 14 63 55 21 0e 7d 3.3.3 Inverse ShiftRows Transformation This is the inverse of the ShiftRows transformation. The bytes in the last three rows are cyclically shifted to the right over a different number of bytes. Figure 3-10. Inverse ShiftRows Transformation 3.3.4 Inverse MixColumns Transformation This is an inverse of MixColumns transformation. This operates on a column-by-column basis on the state matrix applying polynomial transformation. Figure 3-11. Inverse MixColumns Transformation So.o Soj So,2 So, 3 Si.o Si/t S 2.0 S21 82.2 82.3 S3.0 Ss.i 83.2 83.3 Inverse MixColumns S'o.D S\ 1 S'n.2 8*0,3 s\i 8*1,2 8*1,3 8 ' 2,0 S’ 2,1 8 ' 2,2 S'2,3 S J 3.0 sv 8 '3.2 8 '3. 3 /Itmel Software Library for AES-128 Encryption and Decryption [APPLICATION NOTE] Atmel-42508A-AT 1 0764-Software-Library-for-AES-1 28-Encryption-and-Decryption_ApplicationNote_08/201 5 11 3.3.5 C Implementation The AES decryption is implemented in the function aes_inverse_cipher() in the aes.c. The steps inverse SubBytes and inverse ShiftRows are combined in a single function to optimize the code. To begin with, one block of the cipher text is copied into an intermediate State array. In Round 0, the state array is XOR-ed with the Round key 0. The subsequent 9 Rounds are implemented as in the below code snippet: // Round 9 to 1 for (round = 9; round >0; round--) { /* Inverse Sub Bytes and Shift Rows */ I n v_S h if t R ows_5 u b Bytes (state); /* Inverse Add Round Key */ I nv_A.dd Round Key ( st a t e * ro u nd ) ; /* Inverse Mix Columns */ Inv_MixColumns ( state * round) ; } The final round is performed excluding the MixColumns step to give the plain text output. 4 Block Cipher Modes of Operation In FIPS SP800-38A, NIST recommends five confidentiality modes of operation listed below for use with an underlying symmetric key block cipher algorithm. Mode of operation is an algorithm that describes how to repeatedly apply a cipher’s single-block operation to encrypt data larger than a block. • Electronic Codebook mode (ECB) • Cipher Block Chaining mode (CBC) • Cipher Feedback mode (CFB) • Output Feedback mode (OFB) • Counter mode (CTR) The following sections explain the algorithm of each modes and their C implementation in this application note. The implementation is done in crypt.c/.h file. The standard document (FIPS Pub 800-38A) should be referred for detailed description of mathematic description of each modes. 4.1 Electronic Codebook Mode In this mode, the input is divided in to separate block of 128 bits. Each block is encrypted/decrypted independently. In ECB encryption, the cipher function is directly applied to each input block resulting in a cipher text. In ECB decryption, the inverse cipher function is applied to each block to retrieve the plain text. It is illustrated in the Figure 4-1. Software Library for AES-128 Encryption and Decryption [APPLICATION NOTE] TYl©i Atmel-42508A-AT 1 0764-Software-Library-for-AES-1 28-Encryption-and-Decryption_ApplicationNote_08/201 5 Figure 4-1 . Electronic Codebook Mode ECB Encryption Plain Text 1 r Cipher function r Cipher Text ECB Decryption CipherText f Inverse Cipher function r Plain Text ECB is the simplest mode of all. As it involves direct encryption of each block, it does not provide better confidentiality and so it is not recommended for cryptographic protocols. 4.1.2 C Implementation of ECB mode As mentioned, the implementation is very direct that input is divided into each block of 128 bits. The number of input blocks (input_block_size) are calculated from the size of the input plain text. Forward and inverse cipher function is applied to them to get the cipher text and plain text respectively as below in the loop for the input_block_size. I void ecb_encrypt (uint8_t *plainText uintS_t ^oipherText uint32._t size) { uint.32._t input_block_size = 0; uintS t block count = Gj //Calculate the number of input blocks input_blcck_size = size/AE5_BILOCK_5IZE j for(block_count = 0^ block_count < input_block_siz-e; block_count++){ //Perform forward cipher for the input blocks aes_cipher(plainTe>ctH-£block_count * AE5_BILQCK_5IZE) j. cipherTeKt+£block_count * AE5_B10CK_5IZE) ) j } } 4.2 The Cipher Block Chaining Mode (CBC) As the name implies, this mode features chaining of plain text with previous cipher text blocks. This mode requires an Initialization Vector (IV) to combine with the first block. The IV is not secret but should be unpredictable. I.e. for any given plaintext, it must not be possible to predict the IV that will be associated to the plaintext in advance of the generation of the IV. Various methods of generation of Initialization vector is explained in Appendix C of FIPS Pub 800-38A. 4.2.1 CBC Encryption In the CBC Encryption, the first block of plain text is XOR-ed with IV. This forms the input block for cipher function which results in the first cipher text block. This cipher text then XOR-ed with the next plain text block and goes through forward cipher to form the second cipher text. Thus further cipher text blocks are formed by applying forward cipher after XOR-ing the respective block of plain text with the previous block’s cipher text. Because of this chaining, one bit change in the plain text or IV could affect all following cipher text blocks. /Itmel Software Library for AES-128 Encryption and Decryption [APPLICATION NOTE] Atmel-42508A-AT 1 0764-Software-Library-for-AES-1 28-Encryption-and-Decryption_ApplicationNote_08/201 5 13 Figure 4-2. CBC Encryption Plain Text block n r r IX v: y r Cipher function ' f ( Cipher Text \ block n 4.2.2 CBC Decryption In CBC decryption, the inverse cipher is applied over input cipher text and the resulting output block is XOR-ed with IV to get the first block of plain text. The second cipher text block goes through inverse cipher function and the resulting output block is XOR-ed with previous cipher text block to get the second plain text block. Further plain text blocks are retrieved by applying inverse cipher over respective cipher text block and then XOR-ed the resulting output block with its previous cipher text block. Figure 4-3. CBC Decryption 4.2.3 C Implementation of CBC mode For encryption: The input_block_size is calculated to get the number of input blocks. The initials input block is formed by XOR between IV and plain text as below //Calculate input block size input_block_size = (size / AES_BLGCK_SIZE )j Forward cipher is applied to the input block to get the corresponding cipher text. for ( bloc fc_count = #jblock_count < input_block_size;; block_count-i-+){ //Sending initialization vector to the cipher function to get further output blocks aes_cipher(plainTeKt +(block_count * AE5_BILOCK_SIZE) ^ cipherText +( block_count * AE5_BLOCK_SIZE ) ) j Software Library for AES-128 Encryption and Decryption [APPLICATION NOTE] lTI©i Atmel-42508A-AT 1 0764-Software-Library-for-AES-1 28-Encryption-and-Decryption_ApplicationNote_08/201 5 The next input block is formed by XOR of next block of plain text with the previously formed cipher text. This is done until last block is reached. if (bl.ock_count != (input_block_size -1)){ //Move the previous cipher block to feedback for next round for(byte_count = 0; byte_count < AE5_BLQCK_5IZE j byte_count-H-){ // XOR plain text with previous cipher text to forim input for next block plainText [byte_count -I- ( (block_count + 1)*AE5_BLGCK_5IZE) ] = plainText [byte_count + ( (block_count + l)*AES_BLOCK_5IZE)] A cipherText [byte_count -l- (block_count* AES_BI_OCK_5IZE)]; For Decryption: To retrieve the first plain text block, the inverse cipher function is applied to the first block of cipher text. The first block of plain text is formed by XOR of resulting output block with IV as below //Round® aes_inverse_cipher (cipherText^ plainText ) j for(byte_CQunt = Sj byte_count < AE5_BI_OCK_5IZE j, byte_count++){ /* Retrieve the first block of input data by XOR round S * output with Initialization vector */ plainText [byte_count] = plainText[byte_count ] A init_vector [ byte_count ] j } The further plain texts are formed by XOR of resulting output block with previous cipher text for specified number of blocks. for(block_c 0 unt = l;block_count < input_block_size; block_count++){ //Perform inverse cipher for the |input blocks aes_inverse_cipher(cipherText+(block_count * AES_BLOCK_SIZE)j p!ainText+(block_count * AES_BLOCK_SIZE)); for(byte_count = 0j byte_count < AESBLOCKSIZE; byte_count++){ /* XOR output of previous inverse cipher function with previous cipher text to * form the input for next block */ plainText [byte_count + (block_coumt * AES_BLO€K_SIZE)] = plainText [byte_count + (block_count * AE S_B LOC K_S I Z E ) ] A cipherText [byte_count + ( (block_count - 1) * AES_B LOC K_SI ZE ) ] j 4.3 Cipher Feedback mode The Cipher Feedback mode features the feedback of the successive cipher text elements into the input block of the forward cipher function to generate output blocks that are XOR-ed with the plain text to produce the cipher text. This mode requires a unique Initialization vector in addition to the plaintext and cipher key. The CFB mode also needs an integer parameter s, where s should be less than or equal to 128 bits. In the CFB mode, each plain text and cipher text block contain s bits. Correspondingly the modes are named as 1 -bit CFB, 8-bit CFB, 64-bit CFB, 128-bit CFB, etc. 4.3.1 CFB Encryption This Initialization vector (IV) is passed as the first input block to the AES Forward Cipher function to produce the first output block. To generate the cipher text output, the first s bits in the plain text are XOR-ed with the first s bits in the output block. The remaining b-s bits in the output block are discarded (b=128). /Itmel Software Library for AES-128 Encryption and Decryption [APPLICATION NOTE] Atmel-42508A-AT 1 0764-Software-Library-for-AES-1 28-Encryption-and-Decryption_ApplicationNote_08/201 5 15 To generate the second input block, the b-s LSBs in the IV are concatenated with the s bits from the cipher text output of the first block. The process is repeated with successive input blocks until the entire plaintext is converted into cipher text output. The encryption process of the CFB mode can be illustrated as below: Figure 4-4. CFB Encryption 4.3.2 CFB Decryption In CFB Decryption, the Initialization vector if given as first input block, and subsequent input blocks are generated by concatenating b-s bits of IV with s bits from the cipher text. The input block is applied to the forward cipher function to obtain the output block. Then the s bits of the cipher text are XOR-ed with s bits of the ciphertext. The Decryption process of the CFB mode can be illustrated as below. Figure 4-5. CFB Decryption 4.3.3 C Implementation The CFB encryption and the decryption functions have been implemented in the crypt.c. Encryption: The encryption function takes the plaintext, array for cipher text, initialization vector, CFB mode in bits and size of the plain text as inputs. To start with, the number of input blocks is calculated from the size parameter. Also, the cfb_byte is calculated from the CFB mode. This is because all the operations are performed in byte level throughout the code. The initialization vector is given to the aes_cipher function for generating the first output block. Then, depending upon the CFB mode, certain number (cfb_byte) of bytes in the plain text are XOR-ed with the output block to get the cipher text output. The implementation of the first encryption block is as below: Software Library for AES-128 Encryption and Decryption [APPLICATION NOTE] lTI©i Atmel-42508A-AT 1 0764-Software-Library-for-AES-1 28-Encryption-and-Decryption_ApplicationNote_08/201 5 for(byte_count = byte_count < AE5_BlOCK_SIZEj byte_count44){ //Moving initial vector to a temp array i n it_ve c to r_t emp [ byt e_co u n t ] = i n it_ve c to r [ byt e_c o u nt ] ^ } //Forward cipher of initial vector 1 aes_cipher ( ini't_vector_temp j cipherText ) j //XOR-ing plain text 's' bits with output block s bits for(byte_count = byte_count < cfb_bytei byte_count44){ cipherText [byte_count ] = plainText [by r te_count ] * cipherText[byte_count]; } For the subsequent blocks, the input block (init vector temp) is generated by concatenating the bits from the IV and the cipher text and given to the forward cipher function. Then the cipher text is generated by XOR-ing the bytes of plain text and output block. The implementation of the encryption is as follows: //Encryption of remaining blocks for ( bloc k_count = l;bloek_eount < ( (AES_BLOCK_SIZE * input_block_size) / cfb_byte)i block_count44){ index! = //Preparation of Initialization vector for the next round for (byte_count = O; byte_count < AE5_BLOCK_5IZE j byte_count44){ if ( bloc k_cou nt < ( (AES_BLOCK_5IZE/cfb_byte) )4l){ /* For the first few blocks where initialization vector and cipher output * is used to generate the init_vector_temp */ if ( byte_count < (AES_BLOCK_SIZE - (block_count 4 cfb_byte - !))){ i n it_ve c to r_t emp [ byt e_c o u nt ] = i n it_ve ct o r [ byt e_co u n t 4 ( cf b_byt e 4 bloc k_c o u nt - 1 ) ] j }else{ init_vector_temp [byte_count] = cipherText [indexl4+]; } if (bloc k_co u nt == ( AE S_B LOC K_5 1 Z E / cf b_byt e ) ) { i n d e x2_fl a g = true^ } }else{ /* For the remaining blocks where init_vector_temp is generated from the cipher * output from the previous block. AES Standard FIPS SPSGG-BSA explains more on * generation of init_vector for each block in different CFB modes */ init_vector_temp[byte_count ] = cipherText [ (cfb_byte * index2) 4 byte_count]; } } if (index2_flag == true){ index2 = index24l^ } //Sending initialization vector to the cipher function to get 16 byte output block aes_cipher(init_vector_temip J (cipherText 4 (block_count * cfb_byte))); for(byte_c 0 unt = ■&; byte_count < cf b_byte ■ byte_cou nt44) { //XOR-ing cipher text 's' bits with output block s bits cipherText [ (byte_count 4 (block_count * cfb_byte))] = plainText [ (byte_count 4 (blockcount * cfb_byte))] A cipherText [byte_count 4 (block_count * cfb_byte)]j } } //End of all blocks Software Library for AES-128 Encryption and Decryption [APPLICATION NOTE] Atmel-42508A-AT 1 0764-Software-Library-for-AES-1 28-Encryption-and-Decryption_ApplicationNote_08/201 5 Decryption: The decryption process is similar to the encryption where the first step is to generate the input block from the initialization vector and the cipher text array. Then the input block is applied to the forward cipher function to get the output block. The s bits of the output block are then XOR-ed with the cipher text to get the plain text output. The implementation of the decryption function is as follows: Decryption of first block: ffor(by'te_count = by"te_countct ^ uintB_t *init_vector J uint32_t size) { uint32_t input_block_size = Gj uintS_t blcck_count = 0^ byte_count = uintS_t input_block[16] = //Calculate the number of blocks input_block_size = (size / AES_BLGCK_5IZE )j for(byte_count = ■&_; byte_count < AES_B1QCK_5IZE; byte_count++) { //Moving initial vector to a temp array input_block[byte_count] = init_vector [byte_count]; } //Encryption of remaining blocks for (blcck_count = 0;block_count < input_block_size j block_count++){ //Sending initialization vector to the cipher function to get 16 byte output block aes_cipher(input_blockj (cipherText+(block_count * AES_BLOCK_SIZE) ) ) j //XQR cipher output with plain text to complete the encryption for a block for (byte_count = 0; byte_count < AES_BL.GCK_SIZE j byte_count++){ cipherTe>ct [by r te_count+ (block_count * AES_BLOCK_SIZE) ] = plainText [byte_count + (block_count * AE5_BLGCK_5IZE ) ] A cipherText [byte_count+ (blockcount * AE5_BLGCK_5IZE ) ]} } } } Software Library for AES-128 Encryption and Decryption [APPLICATION NOTE] lTI©i Atmel-42508A-AT 1 0764-Software-Library-for-AES-1 28-Encryption-and-Decryption_ApplicationNote_08/201 5 void of b_decrypt (uint8_t *cipherText J uintS_t ^plainText., uintS_t *init_vectorj uint32_t size) { uint32_t input_block_size = 0 j uintS_t block_count = 0_^ byte_count = 0; uint8_t input_block[16] = {0}; //Calculate the number of input blocks input_block_size = size / AE5_BL0CK_5IZEj for(byte_count = 0; byte_countct[byte_count + (block_count * AES_BL0CK_SIZE ) ] = cipherText [byte_count + (block_count * AES_BLOCK_SIZE) ] A plainText [byte_count -I- (block_count * AES_BLOCK_SIZE) ]; } 4.5 The Counter Mode (CTR) The Counter (CTR) mode is a confidentiality mode that features the application of the forward cipher to a set of input blocks, called counters, to produce a sequence of output blocks that are exclusive-ORed with the plaintext to produce the ciphertext, and vice versa. In both CTR encryption and CTR decryption, the forward cipher functions can be performed in parallel. Similarly, the plaintext block that corresponds to any particular ciphertext block can be recovered independently from the other plaintext blocks if the corresponding counter block can be determined. Moreover, the forward cipher functions can be applied to the counters prior to the availability of the plaintext or ciphertext data. The sequence of counters must have the property that each block in sequence is different from every other block. Various methods of counter generation are explained in Appendix B of FIPS Pub 800-38A. 4.5.1 CTR Encryption Encryption involves the application of forward cipher over a block of data called counters which is then XOR-ed with plain text to generate the respective cipher text. /Itmel Software Library for AES-128 Encryption and Decryption [APPLICATION NOTE] Atmel-42508A-AT 1 0764-Software-Library-for-AES-1 28-Encryption-and-Decryption_ApplicationNote_08/201 5 21 Figure 4-8. Counter mode Encryption Counter 1 1 r Cipher function ,r s V \ p - (^Cipher Text 1^) +1 f \ +1 +1 -n Counter 2 •{ Counter n Plaintext 2 — Cipher Text 2 4.5.2 CTR Decryption For decryption, the forward cipher is applied over counters as in encryption. Then the cipher text is XOR-ed with resulting output block to retrieve the plain text. Figure 4-9. Counter mode Decryption +1 +1 Counter n 4.5.3 Generation of counter blocks This section explain the counter generation method used in this application note. As mentioned earlier AES - CTR requires unique value for each block and communicate this value for the decryption. This is more similar to IV except that it keeps changing for each block. Counter is divided in to three field called • Nonce - 32bit • Initialization Vector - 64bit • Counter block - 32bit The counter is incremented for each block and concatenated with Nonce and IV to form 128 bit vector input for subsequent blocks. As counter is 32-bit, the same key will be repeated after 2 32 bit rounds. So with 32 bit counter 2 31 block of data can be encrypted effectively. 4.5.4 C Implementation of CTR mode The counter block contains: //Counter block structure for AES-CTR mode typedef struct{ uint32_t nonces uint64_t i_vector; uint32_t counter^ } ctr_blk_t i Software Library for AES-128 Encryption and Decryption [APPLICATION NOTE] TYl©i Atmel-42508A-AT 1 0764-Software-Library-for-AES-1 28-Encryption-and-Decryption_ApplicationNote_08/201 5 The IV, nonce and counter are concatenated to form the input block and applied to the forward cipher as below: void ctr_inc_counter(ctr_bIk_t ^counter) { //Append INonce to 1st 4 bytes of counter block counter_block[0] = ( (counter~>nonce) >> 24) & 0xFF; counter_block[l] = ( (counter- > nonce) >> 16) & 0xFFj counter_block[2] = ( (counter->nonce) >> 3) & 6 kFF j counter_block[3] = ( (counter->nonce) >> 0) & 0xFFj, //Append IV to next 3 bytes of counter block counter_block[4] = ((counter->i_vector) >> 56) & 0xFFj counter_block[5] = ( (counter ->i_vector) >> 43) & 0xFF j C0unter_block[6] = ( (counter->i_vector) >> 40) & 0xFFj counter_block[7] = ( (counter->i_vector ) >> 32) & 0xFFj counter_block[S] = ( (counter->i_vector) >> 24) & 0xFF; counter_block[9] = ( (counter->i_vector) >> 16) El 0xFF j counter_block[10] = ( (counter->i_vector) >> 3) & 0xFF; counter_block[ll] = (fcounter->i_vector) >> 0) El 0xFF; //Increment next counter counter-> counter += 1; //Append Initial Counter value to remaining 4 bytes of counter block counter_block[12] = ((counter->counter) >> 24) & 0xFF j counter_block[13] = ( (counter->counter) >> 16) & 0xFFj counter_block[14] = ( (counter- >counter) >> 3) & 0xFF; counter_block[15] = ( (counter->counter) >> 0) El 0xFF; } For CTR mode, both encryption and decryption follows the same as explained earlier. So there is only one function for both encryption and decryption. /Itmel Software Library for AES-128 Encryption and Decryption [APPLICATION NOTE] Atmel-42508A-AT 1 0764-Software-Library-for-AES-1 28-Encryption-and-Decryption_ApplicationNote_08/201 5 void ctr_encrypt_de crypt (uintS_t *input_block ^ uint8_t *output_t>locfc J ctr_bl.k_t ^counter^ uint32_t size) { uint32_t block_count = 0., input_block_size = 0_i uint3_t byte_count = 0j //Calculate input block size input_block_size = (size / AE5_BL0CK_SIZE )^ //Hove the initial counter to local counter block //Append Nonce to first 4 bytes of counter block counter_block[0] = ( (counter ->nonce) >> 24) H 0xFF^ counter_block[ 1] = ( (counter->nonce) >> 16) El 0kFF^ counter_block[ 2 ] = ( (counter->nonce) >> S) El 0kFF.j counter_block[ 3 ] = ( (counter->nonce) >> 0) & 0xFF^ //Append IV to next S bytes of counter block counter_block[4] = (( counter- >i_vect or) >> 56) & 0xFF,i counter_block[ 5 ] = (( counter- >i_vect or) » 4S) & 0xFF : ; counter_block[ 6 ] = (( counter- >i_vect or) » 40) & 0xFF^ counter_block[7] = (( counter- >i_vect or) » 32) & 0xFF_^ counter_block[ S ] = ( (counter- >i_vector) » 24) & 0xFF^ counter_block[ 9 ] = ( ( counter->i_vector ) >> 16) & 0xFF^ counter_block[10] = ( (counter ->i_vector) >> S) El 0kFF; counter_block[ll] = ( (counter->i_vector) >> 0) & 0xFF^ //Append Initial Counter value to remaining 4 bytes of counter block counter_block[ 12 ] = ( (counter->counter) >> 24) & 0xFF^ counter_block[ 13 ] = ( (counter->counter ) >> 16) El 0xFF j counter_block[14] = ( (counter->counter) >> B) El 0xFF; counter_block[15] = ( (counter->counter) >> 0) & 0xFFj //Run Encryption for input blocks for(block_count = 0^ block_count < input_block_size^ block_count++){ if (0 != b!ock_count) ctr_inc_counter( counter ) j //Forward cipher of counter aes_cipher(counter_blockj output_block 4 (block_count * AE5_BLOCK_5IZE ) ) ± //XGR of plain text with the output block for (byte_count =0; byte_count < AE5_BLOCK_5IZEj byte_count++) { output_block[byte_count + (block_count * AES_BLOCK_SIZE) ] = input_block[byte_count 4 (block_count * AE5_B_OCK_5IZE) ] A output_block[byte_count 4 (block_count * AE5_BLOCK_5IZE) ]; } } } Software Library for AES-128 Encryption and Decryption [APPLICATION NOTE] TYl©i Atmel-42508A-AT 1 0764-Software-Library-for-AES-1 28-Encryption-and-Decryption_ApplicationNote_08/201 5 5 AES -128 Example Implementation The application note comes with the source containing the AES library and demo example. This section gives short description about the demo application of AES-128 covering all 5 modes. • AES-128 and five confidentiality modes are implemented at two levels. The AES algorithm explained in chapter 3 of this application note is implemented in aes.c/aes.h file. • The five confidentiality modes are implemented in crypt.c/crypt.h file • The example is implemented in a way that 64 bytes (i.e. 16 input blocks) of plain text are encrypted and decrypted using all modes separately • The decrypting message can be viewed in the terminal window • From the result if the decrypted data is same as the plain text, this conforms the working of each mode • The modes can be independently enabled or disabled in confexample.h as below. By default all the modes are enabled /* Set to true to enable respective mode * set to false to disable the respective mode V //Enable/Disable ECB mode #define AES_ECB true //Enable/Disable CBC mode #define AES_CBC true //Enable/Disable CFB mode #define AE5_CFB true //Enable/Disable OFB mode #define AES_OF6 true //Enable/Disable CTR mode #define AES CTR true /Itmel Software Library for AES-128 Encryption and Decryption [APPLICATION NOTE] Atmel-42508A-AT 1 0764-Software-Library-for-AES-1 28-Encryption-and-Decryption_ApplicationNote_08/201 5 25 6 Execution of Example in Atmel Studio The firmware corresponding to this application note comes with the Atmel Software Framework and it can be imported from Atmel Studio as well. The steps below explain the execution of this application. 1 . Import the example in Atmel Studio from “File — > New — > Example Project — > AES Software Library Demo - SAM D21 Xplained Pro” 2. To build the project, go to Atmel Studio -> Build -> Build Solution 3. Open Terminal window with EDBG COM port with configuration 115200, no parity, one stop bit and hardware control none. 4. Go to Tools -> Device Programming’ Window in Atmel Studio. Too s Window Help a Command Prompt: Device Programming Ctrl+5hift+P 51 Add target:... 5. Read the device id after selection appropriate tools and device to ensure proper connection EDBG (ATM IL213Q02 1800006944) © - Device Programming 6. Go to ‘Memories’ tab. Select the exe file and click program. EDBG (ATM L2130O2 1800006678) © - Device Programming f S3 Tool 1 Device 2 Interface 3 EDBG * ATSAMD21J18A * SWD * Apply ^ Device signature 5 0x10010100 Read Target Voltage 33 V Read Interface settings Tool information Device information Device Erase -Chip w Erase now Flash (256 KB) 8 Memories Fuses Security D:\AES_libra ry_D21\A ES_I i b ra ry_D2 l\Debug\AES_l i brary_D21.elf Erase Flash before programming g 7\ Verify Flash after programming Program Verify Read, User Page (64 bytes) 0 Erase User Page before programming 0 Verify User Page after programming Proqrat reri Read, Erasing device,., OK Programming Flash.,, OK Verifying Flash, ..OK * [ Verifying Flash., .OK 7. In the terminal window the decrypted and actual input message can be viewed. Software Library for AES-128 Encryption and Decryption [APPLICATION NOTE] TYl©i Atmel-42508A-AT 1 0764-Software-Library-for-AES-1 28-Encryption-and-Decryption_ApplicationNote_08/201 5 The message to be encrypted is: I nput_Text_blckl I nput_Text_blck2 I nput_Text_blck3 I nput_Text_blck4 Decrypted message using flES-ECB mode : I nput_Text_blcki I nput_Text_blck2 I nput_Text_blck3 I nput_Text_blck4 Decrypted message using AES-CFB mode : I nput_Text_blckl I nput_Text_blck2 I nput_Text_blck3 I nput_Text_blck4 Decrypted message using AES-OFB mode : I nput_Text_blcki I nput_Text_blck2 I nput_Text_blck3 I nput_Text_blck4 Decrypted message using AES-CTR mode : I nput_Text_blckl I nput_Text_blck2 I nput_Text_blck3 I nput_Text_blck4 Decrypted message using AES-CBC mode : I nput_Text_blcki I nput_Text_blck2 I nput_Text_blck3 I nput_Text_blck4 i 8. The Application can be debugged or can downloaded without debugging using below shown options. Debu g Tools Window Help Windows * m Start Debugging and Break Alt+ F5 0 Attach to Target 1 Stop Debugging Ctrl+ Shift + F5 => Start Without Debugging Ctrl + Alt+ F5 Disable debug WIRE and Close /Itmel Software Library for AES-128 Encryption and Decryption [APPLICATION NOTE] Atmel-42508A-AT 1 0764-Software-Library-for-AES-1 28-Encryption-and-Decryption_ApplicationNote_08/201 5 7 References 7.1 FIPS - 197 Advanced Encryption Standard (AES) FIPS-197 published by NIST contains the mathematical calculation of AES-128 algorithm for Encryption and Decryption. It can be availed from http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf. 7.2 FIPS SP 800-38A Recommendation for Block Cipher Modes of Operation FIPS special publication 800-38A provides detailed description about the five modes of confidentiality. It also explains the generation of Initialization vector and counter used in each modes. It is available at http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf. 7.3 SAM D Device Datasheet The device datasheet contains the block diagrams of the peripherals and details about implementing firmware for the device. It also contains the electrical specifications and expected characteristics of the device. Datasheet is available on www.atmel.com in the Documents section of Atmel SAM D21 product page. 7.4 Hardware Tools User Guide SAM D21 Xplained Pro board user Guide can be downloadable from http://www.atmel.com/tools/ATSAMD21- XPRO.aspx. 7.5 Atmel Studio The latest version of Atmel Studio can be downloaded from http://www.atmel.com/tools/atmelstudio.aspx. Software Library for AES-128 Encryption and Decryption [APPLICATION NOTE] TYl©i Atmel-42508A-AT 1 0764-Software-Library-for-AES-1 28-Encryption-and-Decryption_ApplicationNote_08/201 5 8 Revision History Doc Rev. Date Comments 42508A 08/2015 Initial document release. /Itmel Software Library for AES-128 Encryption and Decryption [APPLICATION NOTE] Atmel-42508A-AT 1 0764-Software-Library-for-AES-1 28-Encryption-and-Decryption_ApplicationNote_08/201 5 29 ARM® CONNECTED yitmel Enabling Unlimited Possibilities' li B30D w Atmel Corporation 1600 Technology Drive, San Jose, CA 95110 USA T: (+1)(408) 441 .031 1 F: (+1)(408) 436.4200 www.atmel.com ©2015 Atmel Corporation. / Rev.: Atmel-42508A-AT10764-Software-Library-for-AES-128-Encryption-and-Decryption_ApplicationNote_08/2015 Atmel®, Atmel logo and combinations thereof, Enabling Unlimited Possibilities®, and others are registered trademarks or trademarks of Atmel Corporation in U.S. and other countries. ARM®, ARM Connected® logo, and others are the registered trademarks or trademarks of ARM Ltd. Other terms and product names may be trademarks of others. DISCLAIMER: The information in this document is provided in connection with Atmel products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Atmel products. EXCEPT AS SET FORTH IN THE ATMEL TERMS AND CONDITIONS OF SALES LOCATED ON THE ATMEL WEBSITE, ATMEL ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL ATMEL BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS AND PROFITS, BUSINESS INTERRUPTION, OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF ATMEL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Atmel makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and products descriptions at any time without notice. Atmel does not make any commitment to update the information contained herein. Unless specifically provided otherwise, Atmel products are not suitable for, and shall not be used in, automotive applications. Atmel products are not intended, authorized, or warranted for use as components in applications intended to support or sustain life. SAFETY-CRITICAL, MILITARY, AND AUTOMOTIVE APPLICATIONS DISCLAIMER: Atmel products are not designed for and will not be used in connection with any applications where the failure of such products would reasonably be expected to result in significant personal injury or death (“Safety-Critical Applications”) without an Atmel officer's specific written consent. Safety-Critical Applications include, without limitation, life support devices and systems, equipment or systems for the operation of nuclear facilities and weapons systems. Atmel products are not designed nor intended for use in military or aerospace applications or environments unless specifically designated by Atmel as military-grade. Atmel products are not designed nor intended for use in automotive applications unless specifically designated by Atmel as automotive -grade.