CFRG                                                           S. Gueron
Internet-Draft               University of Haifa and Amazon Web Services
Intended status: Informational                                 A. Langley
Expires: May 23, 2019                                         Google LLC
                                                              Y. Lindell
                                                      Bar Ilan University
                                                       November 19, 2018

     AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption
                        draft-irtf-cfrg-gcmsiv-09

Abstract

   This memo specifies two authenticated encryption algorithms that are nonce misuse-resistant - that is, they do not fail catastrophically if a nonce is repeated.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
   Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 23, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Requirements Language
   3.  POLYVAL
   4.  Encryption
   5.  Decryption
   6.  AEADs
   7.  Field operation examples
   8.  Worked example
   9.  Security Considerations
   10. IANA Considerations
   11. Acknowledgements
   12. References
     12.1. Normative References
     12.2. Informative References
   Appendix A. The relationship between POLYVAL and GHASH
   Appendix B. Additional comparisons with AES-GCM
   Appendix C. Test vectors
     C.1. AEAD_AES_128_GCM_SIV
     C.2. AEAD_AES_256_GCM_SIV
     C.3. Counter wrap tests
   Authors' Addresses

1.  Introduction

   The concept of "Authenticated encryption with additional data" (AEAD [RFC5116]) couples confidentiality and integrity in a single operation, avoiding the risks of the previously common practice of using ad-hoc constructions of block-cipher and hash primitives. The most popular AEAD, AES-GCM [GCM], is seeing widespread use due to its attractive performance.

   However, some AEADs (including AES-GCM) suffer catastrophic failures of confidentiality and/or integrity when two distinct messages are encrypted with the same key and nonce. While the requirements for AEADs specify that the pair of (key, nonce) shall only ever be used once, and thus prohibit this, in practice this is a worry.

   Nonce misuse-resistant AEADs do not suffer from this problem. For this class of AEADs, encrypting two messages with the same nonce only discloses whether the messages were equal or not. This is the minimum amount of information that a deterministic algorithm can leak in this situation.

   This memo specifies two nonce misuse-resistant AEADs: "AEAD_AES_128_GCM_SIV" and "AEAD_AES_256_GCM_SIV".
   These AEADs are designed to be able to take advantage of existing hardware support for AES-GCM and can decrypt within 5% of the speed of AES-GCM (for multi-kilobyte messages). Encryption is, perforce, slower than AES-GCM because two passes are required in order to achieve that nonce misuse-resistance property. However, measurements suggest that it can still run at two-thirds of the speed of AES-GCM.

   We suggest that these AEADs be considered in any situation where nonce uniqueness cannot be guaranteed. This includes situations where there is no stateful counter or where such state cannot be guaranteed, as when multiple encryptors use the same key. As discussed in Section 9, it is RECOMMENDED to use this scheme with randomly chosen nonces.

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

3.  POLYVAL

   The GCM-SIV construction is similar to GCM: the block cipher is used in counter mode to encrypt the plaintext and a polynomial authenticator is used to provide integrity. The authenticator in GCM-SIV is called POLYVAL.

   POLYVAL, like GHASH (the authenticator in AES-GCM, see [GCM] section 6.4), operates in a binary field of size 2^128. The field is defined by the irreducible polynomial x^128 + x^127 + x^126 + x^121 + 1. The sum of any two elements in the field is the result of XORing them. The product of any two elements is calculated using standard (binary) polynomial multiplication followed by reduction modulo the irreducible polynomial.

   We define another binary operation on elements of the field: dot(a, b), where dot(a, b) = a * b * x^-128. The value of the field element x^-128 is equal to x^127 + x^124 + x^121 + x^114 + 1.
   The result, dot(a, b), of this multiplication is another field element.

   Polynomials in this field are converted to and from 128-bit strings by taking the least-significant bit of the first byte to be the coefficient of x^0, the most-significant bit of the first byte to be the coefficient of x^7 and so on, until the most-significant bit of the last byte is the coefficient of x^127.

   POLYVAL takes a field element, H, and a series of field elements X_1, ..., X_s. Its result is S_s, where S is defined by the iteration S_0 = 0; S_j = dot(S_{j-1} + X_j, H), for j = 1..s.

   We note that POLYVAL(H, X_1, X_2, ...) is equal to ByteReverse(GHASH(ByteReverse(H) * x, ByteReverse(X_1), ByteReverse(X_2), ...)), where ByteReverse is a function that reverses the order of 16 bytes. See Appendix A for a more detailed explanation.

4.  Encryption

   AES-GCM-SIV encryption takes a 16- or 32-byte key-generating key, a 96-bit nonce, and variable-length plaintext & additional data byte-strings. It outputs an authenticated ciphertext that will be 16 bytes longer than the plaintext. Both encryption and decryption are only defined on inputs that are a whole number of bytes.

   If the key-generating key is 16 bytes long then AES-128 is used throughout. Otherwise AES-256 is used throughout.

   The first step of encryption is to generate per-nonce, message-authentication and message-encryption keys. The message-authentication key is 128-bit and the message-encryption key is either 128- (for AES-128) or 256-bit (for AES-256).

   These keys are generated by encrypting a series of plaintext blocks that contain a 32-bit, little-endian counter followed by the nonce, and then discarding the second half of the resulting ciphertext.
   In the AES-128 case, 128 + 128 = 256 bits of key material need to be generated and, since encrypting each block yields 64 bits after discarding half, four blocks need to be encrypted. The counter values for these blocks are 0, 1, 2 and 3. For AES-256, six blocks are needed in total, with counter values 0 through 5 (inclusive).

   In pseudocode form, where ++ indicates concatenation and x[:8] indicates taking only the first eight bytes from x:

   func derive_keys(key_generating_key, nonce) {
     message_authentication_key =
         AES(key = key_generating_key,
             block = little_endian_uint32(0) ++ nonce)[:8] ++
         AES(key = key_generating_key,
             block = little_endian_uint32(1) ++ nonce)[:8]
     message_encryption_key =
         AES(key = key_generating_key,
             block = little_endian_uint32(2) ++ nonce)[:8] ++
         AES(key = key_generating_key,
             block = little_endian_uint32(3) ++ nonce)[:8]

     if bytelen(key_generating_key) == 32 {
       message_encryption_key ++=
           AES(key = key_generating_key,
               block = little_endian_uint32(4) ++ nonce)[:8] ++
           AES(key = key_generating_key,
               block = little_endian_uint32(5) ++ nonce)[:8]
     }

     return message_authentication_key, message_encryption_key
   }

   Define the "length block" as a 16-byte value that is the concatenation of the 64-bit, little-endian encodings of bytelen(additional_data) * 8 and bytelen(plaintext) * 8. Pad the plaintext and additional data with zeros until they are each a multiple of 16 bytes, the AES block size. Then X_1, X_2, ... (the series of field elements that are inputs to POLYVAL) are the concatenation of the padded additional data, the padded plaintext, and the length block.

   Calculate S_s = POLYVAL(message-authentication-key, X_1, X_2, ...). XOR the first twelve bytes of S_s with the nonce and clear the most-significant bit of the last byte.
   Encrypt the result with AES using the message-encryption key to produce the tag.

   (It's worth highlighting a contrast with AES-GCM here: AES-GCM authenticates the encoded additional data and ciphertext, while AES-GCM-SIV authenticates the encoded additional data and _plaintext_.)

   The encrypted plaintext is produced by using AES, with the message-encryption key, in counter mode (see [SP800-38A], section 6.5) on the unpadded plaintext. The initial counter block is the tag with the most-significant bit of the last byte set to one. The counter advances by incrementing the first 32 bits interpreted as an unsigned, little-endian integer, wrapping at 2^32. The result of the encryption is the encrypted plaintext (truncated to the length of the plaintext) followed by the tag.

   In pseudo-code form, the encryption process can be expressed as:

   func right_pad_to_multiple_of_16_bytes(input) {
     while (bytelen(input) % 16 != 0) {
       input = input ++ "\x00"
     }
     return input
   }

   func AES_CTR(key, initial_counter_block, in) {
     block = initial_counter_block

     output = ""
     while bytelen(in) > 0 {
       keystream_block = AES(key = key, block = block)
       block[0:4] = little_endian_uint32(
           read_little_endian_uint32(block[0:4]) + 1)

       todo = min(bytelen(in), bytelen(keystream_block))
       for j = 0; j < todo; j++ {
         output = output ++ (keystream_block[j] ^ in[j])
       }

       in = in[todo:]
     }

     return output
   }

   func encrypt(key_generating_key,
                nonce,
                plaintext,
                additional_data) {
     if bytelen(plaintext) > 2**36 {
       fail()
     }
     if bytelen(additional_data) > 2**36 {
       fail()
     }

     message_authentication_key, message_encryption_key =
         derive_keys(key_generating_key, nonce)

     length_block =
         little_endian_uint64(bytelen(additional_data) * 8) ++
         little_endian_uint64(bytelen(plaintext) * 8)
     padded_plaintext = right_pad_to_multiple_of_16_bytes(plaintext)
     padded_ad = right_pad_to_multiple_of_16_bytes(additional_data)
     S_s = POLYVAL(key = message_authentication_key,
                   input = padded_ad ++ padded_plaintext ++
                           length_block)
     for i = 0; i < 12; i++ {
       S_s[i] ^= nonce[i]
     }
     S_s[15] &= 0x7f
     tag = AES(key = message_encryption_key, block = S_s)

     counter_block = tag
     counter_block[15] |= 0x80
     return AES_CTR(key = message_encryption_key,
                    initial_counter_block = counter_block,
                    in = plaintext) ++
            tag
   }

5.  Decryption

   Decryption takes a 16- or 32-byte key-generating key, a 96-bit nonce, and variable-length ciphertext & additional data byte-strings. It either fails, or outputs a plaintext that is 16 bytes shorter than the ciphertext.

   To decrypt an AES-GCM-SIV ciphertext, first derive the message-encryption and message-authentication keys in the same manner as when encrypting.

   If the ciphertext is less than 16 bytes or more than 2^36 + 16 bytes, then fail. Otherwise split the input into the encrypted plaintext and a 16-byte tag. Decrypt the encrypted plaintext with the message-encryption key in counter mode, where the initial counter block is the tag with the most-significant bit of the last byte set to one. Advance the counter for each block in the same way as when encrypting. At this point the plaintext is unauthenticated and MUST NOT be output until the following tag confirmation is complete:

   Pad the additional data and plaintext with zeros until they are each a multiple of 16 bytes, the AES block size. Calculate the length block and X_1, X_2, ... as above and compute S_s = POLYVAL(message-authentication-key, X_1, X_2, ...). Compute the expected tag by XORing S_s and the nonce, clearing the most-significant bit of the last byte and encrypting with the message-encryption key. Compare the provided and expected tag values in constant time.
   Fail the decryption if they do not match (and do not release the plaintext), otherwise return the plaintext.

   In pseudo-code form, the decryption process can be expressed as:

   func decrypt(key_generating_key,
                nonce,
                ciphertext,
                additional_data) {
     if bytelen(ciphertext) < 16 || bytelen(ciphertext) > 2**36 + 16 {
       fail()
     }
     if bytelen(additional_data) > 2**36 {
       fail()
     }

     message_authentication_key, message_encryption_key =
         derive_keys(key_generating_key, nonce)

     tag = ciphertext[bytelen(ciphertext)-16:]

     counter_block = tag
     counter_block[15] |= 0x80
     plaintext = AES_CTR(key = message_encryption_key,
                         initial_counter_block = counter_block,
                         in = ciphertext[:bytelen(ciphertext)-16])

     length_block =
         little_endian_uint64(bytelen(additional_data) * 8) ++
         little_endian_uint64(bytelen(plaintext) * 8)
     padded_plaintext = right_pad_to_multiple_of_16_bytes(plaintext)
     padded_ad = right_pad_to_multiple_of_16_bytes(additional_data)
     S_s = POLYVAL(key = message_authentication_key,
                   input = padded_ad ++ padded_plaintext ++
                           length_block)
     for i = 0; i < 12; i++ {
       S_s[i] ^= nonce[i]
     }
     S_s[15] &= 0x7f
     expected_tag = AES(key = message_encryption_key, block = S_s)

     xor_sum = 0
     for i = 0; i < bytelen(expected_tag); i++ {
       xor_sum |= expected_tag[i] ^ tag[i]
     }

     if xor_sum != 0 {
       fail()
     }

     return plaintext
   }

6.  AEADs

   We define two AEADs, in the format of RFC 5116, that use AES-GCM-SIV: AEAD_AES_128_G CM_SIV and AEAD_AES_256_GCM_SIV. They differ only in the size of the AES key used.

   The key input to these AEADs becomes the key-generating key. Thus AEAD_AES_128_GCM_SIV takes a 16-byte key and AEAD_AES_256_GCM_SIV takes a 32-byte key.

   The parameters for AEAD_AES_128_GCM_SIV are then: K_LEN is 16, P_MAX is 2^36, A_MAX is 2^36, N_MIN and N_MAX are 12 and C_MAX is 2^36 + 16.
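   The following is an added illustration of Sections 3 to 5 and is not part of the draft, nor the authors' reference implementation. It writes out POLYVAL over the field of Section 3, the per-nonce key derivation of Section 4, the tag computation and counter-mode encryption, and a decryption that releases plaintext only after a constant-time tag comparison (hmac.compare_digest). AES is implemented inline so the example runs offline with the Python standard library alone; the names aes_encrypt_block, field_mul, dot, polyval, derive_keys, encrypt and decrypt are this example's own choices. Its outputs can be checked against the field-operation values of Section 7 and the "Hello world" worked example of Section 8; it also covers 32-byte keys (six derivation blocks) and a partial final block in counter mode.

```python
import hmac

# ---- AES, encryption direction only, 16- or 32-byte keys ----
def _xtime(a):
    return ((a << 1) ^ (0x1b if a & 0x80 else 0)) & 0xff

def _gf8_mul(a, b):
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = _xtime(a), b >> 1
    return r

def _sbox_entry(a):               # inverse in GF(2^8), then the AES affine map
    inv = next(b for b in range(256) if _gf8_mul(a, b) == 1) if a else 0
    rot = lambda x, s: ((x << s) | (x >> (8 - s))) & 0xff
    return inv ^ rot(inv, 1) ^ rot(inv, 2) ^ rot(inv, 3) ^ rot(inv, 4) ^ 0x63

SBOX = [_sbox_entry(i) for i in range(256)]

def _expand_key(key):
    nk, rounds = len(key) // 4, len(key) // 4 + 6
    w = [list(key[i:i + 4]) for i in range(0, len(key), 4)]
    rcon = 1
    for i in range(nk, 4 * (rounds + 1)):
        t = list(w[i - 1])
        if i % nk == 0:                   # RotWord, SubWord, Rcon
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _xtime(rcon)
        elif nk > 6 and i % nk == 4:      # extra SubWord in AES-256
            t = [SBOX[b] for b in t]
        w.append([w[i - nk][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(rounds + 1)]

def aes_encrypt_block(key, block):
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for r in range(1, len(rk)):
        s = [SBOX[b] for b in s]                                            # SubBytes
        s = [s[4 * ((c + i) % 4) + i] for c in range(4) for i in range(4)]  # ShiftRows
        if r != len(rk) - 1:                                                # MixColumns
            m = []
            for a0, a1, a2, a3 in (s[4 * c:4 * c + 4] for c in range(4)):
                m += [_xtime(a0) ^ _xtime(a1) ^ a1 ^ a2 ^ a3, a0 ^ _xtime(a1) ^ _xtime(a2) ^ a2 ^ a3,
                      a0 ^ a1 ^ _xtime(a2) ^ _xtime(a3) ^ a3, _xtime(a0) ^ a0 ^ a1 ^ a2 ^ _xtime(a3)]
            s = m
        s = [b ^ k for b, k in zip(s, rk[r])]                               # AddRoundKey
    return bytes(s)

# ---- POLYVAL (Section 3): GF(2^128) modulo x^128 + x^127 + x^126 + x^121 + 1 ----
_POLY = (1 << 128) | (1 << 127) | (1 << 126) | (1 << 121) | 1
_X_INV_128 = int.from_bytes(bytes.fromhex("01000000000000000000000000000492"), "little")

def _gf128_mul(a, b):             # ints; bit i is the coefficient of x^i
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = a << 1, b >> 1
        if a >> 128:
            a ^= _POLY
    return r

def field_mul(a, b):              # a * b on 16-byte strings; LSB of byte 0 is x^0, so little-endian
    return _gf128_mul(int.from_bytes(a, "little"), int.from_bytes(b, "little")).to_bytes(16, "little")

def dot(a, b):                    # dot(a, b) = a * b * x^-128
    return _gf128_mul(int.from_bytes(field_mul(a, b), "little"), _X_INV_128).to_bytes(16, "little")

def polyval(h, data):             # S_0 = 0; S_j = dot(S_{j-1} + X_j, H) over the 16-byte blocks of data
    s = bytes(16)
    for i in range(0, len(data), 16):
        s = dot(bytes(x ^ y for x, y in zip(s, data[i:i + 16])), h)
    return s

# ---- AES-GCM-SIV (Sections 4 and 5) ----
def derive_keys(key_generating_key, nonce):
    n = 4 if len(key_generating_key) == 16 else 6   # blocks = 32-bit LE counter ++ nonce, keep 8 bytes of each
    material = b"".join(aes_encrypt_block(key_generating_key, i.to_bytes(4, "little") + nonce)[:8]
                        for i in range(n))
    return material[:16], material[16:]              # (message-authentication key, message-encryption key)

def _tag(auth_key, enc_key, nonce, plaintext, ad):
    pad = lambda b: b + bytes(-len(b) % 16)
    length_block = (8 * len(ad)).to_bytes(8, "little") + (8 * len(plaintext)).to_bytes(8, "little")
    s = bytearray(polyval(auth_key, pad(ad) + pad(plaintext) + length_block))
    for i in range(12):
        s[i] ^= nonce[i]
    s[15] &= 0x7f
    return aes_encrypt_block(enc_key, bytes(s))

def _aes_ctr(key, tag, data):
    counter, out = bytearray(tag), bytearray()
    counter[15] |= 0x80                              # initial counter block = tag with its top bit set
    for i in range(0, len(data), 16):
        out += bytes(x ^ y for x, y in zip(data[i:i + 16], aes_encrypt_block(key, bytes(counter))))
        counter[0:4] = ((int.from_bytes(counter[0:4], "little") + 1) & 0xffffffff).to_bytes(4, "little")
    return bytes(out)

def encrypt(key, nonce, plaintext, ad=b""):
    if len(plaintext) > 2**36 or len(ad) > 2**36:
        raise ValueError("input too long")
    auth_key, enc_key = derive_keys(key, nonce)
    tag = _tag(auth_key, enc_key, nonce, plaintext, ad)
    return _aes_ctr(enc_key, tag, plaintext) + tag

def decrypt(key, nonce, ciphertext, ad=b""):
    if not 16 <= len(ciphertext) <= 2**36 + 16 or len(ad) > 2**36:
        raise ValueError("bad length")
    auth_key, enc_key = derive_keys(key, nonce)
    tag = ciphertext[-16:]
    plaintext = _aes_ctr(enc_key, tag, ciphertext[:-16])           # unauthenticated at this point
    if not hmac.compare_digest(_tag(auth_key, enc_key, nonce, plaintext, ad), tag):
        raise ValueError("authentication failed")                  # plaintext is never released
    return plaintext

if __name__ == "__main__":        # the Section 8 worked example
    k, n = bytes.fromhex("ee8e1ed9ff2540ae8f2ba9f50bc2f27c"), bytes.fromhex("752abad3e0afb5f434dc4310")
    print(encrypt(k, n, b"Hello world", b"example").hex())
```

   Note how decrypt runs counter mode before the tag is known to be valid, exactly as Section 5 describes; the only thing that keeps the unauthenticated plaintext from escaping is the single exit path guarded by the constant-time comparison. The S-box is built from the GF(2^8) inverse and affine map rather than typed in as a table, and the field arithmetic uses Python's unbounded integers, so this code is meant for reading and for checking vectors, not for production use.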
   The parameters for AEAD_AES_256_GCM_SIV differ only in the key size: K_LEN is 32, P_MAX is 2^36, A_MAX is 2^36, N_MIN and N_MAX are 12 and C_MAX is 2^36 + 16.

7.  Field operation examples

   Polynomials in this document will be written as 16-byte values. For example, the sixteen bytes 01000000000000000000000000000492 would represent the polynomial x^127 + x^124 + x^121 + x^114 + 1, which is also the value of x^-128 in this field.

   If a = 66e94bd4ef8a2c3b884cfa59ca342b2e and b = ff000000000000000000000000000000 then a + b = 99e94bd4ef8a2c3b884cfa59ca342b2e, a * b = 37856175e9dc9df26ebc6d6171aa0ae9 and dot(a, b) = ebe563401e7e91ea3ad6426b8140c394.

8.  Worked example

   Consider the encryption of the plaintext "Hello world" with the additional data "example" under key ee8e1ed9ff2540ae8f2ba9f50bc2f27c using AEAD_AES_128_GCM_SIV. The random nonce that we'll use for this example is 752abad3e0afb5f434dc4310.

   In order to generate the message-authentication and message-encryption keys, a counter is combined with the nonce to form four blocks. These blocks are encrypted with the key given above:

   Counter | Nonce                      Ciphertext
   00000000752abad3e0afb5f434dc4310 -> 310728d9911f1f38c40e952ca83d093e
   01000000752abad3e0afb5f434dc4310 -> 37b24316c3fab9a046ae90952daa0450
   02000000752abad3e0afb5f434dc4310 -> a4c5ae624996327947920b2d2412474b
   03000000752abad3e0afb5f434dc4310 -> c100be4d7e2c6edd1efef004305ab1e7

   The latter halves of the ciphertext blocks are discarded and the remaining bytes are concatenated to form the per-message keys. Thus the message-authentication key is 310728d9911f1f3837b24316c3fab9a0 and the message-encryption key is a4c5ae6249963279c100be4d7e2c6edd.

   The length block contains the encoding of the bit-lengths of the additional data and plaintext, respectively. The string "example" is seven characters, thus 56 bits (or 0x38 in hex).
   The string "Hello world" is 11 characters, or 88 = 0x58 bits. Thus the length block is 38000000000000005800000000000000.

   The input to POLYVAL is the padded additional data, padded plaintext and then the length block. This is 6578616d706c6500000000000000000048656c6c6f20776f726c64000000000038000000000000005800000000000000, based on the ASCII encoding of "example" (6578616d706c65) and of "Hello world" (48656c6c6f20776f726c64).

   Calling POLYVAL with the message-authentication key and the input above results in S_s = ad7fcf0b5169851662672f3c5f95138f.

   Before encrypting, the nonce is XORed in and the most-significant bit of the last byte is cleared. This gives d85575d8b1c630e256bb6c2c5f95130f because that bit happened to be one previously. Encrypting with the message-encryption key (using AES-128) gives the tag, which is 4fbcdeb7e4793f4a1d7e4faa70100af1.

   In order to form the initial counter block, the most-significant bit of the last byte of the tag is set to one. That doesn't result in a change in this example. Encrypting this with the message key (using AES-128) gives the first block of the keystream: 1551f2c1787e81deac9a99f139540ab5.

   The final ciphertext is the result of XORing the plaintext with the keystream and appending the tag. That gives 5d349ead175ef6b1def6fd4fbcdeb7e4793f4a1d7e4faa70100af1.

9.  Security Considerations

   AES-GCM-SIV decryption involves first producing an unauthenticated plaintext. This plaintext is vulnerable to manipulation by an attacker; thus, if an implementation released some or all of the plaintext before authenticating it, other parts of a system may process malicious data as if it were authentic. AES-GCM might be less likely to lead implementations to do this because, there, the ciphertext is generally authenticated before, or concurrently with, the plaintext calculation.
   Therefore this text requires that implementations MUST NOT release unauthenticated plaintext. Thus system designers should consider memory limitations when picking the size of AES-GCM-SIV plaintexts: large plaintexts may not fit in the available memory of some machines, tempting implementations to release unverified plaintext.

   A detailed cryptographic analysis of AES-GCM-SIV appears in [AES-GCM-SIV] and the remainder of this section is a summary of that paper.

   The AEADs defined in this document calculate fresh AES keys for each nonce. This allows a larger number of plaintexts to be encrypted under a given key. Without this step, AES-GCM-SIV encryption would be limited by the birthday bound like other standard modes (e.g., AES-GCM, AES-CCM [RFC3610], and AES-SIV [RFC5297]). This means that when 2^64 blocks have been encrypted overall, a distinguishing adversary, who is trying to break the confidentiality of the scheme, has an advantage of 1/2. Thus, in order to limit the adversary's advantage to 2^-32, at most 2^48 blocks can be encrypted overall. In contrast, by deriving fresh keys from each nonce, it is possible to encrypt a far larger number of messages and blocks with AES-GCM-SIV.

   We stress that nonce-misuse resistant schemes guarantee that if a nonce repeats then the only security loss is that identical plaintexts will produce identical ciphertexts. Since this can also be a concern (as the fact that the same plaintext has been encrypted twice is revealed), we do not recommend using a fixed nonce as a policy. In addition, as we show below, better-than-birthday bounds are achieved by AES-GCM-SIV when the nonce repetition rate is low. Finally, as shown in [BHT18], there is a great security benefit in the multi-user/multi-key setting when each particular nonce is re-used by a small number of users only.
   We stress that the nonce misuse-resistance property is not intended to be coupled with intentional nonce-reuse; rather, such schemes provide the best possible security in the event of nonce reuse. Due to all of the above, it is RECOMMENDED that AES-GCM-SIV nonces be randomly generated.

   Some example usage bounds for AES-GCM-SIV are given below. The adversary's advantage is the "AdvEnc" from [key-derive] and is colloquially the ability of an attacker to distinguish ciphertexts from random bit-strings. The bounds below limit this advantage to 2^-32. For up to 256 uses of the same nonce and key (i.e., where one can assume that nonce misuse is no more than this bound), the following message limits should be respected (this assumes a short AAD, i.e. less than 64 bytes):

      2^29 messages, where each plaintext is at most 1GiB

      2^35 messages, where each plaintext is at most 128MiB

      2^49 messages, where each plaintext is at most 1MiB

      2^61 messages, where each plaintext is at most 16KiB

   Suzuki et al [multi-birthday] show that even if nonces are selected uniformly at random, the probability that one or more values would be repeated 256 or more times is negligible until the number of nonces reaches 2^102. (Specifically the probability is 1/((2^96)^(255)) * Binomial(q, 256), where q is the number of nonces.) Since 2^102 is vastly greater than the limit on the number of plaintexts per key given above, we don't feel that this limit on the number of repeated nonces will be a problem. This also means that selecting nonces at random is a safe practice with AES-GCM-SIV.
   The bounds obtained for random nonces are as follows (as above, for these bounds the adversary's advantage is at most 2^-32):

      2^32 messages, where each plaintext is at most 8GiB

      2^48 messages, where each plaintext is at most 32MiB

      2^64 messages, where each plaintext is at most 128KiB

   For situations where, for some reason, an even higher number of nonce repeats is possible (e.g. in devices with very poor randomness), the message limits need to be reconsidered. Theorem 7 in [AES-GCM-SIV] contains more details but, for up to 1,024 repeats of each nonce, the limits would be (again assuming a short AAD, i.e. less than 64 bytes):

      2^25 messages, where each plaintext is at most 1GiB

      2^31 messages, where each plaintext is at most 128MiB

      2^45 messages, where each plaintext is at most 1MiB

      2^57 messages, where each plaintext is at most 16KiB

   In addition to calculating fresh AES keys for each nonce, these AEADs also calculate fresh POLYVAL keys. Previous versions of GCM-SIV did not do this and, instead, used part of the AEAD's key as the POLYVAL key. Bleichenbacher pointed out that this allowed an attacker who controlled the AEAD key to force the POLYVAL key to be zero. If a user of this AEAD authenticated messages with a secret additional-data value then this would be insecure as the attacker could calculate a valid authenticator without knowing the input. This does not violate the standard properties of an AEAD as the additional data is not assumed to be confidential. However, we want these AEADs to be robust to plausible misuse and also to be drop-in replacements for AES-GCM and so derive nonce-specific POLYVAL keys to avoid this issue.

   We also wish to note that the probability of successful forgery increases with the number of attempts that an attacker is permitted.
   The advantage defined in [key-derive] and used above is specified in terms of the ability of an attacker to distinguish ciphertexts from random bit-strings. It thus covers both confidentiality and integrity and theorem 6.2 in [key-derive] shows that the advantage increases with the number of decryption attempts. (Although much more slowly than with the number of encryptions; the dependence on the number of decryption queries for forgery is actually only linear, not quadratic. The latter is an artifact of the bound in the paper not being tight.) If an attacker is permitted extremely large numbers of attempts then the tiny probability that any given attempt succeeds may sum to a non-trivial chance.

   A security analysis of a similar scheme without nonce-based key derivation appears in [GCM-SIV] and a full analysis of the bounds when applying nonce-based key derivation appears in [key-derive]. A larger table of bounds and other information appears at [aes-gcm-siv-homepage].

   The multi-user/multi-key security of AES-GCM-SIV was studied by [BHT18] who showed that security is almost like in the single user setting, as long as nonces do not repeat many times across many users. This is the case when nonces are chosen randomly.

10.  IANA Considerations

   IANA is requested to add two entries to the registry of AEAD algorithms: AEAD_AES_128_GCM_SIV and AEAD_AES_256_GCM_SIV, both referencing this document as their specification.

11.  Acknowledgements

   The authors would like to thank Uri Blumenthal, Ondrej Mosnacek, Daniel Bleichenbacher, Kenny Paterson, Bart Preneel, John Mattsson, Scott Fluhrer, Tibor Jager, Bjoern Tackmann, Yannick Seurin, Tetsu Iwata and Deb Cooley's team at NSA Information Assurance for their helpful suggestions and review.

12.  References

12.1.
Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.

   [SP800-38A]  Dworkin, M., "SP 800-38A: Recommendation for Block Cipher Modes of Operation: Methods and Techniques", NIST SP-800-38A, December 2001.

12.2.  Informative References

   [AES-GCM-SIV]  Gueron, S., Langley, A., and Y. Lindell, "AES-GCM-SIV: specification and analysis", July 2017.

   [aes-gcm-siv-homepage]  Gueron, S., Langley, A., and Y. Lindell, "Webpage for the AES-GCM-SIV Mode of Operation", 2017.

   [BHT18]  Bose, P., Hoang, V., and S. Tessaro, "Revisiting AES-GCM-SIV: Multi-user Security, Faster Key Derivation, and Better Bounds", Proceedings of EUROCRYPT 2018, May 2018.

   [GCM]  Dworkin, M., "Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC", NIST SP-800-38D, November 2007.

   [GCM-SIV]  Gueron, S. and Y. Lindell, "GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle Per Byte", Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, 2015.

   [key-derive]  Gueron, S. and Y. Lindell, "Better Bounds for Block Cipher Modes of Operation via Nonce-Based Key Derivation", Proceedings of the 24th ACM SIGSAC Conference on Computer and Communications Security, 2017.

   [multi-birthday]  Suzuki, K., Tonien, D., Kurosawa, K., and K. Toyota, "Birthday Paradox for Multi-collisions", ICISC 2006: 9th International Conference, Busan, Korea, November 30 - December 1, 2006. Proceedings, 2006.

   [RFC3610]  Whiting, D., Housley, R., and N. Ferguson, "Counter with CBC-MAC (CCM)", RFC 3610, DOI 10.17487/RFC3610, September 2003.
   [RFC5116]  McGrew, D., "An Interface and Algorithms for Authenticated Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008.

   [RFC5297]  Harkins, D., "Synthetic Initialization Vector (SIV) Authenticated Encryption Using the Advanced Encryption Standard (AES)", RFC 5297, DOI 10.17487/RFC5297, October 2008.

Appendix A.  The relationship between POLYVAL and GHASH

   GHASH and POLYVAL both operate in GF(2^128), although with different irreducible polynomials: POLYVAL works modulo x^128 + x^127 + x^126 + x^121 + 1 and GHASH works modulo x^128 + x^7 + x^2 + x + 1. Note that these irreducible polynomials are the "reverse" of each other.

   GHASH also has a different mapping between 128-bit strings and field elements. Whereas POLYVAL takes the least-significant to most-significant bits of the first byte to be the coefficients of x^0 to x^7, GHASH takes them to be the coefficients of x^7 to x^0. This continues until, for the last byte, POLYVAL takes the least-significant to most-significant bits to be the coefficients of x^120 to x^127 while GHASH takes them to be the coefficients of x^127 to x^120.

   The combination of these facts means that it's possible to "convert" values between the two by reversing the order of the bytes in a 16-byte string. The differing interpretations of bit order take care of reversing the bits within each byte and then reversing the bytes does the rest. This may have a practical benefit for implementations that wish to implement both GHASH and POLYVAL.

   In order to be clear which field a given operation is performed in, let mulX_GHASH be a function that takes a 16-byte string, converts it to an element of GHASH's field using GHASH's convention, multiplies it by x and converts back to a string.
Likewise, let mulX_POLYVAL be a function that converts a 16-byte string to an element of POLYVAL's field using POLYVAL's convention, multiplies it by x and converts back.

Given the 16-byte string 01000000000000000000000000000000, mulX_GHASH of that string is 00800000000000000000000000000000 and mulX_POLYVAL of that string is 02000000000000000000000000000000. As a more general example, given 9c98c04df9387ded828175a92ba652d8, mulX_GHASH of that string is 4e4c6026fc9c3ef6c140bad495d3296c and mulX_POLYVAL of it is 3931819bf271fada0503eb52574ca5f2.

Lastly, let ByteReverse be the function that takes a 16-byte string and returns a copy where the order of the bytes has been reversed.

Now GHASH and POLYVAL can be defined in terms of one another:

   POLYVAL(H, X_1, ..., X_n) =
      ByteReverse(GHASH(mulX_GHASH(ByteReverse(H)), ByteReverse(X_1), ...,
      ByteReverse(X_n)))

   GHASH(H, X_1, ..., X_n) =
      ByteReverse(POLYVAL(mulX_POLYVAL(ByteReverse(H)), ByteReverse(X_1),
      ..., ByteReverse(X_n)))

As a worked example, let H = 25629347589242761d31f826ba4b757b, X_1 = 4f4f95668c83dfb6401762bb2d01a262 and X_2 = d1a24ddd2721d006bbe45f20d3c9f362. POLYVAL(H, X_1, X_2) = f7a3b47b846119fae5b7866cf5e5b77e. If we wished to calculate this given only an implementation of GHASH then the key for GHASH would be mulX_GHASH(ByteReverse(H)) = dcbaa5dd137c188ebb21492c23c9b112. Then ByteReverse(GHASH(dcba..., ByteReverse(X_1), ByteReverse(X_2))) = f7a3b47b846119fae5b7866cf5e5b77e, as required.

In the other direction, GHASH(H, X_1, X_2) = bd9b3997046731fb96251b91f9c99d7a. If we wished to calculate this given only an implementation of POLYVAL then we would first calculate the key for POLYVAL, mulX_POLYVAL(ByteReverse(H)), which is f6ea96744df0633aec8424b18e26c54a. Then ByteReverse(POLYVAL(f6ea..., ByteReverse(X_1), ByteReverse(X_2))) = bd9b3997046731fb96251b91f9c99d7a.
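The conversion identities above, as an added example (this is not the draft's code): both hashes in one plain coefficient representation, the mulX_GHASH, mulX_POLYVAL and ByteReverse helpers, and the nonce-XOR-and-mask step that the Appendix C test vectors list after the POLYVAL result. Function names are this example's own; the worked values of this appendix and the first AEAD_AES_128_GCM_SIV vectors serve as checks.

```python
# Added example (not the draft's code): POLYVAL and GHASH in a plain coefficient
# representation, plus mulX_GHASH, mulX_POLYVAL and ByteReverse from Appendix A.
# Function names are this example's own; the hex inputs are taken from the draft.

POLYVAL_POLY = (1 << 128) | (1 << 127) | (1 << 126) | (1 << 121) | 1  # x^128+x^127+x^126+x^121+1
GHASH_POLY = (1 << 128) | (1 << 7) | (1 << 2) | (1 << 1) | 1           # x^128+x^7+x^2+x+1

def _gf_mul(a, b, poly):
    """Multiply field elements held as ints with bit i = coefficient of x^i."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    for i in range(r.bit_length() - 1, 127, -1):  # reduce degrees 254..128
        if (r >> i) & 1:
            r ^= poly << (i - 128)
    return r

def _rev128(n):
    """Reverse the order of the 128 bits of n."""
    return int(f"{n:0128b}"[::-1], 2)

# POLYVAL convention: byte 0, least-significant bit first, carries x^0 .. x^7.
def _polyval_elem(s):
    return int.from_bytes(s, "little")

def _polyval_bytes(n):
    return n.to_bytes(16, "little")

# GHASH convention: byte 0, most-significant bit first, carries x^0 .. x^7.
def _ghash_elem(s):
    return _rev128(int.from_bytes(s, "big"))

def _ghash_bytes(n):
    return _rev128(n).to_bytes(16, "big")

def mulx_ghash(s):
    return _ghash_bytes(_gf_mul(_ghash_elem(s), 2, GHASH_POLY))  # the int 2 is x

def mulx_polyval(s):
    return _polyval_bytes(_gf_mul(_polyval_elem(s), 2, POLYVAL_POLY))

def byte_reverse(s):
    return s[::-1]

def polyval(h, blocks):
    """S_j = dot(S_{j-1} + X_j, H) with dot(a, b) = a * b * x^-128."""
    hh = _polyval_elem(h)
    s = 0
    for x in blocks:
        t = _gf_mul(s ^ _polyval_elem(x), hh, POLYVAL_POLY)
        for _ in range(128):       # times x^-128: divide by x 128 times
            if t & 1:
                t ^= POLYVAL_POLY  # adding the modulus removes the x^0 term
            t >>= 1
        s = t
    return _polyval_bytes(s)

def ghash(h, blocks):
    """Y_j = (Y_{j-1} + X_j) * H, the GCM hash."""
    hh = _ghash_elem(h)
    y = 0
    for x in blocks:
        y = _gf_mul(y ^ _ghash_elem(x), hh, GHASH_POLY)
    return _ghash_bytes(y)

def polyval_via_ghash(h, blocks):
    """Appendix A identity: POLYVAL from a GHASH implementation only."""
    key = mulx_ghash(byte_reverse(h))
    return byte_reverse(ghash(key, [byte_reverse(x) for x in blocks]))

def ghash_via_polyval(h, blocks):
    """The other direction: GHASH from a POLYVAL implementation only."""
    key = mulx_polyval(byte_reverse(h))
    return byte_reverse(polyval(key, [byte_reverse(x) for x in blocks]))

def siv_tag_input(auth_key, blocks, nonce):
    """Tag input before the block cipher: POLYVAL the input blocks, XOR the
    12-byte nonce into the first 12 bytes, clear the top bit of the last byte
    (the "POLYVAL result XOR nonce" and "... and masked" lines of Appendix C)."""
    s = bytearray(polyval(auth_key, blocks))
    for i in range(12):
        s[i] ^= nonce[i]
    s[15] &= 0x7F
    return bytes(s)

if __name__ == "__main__":
    h = bytes.fromhex("25629347589242761d31f826ba4b757b")
    xs = [bytes.fromhex("4f4f95668c83dfb6401762bb2d01a262"),
          bytes.fromhex("d1a24ddd2721d006bbe45f20d3c9f362")]
    print("POLYVAL      ", polyval(h, xs).hex())
    print("  via GHASH  ", polyval_via_ghash(h, xs).hex())
    print("GHASH        ", ghash(h, xs).hex())
    print("  via POLYVAL", ghash_via_polyval(h, xs).hex())
    print("mulX_POLYVAL ", mulx_polyval(bytes.fromhex("9c98c04df9387ded828175a92ba652d8")).hex())
```

Running this gives 3931819bf271fada0503eb52574ca572 for mulX_POLYVAL(9c98c04df9387ded828175a92ba652d8): shifting the little-endian value left and XORing in the reduction terms x^127, x^126, x^121 and x^0 by hand also yields a final byte of 72 rather than the f2 quoted above, while every other worked value in this appendix is reproduced exactly.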
Appendix B. Additional comparisons with AES-GCM

Some functional properties also differ between AES-GCM and AES-GCM-SIV that are worth noting:

AES-GCM allows plaintexts to be encrypted in a streaming fashion, i.e. the beginning of the plaintext can be encrypted and transmitted before the entire message has been processed. AES-GCM-SIV requires two passes for encryption and so cannot do this.

AES-GCM allows a constant additional-data input to be precomputed in order to save per-message computation. AES-GCM-SIV varies the authenticator key based on the nonce and so does not permit this.

The performance of AES-GCM vs. AES-GCM-SIV on small machines can be roughly characterised by the number of AES operations and the number of GF(2^128) multiplications needed to process a message. Let a = (bytelen(additional-data) + 15) / 16 and p = (bytelen(plaintext) + 15) / 16. Then AES-GCM requires p + 1 AES operations and p + a + 1 field multiplications.

Defined similarly, AES-GCM-SIV with AES-128 requires p + 5 AES operations and p + a + 1 field multiplications. With AES-256 that becomes p + 7 AES operations.

With large machines, the available parallelism becomes far more important and such simple performance analysis is no longer representative. For such machines, we find that decryption of AES-GCM-SIV is only about 5% slower than AES-GCM, as long as the message is at least a couple of kilobytes. Encryption tends to run at about two-thirds the speed because of the additional pass required.

Appendix C. Test vectors

C.1. AEAD_AES_128_GCM_SIV

Plaintext (0 bytes) =
AAD (0 bytes) =
Key = 01000000000000000000000000000000
Nonce = 030000000000000000000000
Record authentication key = d9b360279694941ac5dbc6987ada7377
Record encryption key = 4004a0dcd862f2a57360219d2d44ef6c
POLYVAL input = 00000000000000000000000000000000
POLYVAL result = 00000000000000000000000000000000
POLYVAL result XOR nonce = 03000000000000000000000000000000
... and masked = 03000000000000000000000000000000
Tag = dc20e2d83f25705bb49e439eca56de25
Initial counter = dc20e2d83f25705bb49e439eca56dea5
Result (16 bytes) = dc20e2d83f25705bb49e439eca56de25

Plaintext (8 bytes) = 0100000000000000
AAD (0 bytes) =
Key = 01000000000000000000000000000000
Nonce = 030000000000000000000000
Record authentication key = d9b360279694941ac5dbc6987ada7377
Record encryption key = 4004a0dcd862f2a57360219d2d44ef6c
POLYVAL input = 01000000000000000000000000000000
    00000000000000004000000000000000
POLYVAL result = eb93b7740962c5e49d2a90a7dc5cec74
POLYVAL result XOR nonce = e893b7740962c5e49d2a90a7dc5cec74
... and masked = e893b7740962c5e49d2a90a7dc5cec74
Tag = 578782fff6013b815b287c22493a364c
Initial counter = 578782fff6013b815b287c22493a36cc
Result (24 bytes) = b5d839330ac7b786578782fff6013b81
    5b287c22493a364c

Plaintext (12 bytes) = 010000000000000000000000
AAD (0 bytes) =
Key = 01000000000000000000000000000000
Nonce = 030000000000000000000000
Record authentication key = d9b360279694941ac5dbc6987ada7377
Record encryption key = 4004a0dcd862f2a57360219d2d44ef6c
POLYVAL input = 01000000000000000000000000000000
    00000000000000006000000000000000
POLYVAL result = 48eb6c6c5a2dbe4a1dde508fee06361b
POLYVAL result XOR nonce = 4beb6c6c5a2dbe4a1dde508fee06361b
... and masked = 4beb6c6c5a2dbe4a1dde508fee06361b
Tag = a4978db357391a0bc4fdec8b0d106639
Initial counter = a4978db357391a0bc4fdec8b0d1066b9
Result (28 bytes) = 7323ea61d05932260047d942a4978db3
    57391a0bc4fdec8b0d106639

Plaintext (16 bytes) = 01000000000000000000000000000000
AAD (0 bytes) =
Key = 01000000000000000000000000000000
Nonce = 030000000000000000000000
Record authentication key = d9b360279694941ac5dbc6987ada7377
Record encryption key = 4004a0dcd862f2a57360219d2d44ef6c
POLYVAL input = 01000000000000000000000000000000
    00000000000000008000000000000000
POLYVAL result = 20806c26e3c1de019e111255708031d6
POLYVAL result XOR nonce = 23806c26e3c1de019e111255708031d6
... and masked = 23806c26e3c1de019e11125570803156
Tag = 303aaf90f6fe21199c6068577437a0c4
Initial counter = 303aaf90f6fe21199c6068577437a0c4
Result (32 bytes) = 743f7c8077ab25f8624e2e948579cf77
    303aaf90f6fe21199c6068577437a0c4

Plaintext (32 bytes) = 01000000000000000000000000000000
    02000000000000000000000000000000
AAD (0 bytes) =
Key = 01000000000000000000000000000000
Nonce = 030000000000000000000000
Record authentication key = d9b360279694941ac5dbc6987ada7377
Record encryption key = 4004a0dcd862f2a57360219d2d44ef6c
POLYVAL input = 01000000000000000000000000000000
    02000000000000000000000000000000
    00000000000000000001000000000000
POLYVAL result = ce6edc9a50b36d9a98986bbf6a261c3b
POLYVAL result XOR nonce = cd6edc9a50b36d9a98986bbf6a261c3b
... and masked = cd6edc9a50b36d9a98986bbf6a261c3b
Tag = 1a8e45dcd4578c667cd86847bf6155ff
Initial counter = 1a8e45dcd4578c667cd86847bf6155ff
Result (48 bytes) = 84e07e62ba83a6585417245d7ec413a9
    fe427d6315c09b57ce45f2e3936a9445
    1a8e45dcd4578c667cd86847bf6155ff

Plaintext (48 bytes) = 01000000000000000000000000000000
    02000000000000000000000000000000
    03000000000000000000000000000000
AAD (0 bytes) =
Key = 01000000000000000000000000000000
Nonce = 030000000000000000000000
Record authentication key = d9b360279694941ac5dbc6987ada7377
Record encryption key = 4004a0dcd862f2a57360219d2d44ef6c
POLYVAL input = 01000000000000000000000000000000
    02000000000000000000000000000000
    03000000000000000000000000000000
    00000000000000008001000000000000
POLYVAL result = 81388746bc22d26b2abc3dcb15754222
POLYVAL result XOR nonce = 82388746bc22d26b2abc3dcb15754222
... and masked = 82388746bc22d26b2abc3dcb15754222
Tag = 5e6e311dbf395d35b0fe39c2714388f8
Initial counter = 5e6e311dbf395d35b0fe39c2714388f8
Result (64 bytes) = 3fd24ce1f5a67b75bf2351f181a475c7
    b800a5b4d3dcf70106b1eea82fa1d64d
    f42bf7226122fa92e17a40eeaac1201b
    5e6e311dbf395d35b0fe39c2714388f8

Plaintext (64 bytes) = 01000000000000000000000000000000
    02000000000000000000000000000000
    03000000000000000000000000000000
    04000000000000000000000000000000
AAD (0 bytes) =
Key = 01000000000000000000000000000000
Nonce = 030000000000000000000000
Record authentication key = d9b360279694941ac5dbc6987ada7377
Record encryption key = 4004a0dcd862f2a57360219d2d44ef6c
POLYVAL input = 01000000000000000000000000000000
    02000000000000000000000000000000
    03000000000000000000000000000000
    04000000000000000000000000000000
    00000000000000000002000000000000
POLYVAL result = 1e39b6d3344d348f6044f89935d1cf78
POLYVAL result XOR nonce = 1d39b6d3344d348f6044f89935d1cf78
... and masked = 1d39b6d3344d348f6044f89935d1cf78
Tag = 8a263dd317aa88d56bdf3936dba75bb8
Initial counter = 8a263dd317aa88d56bdf3936dba75bb8
Result (80 bytes) = 2433668f1058190f6d43e360f4f35cd8
    e475127cfca7028ea8ab5c20f7ab2af0
    2516a2bdcbc08d521be37ff28c152bba
    36697f25b4cd169c6590d1dd39566d3f
    8a263dd317aa88d56bdf3936dba75bb8

Plaintext (8 bytes) = 0200000000000000
AAD (1 bytes) = 01
Key = 01000000000000000000000000000000
Nonce = 030000000000000000000000
Record authentication key = d9b360279694941ac5dbc6987ada7377
Record encryption key = 4004a0dcd862f2a57360219d2d44ef6c
POLYVAL input = 01000000000000000000000000000000
    02000000000000000000000000000000
    08000000000000004000000000000000
POLYVAL result = b26781e7e2c1376f96bec195f3709b2a
POLYVAL result XOR nonce = b16781e7e2c1376f96bec195f3709b2a
... and masked = b16781e7e2c1376f96bec195f3709b2a
Tag = 3b0a1a2560969cdf790d99759abd1508
Initial counter = 3b0a1a2560969cdf790d99759abd1588
Result (24 bytes) = 1e6daba35669f4273b0a1a2560969cdf
    790d99759abd1508

Plaintext (12 bytes) = 020000000000000000000000
AAD (1 bytes) = 01
Key = 01000000000000000000000000000000
Nonce = 030000000000000000000000
Record authentication key = d9b360279694941ac5dbc6987ada7377
Record encryption key = 4004a0dcd862f2a57360219d2d44ef6c
POLYVAL input = 01000000000000000000000000000000
    02000000000000000000000000000000
    08000000000000006000000000000000
POLYVAL result = 111f5affb18e4cc1164a01bdc12a4145
POLYVAL result XOR nonce = 121f5affb18e4cc1164a01bdc12a4145
... and masked = 121f5affb18e4cc1164a01bdc12a4145
Tag = 08299c5102745aaa3a0c469fad9e075a
Initial counter = 08299c5102745aaa3a0c469fad9e07da
Result (28 bytes) = 296c7889fd99f41917f4462008299c51
    02745aaa3a0c469fad9e075a

Plaintext (16 bytes) = 02000000000000000000000000000000
AAD (1 bytes) = 01
Key = 01000000000000000000000000000000
Nonce = 030000000000000000000000
Record authentication key = d9b360279694941ac5dbc6987ada7377
Record encryption key = 4004a0dcd862f2a57360219d2d44ef6c
POLYVAL input = 01000000000000000000000000000000
    02000000000000000000000000000000
    08000000000000008000000000000000
POLYVAL result = 79745ab508622c8a958543675fac4688
POLYVAL result XOR nonce = 7a745ab508622c8a958543675fac4688
... and masked = 7a745ab508622c8a958543675fac4608
Tag = 8f8936ec039e4e4bb97ebd8c4457441f
Initial counter = 8f8936ec039e4e4bb97ebd8c4457449f
Result (32 bytes) = e2b0c5da79a901c1745f700525cb335b
    8f8936ec039e4e4bb97ebd8c4457441f

Plaintext (32 bytes) = 02000000000000000000000000000000
    03000000000000000000000000000000
AAD (1 bytes) = 01
Key = 01000000000000000000000000000000
Nonce = 030000000000000000000000
Record authentication key = d9b360279694941ac5dbc6987ada7377
Record encryption key = 4004a0dcd862f2a57360219d2d44ef6c
POLYVAL input = 01000000000000000000000000000000
    02000000000000000000000000000000
    03000000000000000000000000000000
    08000000000000000001000000000000
POLYVAL result = 2ce7daaf7c89490822051255b12eca6b
POLYVAL result XOR nonce = 2fe7daaf7c89490822051255b12eca6b
... and masked = 2fe7daaf7c89490822051255b12eca6b
Tag = e6af6a7f87287da059a71684ed3498e1
Initial counter = e6af6a7f87287da059a71684ed3498e1
Result (48 bytes) = 620048ef3c1e73e57e02bb8562c416a3
    19e73e4caac8e96a1ecb2933145a1d71
    e6af6a7f87287da059a71684ed3498e1

Plaintext (48 bytes) = 02000000000000000000000000000000
    03000000000000000000000000000000
    04000000000000000000000000000000
AAD (1 bytes) = 01
Key = 01000000000000000000000000000000
Nonce = 030000000000000000000000
Record authentication key = d9b360279694941ac5dbc6987ada7377
Record encryption key = 4004a0dcd862f2a57360219d2d44ef6c
POLYVAL input = 01000000000000000000000000000000
    02000000000000000000000000000000
    03000000000000000000000000000000
    04000000000000000000000000000000
    08000000000000008001000000000000
POLYVAL result = 9ca987715d69c1786711dfcd22f830fc
POLYVAL result XOR nonce = 9fa987715d69c1786711dfcd22f830fc
... and masked = 9fa987715d69c1786711dfcd22f8307c
Tag = 6a8cc3865f76897c2e4b245cf31c51f2
Initial counter = 6a8cc3865f76897c2e4b245cf31c51f2
Result (64 bytes) = 50c8303ea93925d64090d07bd109dfd9
    515a5a33431019c17d93465999a8b005
    3201d723120a8562b838cdff25bf9d1e
    6a8cc3865f76897c2e4b245cf31c51f2

Plaintext (64 bytes) = 02000000000000000000000000000000
    03000000000000000000000000000000
    04000000000000000000000000000000
    05000000000000000000000000000000
AAD (1 bytes) = 01
Key = 01000000000000000000000000000000
Nonce = 030000000000000000000000
Record authentication key = d9b360279694941ac5dbc6987ada7377
Record encryption key = 4004a0dcd862f2a57360219d2d44ef6c
POLYVAL input = 01000000000000000000000000000000
    02000000000000000000000000000000
    03000000000000000000000000000000
    04000000000000000000000000000000
    05000000000000000000000000000000
    08000000000000000002000000000000
POLYVAL result = ffcd05d5770f34ad9267f0a59994b15a
POLYVAL result XOR nonce = fccd05d5770f34ad9267f0a59994b15a
... and masked = fccd05d5770f34ad9267f0a59994b15a
Tag = cdc46ae475563de037001ef84ae21744
Initial counter = cdc46ae475563de037001ef84ae217c4
Result (80 bytes) = 2f5c64059db55ee0fb847ed513003746
    aca4e61c711b5de2e7a77ffd02da42fe
    ec601910d3467bb8b36ebbaebce5fba3
    0d36c95f48a3e7980f0e7ac299332a80
    cdc46ae475563de037001ef84ae21744

Plaintext (4 bytes) = 02000000
AAD (12 bytes) = 010000000000000000000000
Key = 01000000000000000000000000000000
Nonce = 030000000000000000000000
Record authentication key = d9b360279694941ac5dbc6987ada7377
Record encryption key = 4004a0dcd862f2a57360219d2d44ef6c
POLYVAL input = 01000000000000000000000000000000
    02000000000000000000000000000000
    60000000000000002000000000000000
POLYVAL result = f6ce9d3dcd68a2fd603c7ecc18fb9918
POLYVAL result XOR nonce = f5ce9d3dcd68a2fd603c7ecc18fb9918
... and masked = f5ce9d3dcd68a2fd603c7ecc18fb9918
Tag = 07eb1f84fb28f8cb73de8e99e2f48a14
Initial counter = 07eb1f84fb28f8cb73de8e99e2f48a94
Result (20 bytes) = a8fe3e8707eb1f84fb28f8cb73de8e99
    e2f48a14

Plaintext (20 bytes) = 03000000000000000000000000000000
    04000000
AAD (18 bytes) = 01000000000000000000000000000000
    0200
Key = 01000000000000000000000000000000
Nonce = 030000000000000000000000
Record authentication key = d9b360279694941ac5dbc6987ada7377
Record encryption key = 4004a0dcd862f2a57360219d2d44ef6c
POLYVAL input = 01000000000000000000000000000000
    02000000000000000000000000000000
    03000000000000000000000000000000
    04000000000000000000000000000000
    9000000000000000a000000000000000
POLYVAL result = 4781d492cb8f926c504caa36f61008fe
POLYVAL result XOR nonce = 4481d492cb8f926c504caa36f61008fe
... and masked = 4481d492cb8f926c504caa36f610087e
Tag = 24afc9805e976f451e6d87f6fe106514
Initial counter = 24afc9805e976f451e6d87f6fe106594
Result (36 bytes) = 6bb0fecf5ded9b77f902c7d5da236a43
    91dd029724afc9805e976f451e6d87f6
    fe106514

Plaintext (18 bytes) = 03000000000000000000000000000000
    0400
AAD (20 bytes) = 01000000000000000000000000000000
    02000000
Key = 01000000000000000000000000000000
Nonce = 030000000000000000000000
Record authentication key = d9b360279694941ac5dbc6987ada7377
Record encryption key = 4004a0dcd862f2a57360219d2d44ef6c
POLYVAL input = 01000000000000000000000000000000
    02000000000000000000000000000000
    03000000000000000000000000000000
    04000000000000000000000000000000
    a0000000000000009000000000000000
POLYVAL result = 75cbc23a1a10e348aeb8e384b5cc79fd
POLYVAL result XOR nonce = 76cbc23a1a10e348aeb8e384b5cc79fd
... and masked = 76cbc23a1a10e348aeb8e384b5cc797d
Tag = bff9b2ef00fb47920cc72a0c0f13b9fd
Initial counter = bff9b2ef00fb47920cc72a0c0f13b9fd
Result (34 bytes) = 44d0aaf6fb2f1f34add5e8064e83e12a
    2adabff9b2ef00fb47920cc72a0c0f13
    b9fd

Plaintext (0 bytes) =
AAD (0 bytes) =
Key = e66021d5eb8e4f4066d4adb9c33560e4
Nonce = f46e44bb3da0015c94f70887
Record authentication key = 036ee1fe2d7926af68898095e54e7b3c
Record encryption key = 5e46482396008223b5c1d25173d87539
POLYVAL input = 00000000000000000000000000000000
POLYVAL result = 00000000000000000000000000000000
POLYVAL result XOR nonce = f46e44bb3da0015c94f7088700000000
... and masked = f46e44bb3da0015c94f7088700000000
Tag = a4194b79071b01a87d65f706e3949578
Initial counter = a4194b79071b01a87d65f706e39495f8
Result (16 bytes) = a4194b79071b01a87d65f706e3949578

Plaintext (3 bytes) = 7a806c
AAD (5 bytes) = 46bb91c3c5
Key = 36864200e0eaf5284d884a0e77d31646
Nonce = bae8e37fc83441b16034566b
Record authentication key = 3e28de1120b2981a0155795ca2812af6
Record encryption key = 6d4b78b31a4c9c03d8db0f42f7507fae
POLYVAL input = 46bb91c3c50000000000000000000000
    7a806c00000000000000000000000000
    28000000000000001800000000000000
POLYVAL result = 43d9a745511dcfa21b96dd606f1d5720
POLYVAL result XOR nonce = f931443a99298e137ba28b0b6f1d5720
... and masked = f931443a99298e137ba28b0b6f1d5720
Tag = 711bd85bc1e4d3e0a462e074eea428a8
Initial counter = 711bd85bc1e4d3e0a462e074eea428a8
Result (19 bytes) = af60eb711bd85bc1e4d3e0a462e074ee
    a428a8

Plaintext (6 bytes) = bdc66f146545
AAD (10 bytes) = fc880c94a95198874296
Key = aedb64a6c590bc84d1a5e269e4b47801
Nonce = afc0577e34699b9e671fdd4f
Record authentication key = 43b8de9cea62330d15cccfc84a33e8c8
Record encryption key = 8e54631607e431e095b54852868e3a27
POLYVAL input = fc880c94a95198874296000000000000
    bdc66f14654500000000000000000000
    50000000000000003000000000000000
POLYVAL result = 26498e0d2b1ef004e808c458e8f2f515
POLYVAL result XOR nonce = 8989d9731f776b9a8f171917e8f2f515
... and masked = 8989d9731f776b9a8f171917e8f2f515
Tag = d6a9c45545cfc11f03ad743dba20f966
Initial counter = d6a9c45545cfc11f03ad743dba20f9e6
Result (22 bytes) = bb93a3e34d3cd6a9c45545cfc11f03ad
    743dba20f966

Plaintext (9 bytes) = 1177441f195495860f
AAD (15 bytes) = 046787f3ea22c127aaf195d1894728
Key = d5cc1fd161320b6920ce07787f86743b
Nonce = 275d1ab32f6d1f0434d8848c
Record authentication key = 8a51df64d93eaf667c2c09bd454ce5c5
Record encryption key = 43ab276c2b4a473918ca73f2dd85109c
POLYVAL input = 046787f3ea22c127aaf195d189472800
    1177441f195495860f00000000000000
    78000000000000004800000000000000
POLYVAL result = 63a3451c0b23345ad02bba59956517cf
POLYVAL result XOR nonce = 44fe5faf244e2b5ee4f33ed5956517cf
... and masked = 44fe5faf244e2b5ee4f33ed59565174f
Tag = 1d02fd0cd174c84fc5dae2f60f52fd2b
Initial counter = 1d02fd0cd174c84fc5dae2f60f52fdab
Result (25 bytes) = 4f37281f7ad12949d01d02fd0cd174c8
    4fc5dae2f60f52fd2b

Plaintext (12 bytes) = 9f572c614b4745914474e7c7
AAD (20 bytes) = c9882e5386fd9f92ec489c8fde2be2cf
    97e74e93
Key = b3fed1473c528b8426a582995929a149
Nonce = 9e9ad8780c8d63d0ab4149c0
Record authentication key = 22f50707a95dd416df069d670cb775e8
Record encryption key = f674a5584ee21fe97b4cebc468ab61e4
POLYVAL input = c9882e5386fd9f92ec489c8fde2be2cf
    97e74e93000000000000000000000000
    9f572c614b4745914474e7c700000000
    a0000000000000006000000000000000
POLYVAL result = 0cca0423fba9d77fe7e2e6963b08cdd0
POLYVAL result XOR nonce = 9250dc5bf724b4af4ca3af563b08cdd0
... and masked = 9250dc5bf724b4af4ca3af563b08cd50
Tag = c1dc2f871fb7561da1286e655e24b7b0
Initial counter = c1dc2f871fb7561da1286e655e24b7b0
Result (28 bytes) = f54673c5ddf710c745641c8bc1dc2f87
    1fb7561da1286e655e24b7b0

Plaintext (15 bytes) = 0d8c8451178082355c9e940fea2f58
AAD (25 bytes) = 2950a70d5a1db2316fd568378da107b5
    2b0da55210cc1c1b0a
Key = 2d4ed87da44102952ef94b02b805249b
Nonce = ac80e6f61455bfac8308a2d4
Record authentication key = 0b00a29a83e7e95b92e3a0783b29f140
Record encryption key = a430c27f285aed913005975c42eed5f3
POLYVAL input = 2950a70d5a1db2316fd568378da107b5
    2b0da55210cc1c1b0a00000000000000
    0d8c8451178082355c9e940fea2f5800
    c8000000000000007800000000000000
POLYVAL result = 1086ef25247aa41009bbc40871d9b350
POLYVAL result XOR nonce = bc0609d3302f1bbc8ab366dc71d9b350
... and masked = bc0609d3302f1bbc8ab366dc71d9b350
Tag = 83b3449b9f39552de99dc214a1190b0b
Initial counter = 83b3449b9f39552de99dc214a1190b8b
Result (31 bytes) = c9ff545e07b88a015f05b274540aa183
    b3449b9f39552de99dc214a1190b0b

Plaintext (18 bytes) = 6b3db4da3d57aa94842b9803a96e07fb
    6de7
AAD (30 bytes) = 1860f762ebfbd08284e421702de0de18
    baa9c9596291b08466f37de21c7f
Key = bde3b2f204d1e9f8b06bc47f9745b3d1
Nonce = ae06556fb6aa7890bebc18fe
Record authentication key = 21c874a8bad3603d1c3e8784df5b3f9f
Record encryption key = d1c16d72651c3df504eae27129d818e8
POLYVAL input = 1860f762ebfbd08284e421702de0de18
    baa9c9596291b08466f37de21c7f0000
    6b3db4da3d57aa94842b9803a96e07fb
    6de70000000000000000000000000000
    f0000000000000009000000000000000
POLYVAL result = 55462a5afa0da8d646481e049ef9c764
POLYVAL result XOR nonce = fb407f354ca7d046f8f406fa9ef9c764
... and masked = fb407f354ca7d046f8f406fa9ef9c764
Tag = 3e377094f04709f64d7b985310a4db84
Initial counter = 3e377094f04709f64d7b985310a4db84
Result (34 bytes) = 6298b296e24e8cc35dce0bed484b7f30
    d5803e377094f04709f64d7b985310a4
    db84

Plaintext (21 bytes) = e42a3c02c25b64869e146d7b233987bd
    dfc240871d
AAD (35 bytes) = 7576f7028ec6eb5ea7e298342a94d4b2
    02b370ef9768ec6561c4fe6b7e7296fa
    859c21
Key = f901cfe8a69615a93fdf7a98cad48179
Nonce = 6245709fb18853f68d833640
Record authentication key = 3724f55f1d22ac0ab830da0b6a995d74
Record encryption key = 75ac87b70c05db287de779006105a344
POLYVAL input = 7576f7028ec6eb5ea7e298342a94d4b2
    02b370ef9768ec6561c4fe6b7e7296fa
    859c2100000000000000000000000000
    e42a3c02c25b64869e146d7b233987bd
    dfc240871d0000000000000000000000
    1801000000000000a800000000000000
POLYVAL result = 4cbba090f03f7d1188ea55749fa6c7bd
POLYVAL result XOR nonce = 2efed00f41b72ee7056963349fa6c7bd
... and masked = 2efed00f41b72ee7056963349fa6c73d
Tag = 2d15506c84a9edd65e13e9d24a2a6e70
Initial counter = 2d15506c84a9edd65e13e9d24a2a6ef0
Result (37 bytes) = 391cc328d484a4f46406181bcd62efd9
    b3ee197d052d15506c84a9edd65e13e9
    d24a2a6e70

C.2. AEAD_AES_256_GCM_SIV

Plaintext (0 bytes) =
AAD (0 bytes) =
Key = 01000000000000000000000000000000
    00000000000000000000000000000000
Nonce = 030000000000000000000000
Record authentication key = b5d3c529dfafac43136d2d11be284d7f
Record encryption key = b914f4742be9e1d7a2f84addbf96dec3
    456e3c6c05ecc157cdbf0700fedad222
POLYVAL input = 00000000000000000000000000000000
POLYVAL result = 00000000000000000000000000000000
POLYVAL result XOR nonce = 03000000000000000000000000000000
... and masked = 03000000000000000000000000000000
Tag = 07f5f4169bbf55a8400cd47ea6fd400f
Initial counter = 07f5f4169bbf55a8400cd47ea6fd408f
Result (16 bytes) = 07f5f4169bbf55a8400cd47ea6fd400f

Plaintext (8 bytes) = 0100000000000000
AAD (0 bytes) =
Key = 01000000000000000000000000000000
    00000000000000000000000000000000
Nonce = 030000000000000000000000
Record authentication key = b5d3c529dfafac43136d2d11be284d7f
Record encryption key = b914f4742be9e1d7a2f84addbf96dec3
    456e3c6c05ecc157cdbf0700fedad222
POLYVAL input = 01000000000000000000000000000000
    00000000000000004000000000000000
POLYVAL result = 05230f62f0eac8aa14fe4d646b59cd41
POLYVAL result XOR nonce = 06230f62f0eac8aa14fe4d646b59cd41
... and masked = 06230f62f0eac8aa14fe4d646b59cd41
Tag = 843122130f7364b761e0b97427e3df28
Initial counter = 843122130f7364b761e0b97427e3dfa8
Result (24 bytes) = c2ef328e5c71c83b843122130f7364b7
    61e0b97427e3df28

Plaintext (12 bytes) = 010000000000000000000000
AAD (0 bytes) =
Key = 01000000000000000000000000000000
    00000000000000000000000000000000
Nonce = 030000000000000000000000
Record authentication key = b5d3c529dfafac43136d2d11be284d7f
Record encryption key = b914f4742be9e1d7a2f84addbf96dec3
    456e3c6c05ecc157cdbf0700fedad222
POLYVAL input = 01000000000000000000000000000000
    00000000000000006000000000000000
POLYVAL result = 6d81a24732fd6d03ae5af544720a1c13
POLYVAL result XOR nonce = 6e81a24732fd6d03ae5af544720a1c13
... and masked = 6e81a24732fd6d03ae5af544720a1c13
Tag = 8ca50da9ae6559e48fd10f6e5c9ca17e
Initial counter = 8ca50da9ae6559e48fd10f6e5c9ca1fe
Result (28 bytes) = 9aab2aeb3faa0a34aea8e2b18ca50da9
    ae6559e48fd10f6e5c9ca17e

Plaintext (16 bytes) = 01000000000000000000000000000000
AAD (0 bytes) =
Key = 01000000000000000000000000000000
    00000000000000000000000000000000
Nonce = 030000000000000000000000
Record authentication key = b5d3c529dfafac43136d2d11be284d7f
Record encryption key = b914f4742be9e1d7a2f84addbf96dec3
    456e3c6c05ecc157cdbf0700fedad222
POLYVAL input = 01000000000000000000000000000000
    00000000000000008000000000000000
POLYVAL result = 74eee2bf7c9a165f8b25dea73db32a6d
POLYVAL result XOR nonce = 77eee2bf7c9a165f8b25dea73db32a6d
... and masked = 77eee2bf7c9a165f8b25dea73db32a6d
Tag = c9eac6fa700942702e90862383c6c366
Initial counter = c9eac6fa700942702e90862383c6c3e6
Result (32 bytes) = 85a01b63025ba19b7fd3ddfc033b3e76
    c9eac6fa700942702e90862383c6c366

Plaintext (32 bytes) = 01000000000000000000000000000000
    02000000000000000000000000000000
AAD (0 bytes) =
Key = 01000000000000000000000000000000
    00000000000000000000000000000000
Nonce = 030000000000000000000000
Record authentication key = b5d3c529dfafac43136d2d11be284d7f
Record encryption key = b914f4742be9e1d7a2f84addbf96dec3
    456e3c6c05ecc157cdbf0700fedad222
POLYVAL input = 01000000000000000000000000000000
    02000000000000000000000000000000
    00000000000000000001000000000000
POLYVAL result = 899b6381b3d46f0def7aa0517ba188f5
POLYVAL result XOR nonce = 8a9b6381b3d46f0def7aa0517ba188f5
... and masked = 8a9b6381b3d46f0def7aa0517ba18875
Tag = e819e63abcd020b006a976397632eb5d
Initial counter = e819e63abcd020b006a976397632ebdd
Result (48 bytes) = 4a6a9db4c8c6549201b9edb53006cba8
    21ec9cf850948a7c86c68ac7539d027f
    e819e63abcd020b006a976397632eb5d

Plaintext (48 bytes) = 01000000000000000000000000000000
    02000000000000000000000000000000
    03000000000000000000000000000000
AAD (0 bytes) =
Key = 01000000000000000000000000000000
    00000000000000000000000000000000
Nonce = 030000000000000000000000
Record authentication key = b5d3c529dfafac43136d2d11be284d7f
Record encryption key = b914f4742be9e1d7a2f84addbf96dec3
    456e3c6c05ecc157cdbf0700fedad222
POLYVAL input = 01000000000000000000000000000000
    02000000000000000000000000000000
    03000000000000000000000000000000
    00000000000000008001000000000000
POLYVAL result = c1f8593d8fc29b0c290cae1992f71f51
POLYVAL result XOR nonce = c2f8593d8fc29b0c290cae1992f71f51
... and masked = c2f8593d8fc29b0c290cae1992f71f51
Tag = 790bc96880a99ba804bd12c0e6a22cc4
Initial counter = 790bc96880a99ba804bd12c0e6a22cc4
Result (64 bytes) = c00d121893a9fa603f48ccc1ca3c57ce
    7499245ea0046db16c53c7c66fe717e3
    9cf6c748837b61f6ee3adcee17534ed5
    790bc96880a99ba804bd12c0e6a22cc4

Plaintext (64 bytes) = 01000000000000000000000000000000
    02000000000000000000000000000000
    03000000000000000000000000000000
    04000000000000000000000000000000
AAD (0 bytes) =
Key = 01000000000000000000000000000000
    00000000000000000000000000000000
Nonce = 030000000000000000000000
Record authentication key = b5d3c529dfafac43136d2d11be284d7f
Record encryption key = b914f4742be9e1d7a2f84addbf96dec3
    456e3c6c05ecc157cdbf0700fedad222
POLYVAL input = 01000000000000000000000000000000
    02000000000000000000000000000000
    03000000000000000000000000000000
    04000000000000000000000000000000
    00000000000000000002000000000000
POLYVAL result = 6ef38b06046c7c0e225efaef8e2ec4c4
POLYVAL result XOR nonce = 6df38b06046c7c0e225efaef8e2ec4c4
... and masked = 6df38b06046c7c0e225efaef8e2ec444
Tag = 112864c269fc0d9d88c61fa47e39aa08
Initial counter = 112864c269fc0d9d88c61fa47e39aa88
Result (80 bytes) = c2d5160a1f8683834910acdafc41fbb1
    632d4a353e8b905ec9a5499ac34f96c7
    e1049eb080883891a4db8caaa1f99dd0
    04d80487540735234e3744512c6f90ce
    112864c269fc0d9d88c61fa47e39aa08

Plaintext (8 bytes) = 0200000000000000
AAD (1 bytes) = 01
Key = 01000000000000000000000000000000
    00000000000000000000000000000000
Nonce = 030000000000000000000000
Record authentication key = b5d3c529dfafac43136d2d11be284d7f
Record encryption key = b914f4742be9e1d7a2f84addbf96dec3
    456e3c6c05ecc157cdbf0700fedad222
POLYVAL input = 01000000000000000000000000000000
    02000000000000000000000000000000
    08000000000000004000000000000000
POLYVAL result = 34e57bafe011b9b36fc6821b7ffb3354
POLYVAL result XOR nonce = 37e57bafe011b9b36fc6821b7ffb3354
... and masked = 37e57bafe011b9b36fc6821b7ffb3354
Tag = 91213f267e3b452f02d01ae33e4ec854
Initial counter = 91213f267e3b452f02d01ae33e4ec8d4
Result (24 bytes) = 1de22967237a813291213f267e3b452f
    02d01ae33e4ec854

Plaintext (12 bytes) = 020000000000000000000000
AAD (1 bytes) = 01
Key = 01000000000000000000000000000000
    00000000000000000000000000000000
Nonce = 030000000000000000000000
Record authentication key = b5d3c529dfafac43136d2d11be284d7f
Record encryption key = b914f4742be9e1d7a2f84addbf96dec3
    456e3c6c05ecc157cdbf0700fedad222
POLYVAL input = 01000000000000000000000000000000
    02000000000000000000000000000000
    08000000000000006000000000000000
POLYVAL result = 5c47d68a22061c1ad5623a3b66a8e206
POLYVAL result XOR nonce = 5f47d68a22061c1ad5623a3b66a8e206
... and masked = 5f47d68a22061c1ad5623a3b66a8e206
Tag = c1a4a19ae800941ccdc57cc8413c277f
Initial counter = c1a4a19ae800941ccdc57cc8413c27ff
Result (28 bytes) = 163d6f9cc1b346cd453a2e4cc1a4a19a
    e800941ccdc57cc8413c277f

Plaintext (16 bytes) = 02000000000000000000000000000000
AAD (1 bytes) = 01
Key = 01000000000000000000000000000000
    00000000000000000000000000000000
Nonce = 030000000000000000000000
Record authentication key = b5d3c529dfafac43136d2d11be284d7f
Record encryption key = b914f4742be9e1d7a2f84addbf96dec3
    456e3c6c05ecc157cdbf0700fedad222
POLYVAL input = 01000000000000000000000000000000
    02000000000000000000000000000000
    08000000000000008000000000000000
POLYVAL result = 452896726c616746f01d11d82911d478
POLYVAL result XOR nonce = 462896726c616746f01d11d82911d478
... and masked = 462896726c616746f01d11d82911d478
Tag = b292d28ff61189e8e49f3875ef91aff7
Initial counter = b292d28ff61189e8e49f3875ef91aff7
Result (32 bytes) = c91545823cc24f17dbb0e9e807d5ec17
    b292d28ff61189e8e49f3875ef91aff7

Plaintext (32 bytes) = 02000000000000000000000000000000
    03000000000000000000000000000000
AAD (1 bytes) = 01
Key = 01000000000000000000000000000000
    00000000000000000000000000000000
Nonce = 030000000000000000000000
Record authentication key = b5d3c529dfafac43136d2d11be284d7f
Record encryption key = b914f4742be9e1d7a2f84addbf96dec3
    456e3c6c05ecc157cdbf0700fedad222
POLYVAL input = 01000000000000000000000000000000
    02000000000000000000000000000000
    03000000000000000000000000000000
    08000000000000000001000000000000
POLYVAL result = 4e58c1e341c9bb0ae34eda9509dfc90c
POLYVAL result XOR nonce = 4d58c1e341c9bb0ae34eda9509dfc90c
... and masked = 4d58c1e341c9bb0ae34eda9509dfc90c
Tag = aea1bad12702e1965604374aab96dbbc
Initial counter = aea1bad12702e1965604374aab96dbbc
Result (48 bytes) = 07dad364bfc2b9da89116d7bef6daaaf
    6f255510aa654f920ac81b94e8bad365
    aea1bad12702e1965604374aab96dbbc

Plaintext (48 bytes) = 02000000000000000000000000000000
    03000000000000000000000000000000
    04000000000000000000000000000000
AAD (1 bytes) = 01
Key = 01000000000000000000000000000000
    00000000000000000000000000000000
Nonce = 030000000000000000000000
Record authentication key = b5d3c529dfafac43136d2d11be284d7f
Record encryption key = b914f4742be9e1d7a2f84addbf96dec3
    456e3c6c05ecc157cdbf0700fedad222
POLYVAL input = 01000000000000000000000000000000
    02000000000000000000000000000000
    03000000000000000000000000000000
    04000000000000000000000000000000
    08000000000000008001000000000000
POLYVAL result = 2566a4aff9a525df9772c16d4eaf8d2a
POLYVAL result XOR nonce = 2666a4aff9a525df9772c16d4eaf8d2a
... and masked = 2666a4aff9a525df9772c16d4eaf8d2a
Tag = 03332742b228c647173616cfd44c54eb
Initial counter = 03332742b228c647173616cfd44c54eb
Result (64 bytes) = c67a1f0f567a5198aa1fcc8e3f213143
    36f7f51ca8b1af61feac35a86416fa47
    fbca3b5f749cdf564527f2314f42fe25
    03332742b228c647173616cfd44c54eb

Plaintext (64 bytes) = 02000000000000000000000000000000
    03000000000000000000000000000000
    04000000000000000000000000000000
    05000000000000000000000000000000
AAD (1 bytes) = 01
Key = 01000000000000000000000000000000
    00000000000000000000000000000000
Nonce = 030000000000000000000000
Record authentication key = b5d3c529dfafac43136d2d11be284d7f
Record encryption key = b914f4742be9e1d7a2f84addbf96dec3
    456e3c6c05ecc157cdbf0700fedad222
POLYVAL input = 01000000000000000000000000000000
    02000000000000000000000000000000
    03000000000000000000000000000000
    04000000000000000000000000000000
    05000000000000000000000000000000
    08000000000000000002000000000000
POLYVAL result = da58d2f61b0a9d343b2f37fb0c519733
POLYVAL result XOR nonce = d958d2f61b0a9d343b2f37fb0c519733
...
and masked = d958d2f61b0a9d343b2f37fb0c519733 1512 Tag = 5bde0285037c5de81e5b570a049b62a0 1513 Initial counter = 5bde0285037c5de81e5b570a049b62a0 1514 Result (80 bytes) = 67fd45e126bfb9a79930c43aad2d3696 1515 7d3f0e4d217c1e551f59727870beefc9 1516 8cb933a8fce9de887b1e40799988db1f 1517 c3f91880ed405b2dd298318858467c89 1518 5bde0285037c5de81e5b570a049b62a0 1520 Plaintext (4 bytes) = 02000000 1521 AAD (12 bytes) = 010000000000000000000000 1522 Key = 01000000000000000000000000000000 1523 00000000000000000000000000000000 1524 Nonce = 030000000000000000000000 1525 Record authentication key = b5d3c529dfafac43136d2d11be284d7f 1526 Record encryption key = b914f4742be9e1d7a2f84addbf96dec3 1527 456e3c6c05ecc157cdbf0700fedad222 1528 POLYVAL input = 01000000000000000000000000000000 1529 02000000000000000000000000000000 1530 60000000000000002000000000000000 1531 POLYVAL result = 6dc76ae84b88916e073a303aafde05cf 1532 POLYVAL result XOR nonce = 6ec76ae84b88916e073a303aafde05cf 1533 ... and masked = 6ec76ae84b88916e073a303aafde054f 1534 Tag = 1835e517741dfddccfa07fa4661b74cf 1535 Initial counter = 1835e517741dfddccfa07fa4661b74cf 1536 Result (20 bytes) = 22b3f4cd1835e517741dfddccfa07fa4 1537 661b74cf 1539 Plaintext (20 bytes) = 03000000000000000000000000000000 1540 04000000 1541 AAD (18 bytes) = 01000000000000000000000000000000 1542 0200 1543 Key = 01000000000000000000000000000000 1544 00000000000000000000000000000000 1545 Nonce = 030000000000000000000000 1546 Record authentication key = b5d3c529dfafac43136d2d11be284d7f 1547 Record encryption key = b914f4742be9e1d7a2f84addbf96dec3 1548 456e3c6c05ecc157cdbf0700fedad222 1549 POLYVAL input = 01000000000000000000000000000000 1550 02000000000000000000000000000000 1551 03000000000000000000000000000000 1552 04000000000000000000000000000000 1553 9000000000000000a000000000000000 1554 POLYVAL result = 973ef4fd04bd31d193816ab26f8655ca 1555 POLYVAL result XOR nonce = 943ef4fd04bd31d193816ab26f8655ca 1556 ... 
and masked = 943ef4fd04bd31d193816ab26f86554a 1557 Tag = b879ad976d8242acc188ab59cabfe307 1558 Initial counter = b879ad976d8242acc188ab59cabfe387 1559 Result (36 bytes) = 43dd0163cdb48f9fe3212bf61b201976 1560 067f342bb879ad976d8242acc188ab59 1561 cabfe307 1563 Plaintext (18 bytes) = 03000000000000000000000000000000 1564 0400 1565 AAD (20 bytes) = 01000000000000000000000000000000 1566 02000000 1567 Key = 01000000000000000000000000000000 1568 00000000000000000000000000000000 1569 Nonce = 030000000000000000000000 1570 Record authentication key = b5d3c529dfafac43136d2d11be284d7f 1571 Record encryption key = b914f4742be9e1d7a2f84addbf96dec3 1572 456e3c6c05ecc157cdbf0700fedad222 1573 POLYVAL input = 01000000000000000000000000000000 1574 02000000000000000000000000000000 1575 03000000000000000000000000000000 1576 04000000000000000000000000000000 1577 a0000000000000009000000000000000 1578 POLYVAL result = 2cbb6b7ab2dbffefb797f825f826870c 1579 POLYVAL result XOR nonce = 2fbb6b7ab2dbffefb797f825f826870c 1580 ... and masked = 2fbb6b7ab2dbffefb797f825f826870c 1581 Tag = cfcdf5042112aa29685c912fc2056543 1582 Initial counter = cfcdf5042112aa29685c912fc20565c3 1583 Result (34 bytes) = 462401724b5ce6588d5a54aae5375513 1584 a075cfcdf5042112aa29685c912fc205 1585 6543 1587 Plaintext (0 bytes) = 1588 AAD (0 bytes) = 1589 Key = e66021d5eb8e4f4066d4adb9c33560e4 1590 f46e44bb3da0015c94f7088736864200 1591 Nonce = e0eaf5284d884a0e77d31646 1592 Record authentication key = e40d26f82774aa27f47b047b608b9585 1593 Record encryption key = 7c7c3d9a542cef53dde0e6de9b580040 1594 0f82e73ec5f7ee41b7ba8dcb9ba078c3 1595 POLYVAL input = 00000000000000000000000000000000 1596 POLYVAL result = 00000000000000000000000000000000 1597 POLYVAL result XOR nonce = e0eaf5284d884a0e77d3164600000000 1598 ... 
and masked = e0eaf5284d884a0e77d3164600000000 1599 Tag = 169fbb2fbf389a995f6390af22228a62 1600 Initial counter = 169fbb2fbf389a995f6390af22228ae2 1601 Result (16 bytes) = 169fbb2fbf389a995f6390af22228a62 1603 Plaintext (3 bytes) = 671fdd 1604 AAD (5 bytes) = 4fbdc66f14 1605 Key = bae8e37fc83441b16034566b7a806c46 1606 bb91c3c5aedb64a6c590bc84d1a5e269 1607 Nonce = e4b47801afc0577e34699b9e 1608 Record authentication key = b546f5a850d0a90adfe39e95c2510fc6 1609 Record encryption key = b9d1e239d62cbb5c49273ddac8838bdc 1610 c53bca478a770f07087caa4e0a924a55 1611 POLYVAL input = 4fbdc66f140000000000000000000000 1612 671fdd00000000000000000000000000 1613 28000000000000001800000000000000 1614 POLYVAL result = b91f91f96b159a7c611c05035b839e92 1615 POLYVAL result XOR nonce = 5dabe9f8c4d5cd0255759e9d5b839e92 1616 ... and masked = 5dabe9f8c4d5cd0255759e9d5b839e12 1617 Tag = 93da9bb81333aee0c785b240d319719d 1618 Initial counter = 93da9bb81333aee0c785b240d319719d 1619 Result (19 bytes) = 0eaccb93da9bb81333aee0c785b240d3 1620 19719d 1622 Plaintext (6 bytes) = 195495860f04 1623 AAD (10 bytes) = 6787f3ea22c127aaf195 1624 Key = 6545fc880c94a95198874296d5cc1fd1 1625 61320b6920ce07787f86743b275d1ab3 1626 Nonce = 2f6d1f0434d8848c1177441f 1627 Record authentication key = e156e1f9b0b07b780cbe30f259e3c8da 1628 Record encryption key = 6fc1c494519f944aae52fcd8b14e5b17 1629 1b5a9429d3b76e430d49940c0021d612 1630 POLYVAL input = 6787f3ea22c127aaf195000000000000 1631 195495860f0400000000000000000000 1632 50000000000000003000000000000000 1633 POLYVAL result = 2c480ed9d236b1df24c6eec109bd40c1 1634 POLYVAL result XOR nonce = 032511dde6ee355335b1aade09bd40c1 1635 ... 
and masked = 032511dde6ee355335b1aade09bd4041 1636 Tag = 6b62b84dc40c84636a5ec12020ec8c2c 1637 Initial counter = 6b62b84dc40c84636a5ec12020ec8cac 1638 Result (22 bytes) = a254dad4f3f96b62b84dc40c84636a5e 1639 c12020ec8c2c 1641 Plaintext (9 bytes) = c9882e5386fd9f92ec 1642 AAD (15 bytes) = 489c8fde2be2cf97e74e932d4ed87d 1643 Key = d1894728b3fed1473c528b8426a58299 1644 5929a1499e9ad8780c8d63d0ab4149c0 1645 Nonce = 9f572c614b4745914474e7c7 1646 Record authentication key = 0533fd71f4119257361a3ff1469dd4e5 1647 Record encryption key = 4feba89799be8ac3684fa2bb30ade0ea 1648 51390e6d87dcf3627d2ee44493853abe 1649 POLYVAL input = 489c8fde2be2cf97e74e932d4ed87d00 1650 c9882e5386fd9f92ec00000000000000 1651 78000000000000004800000000000000 1652 POLYVAL result = bf160bc9ded8c63057d2c38aae552fb4 1653 POLYVAL result XOR nonce = 204127a8959f83a113a6244dae552fb4 1654 ... and masked = 204127a8959f83a113a6244dae552f34 1655 Tag = c0fd3dc6628dfe55ebb0b9fb2295c8c2 1656 Initial counter = c0fd3dc6628dfe55ebb0b9fb2295c8c2 1657 Result (25 bytes) = 0df9e308678244c44bc0fd3dc6628dfe 1658 55ebb0b9fb2295c8c2 1660 Plaintext (12 bytes) = 1db2316fd568378da107b52b 1661 AAD (20 bytes) = 0da55210cc1c1b0abde3b2f204d1e9f8 1662 b06bc47f 1663 Key = a44102952ef94b02b805249bac80e6f6 1664 1455bfac8308a2d40d8c845117808235 1665 Nonce = 5c9e940fea2f582950a70d5a 1666 Record authentication key = 64779ab10ee8a280272f14cc8851b727 1667 Record encryption key = 25f40fc63f49d3b9016a8eeeb75846e0 1668 d72ca36ddbd312b6f5ef38ad14bd2651 1669 POLYVAL input = 0da55210cc1c1b0abde3b2f204d1e9f8 1670 b06bc47f000000000000000000000000 1671 1db2316fd568378da107b52b00000000 1672 a0000000000000006000000000000000 1673 POLYVAL result = cc86ee22c861e1fd474c84676b42739c 1674 POLYVAL result XOR nonce = 90187a2d224eb9d417eb893d6b42739c 1675 ... 
and masked = 90187a2d224eb9d417eb893d6b42731c 1676 Tag = 404099c2587f64979f21826706d497d5 1677 Initial counter = 404099c2587f64979f21826706d497d5 1678 Result (28 bytes) = 8dbeb9f7255bf5769dd56692404099c2 1679 587f64979f21826706d497d5 1681 Plaintext (15 bytes) = 21702de0de18baa9c9596291b08466 1682 AAD (25 bytes) = f37de21c7ff901cfe8a69615a93fdf7a 1683 98cad481796245709f 1684 Key = 9745b3d1ae06556fb6aa7890bebc18fe 1685 6b3db4da3d57aa94842b9803a96e07fb 1686 Nonce = 6de71860f762ebfbd08284e4 1687 Record authentication key = 27c2959ed4daea3b1f52e849478de376 1688 Record encryption key = 307a38a5a6cf231c0a9af3b527f23a62 1689 e9a6ff09aff8ae669f760153e864fc93 1690 POLYVAL input = f37de21c7ff901cfe8a69615a93fdf7a 1691 98cad481796245709f00000000000000 1692 21702de0de18baa9c9596291b0846600 1693 c8000000000000007800000000000000 1694 POLYVAL result = c4fa5e5b713853703bcf8e6424505fa5 1695 POLYVAL result XOR nonce = a91d463b865ab88beb4d0a8024505fa5 1696 ... and masked = a91d463b865ab88beb4d0a8024505f25 1697 Tag = b3080d28f6ebb5d3648ce97bd5ba67fd 1698 Initial counter = b3080d28f6ebb5d3648ce97bd5ba67fd 1699 Result (31 bytes) = 793576dfa5c0f88729a7ed3c2f1bffb3 1700 080d28f6ebb5d3648ce97bd5ba67fd 1702 Plaintext (18 bytes) = b202b370ef9768ec6561c4fe6b7e7296 1703 fa85 1704 AAD (30 bytes) = 9c2159058b1f0fe91433a5bdc20e214e 1705 ab7fecef4454a10ef0657df21ac7 1706 Key = b18853f68d833640e42a3c02c25b6486 1707 9e146d7b233987bddfc240871d7576f7 1708 Nonce = 028ec6eb5ea7e298342a94d4 1709 Record authentication key = 670b98154076ddb59b7a9137d0dcc0f0 1710 Record encryption key = 78116d78507fbe69d4a820c350f55c7c 1711 b36c3c9287df0e9614b142b76a587c3f 1712 POLYVAL input = 9c2159058b1f0fe91433a5bdc20e214e 1713 ab7fecef4454a10ef0657df21ac70000 1714 b202b370ef9768ec6561c4fe6b7e7296 1715 fa850000000000000000000000000000 1716 f0000000000000009000000000000000 1718 POLYVAL result = 4e4108f09f41d797dc9256f8da8d58c7 1719 POLYVAL result XOR nonce = 4ccfce1bc1e6350fe8b8c22cda8d58c7 1720 ... 
and masked = 4ccfce1bc1e6350fe8b8c22cda8d5847 1721 Tag = 454fc2a154fea91f8363a39fec7d0a49 1722 Initial counter = 454fc2a154fea91f8363a39fec7d0ac9 1723 Result (34 bytes) = 857e16a64915a787637687db4a951963 1724 5cdd454fc2a154fea91f8363a39fec7d 1725 0a49 1727 Plaintext (21 bytes) = ced532ce4159b035277d4dfbb7db6296 1728 8b13cd4eec 1729 AAD (35 bytes) = 734320ccc9d9bbbb19cb81b2af4ecbc3 1730 e72834321f7aa0f70b7282b4f33df23f 1731 167541 1732 Key = 3c535de192eaed3822a2fbbe2ca9dfc8 1733 8255e14a661b8aa82cc54236093bbc23 1734 Nonce = 688089e55540db1872504e1c 1735 Record authentication key = cb8c3aa3f8dbaeb4b28a3e86ff6625f8 1736 Record encryption key = 02426ce1aa3ab31313b0848469a1b5fc 1737 6c9af9602600b195b04ad407026bc06d 1738 POLYVAL input = 734320ccc9d9bbbb19cb81b2af4ecbc3 1739 e72834321f7aa0f70b7282b4f33df23f 1740 16754100000000000000000000000000 1741 ced532ce4159b035277d4dfbb7db6296 1742 8b13cd4eec0000000000000000000000 1743 1801000000000000a800000000000000 1744 POLYVAL result = ffd503c7dd712eb3791b7114b17bb0cf 1745 POLYVAL result XOR nonce = 97558a228831f5ab0b4b3f08b17bb0cf 1746 ... and masked = 97558a228831f5ab0b4b3f08b17bb04f 1747 Tag = 9d6c7029675b89eaf4ba1ded1a286594 1748 Initial counter = 9d6c7029675b89eaf4ba1ded1a286594 1749 Result (37 bytes) = 626660c26ea6612fb17ad91e8e767639 1750 edd6c9faee9d6c7029675b89eaf4ba1d 1751 ed1a286594 1753 C.3. Counter wrap tests 1755 The tests in this section use AEAD_AES_256_GCM_SIV and are crafted to 1756 test correct wrapping of the block counter. 
   Plaintext (32 bytes) =         00000000000000000000000000000000
                                  4db923dc793ee6497c76dcc03a98e108
   AAD (0 bytes) =
   Key =                          00000000000000000000000000000000
                                  00000000000000000000000000000000
   Nonce =                        000000000000000000000000
   Record authentication key =    dc95c078a24089895275f3d86b4fb868
   Record encryption key =        779b38d15bffb63d39d6e9ae76a9b2f3
                                  75d11b0e3a68c422845c7d4690fa594f
   POLYVAL input =                00000000000000000000000000000000
                                  4db923dc793ee6497c76dcc03a98e108
                                  00000000000000000001000000000000
   POLYVAL result =               7367cdb411b730128dd56e8edc0eff56
   POLYVAL result XOR nonce =     7367cdb411b730128dd56e8edc0eff56
   ... and masked =               7367cdb411b730128dd56e8edc0eff56
   Tag =                          ffffffff000000000000000000000000
   Initial counter =              ffffffff000000000000000000000080
   Result (48 bytes) =            f3f80f2cf0cb2dd9c5984fcda908456c
                                  c537703b5ba70324a6793a7bf218d3ea
                                  ffffffff000000000000000000000000

   Plaintext (24 bytes) =         eb3640277c7ffd1303c7a542d02d3e4c
                                  0000000000000000
   AAD (0 bytes) =
   Key =                          00000000000000000000000000000000
                                  00000000000000000000000000000000
   Nonce =                        000000000000000000000000
   Record authentication key =    dc95c078a24089895275f3d86b4fb868
   Record encryption key =        779b38d15bffb63d39d6e9ae76a9b2f3
                                  75d11b0e3a68c422845c7d4690fa594f
   POLYVAL input =                eb3640277c7ffd1303c7a542d02d3e4c
                                  00000000000000000000000000000000
                                  0000000000000000c000000000000000
   POLYVAL result =               7367cdb411b730128dd56e8edc0eff56
   POLYVAL result XOR nonce =     7367cdb411b730128dd56e8edc0eff56
   ... and masked =               7367cdb411b730128dd56e8edc0eff56
   Tag =                          ffffffff000000000000000000000000
   Initial counter =              ffffffff000000000000000000000080
   Result (40 bytes) =            18ce4f0b8cb4d0cac65fea8f79257b20
                                  888e53e72299e56dffffffff00000000
                                  0000000000000000

Authors' Addresses

   Shay Gueron
   University of Haifa and Amazon Web Services
   Abba Khoushy Ave 199
   Haifa 3498838
   Israel

   Email: shay@math.haifa.ac.il

   Adam Langley
   Google LLC
   345 Spear St
   San Francisco, CA 94105
   US

   Email: agl@google.com

   Yehuda Lindell
   Bar Ilan University
   Ramat Gan
   5290002
   Israel

   Email: Yehuda.Lindell@biu.ac.il