- = is the assignment operator
- != is the inequality operator
- x || y is concatenation of the octet strings x and y
- XOR is the bitwise exclusive OR operator
- len(x) is the length of x in bits.
- zeropad(x) right pads an octet string x with zeroes to a multiple of 128 bits
- truncate(x, t) is the truncation operation. The first t bits of x are kept
- n is the number of 128-bit chunks in zeropad(P)
- m is the number of 128-bit chunks in zeropad(A)
- POLYVAL is defined in
- BE32(x) is the big-endian encoding of 32-bit integer x
- LE64(x) is the little-endian encoding of 64-bit integer x
- A[y] is the 128-bit chunk with index y in the array A; the first chunk has index 0.
- A[x:y] is the range of chunks x to y in the array A

- The key MUST be randomly chosen from a uniform distribution.
- For a given key, the nonce MUST NOT be reused under any circumstances.
- Supported tag_length associated with the key.
- Definitions of supported input-output lengths.

- Key K (variable-length octet string)
- Nonce N (variable-length octet string)
- Associated data A (variable-length octet string)
- Plaintext P (variable-length octet string)

- Ciphertext ct (variable-length octet string)
- Tag tag (octet string with length tag_length)

- If the lengths of K, N, A, P are not supported return error and abort
- Initiate keystream generator with K and N
- Let H = Z[0], Q = Z[1], M = Z[2]
- Let ct = P XOR truncate(Z[3:n + 2], len(P))
- Let S = zeropad(A) || zeropad(ct) || LE64(len(ct)) || LE64(len(A))
- Let X = POLYVAL(H, S[0], S[1], ..., S[m + n - 1])
- Let full_tag = POLYVAL(Q, X XOR S[m + n]) XOR M
- Let tag = truncate(full_tag, tag_length)
- Return (ct, tag)

- The calculation of the plaintext P (step 8) MAY be done in parallel with the tag verification (step 2-7). If tag verification fails, the plaintext P and the expected_tag MUST NOT be given as output.
- The comparison of the input tag with the expected_tag MUST be done in constant time.
- Supported tag_length associated with the key.
- Definitions of supported input-output lengths.

- Key K (variable-length octet string)
- Nonce N (variable-length octet string)
- Associated data A (variable-length octet string)
- Ciphertext ct (variable-length octet string)
- Tag tag (octet string with length tag_length)

- Plaintext P (variable-length octet string) or an error indicating that the authentication tag is invalid for the given inputs.

- If the lengths of K, N, A, or ct are not supported, or if len(tag) != tag_length return error and abort
- Initiate keystream generator with K and N
- Let H = Z[0], Q = Z[1], M = Z[2]
- Let S = zeropad(A) || zeropad(ct) || LE64(len(ct)) || LE64(len(A))
- Let X = POLYVAL(H, S[0], S[1], ..., S[m + n - 1])
- Let T = POLYVAL(Q, X XOR S[m + n]) XOR M
- Let expected_tag = truncate(T, tag_length)
- If tag != expected_tag, return error and abort
- Let P = ct XOR truncate(Z[3:n + 2], len(ct))
- Return P
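
The encryption and decryption steps above, as an added Python sketch that is not code from the specification. This section does not define the keystream generator, so `z(i)` is assumed to return chunk Z[i]; `demo_z` is a constructed SHA-256 stand-in used only to make the example run, and POLYVAL is assumed to be the function from RFC 8452. All function names are hypothetical.

```python
import hashlib
import hmac

POLY = (1 << 128) | (1 << 127) | (1 << 126) | (1 << 121) | 1  # RFC 8452 field polynomial

def dot(a, b):  # a * b * x^-128 in GF(2^128): one exact division by x per bit of a
    r = 0
    for i in range(128):
        if (a >> i) & 1:
            r ^= b
        if r & 1:
            r ^= POLY  # adding the modulus clears the constant term
        r >>= 1
    return r

def polyval(h, blocks):
    hi, s = int.from_bytes(h, "little"), 0
    for blk in blocks:
        s = dot(s ^ int.from_bytes(blk, "little"), hi)
    return s.to_bytes(16, "little")

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def zeropad(x):
    return x + bytes(-len(x) % 16)

def compute_tag(z, a, ct, tag_bits):
    h, q, m = z(0), z(1), z(2)
    lengths = (8 * len(ct)).to_bytes(8, "little") + (8 * len(a)).to_bytes(8, "little")
    s = zeropad(a) + zeropad(ct)  # S[0] .. S[m + n - 1]; `lengths` is S[m + n]
    x = polyval(h, [s[i:i + 16] for i in range(0, len(s), 16)])
    return xor(polyval(q, [xor(x, lengths)]), m)[:tag_bits // 8]

def keystream(z, nbytes):  # truncate(Z[3:n + 2], len)
    return b"".join(z(3 + i) for i in range((nbytes + 15) // 16))[:nbytes]

def encrypt(z, a, p, tag_bits):
    ct = xor(p, keystream(z, len(p)))
    return ct, compute_tag(z, a, ct, tag_bits)

def decrypt(z, a, ct, tag, tag_bits):
    if 8 * len(tag) != tag_bits:
        raise ValueError("unsupported tag length")
    if not hmac.compare_digest(tag, compute_tag(z, a, ct, tag_bits)):  # constant time
        raise ValueError("authentication tag is invalid")
    return xor(ct, keystream(z, len(ct)))  # P is released only after the tag check

def demo_z(key, nonce):  # constructed stand-in, NOT the scheme's keystream generator
    return lambda i: hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()[:16]
```

On a bad tag, `decrypt` raises before any plaintext is computed, so neither P nor the expected tag reaches the caller.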

Numeric ID | Name | K_LEN (bytes) | tag_length (bits) |
---|---|---|---|
TBD1 | AEAD_AES_128_GCM_SST_4 | 16 | 32 |
TBD2 | AEAD_AES_128_GCM_SST_8 | 16 | 64 |
TBD3 | AEAD_AES_128_GCM_SST_10 | 16 | 80 |
TBD4 | AEAD_AES_256_GCM_SST_4 | 32 | 32 |
TBD5 | AEAD_AES_256_GCM_SST_8 | 32 | 64 |
TBD6 | AEAD_AES_256_GCM_SST_10 | 32 | 80 |

- P_MAX (maximum size of the plaintext) is 2^36 - 48 octets.
- A_MAX (maximum size of the associated data) is 2^36 octets.
- N_MIN and N_MAX (minimum and maximum size of the nonce) are both 12 octets
- C_MAX (maximum size of the ciphertext and tag) is P_MAX + tag_length (in bytes)