idnits 2.17.1 draft-cope-heh-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (December 21, 2016) is 2654 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Missing Reference: 'N-1' is mentioned on line 402, but not defined == Unused Reference: 'HEH' is defined on line 538, but no explicit reference was found in the text Summary: 1 error (**), 0 flaws (~~), 3 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Crypto Forum Research Group A. Cope 3 Internet-Draft Google 4 Intended status: Informational December 21, 2016 5 Expires: June 24, 2017 7 Hash-Encrypt-Hash, a block cipher mode of operation 8 draft-cope-heh-01 10 Abstract 12 This memo describes a block cipher mode of operation known as Hash- 13 Encrypt-Hash (HEH). 15 Status of This Memo 17 This Internet-Draft is submitted in full conformance with the 18 provisions of BCP 78 and BCP 79. 20 Internet-Drafts are working documents of the Internet Engineering 21 Task Force (IETF). Note that other groups may also distribute 22 working documents as Internet-Drafts. The list of current Internet- 23 Drafts is at http://datatracker.ietf.org/drafts/current/. 25 Internet-Drafts are draft documents valid for a maximum of six months 26 and may be updated, replaced, or obsoleted by other documents at any 27 time. It is inappropriate to use Internet-Drafts as reference 28 material or to cite them other than as "work in progress." 30 This Internet-Draft will expire on June 24, 2017. 32 Copyright Notice 34 Copyright (c) 2016 IETF Trust and the persons identified as the 35 document authors. All rights reserved. 37 This document is subject to BCP 78 and the IETF Trust's Legal 38 Provisions Relating to IETF Documents 39 (http://trustee.ietf.org/license-info) in effect on the date of 40 publication of this document. Please review these documents 41 carefully, as they describe your rights and restrictions with respect 42 to this document. Code Components extracted from this document must 43 include Simplified BSD License text as described in Section 4.e of 44 the Trust Legal Provisions and are provided without warranty as 45 described in the Simplified BSD License. 47 Table of Contents 49 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 50 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 51 2. Notation . . . . . . . . . . . . . . . . . . . . . . . . . . 3 52 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 4 53 3.1. Key size . . . . . . . . . . . . . . . . . . . . . . . . 4 54 3.2. Block cipher . . . . . . . . . . . . . . . . . . . . . . 4 55 3.3. Nonce and AAD . . . . . . . . . . . . . . . . . . . . . . 4 56 4. GF(2^128) math . . . . . . . . . . . . . . . . . . . . . . . 4 57 4.1. GF(2^128) . . . . . . . . . . . . . . . . . . . . . . . . 4 58 4.2. Multiplication in GF(2^128) . . . . . . . . . . . . . . . 4 59 4.3. Addition in GF(2^128) . . . . . . . . . . . . . . . . . . 5 60 5. Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . 5 61 5.1. generate_keys . . . . . . . . . . . . . . . . . . . . . . 5 62 5.2. generate_betas . . . . . . . . . . . . . . . . . . . . . 6 63 5.3. poly_hash . . . . . . . . . . . . . . . . . . . . . . . . 6 64 5.4. HEH_hash . . . . . . . . . . . . . . . . . . . . . . . . 7 65 5.5. HEH_hash_inv . . . . . . . . . . . . . . . . . . . . . . 8 66 5.6. CTS_2ECB_encrypt . . . . . . . . . . . . . . . . . . . . 9 67 5.7. CTS_2ECB_decrypt . . . . . . . . . . . . . . . . . . . . 9 68 5.8. HEH_encrypt . . . . . . . . . . . . . . . . . . . . . . . 10 69 5.9. HEH_decrypt . . . . . . . . . . . . . . . . . . . . . . . 10 70 6. HEH as an AEAD . . . . . . . . . . . . . . . . . . . . . . . 10 71 6.1. HEH_AEAD_encrypt . . . . . . . . . . . . . . . . . . . . 10 72 6.2. HEH_AEAD_decrypt . . . . . . . . . . . . . . . . . . . . 11 73 7. Security considerations . . . . . . . . . . . . . . . . . . . 11 74 7.1. Security implementations of nonce use . . . . . . . . . . 11 75 7.2. Authentication . . . . . . . . . . . . . . . . . . . . . 12 76 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 77 8.1. Normative References . . . . . . . . . . . . . . . . . . 12 78 8.2. Informative References . . . . . . . . . . . . . . . . . 12 79 Appendix A. Test Vectors . . . . . . . . . . . . . . . . . . . . 12 80 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 15 82 1. Introduction 84 This memo describes the implementation of the Hash Encrypt Hash (HEH) 85 block cipher mode of operation as both an encryption algorithm and an 86 AEAD. The primary benefit of HEH is that it extends the strong 87 pseudorandom permutation property of block ciphers to arbitrary- 88 length messages. This means that if any bit of the plaintext is 89 flipped, each bit in the ciphertext will flip with 50% probability. 90 No block cipher mode of operation that is currently in widespread use 91 has this property. Additionally, HEH is more resistant to misuse 92 than commonly-used block cipher modes of operation. For example, if 93 nonces are reused, CTR fails catastrophically, and CBC will leak 94 common prefixes of the underlying block size. HEH has neither of 95 those problems. 97 1.1. Requirements Language 99 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 100 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 101 document are to be interpreted as described in RFC 2119 [RFC2119]. 103 2. Notation 105 ecb_key - key for the underlying ecb block cipher calls, generated 106 by generate_keys. 108 block - 16 bytes. 110 buffer[i] - block i of buffer. Defined for 0 <= i < N. 112 buffer[N+] - bytes 16 * N until the end of buffer. The unpadded 113 partial block. 115 EMPTY - buffer of length 0. 117 GF(2^128) - The Galois field of 2^128 elements, as defined in 118 section 4.1. 120 msg - shorthand for message, a buffer that is an input to a 121 function. 123 N - FLOOR(msg_length / 16), number of full blocks of msg. 125 out_msg - buffer that is a transformation of msg. out_msg_length = 126 msg_length unless otherwise explicitly specified. 128 prf_key - pseudo-random function key. The key passed as input to 129 HEH. 131 tau_key - 16 byte key used to compute the hash, generated by 132 generate_keys. 134 XOR - bitwise exclusive-or. 136 XXXX_length - length of XXXX in bytes. 138 * - Multiplication in GF(2^128) as defined in section 4.2. 140 + - Addition in GF(2^128) as defined in section 4.3. 142 0^i - buffer of i zero bytes. 144 || - concatenation. 146 3. Overview 148 3.1. Key size 150 The HEH key is a single key of the same length as the underlying 151 block cipher key. HEH uses CMAC to derive subkeys from the HEH key. 153 3.2. Block cipher 155 HEH MUST use a block cipher with a block size of 128-bits. 157 3.3. Nonce and AAD 159 HEH SHOULD support a 16-byte nonce. Support for other nonce lengths 160 between 0 and 2^32-1 (inclusive) bytes is OPTIONAL. Support for 161 additional authenticated data (AAD) and support for varying AAD 162 lengths between 0 and 2^32-1 (inclusive) bytes is OPTIONAL. Security 163 implications are discussed in section 7.1 165 4. GF(2^128) math 167 4.1. GF(2^128) 169 GF(2^128) is the Galois field of 2^128 elements defined by the 170 irreducible polynomial x^128 + x^7 + x^2 + x + 1. 172 Elements in the field are converted to and from 128-bit strings by 173 taking the least-significant bit of the first byte to be the 174 coefficient of x^0, the most-significant bit of the first byte to the 175 the coefficient of x^7, and so on, until the most-significant bit of 176 the last byte is the coefficient of x^127 [AES-GCM-SIV]. 178 Examples: 179 10000111 || 0^15 = x^7 + x^2 + x + 1 180 0^15 || 00000001 = x^120. 181 0^15 || 10000000 = x^127. 183 4.2. Multiplication in GF(2^128) 185 Input 186 Two 128-bit elements X, Y 188 Output 189 128-bit element X * Y 191 Multiplication is defined on 128-bit blocks by converting them to 192 polynomials as described above, and then computing the resulting 193 product modulo x^128 + x^7 + x^2 + x + 1. 195 4.3. Addition in GF(2^128) 197 Input 198 Two 128-bit elements X, Y 200 Output 201 128-bit element X + Y 203 For any two 128-bit elements X, Y in the Galois field, X + Y is 204 defined as X XOR Y. 206 The operations + and XOR are interchangeable within this document. 207 For consistency we use + on 128-bit strings and XOR if the arguments 208 are not 128-bits long. 210 5. Algorithm 212 When appropriate, we will explain the output as both a mathematical 213 formula and in pseudo-code. This information is redundant, and it 214 exists to provide additional clarity. Implementations need not 215 implement the exact algorithm specified by the pseudocode, so long as 216 the output matches what the pseudocode would produce. 218 5.1. generate_keys 220 ecb_key and tau_key are generated from prf_key by taking the CMAC as 221 defined in [CMAC] of fixed one-block messages. The input to the CMAC 222 used to generate ecb and tau key will never collide with the input 223 used to generate any beta_key, because when generating a beta_key, 224 the last 4 bytes of the input are always zero. 226 Input 227 msg, prf_key 229 Output 230 tau_key = CMAC(key = prf_key, message = 0x00...01) 231 ecb_key = CMAC(key = prf_key, message = 0x00...02) || 232 CMAC(key = prf_key, message = 0x00...03) 233 truncated to perf_key_length bytes 235 5.2. generate_betas 237 To generate the beta_keys needed by HEH_hash, we take the CMAC as 238 defined in [CMAC] of the nonce, AAD, nonce_length, AAD_length and 239 plaintext_length. We use CMAC because it is a pseudorandom function 240 on variable length inputs. 242 Input 243 prf_key, nonce, AAD, plaintext_length 245 Output 246 beta1_key = CMAC(key = prf_key, message = pad_16(nonce) || 247 pad_16(AAD) || pad_16(nonce_length | 248 | AAD_length || plaintext_length)) 249 beta2_key = x * beta1_key 250 return beta1_key, beta2_key 252 Where pad_16(X) = X right-padded with 0s up to a multiple of 16 253 bytes. If X is already a multiple of 16 bytes (including if X is 0 254 bytes), this is a no-op. 256 The following MUST be true in order to generate conformant 257 ciphertext: 259 o nonce_length, AAD_length, and plaintext_length MUST be 4 bytes 260 long. 262 o nonce_length, AAD_length, and plaintext_length MUST be stored in 263 little-endian format. 265 o The input to CMAC MUST be right-padded with 0x00 bytes up to a 266 multiple of 16 bytes. 268 o CMAC MUST use the same block cipher that is used in 269 CTS_2ECB_encrypt. 271 o CMAC MUST be implemented as described in [CMAC]. In particular, 272 if CMAC is being reimplemented for HEH, be advised that there is a 273 multiply-by-x substep of CMAC that uses a different finite field 274 representation than the one described in section 4. 276 5.3. poly_hash 278 Poly_hash treats each block of msg as a coefficient to a polynomial 279 in GF(2^128), and evaluates that polynomial at tau_key to create a 280 hash. Poly_hash is called as a subroutine of HEH_hash so that any 281 minor change to msg will result in every block being changed in 282 HEH_hash with high probability. Note that the coefficients of 283 m_{N-1} and m_N are flipped if there is a partial block. This is 284 done to simplify the implementation of HEH_hash_inv. 286 Input 287 msg, tau_key 288 Output 289 if (no partial block) 290 k^{N-1} * m_0 + ... + k * m_{N-2} + m_{N-1} 291 else if (partial block) 292 k^N * m_0 + ... + k^2 * m_{N-2} + k * m_N + m_{N-1} 293 Where k = tau_key, 294 m_i = msg[i], for i = 0 to N-1, 295 m_N = msg[N+] right padded up to 16 bytes with a 0x00 bytes. 296 Undefined when msg_length is a multiple of 16 298 pseudo-code: 299 p = 0^16 300 For i = 0 to N - 2 301 p *= tau_key 302 p += msg[i] 303 if msg_length % 16 != 0 304 p *= tau_key 305 p += m_N // as defined above 306 p *= tau_key 307 p += msg[N-1] 308 return p 310 5.4. HEH_hash 312 HEH_hash is the hash step in Hash-Encrypt-Hash. It is an invertible 313 hash function used to ensure any change to msg will result in every 314 full block being modified with high probability. 316 Input 317 msg, beta_key, tau_key 319 Output 320 out_msg = (m_0 + R, ..., m_{N-2} + R, R, m_N) + 321 (xb, x^2b, ..., x^{N-1}b, b, 0) 322 where m_i = msg[i] for i = 0 to N-1, 323 m_N = msg[N+], 324 R = out_msg of poly_hash, 325 b = beta_key, 326 x is the element x in GF(2^128). 328 pseudo-code: 329 R = poly_hash(msg, tau_key) 330 e = beta_key * x 331 For i = 0 to N-2 332 out_msg[i] = msg[i] + R + e 333 e = e * x 334 out_msg[N-1] = R + beta_key 335 out_msg[N+] = msg[N+] 336 return out_msg 338 5.5. HEH_hash_inv 340 Inverse of HEH_hash 342 Input 343 msg, beta_key, tau_key 344 Output 345 out_msg 347 pseudo-code 348 R = msg[N-1] + beta_key 349 e = beta_key * x 350 For i = 0 to N-2 351 out_msg[i] = msg[i] + R + e 352 e = e * x 353 out_msg[N+] = msg[N+] 354 out_msg[N-1] = 0^16 355 // now all blocks in out_msg are correct except for 356 // out_msg[N-1], which is all zeroes 357 R_without_constant_term = poly_hash(out_msg, tau_key) 358 out_msg[N-1] = R + R_without_constant_term 359 return out_msg 361 5.6. CTS_2ECB_encrypt 363 The encryption step of Hash-Encrypt-Hash. CTS_2ECB_encrypt uses a 364 modification of CTS-ECB. Because HEH_hash is the identity function 365 on partial blocks, we encrypt the partial block by xoring it with a 366 pad created by encrypting the last full block of plaintext XOR the 367 last full block ciphertext 369 Input 370 msg, ecb_key 371 Output 372 out_msg 374 pseudo-code 375 For i = 0 to N-1 376 out_msg[i] = block_cipher_encrypt(ecb_key, msg[i]) 377 if msg_length % 16 != 0 378 partial_block_pad = 379 block_cipher_encrypt(ecb_key, out_msg[N-1] XOR msg[N-1]) 380 // XOR the partial block with the first k bytes of 381 // partial_block_pad, where k is the number of bytes 382 // in the partial block 383 out_msg[N+] = msg[N+] XOR partial_block_pad 384 return out_msg 386 5.7. CTS_2ECB_decrypt 388 Inverse of CTS_2ECB_encrypt. CTS_2ECB_decrypt is identical to 389 CTS_2ECB_encrypt except the initial block_cipher_encrypt calls are 390 now block_cipher_decrypt calls 392 Input 393 msg, ecb_key 394 Output 395 out_msg 397 pseudo-code 398 For i = 0 to N-1 399 out_msg[i] = block_cipher_decrypt(ecb_key, msg[i]) 400 if msg_length % 16 != 0 401 partial_block_pad = 402 block_cipher_encrypt(ecb_key, out_msg[N-1] XOR msg[N-1]) 403 // XOR the partial block with the first k bytes of 404 // partial_block_pad, where k is the number of bytes 405 // in the partial block 406 out_msg[N+] = msg[N+] XOR partial_block_pad 407 return out_msg 409 5.8. HEH_encrypt 411 Core encryption function of HEH. 413 Input 414 prf_key, ecb_key, tau_key, nonce, AAD, msg 415 Output 416 out_msg 418 pseudo-code 419 beta1_key, beta2_key = generate_betas(prf_key, nonce, AAD, 420 msg_length) 421 out_msg = HEH_hash(msg, beta1_key, tau_key) 422 out_msg = CTS_2ECB_encrypt(out_msg, ecb_key) 423 out_msg = HEH_hash_inv(out_msg, beta2_key, tau_key) 424 return out_msg 426 5.9. HEH_decrypt 428 Core decryption function of HEH. 430 Input 431 prf_key, ecb_key, tau_key, nonce, AAD, msg 432 Output 433 out_msg 435 pseudo-code 436 beta1_key, beta2_key = generate_betas(prf_key, nonce, AAD, 437 msg_length) 438 out_msg = HEH_hash(msg, beta2_key, tau_key) 439 out_msg = CTS_2ECB_decrypt(out_msg, ecb_key) 440 out_msg = HEH_hash_inv(out_msg, beta1_key, tau_key) 441 return out_msg 443 6. HEH as an AEAD 445 Because HEH is a strong pseudorandom permutation, it can also provide 446 authentication with minimal modification. Support for authentication 447 is OPTIONAL. To provide authentication, append 16 zero bytes to the 448 end of the plaintext, then encrypt. When decrypting, we can 449 determine authenticity of the message by verifying that the final 16 450 bytes of the plaintext are the expected zero bytes. 452 6.1. HEH_AEAD_encrypt 454 The authenticated encryption function of HEH. HEH_AEAD_encrypt 455 returns ciphertext which is 16 bytes longer than plaintext msg. 457 Input 458 prf_key, ecb_key, tau_key, nonce, AAD, msg 459 Output 460 padded_out_msg 462 pseudo-code 463 // append a full block of zeroes 464 padded_msg = msg || 0^16 465 return HEH_encrypt(prf_key, ecb_key, tau_key, nonce, AAD, 466 padded_msg) 468 6.2. HEH_AEAD_decrypt 470 The authenticated decryption function of HEH. HEH_AEAD_decrypt 471 returns either plaintext which is 16 bytes shorter than msg or 472 indication of inauthenticity FAIL. 474 Input 475 prf_key, ecb_key, tau_key, nonce, AAD, msg, 476 Output 477 unpadded_out_msg or FAIL 479 pseudo-code 480 out_msg = HEH_DECRYPT(prf_key, ecb_key, tau_key, nonce, AAD, 481 msg) 483 // If final block is not all zeros, FAIL 484 if out_msg[(out_msg_length - 16):out_msg_length] != 0^16 485 return FAIL 487 // Drop the zero-block that was added in HEH_AEAD_encrypt 488 unpadded_out_msg = out_msg[0:(out_msg_length - 16)] 489 return unpadded_out_msg 491 7. Security considerations 493 The minimum length of the plaintext for HEH is 16 bytes. The maximum 494 length is 2^32 - 1 bytes. When using HEH as an AEAD, this minimum 495 and maximum apply to padded_msg. 497 7.1. Security implementations of nonce use 499 If no nonce is used (or, equivalently, if a 'nonce' is re-used for 500 multiple messages) then HEH is a strong pseudorandom permutation. Of 501 course, if the same plaintext, nonce, and key are used together more 502 than once, the ciphertext will collide. 504 If a unique nonce is used for each plaintext and key combination, 505 then HEH is semantically secure. We make no claim that using 506 randomly-generated nonces or using longer nonces generates additional 507 security. 509 7.2. Authentication 511 As HEH is a strong pseudorandom permutation, [AUTH] shows that 512 authentication can be provided by appending a known authentication 513 code to the plaintext and then encrypting. 515 8. References 517 8.1. Normative References 519 [CMAC] National Institute of Standards and Technology, "NIST 520 Special Publication 800-38B", 2005. 522 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 523 Requirement Levels", BCP 14, RFC 2119, 524 DOI 10.17487/RFC2119, March 1997, 525 . 527 8.2. Informative References 529 [AES-GCM-SIV] 530 Gueron, S., Langley, A., and Y. Lindell, "AES-GCM-SIV: 531 Nonce Misuse-Resistant Authenticated Encryption. draft- 532 gueron-gcmsiv-03", 2016. 534 [AUTH] Bellare, M. and P. Rogaway, "Encode-then-encipher 535 encryption: How to exploit nonces or redundancy in 536 plaintexts for efficient cryptography", 2000. 538 [HEH] Sarkar, P., "Efficient Tweakable Enciphering Schemes from 539 (Block-Wise) Universal Hash Functions", 2008. 541 [NIST.500-20.1977] 542 National Institute of Standards and Technology, 543 "Validating the Correctness of Hardware Implementations of 544 the NBS Data Encryption Standard", NIST 500-20, November 545 1977. 547 Appendix A. Test Vectors 549 AES-128 was used as the block cipher for all of the test vectors. 551 key = 00000000000000000000000000000000 552 nonce = EMPTY 553 AAD = EMPTY 554 plaintext = 00000000000000000000000000000000 555 ciphertext = a1726260d1450ae4aba906e79e584e07 557 key = 000102030405060708090A0B0C0D0E0F 558 nonce = EMPTY 559 AAD = EMPTY 560 plaintext = 00000000000000000000000000000000 561 00000000000000000000000000000000 562 00000000000000000000000000000000 563 000000000000000000000000000000 564 ciphertext = f5eec4375cefa15fc3eff7a271779231 565 ce03afa9eeacf9ad060a62602e6dc202 566 3598944729eb848d13f9b7d362e6d5f6 567 4e648e38553415f44ff37752954da7 569 key = 000102030405060708090A0B0C0D0E0F 570 nonce = EMPTY 571 AAD = EMPTY 572 plaintext = 00000000000000000000000000000000 573 00000000000000000000000000000000 574 00000000000000000000000000000001 575 000000000000000000000000000000 576 ciphertext = 4efc731cacbbaa2713a051e663ddaeb0 577 4c1b25a3ee7aa4c125c9547154c74923 578 90b5f7fac503f527b8cdffe21bb96201 579 b0dc409fed9e9123379e5a6f101bd2 581 key = 000102030405060708090A0B0C0D0E0F 582 nonce = 00000000000000000000000000000000 583 AAD = EMPTY 584 plaintext = 000102030405060708090A0B0C0D0E0F 585 ciphertext = d8bd40bfcae5ee810f3d1f1fae890755 587 key = a8da249b5efa13c2c194bf32ba38a377 588 nonce = 4d4761372b4786f0d647b5c2e8cf8527 589 AAD = EMPTY 590 plaintext = b8ee29e4a5d1e755d0fde722637636e2 591 f80cf8fe6576e7cac142f5ca5aa8ac2a 592 ciphertext = 59f2784e1094f95c2223782a30481197 593 b1fe70c4efdf04ef163904cfc0959a98 595 key = 000102030405060708090A0B0C0D0E0F 596 nonce = 00000000000000000000000000000000 597 AAD = EMPTY 598 plaintext = 00000000000000000000000000000000 599 00000000000000000000000000000000 600 00000000000000000000000000000000 601 000000000000000000000000000000 602 ciphertext = e040ebe952be6560e46868a37375b852 603 ef386a872525f604e58ebe148b02141f 604 a973b7ad15be9ca0d28a2cdcd4e30555 605 0af5f851eee562a571a77c155d7a9e 607 key = 000102030405060708090A0B0C0D0E0F 608 nonce = 00000000000000000000000000000000 609 AAD = EMPTY 610 plaintext = 00000000000000000000000000000000 611 00000000000000000000000000000000 612 00000000000000000000000000000001 613 000000000000000000000000000000 614 ciphertext = 4b1a15a0af086d70f0a797b5314b8cc3 615 4df27a9dddd4159957adc6b13569f56a 616 2d70e49749b29f71de22b5708c6924d3 617 ad80584890e4edba763d717c572587 619 key = 000102030405060708090A0B0C0D0E0F 620 nonce = 000102030405060708090A0B0C0D0E0F 621 AAD = 000102030405060708090A0B0C0D0E0F 622 plaintext = 00000000000000000000000000000000 623 00000000000000000000000000000000 624 ciphertext = 16c3f198c970dd0db9b25beedbacb615 625 b2ee9c51ece5d2426b9f5420be8b1b19 627 key = 000102030405060708090A0B0C0D0E0F 628 nonce = 000102030405060708090A0B0C0D0E0F 629 000102030405 630 AAD = 0102030405060708090A0B0C0D0E0F00 631 010203 632 plaintext = 00000000000000000000000000000000 633 00000000000000000000000000000000 634 ciphertext = 2aa635491098bc45b711a5d950cc4988 635 1d110f20056c9d220d125fabfd7ab941 637 key = 36DAF975AAE45061AF88079422E5E6A9 638 nonce = 4164A1FFAEEF4B23324C47279AFB02E8 639 AAD = 948F6D03EA0BDE71A0233AC87753F10E 640 plaintext = 6A2EDA8E07C10918507F0B5E4F32053C 641 335D179A8F476ED1D08A458C00726F63 642 6365BF26A7003F43C0270BBB44EC780E 643 6119FA19AA99F0265850BD29C49E2436 644 A9 645 ciphertext = d3312031380deb46e7f56220c934a759 646 55a95fc750f3e535ada7d371ad60b3a7 647 c6406389a62b1e66be371baa8adba267 648 225d522936c3829c035ab109526d296f 649 12 651 key = 880D8B115BA55842FF4505C5E45F78F6 652 nonce = 131D6E569B5CCB6E563D2CED8616E6AC 653 AAD = 01BD52F7065A35A07EE70D9A881EDDB4 654 plaintext = 00000000000000000000000000000000 655 B1E0CC8A07264432823C68B2EF59E592 656 D271271029F6364CEEE577D9FDA8E5C4 657 131D6E569B5CCB6E563D2CED8616E6AC 658 C6 659 ciphertext = 395f5d80788231bd0cc055ef1fd83941 660 7501a2b4d9c42952ffcbd98be6393305 661 41968ef42d589e5eb807054af2557905 662 12bb5dda5be418335ae9b7e9d18c8ce8 663 f7 665 key = 880D8B115BA55842FF4505C5E45F78F6 666 nonce = 131D6E569B5CCB6E563D2CED8616E6AC 667 AAD = 01BD52F7065A35A07EE70D9A881EDDB4 668 plaintext = 01000000000000000000000000000000 669 B1E0CC8A07264432823C68B2EF59E592 670 D271271029F6364CEEE577D9FDA8E5C4 671 131D6E569B5CCB6E563D2CED8616E6AC 672 C6 673 ciphertext = e6807e6ba3f4fba237c996f91bf6beba 674 bf243915da3e8ab4c73c5ed9c0a8136b 675 00dc6d7b4994b7c8551b5bf1a042c2f2 676 2da1129fcbe45e310f880552a27b3f5b 677 84 679 Author's Address 680 Alex Cope 681 Google 682 747 6th St S 683 Kirkland, WA 98033 684 USA 686 Email: alexcope@google.com