idnits 2.17.1 draft-irtf-cfrg-gcmsiv-03.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document doesn't use any RFC 2119 keywords, yet seems to have RFC 2119 boilerplate text. -- The document date (January 18, 2017) is 2654 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- No issues found here. Summary: 0 errors (**), 0 flaws (~~), 2 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 CFRG S. Gueron 3 Internet-Draft University of Haifa and Intel Corporation 4 Intended status: Informational A. Langley 5 Expires: July 22, 2017 Google 6 Y. Lindell 7 Bar Ilan University 8 January 18, 2017 10 AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption 11 draft-irtf-cfrg-gcmsiv-03 13 Abstract 15 This memo specifies two authenticated encryption algorithms that are 16 nonce misuse-resistant - that is that they do not fail 17 catastrophically if a nonce is repeated. 19 Status of This Memo 21 This Internet-Draft is submitted in full conformance with the 22 provisions of BCP 78 and BCP 79. 24 Internet-Drafts are working documents of the Internet Engineering 25 Task Force (IETF). Note that other groups may also distribute 26 working documents as Internet-Drafts. The list of current Internet- 27 Drafts is at http://datatracker.ietf.org/drafts/current/. 29 Internet-Drafts are draft documents valid for a maximum of six months 30 and may be updated, replaced, or obsoleted by other documents at any 31 time. It is inappropriate to use Internet-Drafts as reference 32 material or to cite them other than as "work in progress." 34 This Internet-Draft will expire on July 22, 2017. 36 Copyright Notice 38 Copyright (c) 2017 IETF Trust and the persons identified as the 39 document authors. All rights reserved. 41 This document is subject to BCP 78 and the IETF Trust's Legal 42 Provisions Relating to IETF Documents 43 (http://trustee.ietf.org/license-info) in effect on the date of 44 publication of this document. Please review these documents 45 carefully, as they describe your rights and restrictions with respect 46 to this document. Code Components extracted from this document must 47 include Simplified BSD License text as described in Section 4.e of 48 the Trust Legal Provisions and are provided without warranty as 49 described in the Simplified BSD License. 51 Table of Contents 53 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 54 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3 55 3. POLYVAL . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 56 4. Encryption . . . . . . . . . . . . . . . . . . . . . . . . . 4 57 5. Decryption . . . . . . . . . . . . . . . . . . . . . . . . . 6 58 6. AEADs . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 59 7. Field operation examples . . . . . . . . . . . . . . . . . . 7 60 8. Worked example . . . . . . . . . . . . . . . . . . . . . . . 7 61 9. Security Considerations . . . . . . . . . . . . . . . . . . . 8 62 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 63 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9 64 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 65 12.1. Normative References . . . . . . . . . . . . . . . . . . 9 66 12.2. Informative References . . . . . . . . . . . . . . . . . 9 67 Appendix A. The relationship between POLYVAL and GHASH . . . . . 10 68 Appendix B. Test vectors . . . . . . . . . . . . . . . . . . . . 11 69 B.1. AEAD_AES_128_GCM_SIV . . . . . . . . . . . . . . . . . . 11 70 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 45 72 1. Introduction 74 The concept of "Authenticated encryption with additional data" (AEAD 75 [RFC5116]) couples confidentiality and integrity in a single 76 operation that is easier for practitioners to use correctly. The 77 most popular AEAD, AES-GCM [GCM], is seeing widespread use due to its 78 attractive performance. 80 However, most AEADs suffer catastrophic failures of confidentiality 81 and/or integrity when two distinct messages are encrypted with the 82 same nonce. While the requirements for AEADs specify that the pair 83 of (key, nonce) shall only ever be used once, and thus prohibit this, 84 in practice this is a worry. 86 Nonce misuse-resistant AEADs do not suffer from this problem. For 87 this class of AEADs, encrypting two messages with the same nonce only 88 discloses whether the messages were equal or not. This is the 89 minimum amount of information that a deterministic algorithm can leak 90 in this situation. 92 This memo specifies two nonce misuse-resistant AEADs: 93 "AEAD_AES_128_GCM_SIV" and "AEAD_AES_256_GCM_SIV". These AEADs are 94 designed to be able to take advantage of existing hardware support 95 for AES-GCM and can decrypt within 5% of the speed of AES-GCM. 97 Encryption is, perforce, slower than AES-GCM because two passes are 98 required. However, measurements suggest that it can still run at 99 2/3rds of the speed of AES-GCM. 101 We suggest that these AEADs be considered in any situation where 102 there is the slightest doubt about nonce uniqueness. 104 2. Requirements Language 106 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 107 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 108 document are to be interpreted as described in RFC 2119 [RFC2119]. 110 3. POLYVAL 112 The GCM-SIV construction is similar to GCM: the block cipher is used 113 in counter mode to encrypt the plaintext and a polynomial 114 authenticator is used to provide integrity. The authenticator in 115 GCM-SIV is called POLYVAL. 117 POLYVAL, like GHASH, operates in a binary field of size 2^128. The 118 field is defined by the irreducible polynomial x^128 + x^127 + x^126 119 + x^121 + 1. The sum of any two elements in the field is the result 120 of XORing them. The product of any two elements is calculated using 121 standard (binary) polynomial multiplication followed by reduction 122 modulo the irreducible polynomial. 124 We define another binary operation on elements of the field: dot(a, 125 b), where dot(a, b) = a * b * x^-128. The value of the field element 126 x^-128 is equal to x^127 + x^124 + x^121 + x^114 + 1. The result, 127 dot(a, b), of this multiplication is another field element. 129 Polynomials in this field are converted to and from 128-bit strings 130 by taking the least-significant bit of the first byte to be the 131 coefficient of x^0, the most-significant bit of the first byte to the 132 the coefficient of x^7 and so on, until the most-significant bit of 133 the last byte is the coefficient of x^127. 135 POLYVAL takes a field element, H, and a series of field elements X_1, 136 ..., X_s. Its result is S_s, where S is defined by the iteration S_0 137 = 0; S_j = dot(S_{j-1} + X_j, H), for j = 0..s 139 We note that POLYVAL(H, X_1, X_2, ...) is equal to 140 ByteReverse(GHASH(ByteReverse(H)*x, ByteReverse(X_1), 141 ByteReverse(X_2), ...)), where ByteReverse is a function that 142 reverses the order of 16 bytes. See Appendix A for a more detailed 143 explanation. 145 4. Encryption 147 AES-GCM-SIV encryption takes a 16- or 32-byte key-generating key, a 148 96-bit nonce, and arbitrary-length plaintext & additional data byte- 149 strings. It outputs an authenticated ciphertext that will be 16 150 bytes longer than the plaintext. 152 If the key-generating key is 16 bytes long then AES-128 is used 153 throughout. Otherwise AES-256 is used throughout. 155 The first step of encryption is to generate per-nonce, record- 156 authentication and record-encryption keys. The record-authentication 157 key is 128-bit and the record-authentication key is either 128- (for 158 AES-128) or 256-bit (for AES-256). 160 These keys are generated by encrypting a series of plaintext blocks 161 that contain a 32-bit, little-endian counter followed by the nonce, 162 and then discarding the second half of the resulting ciphertext. In 163 the AES-128 case, 128 + 128 = 256 bits of key material need to be 164 generated and, since encrypting each block yeilds 64 bits after 165 discarding half, four blocks need to be encrypted. The counter 166 values for these blocks are 0, 1, 2 and 3. For AES-256, six blocks 167 are needed in total, with counter values 0 through 5 (inclusive). 169 In pseudocode form: 171 U32LE(x) = 172 [x & 0xff, (x >> 8) & 0xff, (x >> 16) & 0xff, (x >> 24) & 0xff] 174 record-authentication-key = AES128(key = key-generating-key, 175 input = U32LE(0) ++ nonce)[:8] ++ 176 AES128(key = key-generating-key, 177 input = U32LE(1) ++ nonce)[:8] 179 if bytelen(key-generating-key) == 16 { 180 record-encryption-key = AES128(key = key-generating-key, 181 input = U32LE(2) ++ nonce)[:8] ++ 182 AES128(key = key-generating-key, 183 input = U32LE(3) ++ nonce)[:8] 184 } else if bytelen(key-generating-key) == 32 { 185 record-encryption-key = AES128(key = key-generating-key, 186 input = U32LE(2) ++ nonce)[:8] ++ 187 AES128(key = key-generating-key, 188 input = U32LE(3) ++ nonce)[:8] ++ 189 AES128(key = key-generating-key, 190 input = U32LE(4) ++ nonce)[:8] ++ 191 AES128(key = key-generating-key, 192 input = U32LE(5) ++ nonce)[:8] 193 } 195 Define the _length block_ as a 16-byte value that is the 196 concatenation of the 64-bit, little-endian encodings of 197 bytelen(additional_length)*8 and bytelen(plaintext)*8. Pad the 198 plaintext and additional data with zeros until they are each a 199 multiple of 16 bytes, the AES block size. Then X_1, X_2, ... (the 200 series of field elements that are inputs to POLYVAL) are the 201 concatenation of the padded additional data, the padded plaintext and 202 the length block. 204 Calculate S_s = POLYVAL(record-authentication-key, X_1, X_2, ...). 205 XOR the first twelve bytes of S_s with the nonce and clear the most- 206 significant bit of the last byte. Encrypt the result with AES using 207 the record-encryption key to produce the tag. 209 The ciphertext is produced by using AES, with the record-encryption 210 key, in counter mode on the unpadded plaintext. The initial counter 211 block is the tag with the most-significant bit of the last byte set 212 to one. The counter advances by incrementing the first 32 bits 213 interpreted as an unsigned, little-endian integer. The result of the 214 encryption is the resulting ciphertext (truncated to the length of 215 the plaintext) followed by the tag. 217 5. Decryption 219 Decryption takes a 16- or 32-byte key-generating key, a 96-bit nonce, 220 and arbitrary-length ciphertext & additional data byte-strings. It 221 either fails, or outputs a plaintext that is 16 bytes shorter than 222 the ciphertext. 224 Firstly, the record-encryption and record-authentication keys are 225 derived in the same manner as when encrypting. 227 If the ciphertext is less than 16 bytes or more than 2^36 + 16 bytes, 228 then fail. Otherwise split the input into the encrypted plaintext 229 and a 16-byte tag. Decrypt the encrypted plaintext with the record- 230 encryption key in counter mode, where the initial counter block is 231 the tag with the most-significant bit of the last byte set to one. 232 The counter advances in the same way as for encryption. 234 Pad the additional data and plaintext with zeros until they are each 235 a multiple of 16 bytes, the AES block size. Calculate the length 236 block and X_1, X_2, ... as above and compute S_s = POLYVAL(record- 237 authentication-key, X_1, X_2, ...). Compute the expected tag by 238 XORing S_s and the nonce, clearing the most-significant bit of the 239 last byte and encrypting with the record-encryption key. Compare the 240 provided and expected tag values in constant time. If they do not 241 match, fail. Otherwise return the plaintext. 243 6. AEADs 245 We define two AEADs, in the format of RFC 5116, that use AES-GCM-SIV: 246 AEAD_AES_128_GCM_SIV and AEAD_AES_256_GCM_SIV. They differ only in 247 the size of the AES key used. 249 The key input to these AEADs becomes the key-generating key. Thus 250 AEAD_AES_128_GCM_SIV takes a 16-byte key and AEAD_AES_256_GCM_SIV 251 takes a 32-byte key. 253 The parameters for AEAD_AES_128_GCM_SIV are then: K_LEN is 16, P_MAX 254 is 2^36, A_MAX is 2^61 - 1, N_MIN and N_MAX are 12 and C_MAX is 2^36 255 + 16. 257 The parameters for AEAD_AES_256_GCM_SIV differ only in the key size: 258 K_LEN is 32, P_MAX is 2^36, A_MAX is 2^61 - 1, N_MIN and N_MAX are 12 259 and C_MAX is 2^36 + 16. 261 7. Field operation examples 263 Polynomials in this document will be written as 16-byte values. For 264 example, the sixteen bytes 01000000000000000000000000000492 would 265 represent the polynomial x^127 + x^124 + x^121 + x^114 + 1, which is 266 also the value of x^-128 in this field. 268 If a = 66e94bd4ef8a2c3b884cfa59ca342b2e and b = 269 ff000000000000000000000000000000 then a+b = 270 99e94bd4ef8a2c3b884cfa59ca342b2e, a*b = 271 37856175e9dc9df26ebc6d6171aa0ae9 and dot(a, b) = 272 ebe563401e7e91ea3ad6426b8140c394. 274 8. Worked example 276 Consider the encryption of the plaintext "Hello world" with the 277 additional data "example" under key ee8e1ed9ff2540ae8f2ba9f50bc2f27c 278 using AEAD_AES_128_GCM_SIV. The random nonce that we'll use for this 279 example is 752abad3e0afb5f434dc4310. 281 In order to generate the record-authentication and record-encryption 282 keys, a counter is combined with the nonce to form four blocks. 283 These blocks are encrypted with key given above: 285 Counter | Nonce Ciphertext 286 00000000752abad3e0afb5f434dc4310 -> 310728d9911f1f38c40e952ca83d093e 287 01000000752abad3e0afb5f434dc4310 -> 37b24316c3fab9a046ae90952daa0450 288 02000000752abad3e0afb5f434dc4310 -> a4c5ae624996327947920b2d2412474b 289 03000000752abad3e0afb5f434dc4310 -> c100be4d7e2c6edd1efef004305ab1e7 291 The latter halves of the ciphertext blocks are discarded and the 292 remainding bytes are concatenated to form the per-record keys. Thus 293 the record-authentication key is 310728d9911f1f3837b24316c3fab9a0 and 294 the record-encryption key is a4c5ae6249963279c100be4d7e2c6edd. 296 The length block contains the encoding of the bit-lengths of the 297 additional data and plaintext, respectively, which are and 56 and 88. 298 Thus the length block is 38000000000000005800000000000000. 300 The input to POLYVAL is the padded additional data, padded plaintext 301 and then the length block. This is 6578616d706c650000000000000000004 302 8656c6c6f20776f726c64000000000038000000000000005800000000000000. 304 Calling POLYVAL with the record-authentication key and the input 305 above results in S_s = ad7fcf0b5169851662672f3c5f95138f. 307 Before encrypting, the nonce is XORed in and the most-significant bit 308 of the last byte is cleared. This gives 309 d85575d8b1c630e256bb6c2c5f95130f because that bit happened to be one 310 previously. Encrypting with the record-encryption key gives the tag, 311 which is 4fbcdeb7e4793f4a1d7e4faa70100af1. 313 In order to form the initial counter block, the most-significant bit 314 of the last byte of the tag is set to one. That doesn't result in a 315 change in this example. Encrypting this with the record key gives 316 the first block of the keystream: 1551f2c1787e81deac9a99f139540ab5. 318 The final ciphertext is the result of XORing the plaintext with the 319 keystream and appending the tag. That gives 320 5d349ead175ef6b1def6fd4fbcdeb7e4793f4a1d7e4faa70100af1. 322 9. Security Considerations 324 We recommend a limit of 2^50 plaintexts encrypted with a given key. 325 Past this point, AES-GCM-SIV may be distinguishable from an ideal 326 AEAD. (This is based on standard assumptions about AES.) 328 The AEADs defined in this document calculate fresh AES keys for each 329 nonce. This allows a larger number of plaintexts to be encrypted 330 under a given key. Without this step, each SIV encryption would be 331 like a standard GCM encryption with a random nonce. Since the nonce 332 size for GCM is only 12 bytes, NIST set a limit [GCM] of 2^32 333 encryptions before the probability of duplicate nonces becomes too 334 high. 336 The authors felt that, while large, 2^32 wasn't so large that this 337 limit could be safely ignored. For example, consider encrypting the 338 contents of a hard disk where the AEAD record size is 512 bytes, to 339 match the traditional size of a disk sector. This process would have 340 encrypted 2^32 records after processing 2TB, yet hard drives of 341 multiple terabytes are now common. 343 Deriving fresh AES keys for each nonce alleviates this problem. 345 If the nonce is fixed then AES-GCM-SIV acts like AES-GCM with a 346 random nonce, with the caveat that identical plaintexts will produce 347 identical ciphertexts. However, we feel that the 2^32 limit for AES- 348 GCM is too risky in a multi-key setting. Thus with AES-GCM-SIV we 349 recommend that, for a specific key, a nonce not be repeated more than 350 2^8 times. (And, ideally, not be repeated at all.) 352 Suzuki et al [multibirthday] show that even if nonces are selected 353 uniformly at random, the probability that one or more values would be 354 repeated 256 or more times is negligible until the number of nonces 355 reaches 2^102. (Specifically the probability is 1/((2^96)^(255)) * 356 Binomial(q, 256), where q is the number of nonces.) Since 2^102 is 357 vastly greater than the limit on the number of plaintexts per key 358 given above, we don't feel that this limit on the number of repeated 359 nonces will be a problem. This also means that selecting nonces at 360 random is a safe practice with AES-GCM-SIV. 362 In addition to calculating fresh AES keys for each nonce, these AEADs 363 also calculate fresh POLYVAL keys. Previous versions of GCM-SIV did 364 not do this and, instead, used part of the AEAD's key as the POLYVAL 365 key. Bleichenbacher pointed out that this allowed an attacker who 366 controlled the AEAD key to force the POLYVAL key to be zero. If a 367 user of this AEAD authenticated messages with a secret additional- 368 data value then this would be insecure as the attacker could 369 calculate a valid authenticator without knowing the input. This does 370 not violate the standard properties of an AEAD as the additional data 371 is not assumed to be confidential. However, we want these AEADs to 372 be robust to plausible misuse and also to be drop-in replacements for 373 AES-GCM and so derive nonce-specific POLYVAL keys to avoid this 374 issue. 376 A security analysis of a similar scheme appears in [GCM-SIV]. 378 10. IANA Considerations 380 This document has no actions for IANA. 382 11. Acknowledgements 384 The authors would like to thank Uri Blumenthal, Ondrej Mosnaček, 385 Daniel Bleichenbacher, Kenny Paterson, Bart Preneel and Deb Cooley's 386 team at IAD for their helpful suggestions. 388 12. References 390 12.1. Normative References 392 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 393 Requirement Levels", BCP 14, RFC 2119, 394 DOI 10.17487/RFC2119, March 1997, 395 . 397 12.2. Informative References 399 [GCM] Dworkin, M., "Recommendation for Block Cipher Modes of 400 Operation: Galois/Counter Mode (GCM) and GMAC", NIST SP- 401 800-38D, November 2007, 402 . 405 [GCM-SIV] Gueron, S. and Y. Lindell, "GCM-SIV: Full Nonce Misuse- 406 Resistant Authenticated Encryption at Under One Cycle Per 407 Byte", Proceedings of the 22nd ACM SIGSAC Conference on 408 Computer and Communications Security , 2015, 409 . 411 [multibirthday] 412 Kazuhiro, S., Dongvu, T., Kaoru, K., and T. Koji, 413 "Birthday Paradox for Multi-collisions", ICISC 2006: 9th 414 International Conference, Busan, Korea, November 30 - 415 December 1, 2006. Proceedings , 2006, 416 . 418 [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated 419 Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008, 420 . 422 Appendix A. The relationship between POLYVAL and GHASH 424 GHASH and POLYVAL both operate in GF(2^128), although with different 425 irreducible polynomials: POLYVAL works modulo x^128 + x^127 + x^126 + 426 x^121 + 1 and GHASH works modulo x^128 + x^7 + x^2 + x + 1. Note 427 that these irreducible polynomials are the "reverse" of each other. 429 GHASH also has a different mapping between 128-bit strings and field 430 elements. Where as POLYVAL takes the least-significant to most- 431 significant bits of the first byte to be the coefficients of x^0 to 432 x^7, GHASH takes them to be the coefficients of x^7 to x^0. This 433 continues until, for the last byte, POLYVAL takes the least- 434 significant to most-significant bits to be the coefficients of x^120 435 to x^127 while GHASH takes them to be the coefficients of x^127 to 436 x^120. 438 The combination of these facts means that it's possible to "convert" 439 values between the two by reversing the order of the bytes in a 440 16-byte string. The differing interpretations of bit order takes 441 care of reversing the bits within each byte and then reversing the 442 bytes does the rest. This may have a practical benefit for 443 implementations that wish to implement both GHASH and POLYVAL. 445 In order to be clear which field a given operation is performed in, 446 let mulX_GHASH be a function that takes a 16-byte string, converts it 447 to an element of GHASH's field using GHASH's convention, multiplies 448 it by x and converts back to a string. Likewise, let mulX_POLYVAL be 449 a function that converts a 16-byte string to an element of POLYVAL's 450 field using POLYVAL's convention, multiplies it by x and converts 451 back. 453 Given the 16-byte string 01000000000000000000000000000000, mulX_GHASH 454 of that string is 00800000000000000000000000000000 and mulX_POLYVAL 455 of that string is 02000000000000000000000000000000. As a more 456 general example, given 9c98c04df9387ded828175a92ba652d8, mulX_GHASH 457 of that string is 4e4c6026fc9c3ef6c140bad495d3296c and mulX_POLYVAL 458 of it is 3931819bf271fada0503eb52574ca5f2. 460 Lastly, let ByteReverse be the function that takes a 16-byte string 461 and returns a copy where the order of the bytes has been reversed. 463 Now GHASH and POLYVAL can be defined in terms of one another: 465 POLYVAL(H, X_1, ..., X_n) = 466 ByteReverse(GHASH(mulX_GHASH(ByteReverse(H)), ByteReverse(X_1), ..., 467 ByteReverse(X_n))) 469 GHASH(H, X_1, ..., X_n) = 470 ByteReverse(POLYVAL(mulX_POLYVAL(ByteReverse(H)), ByteReverse(X_1), 471 ..., ByteReverse(X_n))) 473 As a worked example, let H = 25629347589242761d31f826ba4b757b, X_1 = 474 4f4f95668c83dfb6401762bb2d01a262 and X_2 = 475 d1a24ddd2721d006bbe45f20d3c9f362. POLYVAL(H, X_1, X_2) = 476 f7a3b47b846119fae5b7866cf5e5b77e. If we wished to calculate this 477 given only an implementation of GHASH then the key for GHASH would be 478 mulX_GHASH(ByteReverse(H)) = dcbaa5dd137c188ebb21492c23c9b112. Then 479 ByteReverse(GHASH(dcba..., ByteReverse(X_1), ByteReverse(X_2))) = 480 f7a3b47b846119fae5b7866cf5e5b77e, as required. 482 In the other direction, GHASH(H, X_1, X_2) = 483 bd9b3997046731fb96251b91f9c99d7a. If we wished to calculate this 484 given only an implementation of POLYVAL then we would first calculate 485 the key for POLYVAL, mulX_POLYVAL(ByteReverse(H)), which is 486 f6ea96744df0633aec8424b18e26c54a. Then ByteReverse(POLYVAL(f6ea..., 487 ByteReverse(X_1), ByteReverse(X_2))) = 488 bd9b3997046731fb96251b91f9c99d7a. 490 Appendix B. Test vectors 492 B.1. AEAD_AES_128_GCM_SIV 494 AEAD_AES_128_GCM_SIV: 496 AAD_len = 0 bytes 497 MSG_len = 0 bytes 498 BYTES ORDER 499 LSB--------------------------MSB 500 00010203040506070809101112131415 501 -------------------------------- 503 K1 = K = 01000000000000000000000000000000 504 NONCE = 03000000000000000000000000000000 506 AAD = 508 MSG = 510 PADDED_AAD = 512 PADDED_MSG = 514 Record_Hash_Key = d9b360279694941ac5dbc6987ada7377 516 Record_Enc_Key = 4004a0dcd862f2a57360219d2d44ef6c 518 LENBLK = 00000000000000000000000000000000 520 POLYVAL xor N = d9b360279694941a2010be790ff81954 522 TAG = dc20e2d83f25705bb49e439eca56de25 524 CTRBLK = dc20e2d83f25705bb49e439eca56dea5 526 Encryption_Key = 4004a0dcd862f2a57360219d2d44ef6c 528 TAG' = dc20e2d83f25705bb49e439eca56de25 530 AAD = 532 CIPHERTEXT = 534 Decrypted MSG = 535 SIV_GCM_2_KEYS Passed 537 ***************************** 538 Performing SIV_GCM - Two Keys: 539 ***************************** 541 AAD_len = 0 bytes 542 MSG_len = 8 bytes 543 BYTES ORDER 544 LSB--------------------------MSB 545 00010203040506070809101112131415 546 -------------------------------- 548 K1 = K = 01000000000000000000000000000000 549 NONCE = 03000000000000000000000000000000 551 AAD = 553 MSG = 0100000000000000 555 PADDED_AAD = 557 PADDED_MSG = 01000000000000000000000000000000 559 Record_Hash_Key = d9b360279694941ac5dbc6987ada7377 561 Record_Enc_Key = 4004a0dcd862f2a57360219d2d44ef6c 563 LENBLK = 00000000000000004000000000000000 565 POLYVAL xor N = d9b360279694941a2010be790ff81954 567 TAG = 578782fff6013b815b287c22493a364c 569 CTRBLK = 578782fff6013b815b287c22493a36cc 571 Encryption_Key = 4004a0dcd862f2a57360219d2d44ef6c 573 TAG' = 578782fff6013b815b287c22493a364c 575 AAD = 577 CIPHERTEXT = b5d839330ac7b786 579 Decrypted MSG = 0100000000000000 580 SIV_GCM_2_KEYS Passed 582 ***************************** 583 Performing SIV_GCM - Two Keys: 584 ***************************** 586 AAD_len = 0 bytes 587 MSG_len = 12 bytes 588 BYTES ORDER 589 LSB--------------------------MSB 590 00010203040506070809101112131415 591 -------------------------------- 593 K1 = K = 01000000000000000000000000000000 594 NONCE = 03000000000000000000000000000000 595 AAD = 597 MSG = 010000000000000000000000 599 PADDED_AAD = 601 PADDED_MSG = 01000000000000000000000000000000 603 Record_Hash_Key = d9b360279694941ac5dbc6987ada7377 605 Record_Enc_Key = 4004a0dcd862f2a57360219d2d44ef6c 607 LENBLK = 00000000000000006000000000000000 609 POLYVAL xor N = d9b360279694941a2010be790ff81954 611 TAG = a4978db357391a0bc4fdec8b0d106639 613 CTRBLK = a4978db357391a0bc4fdec8b0d1066b9 615 Encryption_Key = 4004a0dcd862f2a57360219d2d44ef6c 617 TAG' = a4978db357391a0bc4fdec8b0d106639 619 AAD = 621 CIPHERTEXT = 7323ea61d05932260047d942 623 Decrypted MSG = 010000000000000000000000 624 SIV_GCM_2_KEYS Passed 626 ***************************** 627 Performing SIV_GCM - Two Keys: 628 ***************************** 630 AAD_len = 0 bytes 631 MSG_len = 16 bytes 632 BYTES ORDER 633 LSB--------------------------MSB 634 00010203040506070809101112131415 635 -------------------------------- 637 K1 = K = 01000000000000000000000000000000 638 NONCE = 03000000000000000000000000000000 640 AAD = 642 MSG = 01000000000000000000000000000000 643 PADDED_AAD = 645 PADDED_MSG = 01000000000000000000000000000000 647 Record_Hash_Key = d9b360279694941ac5dbc6987ada7377 649 Record_Enc_Key = 4004a0dcd862f2a57360219d2d44ef6c 651 LENBLK = 00000000000000008000000000000000 653 POLYVAL xor N = d9b360279694941a2010be790ff81954 655 TAG = 303aaf90f6fe21199c6068577437a0c4 657 CTRBLK = 303aaf90f6fe21199c6068577437a0c4 659 Encryption_Key = 4004a0dcd862f2a57360219d2d44ef6c 661 TAG' = 303aaf90f6fe21199c6068577437a0c4 663 AAD = 665 CIPHERTEXT = 743f7c8077ab25f8624e2e948579cf77 667 Decrypted MSG = 01000000000000000000000000000000 668 SIV_GCM_2_KEYS Passed 670 ***************************** 671 Performing SIV_GCM - Two Keys: 672 ***************************** 674 AAD_len = 0 bytes 675 MSG_len = 32 bytes 676 BYTES ORDER 677 LSB--------------------------MSB 678 00010203040506070809101112131415 679 -------------------------------- 681 K1 = K = 01000000000000000000000000000000 682 NONCE = 03000000000000000000000000000000 684 AAD = 686 MSG = 01000000000000000000000000000000 687 02000000000000000000000000000000 689 PADDED_AAD = 690 PADDED_MSG = 01000000000000000000000000000000 691 02000000000000000000000000000000 693 Record_Hash_Key = d9b360279694941ac5dbc6987ada7377 695 Record_Enc_Key = 4004a0dcd862f2a57360219d2d44ef6c 697 LENBLK = 00000000000000000001000000000000 699 POLYVAL xor N = d9b360279694941a2010be790ff81954 701 TAG = 1a8e45dcd4578c667cd86847bf6155ff 703 CTRBLK = 1a8e45dcd4578c667cd86847bf6155ff 705 Encryption_Key = 4004a0dcd862f2a57360219d2d44ef6c 707 TAG' = 1a8e45dcd4578c667cd86847bf6155ff 709 AAD = 711 CIPHERTEXT = 84e07e62ba83a6585417245d7ec413a9 712 fe427d6315c09b57ce45f2e3936a9445 714 Decrypted MSG = 01000000000000000000000000000000 715 02000000000000000000000000000000 716 SIV_GCM_2_KEYS Passed 718 ***************************** 719 Performing SIV_GCM - Two Keys: 720 ***************************** 722 AAD_len = 0 bytes 723 MSG_len = 48 bytes 724 BYTES ORDER 725 LSB--------------------------MSB 726 00010203040506070809101112131415 727 -------------------------------- 729 K1 = K = 01000000000000000000000000000000 730 NONCE = 03000000000000000000000000000000 732 AAD = 734 MSG = 01000000000000000000000000000000 735 02000000000000000000000000000000 736 03000000000000000000000000000000 738 PADDED_AAD = 740 PADDED_MSG = 01000000000000000000000000000000 741 02000000000000000000000000000000 742 03000000000000000000000000000000 744 Record_Hash_Key = d9b360279694941ac5dbc6987ada7377 746 Record_Enc_Key = 4004a0dcd862f2a57360219d2d44ef6c 748 LENBLK = 00000000000000008001000000000000 750 POLYVAL xor N = d9b360279694941a2010be790ff81954 752 TAG = 5e6e311dbf395d35b0fe39c2714388f8 754 CTRBLK = 5e6e311dbf395d35b0fe39c2714388f8 756 Encryption_Key = 4004a0dcd862f2a57360219d2d44ef6c 758 TAG' = 5e6e311dbf395d35b0fe39c2714388f8 760 AAD = 762 CIPHERTEXT = 3fd24ce1f5a67b75bf2351f181a475c7 763 b800a5b4d3dcf70106b1eea82fa1d64d 764 f42bf7226122fa92e17a40eeaac1201b 766 Decrypted MSG = 01000000000000000000000000000000 767 02000000000000000000000000000000 768 03000000000000000000000000000000 769 SIV_GCM_2_KEYS Passed 771 ***************************** 772 Performing SIV_GCM - Two Keys: 773 ***************************** 775 AAD_len = 0 bytes 776 MSG_len = 64 bytes 777 BYTES ORDER 778 LSB--------------------------MSB 779 00010203040506070809101112131415 780 -------------------------------- 782 K1 = K = 01000000000000000000000000000000 783 NONCE = 03000000000000000000000000000000 785 AAD = 786 MSG = 01000000000000000000000000000000 787 02000000000000000000000000000000 788 03000000000000000000000000000000 789 04000000000000000000000000000000 791 PADDED_AAD = 793 PADDED_MSG = 01000000000000000000000000000000 794 02000000000000000000000000000000 795 03000000000000000000000000000000 796 04000000000000000000000000000000 798 Record_Hash_Key = d9b360279694941ac5dbc6987ada7377 800 Record_Enc_Key = 4004a0dcd862f2a57360219d2d44ef6c 802 LENBLK = 00000000000000000002000000000000 804 POLYVAL xor N = d9b360279694941a2010be790ff81954 806 TAG = 8a263dd317aa88d56bdf3936dba75bb8 808 CTRBLK = 8a263dd317aa88d56bdf3936dba75bb8 810 Encryption_Key = 4004a0dcd862f2a57360219d2d44ef6c 812 TAG' = 8a263dd317aa88d56bdf3936dba75bb8 814 AAD = 816 CIPHERTEXT = 2433668f1058190f6d43e360f4f35cd8 817 e475127cfca7028ea8ab5c20f7ab2af0 818 2516a2bdcbc08d521be37ff28c152bba 819 36697f25b4cd169c6590d1dd39566d3f 821 Decrypted MSG = 01000000000000000000000000000000 822 02000000000000000000000000000000 823 03000000000000000000000000000000 824 04000000000000000000000000000000 825 SIV_GCM_2_KEYS Passed 827 ***************************** 828 Performing SIV_GCM - Two Keys: 829 ***************************** 831 AAD_len = 1 bytes 832 MSG_len = 8 bytes 833 BYTES ORDER 835 LSB--------------------------MSB 836 00010203040506070809101112131415 837 -------------------------------- 839 K1 = K = 01000000000000000000000000000000 840 NONCE = 03000000000000000000000000000000 842 AAD = 01 844 MSG = 0200000000000000 846 PADDED_AAD = 01000000000000000000000000000000 848 PADDED_MSG = 02000000000000000000000000000000 850 Record_Hash_Key = d9b360279694941ac5dbc6987ada7377 852 Record_Enc_Key = 4004a0dcd862f2a57360219d2d44ef6c 854 LENBLK = 08000000000000004000000000000000 856 POLYVAL xor N = d9b360279694941a2010be790ff81954 858 TAG = 3b0a1a2560969cdf790d99759abd1508 860 CTRBLK = 3b0a1a2560969cdf790d99759abd1588 862 Encryption_Key = 4004a0dcd862f2a57360219d2d44ef6c 864 TAG' = 3b0a1a2560969cdf790d99759abd1508 866 AAD = 01 868 CIPHERTEXT = 1e6daba35669f427 870 Decrypted MSG = 0200000000000000 871 SIV_GCM_2_KEYS Passed 873 ***************************** 874 Performing SIV_GCM - Two Keys: 875 ***************************** 877 AAD_len = 1 bytes 878 MSG_len = 12 bytes 879 BYTES ORDER 880 LSB--------------------------MSB 881 00010203040506070809101112131415 882 -------------------------------- 884 K1 = K = 01000000000000000000000000000000 885 NONCE = 03000000000000000000000000000000 887 AAD = 01 889 MSG = 020000000000000000000000 891 PADDED_AAD = 01000000000000000000000000000000 893 PADDED_MSG = 02000000000000000000000000000000 895 Record_Hash_Key = d9b360279694941ac5dbc6987ada7377 897 Record_Enc_Key = 4004a0dcd862f2a57360219d2d44ef6c 899 LENBLK = 08000000000000006000000000000000 901 POLYVAL xor N = d9b360279694941a2010be790ff81954 903 TAG = 08299c5102745aaa3a0c469fad9e075a 905 CTRBLK = 08299c5102745aaa3a0c469fad9e07da 907 Encryption_Key = 4004a0dcd862f2a57360219d2d44ef6c 909 TAG' = 08299c5102745aaa3a0c469fad9e075a 911 AAD = 01 913 CIPHERTEXT = 296c7889fd99f41917f44620 915 Decrypted MSG = 020000000000000000000000 916 SIV_GCM_2_KEYS Passed 918 ***************************** 919 Performing SIV_GCM - Two Keys: 920 ***************************** 922 AAD_len = 1 bytes 923 MSG_len = 16 bytes 924 BYTES ORDER 925 LSB--------------------------MSB 926 00010203040506070809101112131415 927 -------------------------------- 929 K1 = K = 01000000000000000000000000000000 930 NONCE = 03000000000000000000000000000000 931 AAD = 01 933 MSG = 02000000000000000000000000000000 935 PADDED_AAD = 01000000000000000000000000000000 937 PADDED_MSG = 02000000000000000000000000000000 939 Record_Hash_Key = d9b360279694941ac5dbc6987ada7377 941 Record_Enc_Key = 4004a0dcd862f2a57360219d2d44ef6c 943 LENBLK = 08000000000000008000000000000000 945 POLYVAL xor N = d9b360279694941a2010be790ff81954 947 TAG = 8f8936ec039e4e4bb97ebd8c4457441f 949 CTRBLK = 8f8936ec039e4e4bb97ebd8c4457449f 951 Encryption_Key = 4004a0dcd862f2a57360219d2d44ef6c 953 TAG' = 8f8936ec039e4e4bb97ebd8c4457441f 955 AAD = 01 957 CIPHERTEXT = e2b0c5da79a901c1745f700525cb335b 959 Decrypted MSG = 02000000000000000000000000000000 960 SIV_GCM_2_KEYS Passed 962 ***************************** 963 Performing SIV_GCM - Two Keys: 964 ***************************** 966 AAD_len = 1 bytes 967 MSG_len = 32 bytes 968 BYTES ORDER 969 LSB--------------------------MSB 970 00010203040506070809101112131415 971 -------------------------------- 973 K1 = K = 01000000000000000000000000000000 974 NONCE = 03000000000000000000000000000000 976 AAD = 01 978 MSG = 02000000000000000000000000000000 979 03000000000000000000000000000000 981 PADDED_AAD = 01000000000000000000000000000000 983 PADDED_MSG = 02000000000000000000000000000000 984 03000000000000000000000000000000 986 Record_Hash_Key = d9b360279694941ac5dbc6987ada7377 988 Record_Enc_Key = 4004a0dcd862f2a57360219d2d44ef6c 990 LENBLK = 08000000000000000001000000000000 992 POLYVAL xor N = d9b360279694941a2010be790ff81954 994 TAG = e6af6a7f87287da059a71684ed3498e1 996 CTRBLK = e6af6a7f87287da059a71684ed3498e1 998 Encryption_Key = 4004a0dcd862f2a57360219d2d44ef6c 1000 TAG' = e6af6a7f87287da059a71684ed3498e1 1002 AAD = 01 1004 CIPHERTEXT = 620048ef3c1e73e57e02bb8562c416a3 1005 19e73e4caac8e96a1ecb2933145a1d71 1007 Decrypted MSG = 02000000000000000000000000000000 1008 03000000000000000000000000000000 1009 SIV_GCM_2_KEYS Passed 1011 ***************************** 1012 Performing SIV_GCM - Two Keys: 1013 ***************************** 1015 AAD_len = 1 bytes 1016 MSG_len = 48 bytes 1017 BYTES ORDER 1018 LSB--------------------------MSB 1019 00010203040506070809101112131415 1020 -------------------------------- 1022 K1 = K = 01000000000000000000000000000000 1023 NONCE = 03000000000000000000000000000000 1025 AAD = 01 1026 MSG = 02000000000000000000000000000000 1027 03000000000000000000000000000000 1028 04000000000000000000000000000000 1030 PADDED_AAD = 01000000000000000000000000000000 1032 PADDED_MSG = 02000000000000000000000000000000 1033 03000000000000000000000000000000 1034 04000000000000000000000000000000 1036 Record_Hash_Key = d9b360279694941ac5dbc6987ada7377 1038 Record_Enc_Key = 4004a0dcd862f2a57360219d2d44ef6c 1040 LENBLK = 08000000000000008001000000000000 1042 POLYVAL xor N = d9b360279694941a2010be790ff81954 1044 TAG = 6a8cc3865f76897c2e4b245cf31c51f2 1046 CTRBLK = 6a8cc3865f76897c2e4b245cf31c51f2 1048 Encryption_Key = 4004a0dcd862f2a57360219d2d44ef6c 1050 TAG' = 6a8cc3865f76897c2e4b245cf31c51f2 1052 AAD = 01 1054 CIPHERTEXT = 50c8303ea93925d64090d07bd109dfd9 1055 515a5a33431019c17d93465999a8b005 1056 3201d723120a8562b838cdff25bf9d1e 1058 Decrypted MSG = 02000000000000000000000000000000 1059 03000000000000000000000000000000 1060 04000000000000000000000000000000 1061 SIV_GCM_2_KEYS Passed 1063 ***************************** 1064 Performing SIV_GCM - Two Keys: 1065 ***************************** 1067 AAD_len = 1 bytes 1068 MSG_len = 64 bytes 1069 BYTES ORDER 1070 LSB--------------------------MSB 1071 00010203040506070809101112131415 1072 -------------------------------- 1074 K1 = K = 01000000000000000000000000000000 1075 NONCE = 03000000000000000000000000000000 1077 AAD = 01 1079 MSG = 02000000000000000000000000000000 1080 03000000000000000000000000000000 1081 04000000000000000000000000000000 1082 05000000000000000000000000000000 1084 PADDED_AAD = 01000000000000000000000000000000 1086 PADDED_MSG = 02000000000000000000000000000000 1087 03000000000000000000000000000000 1088 04000000000000000000000000000000 1089 05000000000000000000000000000000 1091 Record_Hash_Key = d9b360279694941ac5dbc6987ada7377 1093 Record_Enc_Key = 4004a0dcd862f2a57360219d2d44ef6c 1095 LENBLK = 08000000000000000002000000000000 1097 POLYVAL xor N = d9b360279694941a2010be790ff81954 1099 TAG = cdc46ae475563de037001ef84ae21744 1101 CTRBLK = cdc46ae475563de037001ef84ae217c4 1103 Encryption_Key = 4004a0dcd862f2a57360219d2d44ef6c 1105 TAG' = cdc46ae475563de037001ef84ae21744 1107 AAD = 01 1109 CIPHERTEXT = 2f5c64059db55ee0fb847ed513003746 1110 aca4e61c711b5de2e7a77ffd02da42fe 1111 ec601910d3467bb8b36ebbaebce5fba3 1112 0d36c95f48a3e7980f0e7ac299332a80 1114 Decrypted MSG = 02000000000000000000000000000000 1115 03000000000000000000000000000000 1116 04000000000000000000000000000000 1117 05000000000000000000000000000000 1118 SIV_GCM_2_KEYS Passed 1120 ***************************** 1121 Performing SIV_GCM - Two Keys: 1123 ***************************** 1125 AAD_len = 12 bytes 1126 MSG_len = 4 bytes 1127 BYTES ORDER 1128 LSB--------------------------MSB 1129 00010203040506070809101112131415 1130 -------------------------------- 1132 K1 = K = 01000000000000000000000000000000 1133 NONCE = 03000000000000000000000000000000 1135 AAD = 010000000000000000000000 1137 MSG = 02000000 1139 PADDED_AAD = 01000000000000000000000000000000 1141 PADDED_MSG = 02000000000000000000000000000000 1143 Record_Hash_Key = d9b360279694941ac5dbc6987ada7377 1145 Record_Enc_Key = 4004a0dcd862f2a57360219d2d44ef6c 1147 LENBLK = 60000000000000002000000000000000 1149 POLYVAL xor N = d9b360279694941a2010be790ff81954 1151 TAG = 07eb1f84fb28f8cb73de8e99e2f48a14 1153 CTRBLK = 07eb1f84fb28f8cb73de8e99e2f48a94 1155 Encryption_Key = 4004a0dcd862f2a57360219d2d44ef6c 1157 TAG' = 07eb1f84fb28f8cb73de8e99e2f48a14 1159 AAD = 010000000000000000000000 1161 CIPHERTEXT = a8fe3e87 1163 Decrypted MSG = 02000000 1164 SIV_GCM_2_KEYS Passed 1166 ***************************** 1167 Performing SIV_GCM - Two Keys: 1168 ***************************** 1170 AAD_len = 18 bytes 1171 MSG_len = 20 bytes 1172 BYTES ORDER 1173 LSB--------------------------MSB 1174 00010203040506070809101112131415 1175 -------------------------------- 1177 K1 = K = 01000000000000000000000000000000 1178 NONCE = 03000000000000000000000000000000 1180 AAD = 01000000000000000000000000000000 1181 0200 1183 MSG = 03000000000000000000000000000000 1184 04000000 1186 PADDED_AAD = 01000000000000000000000000000000 1187 02000000000000000000000000000000 1189 PADDED_MSG = 03000000000000000000000000000000 1190 04000000000000000000000000000000 1192 Record_Hash_Key = d9b360279694941ac5dbc6987ada7377 1194 Record_Enc_Key = 4004a0dcd862f2a57360219d2d44ef6c 1196 LENBLK = 9000000000000000a000000000000000 1198 POLYVAL xor N = d9b360279694941a2010be790ff81954 1200 TAG = 24afc9805e976f451e6d87f6fe106514 1202 CTRBLK = 24afc9805e976f451e6d87f6fe106594 1204 Encryption_Key = 4004a0dcd862f2a57360219d2d44ef6c 1206 TAG' = 24afc9805e976f451e6d87f6fe106514 1208 AAD = 01000000000000000000000000000000 1209 0200 1211 CIPHERTEXT = 6bb0fecf5ded9b77f902c7d5da236a43 1212 91dd0297 1214 Decrypted MSG = 03000000000000000000000000000000 1215 04000000 1216 SIV_GCM_2_KEYS Passed 1218 ***************************** 1219 Performing SIV_GCM - Two Keys: 1220 ***************************** 1222 AAD_len = 20 bytes 1223 MSG_len = 18 bytes 1224 BYTES ORDER 1225 LSB--------------------------MSB 1226 00010203040506070809101112131415 1227 -------------------------------- 1229 K1 = K = 01000000000000000000000000000000 1230 NONCE = 03000000000000000000000000000000 1232 AAD = 01000000000000000000000000000000 1233 02000000 1235 MSG = 03000000000000000000000000000000 1236 0400 1238 PADDED_AAD = 01000000000000000000000000000000 1239 02000000000000000000000000000000 1241 PADDED_MSG = 03000000000000000000000000000000 1242 04000000000000000000000000000000 1244 Record_Hash_Key = d9b360279694941ac5dbc6987ada7377 1246 Record_Enc_Key = 4004a0dcd862f2a57360219d2d44ef6c 1248 LENBLK = a0000000000000009000000000000000 1250 POLYVAL xor N = d9b360279694941a2010be790ff81954 1252 TAG = bff9b2ef00fb47920cc72a0c0f13b9fd 1254 CTRBLK = bff9b2ef00fb47920cc72a0c0f13b9fd 1256 Encryption_Key = 4004a0dcd862f2a57360219d2d44ef6c 1258 TAG' = bff9b2ef00fb47920cc72a0c0f13b9fd 1260 AAD = 01000000000000000000000000000000 1261 02000000 1263 CIPHERTEXT = 44d0aaf6fb2f1f34add5e8064e83e12a 1264 2ada 1266 Decrypted MSG = 03000000000000000000000000000000 1267 0400 1268 SIV_GCM_2_KEYS Passed 1270 AEAD_AES_256_GCM_SIV: 1272 AAD_len = 0 bytes 1273 MSG_len = 0 bytes 1274 BYTES ORDER 1275 LSB--------------------------MSB 1276 00010203040506070809101112131415 1277 -------------------------------- 1279 K1 = K = 01000000000000000000000000000000 1280 00000000000000000000000000000000 1281 NONCE = 03000000000000000000000000000000 1283 AAD = 1285 MSG = 1287 PADDED_AAD = 1289 PADDED_MSG = 1291 LENBLK = 00000000000000000000000000000000 1293 POLYVAL xor N = 03000000000000000000000000000000 1295 with_MSbit_cleared = 03000000000000000000000000000000 1297 TAG = 07f5f4169bbf55a8400cd47ea6fd400f 1299 CTRBLK = 07f5f4169bbf55a8400cd47ea6fd408f 1301 Record_Hash_Key = b5d3c529dfafac43136d2d11be284d7f 1303 Encryption_Key = b914f4742be9e1d7a2f84addbf96dec3 1305 456e3c6c05ecc157cdbf0700fedad222 1307 TAG' = 07f5f4169bbf55a8400cd47ea6fd400f 1309 AAD = 1311 CIPHERTEXT = 1312 Decrypted MSG = 1313 SIV_GCM_2_KEYS Passed 1315 ***************************** 1316 Performing SIV_GCM - Two Keys: 1317 ***************************** 1319 AAD_len = 0 bytes 1320 MSG_len = 8 bytes 1321 BYTES ORDER 1322 LSB--------------------------MSB 1323 00010203040506070809101112131415 1324 -------------------------------- 1326 K1 = K = 01000000000000000000000000000000 1327 00000000000000000000000000000000 1328 NONCE = 03000000000000000000000000000000 1330 AAD = 1332 MSG = 0100000000000000 1334 PADDED_AAD = 1336 PADDED_MSG = 01000000000000000000000000000000 1338 LENBLK = 00000000000000004000000000000000 1340 POLYVAL xor N = 06230f62f0eac8aa14fe4d646b59cd41 1342 with_MSbit_cleared = 06230f62f0eac8aa14fe4d646b59cd41 1344 TAG = 843122130f7364b761e0b97427e3df28 1346 CTRBLK = 843122130f7364b761e0b97427e3dfa8 1348 Record_Hash_Key = b5d3c529dfafac43136d2d11be284d7f 1350 Encryption_Key = b914f4742be9e1d7a2f84addbf96dec3 1352 456e3c6c05ecc157cdbf0700fedad222 1354 TAG' = 843122130f7364b761e0b97427e3df28 1356 AAD = 1358 CIPHERTEXT = c2ef328e5c71c83b 1359 Decrypted MSG = 0100000000000000 1360 SIV_GCM_2_KEYS Passed 1362 ***************************** 1363 Performing SIV_GCM - Two Keys: 1364 ***************************** 1366 AAD_len = 0 bytes 1367 MSG_len = 12 bytes 1368 BYTES ORDER 1369 LSB--------------------------MSB 1370 00010203040506070809101112131415 1371 -------------------------------- 1373 K1 = K = 01000000000000000000000000000000 1374 00000000000000000000000000000000 1375 NONCE = 03000000000000000000000000000000 1377 AAD = 1379 MSG = 010000000000000000000000 1381 PADDED_AAD = 1383 PADDED_MSG = 01000000000000000000000000000000 1385 LENBLK = 00000000000000006000000000000000 1387 POLYVAL xor N = 6e81a24732fd6d03ae5af544720a1c13 1389 with_MSbit_cleared = 6e81a24732fd6d03ae5af544720a1c13 1391 TAG = 8ca50da9ae6559e48fd10f6e5c9ca17e 1393 CTRBLK = 8ca50da9ae6559e48fd10f6e5c9ca1fe 1395 Record_Hash_Key = b5d3c529dfafac43136d2d11be284d7f 1397 Encryption_Key = b914f4742be9e1d7a2f84addbf96dec3 1399 456e3c6c05ecc157cdbf0700fedad222 1401 TAG' = 8ca50da9ae6559e48fd10f6e5c9ca17e 1403 AAD = 1405 CIPHERTEXT = 9aab2aeb3faa0a34aea8e2b1 1406 Decrypted MSG = 010000000000000000000000 1407 SIV_GCM_2_KEYS Passed 1409 ***************************** 1410 Performing SIV_GCM - Two Keys: 1411 ***************************** 1413 AAD_len = 0 bytes 1414 MSG_len = 16 bytes 1415 BYTES ORDER 1416 LSB--------------------------MSB 1417 00010203040506070809101112131415 1418 -------------------------------- 1420 K1 = K = 01000000000000000000000000000000 1421 00000000000000000000000000000000 1422 NONCE = 03000000000000000000000000000000 1424 AAD = 1426 MSG = 01000000000000000000000000000000 1428 PADDED_AAD = 1430 PADDED_MSG = 01000000000000000000000000000000 1432 LENBLK = 00000000000000008000000000000000 1434 POLYVAL xor N = 77eee2bf7c9a165f8b25dea73db32a6d 1436 with_MSbit_cleared = 77eee2bf7c9a165f8b25dea73db32a6d 1438 TAG = c9eac6fa700942702e90862383c6c366 1440 CTRBLK = c9eac6fa700942702e90862383c6c3e6 1442 Record_Hash_Key = b5d3c529dfafac43136d2d11be284d7f 1444 Encryption_Key = b914f4742be9e1d7a2f84addbf96dec3 1446 456e3c6c05ecc157cdbf0700fedad222 1448 TAG' = c9eac6fa700942702e90862383c6c366 1450 AAD = 1452 CIPHERTEXT = 85a01b63025ba19b7fd3ddfc033b3e76 1453 Decrypted MSG = 01000000000000000000000000000000 1454 SIV_GCM_2_KEYS Passed 1456 ***************************** 1457 Performing SIV_GCM - Two Keys: 1458 ***************************** 1460 AAD_len = 0 bytes 1461 MSG_len = 32 bytes 1462 BYTES ORDER 1463 LSB--------------------------MSB 1464 00010203040506070809101112131415 1465 -------------------------------- 1467 K1 = K = 01000000000000000000000000000000 1468 00000000000000000000000000000000 1469 NONCE = 03000000000000000000000000000000 1471 AAD = 1473 MSG = 01000000000000000000000000000000 1474 02000000000000000000000000000000 1476 PADDED_AAD = 1478 PADDED_MSG = 01000000000000000000000000000000 1479 02000000000000000000000000000000 1481 LENBLK = 00000000000000000001000000000000 1483 POLYVAL xor N = 8a9b6381b3d46f0def7aa0517ba188f5 1485 with_MSbit_cleared = 8a9b6381b3d46f0def7aa0517ba18875 1487 TAG = e819e63abcd020b006a976397632eb5d 1489 CTRBLK = e819e63abcd020b006a976397632ebdd 1491 Record_Hash_Key = b5d3c529dfafac43136d2d11be284d7f 1493 Encryption_Key = b914f4742be9e1d7a2f84addbf96dec3 1495 456e3c6c05ecc157cdbf0700fedad222 1497 TAG' = e819e63abcd020b006a976397632eb5d 1499 AAD = 1500 CIPHERTEXT = 4a6a9db4c8c6549201b9edb53006cba8 1501 21ec9cf850948a7c86c68ac7539d027f 1503 Decrypted MSG = 01000000000000000000000000000000 1504 02000000000000000000000000000000 1505 SIV_GCM_2_KEYS Passed 1507 ***************************** 1508 Performing SIV_GCM - Two Keys: 1509 ***************************** 1511 AAD_len = 0 bytes 1512 MSG_len = 48 bytes 1513 BYTES ORDER 1514 LSB--------------------------MSB 1515 00010203040506070809101112131415 1516 -------------------------------- 1518 K1 = K = 01000000000000000000000000000000 1519 00000000000000000000000000000000 1520 NONCE = 03000000000000000000000000000000 1522 AAD = 1524 MSG = 01000000000000000000000000000000 1525 02000000000000000000000000000000 1526 03000000000000000000000000000000 1528 PADDED_AAD = 1530 PADDED_MSG = 01000000000000000000000000000000 1531 02000000000000000000000000000000 1532 03000000000000000000000000000000 1534 LENBLK = 00000000000000008001000000000000 1536 POLYVAL xor N = c2f8593d8fc29b0c290cae1992f71f51 1538 with_MSbit_cleared = c2f8593d8fc29b0c290cae1992f71f51 1540 TAG = 790bc96880a99ba804bd12c0e6a22cc4 1542 CTRBLK = 790bc96880a99ba804bd12c0e6a22cc4 1544 Record_Hash_Key = b5d3c529dfafac43136d2d11be284d7f 1546 Encryption_Key = b914f4742be9e1d7a2f84addbf96dec3 1547 456e3c6c05ecc157cdbf0700fedad222 1549 TAG' = 790bc96880a99ba804bd12c0e6a22cc4 1551 AAD = 1553 CIPHERTEXT = c00d121893a9fa603f48ccc1ca3c57ce 1554 7499245ea0046db16c53c7c66fe717e3 1555 9cf6c748837b61f6ee3adcee17534ed5 1557 Decrypted MSG = 01000000000000000000000000000000 1558 02000000000000000000000000000000 1559 03000000000000000000000000000000 1560 SIV_GCM_2_KEYS Passed 1562 ***************************** 1563 Performing SIV_GCM - Two Keys: 1564 ***************************** 1566 AAD_len = 0 bytes 1567 MSG_len = 64 bytes 1568 BYTES ORDER 1569 LSB--------------------------MSB 1570 00010203040506070809101112131415 1571 -------------------------------- 1573 K1 = K = 01000000000000000000000000000000 1574 00000000000000000000000000000000 1575 NONCE = 03000000000000000000000000000000 1577 AAD = 1579 MSG = 01000000000000000000000000000000 1580 02000000000000000000000000000000 1581 03000000000000000000000000000000 1582 04000000000000000000000000000000 1584 PADDED_AAD = 1586 PADDED_MSG = 01000000000000000000000000000000 1587 02000000000000000000000000000000 1588 03000000000000000000000000000000 1589 04000000000000000000000000000000 1591 LENBLK = 00000000000000000002000000000000 1593 POLYVAL xor N = 6df38b06046c7c0e225efaef8e2ec4c4 1594 with_MSbit_cleared = 6df38b06046c7c0e225efaef8e2ec444 1596 TAG = 112864c269fc0d9d88c61fa47e39aa08 1598 CTRBLK = 112864c269fc0d9d88c61fa47e39aa88 1600 Record_Hash_Key = b5d3c529dfafac43136d2d11be284d7f 1602 Encryption_Key = b914f4742be9e1d7a2f84addbf96dec3 1604 456e3c6c05ecc157cdbf0700fedad222 1606 TAG' = 112864c269fc0d9d88c61fa47e39aa08 1608 AAD = 1610 CIPHERTEXT = c2d5160a1f8683834910acdafc41fbb1 1611 632d4a353e8b905ec9a5499ac34f96c7 1612 e1049eb080883891a4db8caaa1f99dd0 1613 04d80487540735234e3744512c6f90ce 1615 Decrypted MSG = 01000000000000000000000000000000 1616 02000000000000000000000000000000 1617 03000000000000000000000000000000 1618 04000000000000000000000000000000 1619 SIV_GCM_2_KEYS Passed 1621 ***************************** 1622 Performing SIV_GCM - Two Keys: 1623 ***************************** 1625 AAD_len = 1 bytes 1626 MSG_len = 8 bytes 1627 BYTES ORDER 1628 LSB--------------------------MSB 1629 00010203040506070809101112131415 1630 -------------------------------- 1632 K1 = K = 01000000000000000000000000000000 1633 00000000000000000000000000000000 1634 NONCE = 03000000000000000000000000000000 1636 AAD = 01 1638 MSG = 0200000000000000 1640 PADDED_AAD = 01000000000000000000000000000000 1641 PADDED_MSG = 02000000000000000000000000000000 1643 LENBLK = 08000000000000004000000000000000 1645 POLYVAL xor N = 37e57bafe011b9b36fc6821b7ffb3354 1647 with_MSbit_cleared = 37e57bafe011b9b36fc6821b7ffb3354 1649 TAG = 91213f267e3b452f02d01ae33e4ec854 1651 CTRBLK = 91213f267e3b452f02d01ae33e4ec8d4 1653 Record_Hash_Key = b5d3c529dfafac43136d2d11be284d7f 1655 Encryption_Key = b914f4742be9e1d7a2f84addbf96dec3 1657 456e3c6c05ecc157cdbf0700fedad222 1659 TAG' = 91213f267e3b452f02d01ae33e4ec854 1661 AAD = 01 1663 CIPHERTEXT = 1de22967237a8132 1665 Decrypted MSG = 0200000000000000 1666 SIV_GCM_2_KEYS Passed 1668 ***************************** 1669 Performing SIV_GCM - Two Keys: 1670 ***************************** 1672 AAD_len = 1 bytes 1673 MSG_len = 12 bytes 1674 BYTES ORDER 1675 LSB--------------------------MSB 1676 00010203040506070809101112131415 1677 -------------------------------- 1679 K1 = K = 01000000000000000000000000000000 1680 00000000000000000000000000000000 1681 NONCE = 03000000000000000000000000000000 1683 AAD = 01 1685 MSG = 020000000000000000000000 1687 PADDED_AAD = 01000000000000000000000000000000 1688 PADDED_MSG = 02000000000000000000000000000000 1690 LENBLK = 08000000000000006000000000000000 1692 POLYVAL xor N = 5f47d68a22061c1ad5623a3b66a8e206 1694 with_MSbit_cleared = 5f47d68a22061c1ad5623a3b66a8e206 1696 TAG = c1a4a19ae800941ccdc57cc8413c277f 1698 CTRBLK = c1a4a19ae800941ccdc57cc8413c27ff 1700 Record_Hash_Key = b5d3c529dfafac43136d2d11be284d7f 1702 Encryption_Key = b914f4742be9e1d7a2f84addbf96dec3 1704 456e3c6c05ecc157cdbf0700fedad222 1706 TAG' = c1a4a19ae800941ccdc57cc8413c277f 1708 AAD = 01 1710 CIPHERTEXT = 163d6f9cc1b346cd453a2e4c 1712 Decrypted MSG = 020000000000000000000000 1713 SIV_GCM_2_KEYS Passed 1715 ***************************** 1716 Performing SIV_GCM - Two Keys: 1717 ***************************** 1719 AAD_len = 1 bytes 1720 MSG_len = 16 bytes 1721 BYTES ORDER 1722 LSB--------------------------MSB 1723 00010203040506070809101112131415 1724 -------------------------------- 1726 K1 = K = 01000000000000000000000000000000 1727 00000000000000000000000000000000 1728 NONCE = 03000000000000000000000000000000 1730 AAD = 01 1732 MSG = 02000000000000000000000000000000 1734 PADDED_AAD = 01000000000000000000000000000000 1735 PADDED_MSG = 02000000000000000000000000000000 1737 LENBLK = 08000000000000008000000000000000 1739 POLYVAL xor N = 462896726c616746f01d11d82911d478 1741 with_MSbit_cleared = 462896726c616746f01d11d82911d478 1743 TAG = b292d28ff61189e8e49f3875ef91aff7 1745 CTRBLK = b292d28ff61189e8e49f3875ef91aff7 1747 Record_Hash_Key = b5d3c529dfafac43136d2d11be284d7f 1749 Encryption_Key = b914f4742be9e1d7a2f84addbf96dec3 1751 456e3c6c05ecc157cdbf0700fedad222 1753 TAG' = b292d28ff61189e8e49f3875ef91aff7 1755 AAD = 01 1757 CIPHERTEXT = c91545823cc24f17dbb0e9e807d5ec17 1759 Decrypted MSG = 02000000000000000000000000000000 1760 SIV_GCM_2_KEYS Passed 1762 ***************************** 1763 Performing SIV_GCM - Two Keys: 1764 ***************************** 1766 AAD_len = 1 bytes 1767 MSG_len = 32 bytes 1768 BYTES ORDER 1769 LSB--------------------------MSB 1770 00010203040506070809101112131415 1771 -------------------------------- 1773 K1 = K = 01000000000000000000000000000000 1774 00000000000000000000000000000000 1775 NONCE = 03000000000000000000000000000000 1777 AAD = 01 1779 MSG = 02000000000000000000000000000000 1780 03000000000000000000000000000000 1782 PADDED_AAD = 01000000000000000000000000000000 1783 PADDED_MSG = 02000000000000000000000000000000 1784 03000000000000000000000000000000 1786 LENBLK = 08000000000000000001000000000000 1788 POLYVAL xor N = 4d58c1e341c9bb0ae34eda9509dfc90c 1790 with_MSbit_cleared = 4d58c1e341c9bb0ae34eda9509dfc90c 1792 TAG = aea1bad12702e1965604374aab96dbbc 1794 CTRBLK = aea1bad12702e1965604374aab96dbbc 1796 Record_Hash_Key = b5d3c529dfafac43136d2d11be284d7f 1798 Encryption_Key = b914f4742be9e1d7a2f84addbf96dec3 1800 456e3c6c05ecc157cdbf0700fedad222 1802 TAG' = aea1bad12702e1965604374aab96dbbc 1804 AAD = 01 1806 CIPHERTEXT = 07dad364bfc2b9da89116d7bef6daaaf 1807 6f255510aa654f920ac81b94e8bad365 1809 Decrypted MSG = 02000000000000000000000000000000 1810 03000000000000000000000000000000 1811 SIV_GCM_2_KEYS Passed 1813 ***************************** 1814 Performing SIV_GCM - Two Keys: 1815 ***************************** 1817 AAD_len = 1 bytes 1818 MSG_len = 48 bytes 1819 BYTES ORDER 1820 LSB--------------------------MSB 1821 00010203040506070809101112131415 1822 -------------------------------- 1824 K1 = K = 01000000000000000000000000000000 1825 00000000000000000000000000000000 1826 NONCE = 03000000000000000000000000000000 1828 AAD = 01 1830 MSG = 02000000000000000000000000000000 1831 03000000000000000000000000000000 1832 04000000000000000000000000000000 1834 PADDED_AAD = 01000000000000000000000000000000 1836 PADDED_MSG = 02000000000000000000000000000000 1837 03000000000000000000000000000000 1838 04000000000000000000000000000000 1840 LENBLK = 08000000000000008001000000000000 1842 POLYVAL xor N = 2666a4aff9a525df9772c16d4eaf8d2a 1844 with_MSbit_cleared = 2666a4aff9a525df9772c16d4eaf8d2a 1846 TAG = 03332742b228c647173616cfd44c54eb 1848 CTRBLK = 03332742b228c647173616cfd44c54eb 1850 Record_Hash_Key = b5d3c529dfafac43136d2d11be284d7f 1852 Encryption_Key = b914f4742be9e1d7a2f84addbf96dec3 1854 456e3c6c05ecc157cdbf0700fedad222 1856 TAG' = 03332742b228c647173616cfd44c54eb 1858 AAD = 01 1860 CIPHERTEXT = c67a1f0f567a5198aa1fcc8e3f213143 1861 36f7f51ca8b1af61feac35a86416fa47 1862 fbca3b5f749cdf564527f2314f42fe25 1864 Decrypted MSG = 02000000000000000000000000000000 1865 03000000000000000000000000000000 1866 04000000000000000000000000000000 1867 SIV_GCM_2_KEYS Passed 1869 ***************************** 1870 Performing SIV_GCM - Two Keys: 1871 ***************************** 1873 AAD_len = 1 bytes 1874 MSG_len = 64 bytes 1875 BYTES ORDER 1876 LSB--------------------------MSB 1877 00010203040506070809101112131415 1878 -------------------------------- 1880 K1 = K = 01000000000000000000000000000000 1881 00000000000000000000000000000000 1882 NONCE = 03000000000000000000000000000000 1884 AAD = 01 1886 MSG = 02000000000000000000000000000000 1887 03000000000000000000000000000000 1888 04000000000000000000000000000000 1889 05000000000000000000000000000000 1891 PADDED_AAD = 01000000000000000000000000000000 1893 PADDED_MSG = 02000000000000000000000000000000 1894 03000000000000000000000000000000 1895 04000000000000000000000000000000 1896 05000000000000000000000000000000 1898 LENBLK = 08000000000000000002000000000000 1900 POLYVAL xor N = d958d2f61b0a9d343b2f37fb0c519733 1902 with_MSbit_cleared = d958d2f61b0a9d343b2f37fb0c519733 1904 TAG = 5bde0285037c5de81e5b570a049b62a0 1906 CTRBLK = 5bde0285037c5de81e5b570a049b62a0 1908 Record_Hash_Key = b5d3c529dfafac43136d2d11be284d7f 1910 Encryption_Key = b914f4742be9e1d7a2f84addbf96dec3 1912 456e3c6c05ecc157cdbf0700fedad222 1914 TAG' = 5bde0285037c5de81e5b570a049b62a0 1916 AAD = 01 1918 CIPHERTEXT = 67fd45e126bfb9a79930c43aad2d3696 1919 7d3f0e4d217c1e551f59727870beefc9 1920 8cb933a8fce9de887b1e40799988db1f 1921 c3f91880ed405b2dd298318858467c89 1923 Decrypted MSG = 02000000000000000000000000000000 1924 03000000000000000000000000000000 1925 04000000000000000000000000000000 1926 05000000000000000000000000000000 1927 SIV_GCM_2_KEYS Passed 1928 ***************************** 1929 Performing SIV_GCM - Two Keys: 1930 ***************************** 1932 AAD_len = 12 bytes 1933 MSG_len = 4 bytes 1934 BYTES ORDER 1935 LSB--------------------------MSB 1936 00010203040506070809101112131415 1937 -------------------------------- 1939 K1 = K = 01000000000000000000000000000000 1940 00000000000000000000000000000000 1941 NONCE = 03000000000000000000000000000000 1943 AAD = 010000000000000000000000 1945 MSG = 02000000 1947 PADDED_AAD = 01000000000000000000000000000000 1949 PADDED_MSG = 02000000000000000000000000000000 1951 LENBLK = 60000000000000002000000000000000 1953 POLYVAL xor N = 6ec76ae84b88916e073a303aafde05cf 1955 with_MSbit_cleared = 6ec76ae84b88916e073a303aafde054f 1957 TAG = 1835e517741dfddccfa07fa4661b74cf 1959 CTRBLK = 1835e517741dfddccfa07fa4661b74cf 1961 Record_Hash_Key = b5d3c529dfafac43136d2d11be284d7f 1963 Encryption_Key = b914f4742be9e1d7a2f84addbf96dec3 1965 456e3c6c05ecc157cdbf0700fedad222 1967 TAG' = 1835e517741dfddccfa07fa4661b74cf 1969 AAD = 010000000000000000000000 1971 CIPHERTEXT = 22b3f4cd 1973 Decrypted MSG = 02000000 1974 SIV_GCM_2_KEYS Passed 1975 ***************************** 1976 Performing SIV_GCM - Two Keys: 1977 ***************************** 1979 AAD_len = 18 bytes 1980 MSG_len = 20 bytes 1981 BYTES ORDER 1982 LSB--------------------------MSB 1983 00010203040506070809101112131415 1984 -------------------------------- 1986 K1 = K = 01000000000000000000000000000000 1987 00000000000000000000000000000000 1988 NONCE = 03000000000000000000000000000000 1990 AAD = 01000000000000000000000000000000 1991 0200 1993 MSG = 03000000000000000000000000000000 1994 04000000 1996 PADDED_AAD = 01000000000000000000000000000000 1997 02000000000000000000000000000000 1999 PADDED_MSG = 03000000000000000000000000000000 2000 04000000000000000000000000000000 2002 LENBLK = 9000000000000000a000000000000000 2004 POLYVAL xor N = 943ef4fd04bd31d193816ab26f8655ca 2006 with_MSbit_cleared = 943ef4fd04bd31d193816ab26f86554a 2008 TAG = b879ad976d8242acc188ab59cabfe307 2010 CTRBLK = b879ad976d8242acc188ab59cabfe387 2012 Record_Hash_Key = b5d3c529dfafac43136d2d11be284d7f 2014 Encryption_Key = b914f4742be9e1d7a2f84addbf96dec3 2016 456e3c6c05ecc157cdbf0700fedad222 2018 TAG' = b879ad976d8242acc188ab59cabfe307 2020 AAD = 01000000000000000000000000000000 2021 0200 2023 CIPHERTEXT = 43dd0163cdb48f9fe3212bf61b201976 2024 067f342b 2026 Decrypted MSG = 03000000000000000000000000000000 2027 04000000 2028 SIV_GCM_2_KEYS Passed 2030 ***************************** 2031 Performing SIV_GCM - Two Keys: 2032 ***************************** 2034 AAD_len = 20 bytes 2035 MSG_len = 18 bytes 2036 BYTES ORDER 2037 LSB--------------------------MSB 2038 00010203040506070809101112131415 2039 -------------------------------- 2041 K1 = K = 01000000000000000000000000000000 2042 00000000000000000000000000000000 2043 NONCE = 03000000000000000000000000000000 2045 AAD = 01000000000000000000000000000000 2046 02000000 2048 MSG = 03000000000000000000000000000000 2049 0400 2051 PADDED_AAD = 01000000000000000000000000000000 2052 02000000000000000000000000000000 2054 PADDED_MSG = 03000000000000000000000000000000 2055 04000000000000000000000000000000 2057 LENBLK = a0000000000000009000000000000000 2059 POLYVAL xor N = 2fbb6b7ab2dbffefb797f825f826870c 2061 with_MSbit_cleared = 2fbb6b7ab2dbffefb797f825f826870c 2063 TAG = cfcdf5042112aa29685c912fc2056543 2065 CTRBLK = cfcdf5042112aa29685c912fc20565c3 2067 Record_Hash_Key = b5d3c529dfafac43136d2d11be284d7f 2069 Encryption_Key = b914f4742be9e1d7a2f84addbf96dec3 2070 456e3c6c05ecc157cdbf0700fedad222 2072 TAG' = cfcdf5042112aa29685c912fc2056543 2074 AAD = 01000000000000000000000000000000 2075 02000000 2077 CIPHERTEXT = 462401724b5ce6588d5a54aae5375513 2078 a075 2080 Decrypted MSG = 03000000000000000000000000000000 2081 0400 2082 SIV_GCM_2_KEYS Passed 2084 Authors' Addresses 2086 Shay Gueron 2087 University of Haifa and Intel Corporation 2088 Abba Khoushy Ave 199 2089 Haifa 3498838 2090 Israel 2092 Email: shay@math.haifa.ac.il 2094 Adam Langley 2095 Google 2096 345 Spear St 2097 San Francisco, CA 94105 2098 US 2100 Email: agl@google.com 2102 Yehuda Lindell 2103 Bar Ilan University 2104 Bar Ilan University 2105 Ramat Gan 5290002 2106 Israel 2108 Email: Yehuda.Lindell@biu.ac.il