CFRG                                                          S. Gueron
Internet-Draft                    University of Haifa and Intel Corporation
Intended status: Informational                                  A. Langley
Expires: August 27, 2017                                            Google
                                                                Y. Lindell
                                                        Bar Ilan University
                                                         February 23, 2017

      AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption
                        draft-irtf-cfrg-gcmsiv-04

Abstract

   This memo specifies two authenticated encryption algorithms that are nonce misuse-resistant - that is, they do not fail catastrophically if a nonce is repeated.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

   This Internet-Draft will expire on August 27, 2017.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Requirements Language
   3.  POLYVAL
   4.  Encryption
   5.  Decryption
   6.  AEADs
   7.  Field operation examples
   8.  Worked example
   9.  Security Considerations
   10. IANA Considerations
   11. Acknowledgements
   12. References
     12.1.  Normative References
     12.2.  Informative References
   Appendix A.  The relationship between POLYVAL and GHASH
   Appendix B.  Additional comparisons with AES-GCM
   Appendix C.  Test vectors
     C.1.  AEAD_AES_128_GCM_SIV
   Authors' Addresses

1.  Introduction

   The concept of "Authenticated encryption with additional data" (AEAD [RFC5116]) couples confidentiality and integrity in a single operation that is easier for practitioners to use correctly. The most popular AEAD, AES-GCM [GCM], is seeing widespread use due to its attractive performance.

   However, most AEADs suffer catastrophic failures of confidentiality and/or integrity when two distinct messages are encrypted with the same nonce. While the requirements for AEADs specify that the pair of (key, nonce) shall only ever be used once, and thus prohibit this, in practice this is a worry.

   Nonce misuse-resistant AEADs do not suffer from this problem. For this class of AEADs, encrypting two messages with the same nonce only discloses whether the messages were equal or not. This is the minimum amount of information that a deterministic algorithm can leak in this situation.

   This memo specifies two nonce misuse-resistant AEADs: "AEAD_AES_128_GCM_SIV" and "AEAD_AES_256_GCM_SIV". These AEADs are designed to be able to take advantage of existing hardware support for AES-GCM and can decrypt within 5% of the speed of AES-GCM (for multi-kilobyte messages). Encryption is, perforce, slower than AES-GCM because two passes are required.
   However, measurements suggest that it can still run at 2/3rds of the speed of AES-GCM.

   We suggest that these AEADs be considered in any situation where there is the slightest doubt about nonce uniqueness.

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

3.  POLYVAL

   The GCM-SIV construction is similar to GCM: the block cipher is used in counter mode to encrypt the plaintext and a polynomial authenticator is used to provide integrity. The authenticator in GCM-SIV is called POLYVAL.

   POLYVAL, like GHASH, operates in a binary field of size 2^128. The field is defined by the irreducible polynomial x^128 + x^127 + x^126 + x^121 + 1. The sum of any two elements in the field is the result of XORing them. The product of any two elements is calculated using standard (binary) polynomial multiplication followed by reduction modulo the irreducible polynomial.

   We define another binary operation on elements of the field: dot(a, b), where dot(a, b) = a * b * x^-128. The value of the field element x^-128 is equal to x^127 + x^124 + x^121 + x^114 + 1. The result, dot(a, b), of this multiplication is another field element.

   Polynomials in this field are converted to and from 128-bit strings by taking the least-significant bit of the first byte to be the coefficient of x^0, the most-significant bit of the first byte to be the coefficient of x^7 and so on, until the most-significant bit of the last byte is the coefficient of x^127.

   POLYVAL takes a field element, H, and a series of field elements X_1, ..., X_s. Its result is S_s, where S is defined by the iteration S_0 = 0; S_j = dot(S_{j-1} + X_j, H), for j = 1..s.

   We note that POLYVAL(H, X_1, X_2, ...) is equal to ByteReverse(GHASH(ByteReverse(H) * x, ByteReverse(X_1), ByteReverse(X_2), ...)), where ByteReverse is a function that reverses the order of 16 bytes. See Appendix A for a more detailed explanation.

4.  Encryption

   AES-GCM-SIV encryption takes a 16- or 32-byte key-generating key, a 96-bit nonce, and arbitrary-length plaintext & additional data byte-strings. It outputs an authenticated ciphertext that will be 16 bytes longer than the plaintext.

   If the key-generating key is 16 bytes long then AES-128 is used throughout. Otherwise AES-256 is used throughout.

   The first step of encryption is to generate per-nonce, record-authentication and record-encryption keys. The record-authentication key is 128-bit and the record-encryption key is either 128- (for AES-128) or 256-bit (for AES-256).

   These keys are generated by encrypting a series of plaintext blocks that contain a 32-bit, little-endian counter followed by the nonce, and then discarding the second half of the resulting ciphertext. In the AES-128 case, 128 + 128 = 256 bits of key material need to be generated and, since encrypting each block yields 64 bits after discarding half, four blocks need to be encrypted. The counter values for these blocks are 0, 1, 2 and 3. For AES-256, six blocks are needed in total, with counter values 0 through 5 (inclusive).

   In pseudocode form, where ++ indicates concatenation and x[:8] indicates taking only the first eight bytes from x:

      if bytelen(key-generating-key) == 16 {
        record-authentication-key =
          AES128(key = key-generating-key, input = "00000000" ++ nonce)[:8] ++
          AES128(key = key-generating-key, input = "01000000" ++ nonce)[:8]
        record-encryption-key =
          AES128(key = key-generating-key, input = "02000000" ++ nonce)[:8] ++
          AES128(key = key-generating-key, input = "03000000" ++ nonce)[:8]
      } else if bytelen(key-generating-key) == 32 {
        record-authentication-key =
          AES256(key = key-generating-key, input = "00000000" ++ nonce)[:8] ++
          AES256(key = key-generating-key, input = "01000000" ++ nonce)[:8]
        record-encryption-key =
          AES256(key = key-generating-key, input = "02000000" ++ nonce)[:8] ++
          AES256(key = key-generating-key, input = "03000000" ++ nonce)[:8] ++
          AES256(key = key-generating-key, input = "04000000" ++ nonce)[:8] ++
          AES256(key = key-generating-key, input = "05000000" ++ nonce)[:8]
      }

   Define the _length block_ as a 16-byte value that is the concatenation of the 64-bit, little-endian encodings of bytelen(additional_data) * 8 and bytelen(plaintext) * 8. Pad the plaintext and additional data with zeros until they are each a multiple of 16 bytes, the AES block size. Then X_1, X_2, ... (the series of field elements that are inputs to POLYVAL) are the concatenation of the padded additional data, the padded plaintext and the length block.

   Calculate S_s = POLYVAL(record-authentication-key, X_1, X_2, ...). XOR the first twelve bytes of S_s with the nonce and clear the most-significant bit of the last byte. Encrypt the result with AES using the record-encryption key to produce the tag.

   The ciphertext is produced by using AES, with the record-encryption key, in counter mode on the unpadded plaintext.
   The initial counter block is the tag with the most-significant bit of the last byte set to one. The counter advances by incrementing the first 32 bits interpreted as an unsigned, little-endian integer. The result of the encryption is the resulting ciphertext (truncated to the length of the plaintext) followed by the tag.

5.  Decryption

   Decryption takes a 16- or 32-byte key-generating key, a 96-bit nonce, and arbitrary-length ciphertext & additional data byte-strings. It either fails, or outputs a plaintext that is 16 bytes shorter than the ciphertext.

   Firstly, the record-encryption and record-authentication keys are derived in the same manner as when encrypting.

   If the ciphertext is less than 16 bytes or more than 2^36 + 16 bytes, then fail. Otherwise split the input into the encrypted plaintext and a 16-byte tag. Decrypt the encrypted plaintext with the record-encryption key in counter mode, where the initial counter block is the tag with the most-significant bit of the last byte set to one. The counter advances in the same way as for encryption.

   Pad the additional data and plaintext with zeros until they are each a multiple of 16 bytes, the AES block size. Calculate the length block and X_1, X_2, ... as above and compute S_s = POLYVAL(record-authentication-key, X_1, X_2, ...). Compute the expected tag by XORing S_s and the nonce, clearing the most-significant bit of the last byte and encrypting with the record-encryption key. Compare the provided and expected tag values in constant time. If they do not match, fail. Otherwise return the plaintext.

6.  AEADs

   We define two AEADs, in the format of RFC 5116, that use AES-GCM-SIV: AEAD_AES_128_GCM_SIV and AEAD_AES_256_GCM_SIV. They differ only in the size of the AES key used.

   The key input to these AEADs becomes the key-generating key. Thus AEAD_AES_128_GCM_SIV takes a 16-byte key and AEAD_AES_256_GCM_SIV takes a 32-byte key.

   The parameters for AEAD_AES_128_GCM_SIV are then: K_LEN is 16, P_MAX is 2^36, A_MAX is 2^61 - 1, N_MIN and N_MAX are 12 and C_MAX is 2^36 + 16.

   The parameters for AEAD_AES_256_GCM_SIV differ only in the key size: K_LEN is 32, P_MAX is 2^36, A_MAX is 2^61 - 1, N_MIN and N_MAX are 12 and C_MAX is 2^36 + 16.

7.  Field operation examples

   Polynomials in this document will be written as 16-byte values. For example, the sixteen bytes 01000000000000000000000000000492 would represent the polynomial x^127 + x^124 + x^121 + x^114 + 1, which is also the value of x^-128 in this field.

   If a = 66e94bd4ef8a2c3b884cfa59ca342b2e and b = ff000000000000000000000000000000 then a + b = 99e94bd4ef8a2c3b884cfa59ca342b2e, a * b = 37856175e9dc9df26ebc6d6171aa0ae9 and dot(a, b) = ebe563401e7e91ea3ad6426b8140c394.

8.  Worked example

   Consider the encryption of the plaintext "Hello world" with the additional data "example" under key ee8e1ed9ff2540ae8f2ba9f50bc2f27c using AEAD_AES_128_GCM_SIV. The random nonce that we'll use for this example is 752abad3e0afb5f434dc4310.

   In order to generate the record-authentication and record-encryption keys, a counter is combined with the nonce to form four blocks. These blocks are encrypted with the key given above:

      Counter | Nonce                     Ciphertext
      00000000752abad3e0afb5f434dc4310 -> 310728d9911f1f38c40e952ca83d093e
      01000000752abad3e0afb5f434dc4310 -> 37b24316c3fab9a046ae90952daa0450
      02000000752abad3e0afb5f434dc4310 -> a4c5ae624996327947920b2d2412474b
      03000000752abad3e0afb5f434dc4310 -> c100be4d7e2c6edd1efef004305ab1e7

   The latter halves of the ciphertext blocks are discarded and the remaining bytes are concatenated to form the per-record keys. Thus the record-authentication key is 310728d9911f1f3837b24316c3fab9a0 and the record-encryption key is a4c5ae6249963279c100be4d7e2c6edd.

   The length block contains the encoding of the bit-lengths of the additional data and plaintext, respectively, which are 56 and 88. Thus the length block is 38000000000000005800000000000000.

   The input to POLYVAL is the padded additional data, padded plaintext and then the length block. This is 6578616d706c6500000000000000000048656c6c6f20776f726c64000000000038000000000000005800000000000000.

   Calling POLYVAL with the record-authentication key and the input above results in S_s = ad7fcf0b5169851662672f3c5f95138f.

   Before encrypting, the nonce is XORed in and the most-significant bit of the last byte is cleared. This gives d85575d8b1c630e256bb6c2c5f95130f because that bit happened to be one previously. Encrypting with the record-encryption key gives the tag, which is 4fbcdeb7e4793f4a1d7e4faa70100af1.

   In order to form the initial counter block, the most-significant bit of the last byte of the tag is set to one. That doesn't result in a change in this example. Encrypting this with the record-encryption key gives the first block of the keystream: 1551f2c1787e81deac9a99f139540ab5.

   The final ciphertext is the result of XORing the plaintext with the keystream and appending the tag. That gives 5d349ead175ef6b1def6fd4fbcdeb7e4793f4a1d7e4faa70100af1.

9.  Security Considerations

   A detailed analysis of these schemes appears in [AES-GCM-SIV] and the remainder of this section is a summary of that paper.

   We recommend a limit of 2^50 plaintexts encrypted with a given key. Past this point, AES-GCM-SIV may be distinguishable from an ideal AEAD. (This is based on standard assumptions about AES.)

   The AEADs defined in this document calculate fresh AES keys for each nonce.
   This allows a larger number of plaintexts to be encrypted under a given key. Without this step, each SIV encryption would be like a standard GCM encryption with a random nonce. Since the nonce size for GCM is only 12 bytes, NIST set a limit [GCM] of 2^32 encryptions before the probability of duplicate nonces becomes too high.

   The authors felt that, while large, 2^32 wasn't so large that this limit could be safely ignored. For example, consider encrypting the contents of a hard disk where the AEAD record size is 512 bytes, to match the traditional size of a disk sector. This process would have encrypted 2^32 records after processing 2TB, yet hard drives of multiple terabytes are now common.

   Deriving fresh AES keys for each nonce alleviates this problem.

   If the nonce is fixed then AES-GCM-SIV acts like AES-GCM with a random nonce, with the caveat that identical plaintexts will produce identical ciphertexts. However, we feel that the 2^32 limit for AES-GCM is too risky in a multi-key setting. Thus with AES-GCM-SIV we recommend that, for a specific key, a nonce not be repeated more than 2^8 times. (And, ideally, not be repeated at all.) See theorem six and figure four from the paper for detailed bounds.

   Suzuki et al. [multibirthday] show that even if nonces are selected uniformly at random, the probability that one or more values would be repeated 256 or more times is negligible until the number of nonces reaches 2^102. (Specifically the probability is 1/((2^96)^(255)) * Binomial(q, 256), where q is the number of nonces.) Since 2^102 is vastly greater than the limit on the number of plaintexts per key given above, we don't feel that this limit on the number of repeated nonces will be a problem. This also means that selecting nonces at random is a safe practice with AES-GCM-SIV.
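The POLYVAL, per-nonce key derivation, encryption and decryption of Sections 3 to 5, as an added example written for this page (it is not the draft's or the authors' code): a pure-Python AEAD_AES_128_GCM_SIV that reproduces the field values of Section 7, the per-record keys, S_s and ciphertext of the Section 8 worked example, and the POLYVAL value of Appendix A, and that rejects a wrong tag or wrong additional data. The AES-128 inside is a textbook implementation written for this example and is not constant-time, so nothing beyond the standard library is needed.

```python
import hmac

# AES-128 block encryption: a textbook, table-free version written for this example (not constant-time).
def _gf8_mul(a, b):                     # multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1
    r = 0
    while b:
        if b & 1: r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r
def _make_sbox():                       # S[x] = affine(x^-1), where x^-1 = x^254 in GF(2^8)
    box = []
    for x in range(256):
        inv = x
        for _ in range(253):
            inv = _gf8_mul(inv, x)
        y = inv ^ 0x63                  # affine map: inv ^ rotl(inv, 1..4) ^ 0x63
        for i in range(1, 5):
            y ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        box.append(y)
    return box
_SBOX = _make_sbox()

def _expand_key(key):                   # AES-128 key schedule: 11 round keys of 16 bytes
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:                  # RotWord, SubWord, Rcon
            t = [_SBOX[t[1]] ^ rcon, _SBOX[t[2]], _SBOX[t[3]], _SBOX[t[0]]]
            rcon = _gf8_mul(rcon, 2)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]
def aes128_encrypt_block(key, block):
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [_SBOX[b] for b in s]                                   # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]          # ShiftRows
        if rnd < 10:                                                # MixColumns
            s = [_gf8_mul(s[4 * c + i], 2) ^ _gf8_mul(s[4 * c + (i + 1) % 4], 3)
                 ^ s[4 * c + (i + 2) % 4] ^ s[4 * c + (i + 3) % 4]
                 for c in range(4) for i in range(4)]
        s = [b ^ k for b, k in zip(s, rk[rnd])]                     # AddRoundKey
    return bytes(s)

# POLYVAL (Section 3): elements are ints whose bit i is the coefficient of x^i, so a
# 16-byte string converts with int.from_bytes(s, "little"), matching the Section 3 mapping.
_POLY = (1 << 128) | (1 << 127) | (1 << 126) | (1 << 121) | 1
_X_INV128 = int.from_bytes(bytes.fromhex("01000000000000000000000000000492"), "little")
def gf_mul(a, b):                       # binary polynomial product, reduced modulo _POLY
    r = 0
    for i in range(128):
        if (b >> i) & 1: r ^= a << i
    for i in range(254, 127, -1):
        if (r >> i) & 1: r ^= _POLY << (i - 128)
    return r
def dot(a, b):                          # dot(a, b) = a * b * x^-128
    return gf_mul(gf_mul(a, b), _X_INV128)
def polyval(h, data):                   # S_0 = 0; S_j = dot(S_{j-1} + X_j, H) over 16-byte blocks
    hh, s = int.from_bytes(h, "little"), 0
    for i in range(0, len(data), 16):
        s = dot(s ^ int.from_bytes(data[i:i + 16], "little"), hh)
    return s.to_bytes(16, "little")

# AEAD_AES_128_GCM_SIV (Sections 4 and 5).
def derive_keys(key, nonce):            # per-nonce (record-authentication key, record-encryption key)
    halves = [aes128_encrypt_block(key, i.to_bytes(4, "little") + nonce)[:8] for i in range(4)]
    return halves[0] + halves[1], halves[2] + halves[3]
def _tag(auth_key, enc_key, nonce, aad, plaintext):
    pad = lambda b: b + bytes(-len(b) % 16)
    length_block = (8 * len(aad)).to_bytes(8, "little") + (8 * len(plaintext)).to_bytes(8, "little")
    s = bytearray(polyval(auth_key, pad(aad) + pad(plaintext) + length_block))
    for i in range(12):                 # XOR in the nonce, then clear the top bit of the last byte
        s[i] ^= nonce[i]
    s[15] &= 0x7F
    return aes128_encrypt_block(enc_key, bytes(s))
def _ctr(enc_key, tag, data):           # counter mode starting from the tag with its top bit set
    block = bytearray(tag[:15] + bytes([tag[15] | 0x80]))
    counter, out = int.from_bytes(block[:4], "little"), bytearray()
    for i in range(0, len(data), 16):   # the counter is the first 32 bits, little-endian
        block[:4] = ((counter + i // 16) & 0xFFFFFFFF).to_bytes(4, "little")
        keystream = aes128_encrypt_block(enc_key, bytes(block))
        out += bytes(x ^ y for x, y in zip(data[i:i + 16], keystream))
    return bytes(out)
def encrypt(key, nonce, plaintext, aad=b""):
    auth_key, enc_key = derive_keys(key, nonce)
    tag = _tag(auth_key, enc_key, nonce, aad, plaintext)
    return _ctr(enc_key, tag, plaintext) + tag
def decrypt(key, nonce, ciphertext, aad=b""):   # plaintext, or None on a length or tag failure
    if len(ciphertext) < 16 or len(ciphertext) > (1 << 36) + 16: return None
    auth_key, enc_key = derive_keys(key, nonce)
    plaintext = _ctr(enc_key, ciphertext[-16:], ciphertext[:-16])
    expected = _tag(auth_key, enc_key, nonce, aad, plaintext)
    return plaintext if hmac.compare_digest(expected, ciphertext[-16:]) else None
```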
   In addition to calculating fresh AES keys for each nonce, these AEADs also calculate fresh POLYVAL keys. Previous versions of GCM-SIV did not do this and, instead, used part of the AEAD's key as the POLYVAL key. Bleichenbacher pointed out that this allowed an attacker who controlled the AEAD key to force the POLYVAL key to be zero. If a user of this AEAD authenticated messages with a secret additional-data value then this would be insecure as the attacker could calculate a valid authenticator without knowing the input. This does not violate the standard properties of an AEAD as the additional data is not assumed to be confidential. However, we want these AEADs to be robust to plausible misuse and also to be drop-in replacements for AES-GCM and so derive nonce-specific POLYVAL keys to avoid this issue.

   A security analysis of a similar scheme appears in [GCM-SIV].

10.  IANA Considerations

   This document has no actions for IANA.

11.  Acknowledgements

   The authors would like to thank Uri Blumenthal, Ondrej Mosnaček, Daniel Bleichenbacher, Kenny Paterson, Bart Preneel, John Mattsson and Deb Cooley's team at NSA Information Assurance for their helpful suggestions.

12.  References

12.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.

12.2.  Informative References

   [AES-GCM-SIV]  Gueron, S., Langley, A., and Y. Lindell, "AES-GCM-SIV: specification and analysis", 2017.

   [GCM]  Dworkin, M., "Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC", NIST SP-800-38D, November 2007.

   [GCM-SIV]  Gueron, S. and Y. Lindell, "GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle Per Byte", Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, 2015.

   [multibirthday]  Kazuhiro, S., Dongvu, T., Kaoru, K., and T. Koji, "Birthday Paradox for Multi-collisions", ICISC 2006: 9th International Conference, Busan, Korea, November 30 - December 1, 2006. Proceedings, 2006.

   [RFC5116]  McGrew, D., "An Interface and Algorithms for Authenticated Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008.

Appendix A.  The relationship between POLYVAL and GHASH

   GHASH and POLYVAL both operate in GF(2^128), although with different irreducible polynomials: POLYVAL works modulo x^128 + x^127 + x^126 + x^121 + 1 and GHASH works modulo x^128 + x^7 + x^2 + x + 1. Note that these irreducible polynomials are the "reverse" of each other.

   GHASH also has a different mapping between 128-bit strings and field elements. Whereas POLYVAL takes the least-significant to most-significant bits of the first byte to be the coefficients of x^0 to x^7, GHASH takes them to be the coefficients of x^7 to x^0. This continues until, for the last byte, POLYVAL takes the least-significant to most-significant bits to be the coefficients of x^120 to x^127 while GHASH takes them to be the coefficients of x^127 to x^120.

   The combination of these facts means that it's possible to "convert" values between the two by reversing the order of the bytes in a 16-byte string. The differing interpretations of bit order take care of reversing the bits within each byte and then reversing the bytes does the rest. This may have a practical benefit for implementations that wish to implement both GHASH and POLYVAL.
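The conversion this appendix describes, carried out in Python as an added example (not the draft's code): a bit-reflected GHASH multiply in GHASH's own convention (the shift-right algorithm of NIST SP 800-38D), the mulX_GHASH, mulX_POLYVAL and ByteReverse helpers the appendix defines, and POLYVAL obtained from GHASH alone through the appendix's identity, checked against its worked values for H, X_1 and X_2.

```python
# x^128 reduced modulo GHASH's x^128 + x^7 + x^2 + x + 1, written in GHASH's bit order
# (most-significant bit of the first byte = coefficient of x^0): 11100001 followed by 120 zeros.
_R = 0xE1 << 120

def ghash_mul(x, y):
    """Multiply two GHASH field elements held as big-endian ints (bit 127 = coefficient of x^0).
    x's coefficients are consumed from x^0 upwards while y is repeatedly multiplied by x,
    which in this bit order is a right shift followed by a conditional reduction."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ (_R if v & 1 else 0)
    return z

def ghash(h, blocks):                   # Y_0 = 0; Y_i = (Y_{i-1} + X_i) * H
    hh, y = int.from_bytes(h, "big"), 0
    for x in blocks:
        y = ghash_mul(y ^ int.from_bytes(x, "big"), hh)
    return y.to_bytes(16, "big")

def mulx_ghash(s):                      # multiply by x in GHASH's field; x is bit 6 of the first byte
    return ghash_mul(0x40 << 120, int.from_bytes(s, "big")).to_bytes(16, "big")

def mulx_polyval(s):                    # multiply by x in POLYVAL's field: shift left, then reduce
    v = int.from_bytes(s, "little") << 1
    if v >> 128:
        v ^= (1 << 128) | (1 << 127) | (1 << 126) | (1 << 121) | 1
    return v.to_bytes(16, "little")

def byte_reverse(s):
    return s[::-1]

def polyval_via_ghash(h, blocks):
    """POLYVAL(H, X_1..X_n) = ByteReverse(GHASH(mulX_GHASH(ByteReverse(H)), ByteReverse(X_1), ...))."""
    return byte_reverse(ghash(mulx_ghash(byte_reverse(h)), [byte_reverse(x) for x in blocks]))
```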
   In order to be clear which field a given operation is performed in, let mulX_GHASH be a function that takes a 16-byte string, converts it to an element of GHASH's field using GHASH's convention, multiplies it by x and converts back to a string. Likewise, let mulX_POLYVAL be a function that converts a 16-byte string to an element of POLYVAL's field using POLYVAL's convention, multiplies it by x and converts back.

   Given the 16-byte string 01000000000000000000000000000000, mulX_GHASH of that string is 00800000000000000000000000000000 and mulX_POLYVAL of that string is 02000000000000000000000000000000. As a more general example, given 9c98c04df9387ded828175a92ba652d8, mulX_GHASH of that string is 4e4c6026fc9c3ef6c140bad495d3296c and mulX_POLYVAL of it is 3931819bf271fada0503eb52574ca5f2.

   Lastly, let ByteReverse be the function that takes a 16-byte string and returns a copy where the order of the bytes has been reversed.

   Now GHASH and POLYVAL can be defined in terms of one another:

      POLYVAL(H, X_1, ..., X_n) =
        ByteReverse(GHASH(mulX_GHASH(ByteReverse(H)), ByteReverse(X_1), ..., ByteReverse(X_n)))

      GHASH(H, X_1, ..., X_n) =
        ByteReverse(POLYVAL(mulX_POLYVAL(ByteReverse(H)), ByteReverse(X_1), ..., ByteReverse(X_n)))

   As a worked example, let H = 25629347589242761d31f826ba4b757b, X_1 = 4f4f95668c83dfb6401762bb2d01a262 and X_2 = d1a24ddd2721d006bbe45f20d3c9f362. POLYVAL(H, X_1, X_2) = f7a3b47b846119fae5b7866cf5e5b77e. If we wished to calculate this given only an implementation of GHASH then the key for GHASH would be mulX_GHASH(ByteReverse(H)) = dcbaa5dd137c188ebb21492c23c9b112. Then ByteReverse(GHASH(dcba..., ByteReverse(X_1), ByteReverse(X_2))) = f7a3b47b846119fae5b7866cf5e5b77e, as required.

   In the other direction, GHASH(H, X_1, X_2) = bd9b3997046731fb96251b91f9c99d7a.
   If we wished to calculate this given only an implementation of POLYVAL then we would first calculate the key for POLYVAL, mulX_POLYVAL(ByteReverse(H)), which is f6ea96744df0633aec8424b18e26c54a. Then ByteReverse(POLYVAL(f6ea..., ByteReverse(X_1), ByteReverse(X_2))) = bd9b3997046731fb96251b91f9c99d7a.

Appendix B.  Additional comparisons with AES-GCM

   Some non-security properties also differ between AES-GCM and AES-GCM-SIV that are worth noting:

   AES-GCM allows plaintexts to be encrypted in a streaming fashion, i.e. the beginning of the plaintext can be encrypted and transmitted before the entire message has been processed. AES-GCM-SIV requires two passes for encryption and so cannot do this.

   AES-GCM allows a constant additional-data input to be precomputed in order to save per-record computation. AES-GCM-SIV varies the authenticator key based on the nonce and so does not permit this.

   The performance for AES-GCM vs AES-GCM-SIV on small machines can be roughly characterised by the number of AES operations and the number of GF(2^128) multiplications needed to process a message. Let a = (bytelen(additional-data) + 15) / 16 and p = (bytelen(plaintext) + 15) / 16. Then AES-GCM requires p + 1 AES operations and p + a + 1 field multiplications.

   Defined similarly, AES-GCM-SIV with AES-128 requires p + 5 AES operations and p + a + 1 field multiplications. With AES-256 that becomes p + 7 AES operations.

   With large machines, the available parallelism becomes far more important and such simple performance analysis is no longer representative. For such machines, we find that decryption of AES-GCM-SIV is only about 5% slower than AES-GCM, as long as the message is at least a couple of kilobytes. Encryption tends to be about 2/3 of the speed because of the additional pass required.

Appendix C.  Test vectors

C.1.  AEAD_AES_128_GCM_SIV
00010203040506070809101112131415
--------------------------------

K = 01000000000000000000000000000000
NONCE = 03000000000000000000000000000000
AAD =
MSG = 010000000000000000000000
PADDED_AAD =
PADDED_MSG = 01000000000000000000000000000000
Record_Hash_Key = d9b360279694941ac5dbc6987ada7377
Record_Enc_Key = 4004a0dcd862f2a57360219d2d44ef6c
LENBLK = 00000000000000006000000000000000
POLYVAL xor N = d9b360279694941a2010be790ff81954
TAG = a4978db357391a0bc4fdec8b0d106639
CTRBLK = a4978db357391a0bc4fdec8b0d1066b9
Encryption_Key = 4004a0dcd862f2a57360219d2d44ef6c
TAG' = a4978db357391a0bc4fdec8b0d106639
AAD =
CIPHERTEXT = 7323ea61d05932260047d942
Decrypted MSG = 010000000000000000000000
SIV_GCM_2_KEYS Passed

*****************************
Performing SIV_GCM - Two Keys:
*****************************

AAD_len = 0 bytes
MSG_len = 16 bytes
BYTES ORDER
LSB--------------------------MSB
00010203040506070809101112131415
--------------------------------

K = 01000000000000000000000000000000
NONCE = 03000000000000000000000000000000
AAD =
MSG = 01000000000000000000000000000000
PADDED_AAD =
PADDED_MSG = 01000000000000000000000000000000
Record_Hash_Key = d9b360279694941ac5dbc6987ada7377
Record_Enc_Key = 4004a0dcd862f2a57360219d2d44ef6c
LENBLK = 00000000000000008000000000000000
POLYVAL xor N = d9b360279694941a2010be790ff81954
TAG = 303aaf90f6fe21199c6068577437a0c4
CTRBLK = 303aaf90f6fe21199c6068577437a0c4
Encryption_Key = 4004a0dcd862f2a57360219d2d44ef6c
TAG' = 303aaf90f6fe21199c6068577437a0c4
AAD =
CIPHERTEXT = 743f7c8077ab25f8624e2e948579cf77
Decrypted MSG = 01000000000000000000000000000000
SIV_GCM_2_KEYS Passed

*****************************
Performing SIV_GCM - Two Keys:
*****************************

AAD_len = 0 bytes
MSG_len = 32 bytes
BYTES ORDER
LSB--------------------------MSB
00010203040506070809101112131415
--------------------------------

K = 01000000000000000000000000000000
NONCE = 03000000000000000000000000000000
AAD =
MSG = 01000000000000000000000000000000
      02000000000000000000000000000000
PADDED_AAD =
PADDED_MSG = 01000000000000000000000000000000
             02000000000000000000000000000000
Record_Hash_Key = d9b360279694941ac5dbc6987ada7377
Record_Enc_Key = 4004a0dcd862f2a57360219d2d44ef6c
LENBLK = 00000000000000000001000000000000
POLYVAL xor N = d9b360279694941a2010be790ff81954
TAG = 1a8e45dcd4578c667cd86847bf6155ff
CTRBLK = 1a8e45dcd4578c667cd86847bf6155ff
Encryption_Key = 4004a0dcd862f2a57360219d2d44ef6c
TAG' = 1a8e45dcd4578c667cd86847bf6155ff
AAD =
CIPHERTEXT = 84e07e62ba83a6585417245d7ec413a9
             fe427d6315c09b57ce45f2e3936a9445
Decrypted MSG = 01000000000000000000000000000000
                02000000000000000000000000000000
SIV_GCM_2_KEYS Passed

*****************************
Performing SIV_GCM - Two Keys:
*****************************

AAD_len = 0 bytes
MSG_len = 48 bytes
BYTES ORDER
LSB--------------------------MSB
00010203040506070809101112131415
--------------------------------

K = 01000000000000000000000000000000
NONCE = 03000000000000000000000000000000
AAD =
MSG = 01000000000000000000000000000000
      02000000000000000000000000000000
      03000000000000000000000000000000
PADDED_AAD =
PADDED_MSG = 01000000000000000000000000000000
             02000000000000000000000000000000
             03000000000000000000000000000000
Record_Hash_Key = d9b360279694941ac5dbc6987ada7377
Record_Enc_Key = 4004a0dcd862f2a57360219d2d44ef6c
LENBLK = 00000000000000008001000000000000
POLYVAL xor N = d9b360279694941a2010be790ff81954
TAG = 5e6e311dbf395d35b0fe39c2714388f8
CTRBLK = 5e6e311dbf395d35b0fe39c2714388f8
Encryption_Key = 4004a0dcd862f2a57360219d2d44ef6c
TAG' = 5e6e311dbf395d35b0fe39c2714388f8
AAD =
CIPHERTEXT = 3fd24ce1f5a67b75bf2351f181a475c7
             b800a5b4d3dcf70106b1eea82fa1d64d
             f42bf7226122fa92e17a40eeaac1201b
Decrypted MSG = 01000000000000000000000000000000
                02000000000000000000000000000000
                03000000000000000000000000000000
SIV_GCM_2_KEYS Passed

*****************************
Performing SIV_GCM - Two Keys:
*****************************

AAD_len = 0 bytes
MSG_len = 64 bytes
BYTES ORDER
LSB--------------------------MSB
00010203040506070809101112131415
--------------------------------

K = 01000000000000000000000000000000
NONCE = 03000000000000000000000000000000
AAD =
MSG = 01000000000000000000000000000000
      02000000000000000000000000000000
      03000000000000000000000000000000
      04000000000000000000000000000000
PADDED_AAD =
PADDED_MSG = 01000000000000000000000000000000
             02000000000000000000000000000000
             03000000000000000000000000000000
             04000000000000000000000000000000
Record_Hash_Key = d9b360279694941ac5dbc6987ada7377
Record_Enc_Key = 4004a0dcd862f2a57360219d2d44ef6c
LENBLK = 00000000000000000002000000000000
POLYVAL xor N = d9b360279694941a2010be790ff81954
TAG = 8a263dd317aa88d56bdf3936dba75bb8
CTRBLK = 8a263dd317aa88d56bdf3936dba75bb8
Encryption_Key = 4004a0dcd862f2a57360219d2d44ef6c
TAG' = 8a263dd317aa88d56bdf3936dba75bb8
AAD =
CIPHERTEXT = 2433668f1058190f6d43e360f4f35cd8
             e475127cfca7028ea8ab5c20f7ab2af0
             2516a2bdcbc08d521be37ff28c152bba
             36697f25b4cd169c6590d1dd39566d3f
Decrypted MSG = 01000000000000000000000000000000
                02000000000000000000000000000000
                03000000000000000000000000000000
                04000000000000000000000000000000
SIV_GCM_2_KEYS Passed

*****************************
Performing SIV_GCM - Two Keys:
*****************************

AAD_len = 1 bytes
MSG_len = 8 bytes
BYTES ORDER
LSB--------------------------MSB
00010203040506070809101112131415
--------------------------------

K = 01000000000000000000000000000000
NONCE = 03000000000000000000000000000000
AAD = 01
MSG = 0200000000000000
PADDED_AAD = 01000000000000000000000000000000
PADDED_MSG = 02000000000000000000000000000000
Record_Hash_Key = d9b360279694941ac5dbc6987ada7377
Record_Enc_Key = 4004a0dcd862f2a57360219d2d44ef6c
LENBLK = 08000000000000004000000000000000
POLYVAL xor N = d9b360279694941a2010be790ff81954
TAG = 3b0a1a2560969cdf790d99759abd1508
CTRBLK = 3b0a1a2560969cdf790d99759abd1588
Encryption_Key = 4004a0dcd862f2a57360219d2d44ef6c
TAG' = 3b0a1a2560969cdf790d99759abd1508
AAD = 01
CIPHERTEXT = 1e6daba35669f427
Decrypted MSG = 0200000000000000
SIV_GCM_2_KEYS Passed

*****************************
Performing SIV_GCM - Two Keys:
*****************************

AAD_len = 1 bytes
MSG_len = 12 bytes
BYTES ORDER
LSB--------------------------MSB
00010203040506070809101112131415
--------------------------------

K = 01000000000000000000000000000000
NONCE = 03000000000000000000000000000000
AAD = 01
MSG = 020000000000000000000000
PADDED_AAD = 01000000000000000000000000000000
PADDED_MSG = 02000000000000000000000000000000
Record_Hash_Key = d9b360279694941ac5dbc6987ada7377
Record_Enc_Key = 4004a0dcd862f2a57360219d2d44ef6c
LENBLK = 08000000000000006000000000000000
POLYVAL xor N = d9b360279694941a2010be790ff81954
TAG = 08299c5102745aaa3a0c469fad9e075a
CTRBLK = 08299c5102745aaa3a0c469fad9e07da
Encryption_Key = 4004a0dcd862f2a57360219d2d44ef6c
TAG' = 08299c5102745aaa3a0c469fad9e075a
AAD = 01
CIPHERTEXT = 296c7889fd99f41917f44620
Decrypted MSG = 020000000000000000000000
SIV_GCM_2_KEYS Passed

*****************************
Performing SIV_GCM - Two Keys:
*****************************

AAD_len = 1 bytes
MSG_len = 16 bytes
BYTES ORDER
LSB--------------------------MSB
00010203040506070809101112131415
--------------------------------

K = 01000000000000000000000000000000
NONCE = 03000000000000000000000000000000
AAD = 01
MSG = 02000000000000000000000000000000
PADDED_AAD = 01000000000000000000000000000000
PADDED_MSG = 02000000000000000000000000000000
Record_Hash_Key = d9b360279694941ac5dbc6987ada7377
Record_Enc_Key = 4004a0dcd862f2a57360219d2d44ef6c
LENBLK = 08000000000000008000000000000000
POLYVAL xor N = d9b360279694941a2010be790ff81954
TAG = 8f8936ec039e4e4bb97ebd8c4457441f
CTRBLK = 8f8936ec039e4e4bb97ebd8c4457449f
Encryption_Key = 4004a0dcd862f2a57360219d2d44ef6c
TAG' = 8f8936ec039e4e4bb97ebd8c4457441f
AAD = 01
CIPHERTEXT = e2b0c5da79a901c1745f700525cb335b
Decrypted MSG = 02000000000000000000000000000000
SIV_GCM_2_KEYS Passed

*****************************
Performing SIV_GCM - Two Keys:
*****************************

AAD_len = 1 bytes
MSG_len = 32 bytes
BYTES ORDER
LSB--------------------------MSB
00010203040506070809101112131415
--------------------------------

K = 01000000000000000000000000000000
NONCE = 03000000000000000000000000000000
AAD = 01
MSG = 02000000000000000000000000000000
      03000000000000000000000000000000
PADDED_AAD = 01000000000000000000000000000000
PADDED_MSG = 02000000000000000000000000000000
             03000000000000000000000000000000
Record_Hash_Key = d9b360279694941ac5dbc6987ada7377
Record_Enc_Key = 4004a0dcd862f2a57360219d2d44ef6c
LENBLK = 08000000000000000001000000000000
POLYVAL xor N = d9b360279694941a2010be790ff81954
TAG = e6af6a7f87287da059a71684ed3498e1
CTRBLK = e6af6a7f87287da059a71684ed3498e1
Encryption_Key = 4004a0dcd862f2a57360219d2d44ef6c
TAG' = e6af6a7f87287da059a71684ed3498e1
AAD = 01
CIPHERTEXT = 620048ef3c1e73e57e02bb8562c416a3
             19e73e4caac8e96a1ecb2933145a1d71
Decrypted MSG = 02000000000000000000000000000000
                03000000000000000000000000000000
SIV_GCM_2_KEYS Passed

*****************************
Performing SIV_GCM - Two Keys:
*****************************

AAD_len = 1 bytes
MSG_len = 48 bytes
BYTES ORDER
LSB--------------------------MSB
00010203040506070809101112131415
--------------------------------

K = 01000000000000000000000000000000
NONCE = 03000000000000000000000000000000
AAD = 01
MSG = 02000000000000000000000000000000
      03000000000000000000000000000000
      04000000000000000000000000000000
PADDED_AAD = 01000000000000000000000000000000
PADDED_MSG = 02000000000000000000000000000000
             03000000000000000000000000000000
             04000000000000000000000000000000
Record_Hash_Key = d9b360279694941ac5dbc6987ada7377
Record_Enc_Key = 4004a0dcd862f2a57360219d2d44ef6c
LENBLK = 08000000000000008001000000000000
POLYVAL xor N = d9b360279694941a2010be790ff81954
TAG = 6a8cc3865f76897c2e4b245cf31c51f2
CTRBLK = 6a8cc3865f76897c2e4b245cf31c51f2
Encryption_Key = 4004a0dcd862f2a57360219d2d44ef6c
TAG' = 6a8cc3865f76897c2e4b245cf31c51f2
AAD = 01
CIPHERTEXT = 50c8303ea93925d64090d07bd109dfd9
             515a5a33431019c17d93465999a8b005
             3201d723120a8562b838cdff25bf9d1e
Decrypted MSG = 02000000000000000000000000000000
                03000000000000000000000000000000
                04000000000000000000000000000000
SIV_GCM_2_KEYS Passed

*****************************
Performing SIV_GCM - Two Keys:
*****************************

AAD_len = 1 bytes
MSG_len = 64 bytes
BYTES ORDER
LSB--------------------------MSB
00010203040506070809101112131415
--------------------------------

K = 01000000000000000000000000000000
NONCE = 03000000000000000000000000000000
AAD = 01
MSG = 02000000000000000000000000000000
      03000000000000000000000000000000
      04000000000000000000000000000000
      05000000000000000000000000000000
PADDED_AAD = 01000000000000000000000000000000
PADDED_MSG = 02000000000000000000000000000000
             03000000000000000000000000000000
             04000000000000000000000000000000
             05000000000000000000000000000000
Record_Hash_Key = d9b360279694941ac5dbc6987ada7377
Record_Enc_Key = 4004a0dcd862f2a57360219d2d44ef6c
LENBLK = 08000000000000000002000000000000
POLYVAL xor N = d9b360279694941a2010be790ff81954
TAG = cdc46ae475563de037001ef84ae21744
CTRBLK = cdc46ae475563de037001ef84ae217c4
Encryption_Key = 4004a0dcd862f2a57360219d2d44ef6c
TAG' = cdc46ae475563de037001ef84ae21744
AAD = 01
CIPHERTEXT = 2f5c64059db55ee0fb847ed513003746
             aca4e61c711b5de2e7a77ffd02da42fe
             ec601910d3467bb8b36ebbaebce5fba3
             0d36c95f48a3e7980f0e7ac299332a80
Decrypted MSG = 02000000000000000000000000000000
                03000000000000000000000000000000
                04000000000000000000000000000000
                05000000000000000000000000000000
SIV_GCM_2_KEYS Passed

*****************************
Performing SIV_GCM - Two Keys:
*****************************

AAD_len = 12 bytes
MSG_len = 4 bytes
BYTES ORDER
LSB--------------------------MSB
00010203040506070809101112131415
--------------------------------

K = 01000000000000000000000000000000
NONCE = 03000000000000000000000000000000
AAD = 010000000000000000000000
MSG = 02000000
PADDED_AAD = 01000000000000000000000000000000
PADDED_MSG = 02000000000000000000000000000000
Record_Hash_Key = d9b360279694941ac5dbc6987ada7377
Record_Enc_Key = 4004a0dcd862f2a57360219d2d44ef6c
LENBLK = 60000000000000002000000000000000
POLYVAL xor N = d9b360279694941a2010be790ff81954
TAG = 07eb1f84fb28f8cb73de8e99e2f48a14
CTRBLK = 07eb1f84fb28f8cb73de8e99e2f48a94
Encryption_Key = 4004a0dcd862f2a57360219d2d44ef6c
TAG' = 07eb1f84fb28f8cb73de8e99e2f48a14
AAD = 010000000000000000000000
CIPHERTEXT = a8fe3e87
Decrypted MSG = 02000000
SIV_GCM_2_KEYS Passed

*****************************
Performing SIV_GCM - Two Keys:
*****************************

AAD_len = 18 bytes
MSG_len = 20 bytes
BYTES ORDER
LSB--------------------------MSB
00010203040506070809101112131415
--------------------------------

K = 01000000000000000000000000000000
NONCE = 03000000000000000000000000000000
AAD = 01000000000000000000000000000000
      0200
MSG = 03000000000000000000000000000000
      04000000
PADDED_AAD = 01000000000000000000000000000000
             02000000000000000000000000000000
PADDED_MSG = 03000000000000000000000000000000
             04000000000000000000000000000000
Record_Hash_Key = d9b360279694941ac5dbc6987ada7377
Record_Enc_Key = 4004a0dcd862f2a57360219d2d44ef6c
LENBLK = 9000000000000000a000000000000000
POLYVAL xor N = d9b360279694941a2010be790ff81954
TAG = 24afc9805e976f451e6d87f6fe106514
CTRBLK = 24afc9805e976f451e6d87f6fe106594
Encryption_Key = 4004a0dcd862f2a57360219d2d44ef6c
TAG' = 24afc9805e976f451e6d87f6fe106514
AAD = 01000000000000000000000000000000
      0200
CIPHERTEXT = 6bb0fecf5ded9b77f902c7d5da236a43
             91dd0297
Decrypted MSG = 03000000000000000000000000000000
                04000000
SIV_GCM_2_KEYS Passed

*****************************
Performing SIV_GCM - Two Keys:
*****************************

AAD_len = 20 bytes
MSG_len = 18 bytes
BYTES ORDER
LSB--------------------------MSB
00010203040506070809101112131415
--------------------------------

K = 01000000000000000000000000000000
NONCE = 03000000000000000000000000000000
AAD = 01000000000000000000000000000000
      02000000
MSG = 03000000000000000000000000000000
      0400
PADDED_AAD = 01000000000000000000000000000000
             02000000000000000000000000000000
PADDED_MSG = 03000000000000000000000000000000
             04000000000000000000000000000000
Record_Hash_Key = d9b360279694941ac5dbc6987ada7377
Record_Enc_Key = 4004a0dcd862f2a57360219d2d44ef6c
LENBLK = a0000000000000009000000000000000
POLYVAL xor N = d9b360279694941a2010be790ff81954
TAG = bff9b2ef00fb47920cc72a0c0f13b9fd
CTRBLK = bff9b2ef00fb47920cc72a0c0f13b9fd
Encryption_Key = 4004a0dcd862f2a57360219d2d44ef6c
TAG' = bff9b2ef00fb47920cc72a0c0f13b9fd
AAD = 01000000000000000000000000000000
      02000000
CIPHERTEXT = 44d0aaf6fb2f1f34add5e8064e83e12a
             2ada
Decrypted MSG = 03000000000000000000000000000000
                0400
SIV_GCM_2_KEYS Passed

AEAD_AES_256_GCM_SIV:

AAD_len = 0 bytes
MSG_len = 0 bytes
BYTES ORDER
LSB--------------------------MSB
00010203040506070809101112131415
--------------------------------

K = 01000000000000000000000000000000
    00000000000000000000000000000000
NONCE = 03000000000000000000000000000000
AAD =
MSG =
PADDED_AAD =
PADDED_MSG =
LENBLK = 00000000000000000000000000000000
POLYVAL xor N = 03000000000000000000000000000000
with_MSbit_cleared = 03000000000000000000000000000000
TAG = 07f5f4169bbf55a8400cd47ea6fd400f
CTRBLK = 07f5f4169bbf55a8400cd47ea6fd408f
Record_Hash_Key = b5d3c529dfafac43136d2d11be284d7f
Encryption_Key = b914f4742be9e1d7a2f84addbf96dec3
                 456e3c6c05ecc157cdbf0700fedad222
TAG' = 07f5f4169bbf55a8400cd47ea6fd400f
AAD =
CIPHERTEXT =
Decrypted MSG =
SIV_GCM_2_KEYS Passed

*****************************
Performing SIV_GCM - Two Keys:
*****************************

AAD_len = 0 bytes
MSG_len = 8 bytes
BYTES ORDER
LSB--------------------------MSB
00010203040506070809101112131415
--------------------------------

K = 01000000000000000000000000000000
    00000000000000000000000000000000
NONCE = 03000000000000000000000000000000
AAD =
MSG = 0100000000000000
PADDED_AAD =
PADDED_MSG = 01000000000000000000000000000000
LENBLK = 00000000000000004000000000000000
POLYVAL xor N = 06230f62f0eac8aa14fe4d646b59cd41
with_MSbit_cleared = 06230f62f0eac8aa14fe4d646b59cd41
TAG = 843122130f7364b761e0b97427e3df28
CTRBLK = 843122130f7364b761e0b97427e3dfa8
Record_Hash_Key = b5d3c529dfafac43136d2d11be284d7f
Encryption_Key = b914f4742be9e1d7a2f84addbf96dec3
                 456e3c6c05ecc157cdbf0700fedad222
TAG' = 843122130f7364b761e0b97427e3df28
AAD =
CIPHERTEXT = c2ef328e5c71c83b
Decrypted MSG = 0100000000000000
SIV_GCM_2_KEYS Passed

*****************************
Performing SIV_GCM - Two Keys:
*****************************

AAD_len = 0 bytes
MSG_len = 12 bytes
BYTES ORDER
LSB--------------------------MSB
00010203040506070809101112131415
--------------------------------

K = 01000000000000000000000000000000
    00000000000000000000000000000000
NONCE = 03000000000000000000000000000000
AAD =
MSG = 010000000000000000000000
PADDED_AAD =
PADDED_MSG = 01000000000000000000000000000000
LENBLK = 00000000000000006000000000000000
POLYVAL xor N = 6e81a24732fd6d03ae5af544720a1c13
with_MSbit_cleared = 6e81a24732fd6d03ae5af544720a1c13
TAG = 8ca50da9ae6559e48fd10f6e5c9ca17e
CTRBLK = 8ca50da9ae6559e48fd10f6e5c9ca1fe
Record_Hash_Key = b5d3c529dfafac43136d2d11be284d7f
Encryption_Key = b914f4742be9e1d7a2f84addbf96dec3
                 456e3c6c05ecc157cdbf0700fedad222
TAG' = 8ca50da9ae6559e48fd10f6e5c9ca17e
AAD =
CIPHERTEXT = 9aab2aeb3faa0a34aea8e2b1
Decrypted MSG = 010000000000000000000000
SIV_GCM_2_KEYS Passed

*****************************
Performing SIV_GCM - Two Keys:
*****************************

AAD_len = 0 bytes
MSG_len = 16 bytes
BYTES ORDER
LSB--------------------------MSB
00010203040506070809101112131415
--------------------------------

K = 01000000000000000000000000000000
    00000000000000000000000000000000
NONCE = 03000000000000000000000000000000
AAD =
MSG = 01000000000000000000000000000000
PADDED_AAD =
PADDED_MSG = 01000000000000000000000000000000
LENBLK = 00000000000000008000000000000000
POLYVAL xor N = 77eee2bf7c9a165f8b25dea73db32a6d
with_MSbit_cleared = 77eee2bf7c9a165f8b25dea73db32a6d
TAG = c9eac6fa700942702e90862383c6c366
CTRBLK = c9eac6fa700942702e90862383c6c3e6
Record_Hash_Key = b5d3c529dfafac43136d2d11be284d7f
Encryption_Key = b914f4742be9e1d7a2f84addbf96dec3
                 456e3c6c05ecc157cdbf0700fedad222
TAG' = c9eac6fa700942702e90862383c6c366
AAD =
CIPHERTEXT = 85a01b63025ba19b7fd3ddfc033b3e76
Decrypted MSG = 01000000000000000000000000000000
SIV_GCM_2_KEYS Passed

*****************************
Performing SIV_GCM - Two Keys:
*****************************

AAD_len = 0 bytes
MSG_len = 32 bytes
BYTES ORDER
LSB--------------------------MSB
00010203040506070809101112131415
--------------------------------

K = 01000000000000000000000000000000
    00000000000000000000000000000000
NONCE = 03000000000000000000000000000000
AAD =
MSG = 01000000000000000000000000000000
      02000000000000000000000000000000
PADDED_AAD =
PADDED_MSG = 01000000000000000000000000000000
             02000000000000000000000000000000
LENBLK = 00000000000000000001000000000000
POLYVAL xor N = 8a9b6381b3d46f0def7aa0517ba188f5
with_MSbit_cleared = 8a9b6381b3d46f0def7aa0517ba18875
TAG = e819e63abcd020b006a976397632eb5d
CTRBLK = e819e63abcd020b006a976397632ebdd
Record_Hash_Key = b5d3c529dfafac43136d2d11be284d7f
Encryption_Key = b914f4742be9e1d7a2f84addbf96dec3
                 456e3c6c05ecc157cdbf0700fedad222
TAG' = e819e63abcd020b006a976397632eb5d
AAD =
CIPHERTEXT = 4a6a9db4c8c6549201b9edb53006cba8
             21ec9cf850948a7c86c68ac7539d027f
Decrypted MSG = 01000000000000000000000000000000
                02000000000000000000000000000000
SIV_GCM_2_KEYS Passed

*****************************
Performing SIV_GCM - Two Keys:
*****************************

AAD_len = 0 bytes
MSG_len = 48 bytes
BYTES ORDER
LSB--------------------------MSB
00010203040506070809101112131415
--------------------------------

K = 01000000000000000000000000000000
    00000000000000000000000000000000
NONCE = 03000000000000000000000000000000
AAD =
MSG = 01000000000000000000000000000000
      02000000000000000000000000000000
      03000000000000000000000000000000
PADDED_AAD =
PADDED_MSG = 01000000000000000000000000000000
             02000000000000000000000000000000
             03000000000000000000000000000000
LENBLK = 00000000000000008001000000000000
POLYVAL xor N = c2f8593d8fc29b0c290cae1992f71f51
with_MSbit_cleared = c2f8593d8fc29b0c290cae1992f71f51
TAG = 790bc96880a99ba804bd12c0e6a22cc4
CTRBLK = 790bc96880a99ba804bd12c0e6a22cc4
Record_Hash_Key = b5d3c529dfafac43136d2d11be284d7f
Encryption_Key = b914f4742be9e1d7a2f84addbf96dec3
                 456e3c6c05ecc157cdbf0700fedad222
TAG' = 790bc96880a99ba804bd12c0e6a22cc4
AAD =
CIPHERTEXT = c00d121893a9fa603f48ccc1ca3c57ce
             7499245ea0046db16c53c7c66fe717e3
             9cf6c748837b61f6ee3adcee17534ed5
Decrypted MSG = 01000000000000000000000000000000
                02000000000000000000000000000000
                03000000000000000000000000000000
SIV_GCM_2_KEYS Passed

*****************************
Performing SIV_GCM - Two Keys:
*****************************

AAD_len = 0 bytes
MSG_len = 64 bytes
BYTES ORDER
LSB--------------------------MSB
00010203040506070809101112131415
--------------------------------

K = 01000000000000000000000000000000
    00000000000000000000000000000000
NONCE = 03000000000000000000000000000000
AAD =
MSG = 01000000000000000000000000000000
      02000000000000000000000000000000
      03000000000000000000000000000000
      04000000000000000000000000000000
PADDED_AAD =
PADDED_MSG = 01000000000000000000000000000000
             02000000000000000000000000000000
             03000000000000000000000000000000
             04000000000000000000000000000000
LENBLK = 00000000000000000002000000000000
POLYVAL xor N = 6df38b06046c7c0e225efaef8e2ec4c4
with_MSbit_cleared = 6df38b06046c7c0e225efaef8e2ec444
TAG = 112864c269fc0d9d88c61fa47e39aa08
CTRBLK = 112864c269fc0d9d88c61fa47e39aa88
Record_Hash_Key = b5d3c529dfafac43136d2d11be284d7f
Encryption_Key = b914f4742be9e1d7a2f84addbf96dec3
                 456e3c6c05ecc157cdbf0700fedad222
TAG' = 112864c269fc0d9d88c61fa47e39aa08
AAD =
CIPHERTEXT = c2d5160a1f8683834910acdafc41fbb1
             632d4a353e8b905ec9a5499ac34f96c7
             e1049eb080883891a4db8caaa1f99dd0
             04d80487540735234e3744512c6f90ce
Decrypted MSG = 01000000000000000000000000000000
                02000000000000000000000000000000
                03000000000000000000000000000000
                04000000000000000000000000000000
SIV_GCM_2_KEYS Passed

*****************************
Performing SIV_GCM - Two Keys:
*****************************

AAD_len = 1 bytes
MSG_len = 8 bytes
BYTES ORDER
LSB--------------------------MSB
00010203040506070809101112131415
--------------------------------

K = 01000000000000000000000000000000
    00000000000000000000000000000000
NONCE = 03000000000000000000000000000000
AAD = 01
MSG = 0200000000000000
PADDED_AAD = 01000000000000000000000000000000
PADDED_MSG = 02000000000000000000000000000000
LENBLK = 08000000000000004000000000000000
POLYVAL xor N = 37e57bafe011b9b36fc6821b7ffb3354
with_MSbit_cleared = 37e57bafe011b9b36fc6821b7ffb3354
TAG = 91213f267e3b452f02d01ae33e4ec854
CTRBLK = 91213f267e3b452f02d01ae33e4ec8d4
Record_Hash_Key = b5d3c529dfafac43136d2d11be284d7f
Encryption_Key = b914f4742be9e1d7a2f84addbf96dec3
                 456e3c6c05ecc157cdbf0700fedad222
TAG' = 91213f267e3b452f02d01ae33e4ec854
AAD = 01
CIPHERTEXT = 1de22967237a8132
Decrypted MSG = 0200000000000000
SIV_GCM_2_KEYS Passed

*****************************
Performing SIV_GCM - Two Keys:
*****************************

AAD_len = 1 bytes
MSG_len = 12 bytes
BYTES ORDER
LSB--------------------------MSB
00010203040506070809101112131415
--------------------------------

K = 01000000000000000000000000000000
    00000000000000000000000000000000
NONCE = 03000000000000000000000000000000
AAD = 01
MSG = 020000000000000000000000
PADDED_AAD = 01000000000000000000000000000000
PADDED_MSG = 02000000000000000000000000000000
LENBLK = 08000000000000006000000000000000
POLYVAL xor N = 5f47d68a22061c1ad5623a3b66a8e206
with_MSbit_cleared = 5f47d68a22061c1ad5623a3b66a8e206
TAG = c1a4a19ae800941ccdc57cc8413c277f
CTRBLK = c1a4a19ae800941ccdc57cc8413c27ff
Record_Hash_Key = b5d3c529dfafac43136d2d11be284d7f
Encryption_Key = b914f4742be9e1d7a2f84addbf96dec3
                 456e3c6c05ecc157cdbf0700fedad222
TAG' = c1a4a19ae800941ccdc57cc8413c277f
AAD = 01
CIPHERTEXT = 163d6f9cc1b346cd453a2e4c
Decrypted MSG = 020000000000000000000000
SIV_GCM_2_KEYS Passed

*****************************
Performing SIV_GCM - Two Keys:
*****************************

AAD_len = 1 bytes
MSG_len = 16 bytes
BYTES ORDER
LSB--------------------------MSB
00010203040506070809101112131415
--------------------------------

K = 01000000000000000000000000000000
    00000000000000000000000000000000
NONCE = 03000000000000000000000000000000
AAD = 01
MSG = 02000000000000000000000000000000
PADDED_AAD = 01000000000000000000000000000000
PADDED_MSG = 02000000000000000000000000000000
LENBLK = 08000000000000008000000000000000
POLYVAL xor N = 462896726c616746f01d11d82911d478
with_MSbit_cleared = 462896726c616746f01d11d82911d478
TAG = b292d28ff61189e8e49f3875ef91aff7
CTRBLK = b292d28ff61189e8e49f3875ef91aff7
Record_Hash_Key = b5d3c529dfafac43136d2d11be284d7f
Encryption_Key = b914f4742be9e1d7a2f84addbf96dec3
                 456e3c6c05ecc157cdbf0700fedad222
TAG' = b292d28ff61189e8e49f3875ef91aff7
AAD = 01
CIPHERTEXT = c91545823cc24f17dbb0e9e807d5ec17
Decrypted MSG = 02000000000000000000000000000000
SIV_GCM_2_KEYS Passed

*****************************
Performing SIV_GCM - Two Keys:
*****************************

AAD_len = 1 bytes
MSG_len = 32 bytes
BYTES ORDER
LSB--------------------------MSB
00010203040506070809101112131415
--------------------------------

K = 01000000000000000000000000000000
    00000000000000000000000000000000
NONCE = 03000000000000000000000000000000
AAD = 01
MSG = 02000000000000000000000000000000
      03000000000000000000000000000000
PADDED_AAD = 01000000000000000000000000000000
PADDED_MSG = 02000000000000000000000000000000
             03000000000000000000000000000000
LENBLK = 08000000000000000001000000000000
POLYVAL xor N = 4d58c1e341c9bb0ae34eda9509dfc90c
with_MSbit_cleared = 4d58c1e341c9bb0ae34eda9509dfc90c
TAG = aea1bad12702e1965604374aab96dbbc
CTRBLK = aea1bad12702e1965604374aab96dbbc
Record_Hash_Key = b5d3c529dfafac43136d2d11be284d7f
Encryption_Key = b914f4742be9e1d7a2f84addbf96dec3
                 456e3c6c05ecc157cdbf0700fedad222
TAG' = aea1bad12702e1965604374aab96dbbc
AAD = 01
CIPHERTEXT = 07dad364bfc2b9da89116d7bef6daaaf
             6f255510aa654f920ac81b94e8bad365
Decrypted MSG = 02000000000000000000000000000000
                03000000000000000000000000000000
SIV_GCM_2_KEYS Passed

*****************************
Performing SIV_GCM - Two Keys:
*****************************

AAD_len = 1 bytes
MSG_len = 48 bytes
BYTES ORDER
LSB--------------------------MSB
00010203040506070809101112131415
--------------------------------

K = 01000000000000000000000000000000
    00000000000000000000000000000000
NONCE = 03000000000000000000000000000000
AAD = 01
MSG = 02000000000000000000000000000000
      03000000000000000000000000000000
      04000000000000000000000000000000
PADDED_AAD = 01000000000000000000000000000000
PADDED_MSG = 02000000000000000000000000000000
             03000000000000000000000000000000
             04000000000000000000000000000000
LENBLK = 08000000000000008001000000000000
POLYVAL xor N = 2666a4aff9a525df9772c16d4eaf8d2a
with_MSbit_cleared = 2666a4aff9a525df9772c16d4eaf8d2a
TAG = 03332742b228c647173616cfd44c54eb
CTRBLK = 03332742b228c647173616cfd44c54eb
Record_Hash_Key = b5d3c529dfafac43136d2d11be284d7f
Encryption_Key = b914f4742be9e1d7a2f84addbf96dec3
                 456e3c6c05ecc157cdbf0700fedad222
TAG' = 03332742b228c647173616cfd44c54eb
AAD = 01
CIPHERTEXT = c67a1f0f567a5198aa1fcc8e3f213143
             36f7f51ca8b1af61feac35a86416fa47
             fbca3b5f749cdf564527f2314f42fe25
Decrypted MSG = 02000000000000000000000000000000
                03000000000000000000000000000000
                04000000000000000000000000000000
SIV_GCM_2_KEYS Passed

*****************************
Performing SIV_GCM - Two Keys:
*****************************

AAD_len = 1 bytes
MSG_len = 64 bytes
BYTES ORDER
LSB--------------------------MSB
00010203040506070809101112131415
--------------------------------

K = 01000000000000000000000000000000
    00000000000000000000000000000000
NONCE = 03000000000000000000000000000000
AAD = 01
MSG = 02000000000000000000000000000000
      03000000000000000000000000000000
      04000000000000000000000000000000
      05000000000000000000000000000000
PADDED_AAD = 01000000000000000000000000000000
PADDED_MSG = 02000000000000000000000000000000
             03000000000000000000000000000000
             04000000000000000000000000000000
             05000000000000000000000000000000
LENBLK = 08000000000000000002000000000000
POLYVAL xor N = d958d2f61b0a9d343b2f37fb0c519733
with_MSbit_cleared = d958d2f61b0a9d343b2f37fb0c519733
TAG = 5bde0285037c5de81e5b570a049b62a0
CTRBLK = 5bde0285037c5de81e5b570a049b62a0
Record_Hash_Key = b5d3c529dfafac43136d2d11be284d7f
Encryption_Key = b914f4742be9e1d7a2f84addbf96dec3
                 456e3c6c05ecc157cdbf0700fedad222
TAG' = 5bde0285037c5de81e5b570a049b62a0
AAD = 01
CIPHERTEXT = 67fd45e126bfb9a79930c43aad2d3696
             7d3f0e4d217c1e551f59727870beefc9
             8cb933a8fce9de887b1e40799988db1f
             c3f91880ed405b2dd298318858467c89
Decrypted MSG = 02000000000000000000000000000000
                03000000000000000000000000000000
                04000000000000000000000000000000
                05000000000000000000000000000000
SIV_GCM_2_KEYS Passed

*****************************
Performing SIV_GCM - Two Keys:
*****************************

AAD_len = 12 bytes
MSG_len = 4 bytes
BYTES ORDER
LSB--------------------------MSB
00010203040506070809101112131415
--------------------------------

K = 01000000000000000000000000000000
    00000000000000000000000000000000
NONCE = 03000000000000000000000000000000
AAD = 010000000000000000000000
MSG = 02000000
PADDED_AAD = 01000000000000000000000000000000
PADDED_MSG = 02000000000000000000000000000000
LENBLK = 60000000000000002000000000000000
POLYVAL xor N = 6ec76ae84b88916e073a303aafde05cf
with_MSbit_cleared = 6ec76ae84b88916e073a303aafde054f
TAG = 1835e517741dfddccfa07fa4661b74cf
CTRBLK = 1835e517741dfddccfa07fa4661b74cf
Record_Hash_Key = b5d3c529dfafac43136d2d11be284d7f
Encryption_Key = b914f4742be9e1d7a2f84addbf96dec3
                 456e3c6c05ecc157cdbf0700fedad222
TAG' = 1835e517741dfddccfa07fa4661b74cf
AAD = 010000000000000000000000
CIPHERTEXT = 22b3f4cd
Decrypted MSG = 02000000
SIV_GCM_2_KEYS Passed

*****************************
Performing SIV_GCM - Two Keys:
*****************************

AAD_len = 18 bytes
MSG_len = 20 bytes
BYTES ORDER
LSB--------------------------MSB
00010203040506070809101112131415
--------------------------------

K = 01000000000000000000000000000000
    00000000000000000000000000000000
NONCE = 03000000000000000000000000000000
AAD = 01000000000000000000000000000000
      0200
MSG = 03000000000000000000000000000000
      04000000
PADDED_AAD = 01000000000000000000000000000000
             02000000000000000000000000000000
PADDED_MSG = 03000000000000000000000000000000
             04000000000000000000000000000000
LENBLK = 9000000000000000a000000000000000
POLYVAL xor N = 943ef4fd04bd31d193816ab26f8655ca
with_MSbit_cleared = 943ef4fd04bd31d193816ab26f86554a
TAG = b879ad976d8242acc188ab59cabfe307
CTRBLK = b879ad976d8242acc188ab59cabfe387
Record_Hash_Key = b5d3c529dfafac43136d2d11be284d7f
Encryption_Key = b914f4742be9e1d7a2f84addbf96dec3
                 456e3c6c05ecc157cdbf0700fedad222
TAG' = b879ad976d8242acc188ab59cabfe307
AAD = 01000000000000000000000000000000
      0200
CIPHERTEXT = 43dd0163cdb48f9fe3212bf61b201976
             067f342b
Decrypted MSG = 03000000000000000000000000000000
                04000000
SIV_GCM_2_KEYS Passed

*****************************
Performing SIV_GCM - Two Keys:
*****************************

AAD_len = 20 bytes
MSG_len = 18 bytes
BYTES ORDER
LSB--------------------------MSB
00010203040506070809101112131415
--------------------------------

K = 01000000000000000000000000000000
    00000000000000000000000000000000
NONCE = 03000000000000000000000000000000
AAD = 01000000000000000000000000000000
      02000000
MSG = 03000000000000000000000000000000
      0400
PADDED_AAD = 01000000000000000000000000000000
             02000000000000000000000000000000
PADDED_MSG = 03000000000000000000000000000000
             04000000000000000000000000000000
LENBLK = a0000000000000009000000000000000
POLYVAL xor N = 2fbb6b7ab2dbffefb797f825f826870c
with_MSbit_cleared = 2fbb6b7ab2dbffefb797f825f826870c
TAG = cfcdf5042112aa29685c912fc2056543
CTRBLK = cfcdf5042112aa29685c912fc20565c3
Record_Hash_Key = b5d3c529dfafac43136d2d11be284d7f
Encryption_Key = b914f4742be9e1d7a2f84addbf96dec3
                 456e3c6c05ecc157cdbf0700fedad222
TAG' = cfcdf5042112aa29685c912fc2056543
AAD = 01000000000000000000000000000000
      02000000
CIPHERTEXT = 462401724b5ce6588d5a54aae5375513
             a075
Decrypted MSG = 03000000000000000000000000000000
                0400
SIV_GCM_2_KEYS Passed

Authors' Addresses

Shay Gueron
University of Haifa and Intel Corporation
Abba Khoushy Ave 199
Haifa 3498838
Israel

Email: shay@math.haifa.ac.il

Adam Langley
Google
345 Spear St
San Francisco, CA 94105
US

Email: agl@google.com

Yehuda Lindell
Bar Ilan University
Bar Ilan University
Ramat Gan 5290002
Israel

Email: Yehuda.Lindell@biu.ac.il