CFRG                                                           S. Gueron
Internet-Draft                University of Haifa and Amazon Web Services
Intended status: Informational                                 A. Langley
Expires: November 22, 2017                                         Google
                                                              Y. Lindell
                                                     Bar Ilan University
                                                            May 21, 2017


       AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption
                         draft-irtf-cfrg-gcmsiv-05

Abstract

   This memo specifies two authenticated encryption algorithms that are
   nonce misuse-resistant, that is, they do not fail catastrophically
   if a nonce is repeated.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on November 22, 2017.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Requirements Language
   3.  POLYVAL
   4.  Encryption
   5.  Decryption
   6.  AEADs
   7.  Field operation examples
   8.  Worked example
   9.  Security Considerations
   10. IANA Considerations
   11. Acknowledgements
   12. References
     12.1.  Normative References
     12.2.  Informative References
   Appendix A.  The relationship between POLYVAL and GHASH
   Appendix B.  Additional comparisons with AES-GCM
   Appendix C.  Test vectors
     C.1.  AEAD_AES_128_GCM_SIV
     C.2.  AEAD_AES_256_GCM_SIV
     C.3.  Counter wrap tests
   Authors' Addresses

1.  Introduction

   The concept of "Authenticated encryption with additional data" (AEAD
   [RFC5116]) couples confidentiality and integrity in a single
   operation that is easier for practitioners to use correctly.  The
   most popular AEAD, AES-GCM [GCM], is seeing widespread use due to its
   attractive performance.

   However, most AEADs suffer catastrophic failures of confidentiality
   and/or integrity when two distinct messages are encrypted with the
   same nonce.  While the requirements for AEADs specify that the pair
   of (key, nonce) shall only ever be used once, and thus prohibit this,
   in practice this is a worry.

   Nonce misuse-resistant AEADs do not suffer from this problem.  For
   this class of AEADs, encrypting two messages with the same nonce only
   discloses whether the messages were equal or not.  This is the
   minimum amount of information that a deterministic algorithm can leak
   in this situation.

   This memo specifies two nonce misuse-resistant AEADs:
   "AEAD_AES_128_GCM_SIV" and "AEAD_AES_256_GCM_SIV".  These AEADs are
   designed to be able to take advantage of existing hardware support
   for AES-GCM and can decrypt within 5% of the speed of AES-GCM (for
   multi-kilobyte messages).  Encryption is, perforce, slower than
   AES-GCM because two passes are required.  However, measurements
   suggest that it can still run at 2/3rds of the speed of AES-GCM.

   We suggest that these AEADs be considered in any situation where
   there is the slightest doubt about nonce uniqueness.

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

3.  POLYVAL

   The GCM-SIV construction is similar to GCM: the block cipher is used
   in counter mode to encrypt the plaintext and a polynomial
   authenticator is used to provide integrity.  The authenticator in
   GCM-SIV is called POLYVAL.

   POLYVAL, like GHASH, operates in a binary field of size 2^128.  The
   field is defined by the irreducible polynomial x^128 + x^127 + x^126
   + x^121 + 1.  The sum of any two elements in the field is the result
   of XORing them.  The product of any two elements is calculated using
   standard (binary) polynomial multiplication followed by reduction
   modulo the irreducible polynomial.

   We define another binary operation on elements of the field: dot(a,
   b), where dot(a, b) = a * b * x^-128.  The value of the field element
   x^-128 is equal to x^127 + x^124 + x^121 + x^114 + 1.  The result,
   dot(a, b), of this multiplication is another field element.

   Polynomials in this field are converted to and from 128-bit strings
   by taking the least-significant bit of the first byte to be the
   coefficient of x^0, the most-significant bit of the first byte to be
   the coefficient of x^7 and so on, until the most-significant bit of
   the last byte is the coefficient of x^127.
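   As an added Go example (not code from the draft or its authors), the
   field arithmetic just described together with the POLYVAL iteration
   S_j = dot(S_{j-1} + X_j, H) that this section defines next.  Field
   elements are held in math/big integers; the helper names (rev, toElem,
   hexOp, polyvalHex) are this example's own, and main reproduces the
   values given in Sections 7 and 8.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"math/big"
)

// A field element is kept in a big.Int whose bit i is the coefficient of x^i.
// Reading the 16-byte string as a little-endian integer gives exactly the
// draft's mapping: low bit of byte 0 is x^0, high bit of byte 15 is x^127.
// modulus is x^128 + x^127 + x^126 + x^121 + 1 (bits 128,127,126,121 are
// 0x1c2 << 120) and xInv128 is x^-128 = x^127 + x^124 + x^121 + x^114 + 1
// (bits 127,124,121,114 are 0x9204 << 112); both then get bit 0 set.
var (
	modulus = new(big.Int).SetBit(new(big.Int).Lsh(big.NewInt(0x1c2), 120), 0, 1)
	xInv128 = new(big.Int).SetBit(new(big.Int).Lsh(big.NewInt(0x9204), 112), 0, 1)
)

// rev reverses a byte string: big.Int serialises big-endian, POLYVAL little-endian.
func rev(b []byte) []byte {
	r := make([]byte, len(b))
	for i := range b {
		r[i] = b[len(b)-1-i]
	}
	return r
}

func toElem(s []byte) *big.Int   { return new(big.Int).SetBytes(rev(s)) }
func fromElem(e *big.Int) []byte { return rev(e.FillBytes(make([]byte, 16))) }

// add is XOR, since coefficients live in GF(2).
func add(a, b *big.Int) *big.Int { return new(big.Int).Xor(a, b) }

// mul is carry-less (XOR-accumulating) multiplication of the two polynomials
// followed by reduction modulo the field polynomial.
func mul(a, b *big.Int) *big.Int {
	p := new(big.Int)
	for i := 0; i < b.BitLen(); i++ {
		if b.Bit(i) == 1 {
			p.Xor(p, new(big.Int).Lsh(a, uint(i)))
		}
	}
	for p.BitLen() > 128 { // highest set bit is at index BitLen()-1 >= 128
		p.Xor(p, new(big.Int).Lsh(modulus, uint(p.BitLen()-129)))
	}
	return p
}

// dot(a, b) = a * b * x^-128, the operation POLYVAL iterates.
func dot(a, b *big.Int) *big.Int { return mul(mul(a, b), xInv128) }

// polyval computes S_0 = 0; S_j = dot(S_{j-1} + X_j, H) over 16-byte blocks.
func polyval(h []byte, blocks ...[]byte) []byte {
	hh, s := toElem(h), new(big.Int)
	for _, x := range blocks {
		s = dot(add(s, toElem(x)), hh)
	}
	return fromElem(s)
}

// hexOp applies add, mul or dot to two hex-encoded 16-byte strings.
func hexOp(op func(a, b *big.Int) *big.Int, a, b string) string {
	ab, _ := hex.DecodeString(a)
	bb, _ := hex.DecodeString(b)
	return hex.EncodeToString(fromElem(op(toElem(ab), toElem(bb))))
}

// polyvalHex runs POLYVAL on a hex-encoded key and hex-encoded blocks.
func polyvalHex(h string, blocks ...string) string {
	hb, _ := hex.DecodeString(h)
	xs := make([][]byte, len(blocks))
	for i, b := range blocks {
		xs[i], _ = hex.DecodeString(b)
	}
	return hex.EncodeToString(polyval(hb, xs...))
}

func main() {
	// The operands of the draft's Section 7 examples.
	a, b := "66e94bd4ef8a2c3b884cfa59ca342b2e", "ff000000000000000000000000000000"
	fmt.Println("a + b     =", hexOp(add, a, b))
	fmt.Println("a * b     =", hexOp(mul, a, b))
	fmt.Println("dot(a, b) =", hexOp(dot, a, b))
	// Section 8: padded AAD "example", padded "Hello world" and the length
	// block, under the record-authentication key 310728d9911f1f3837b24316c3fab9a0.
	fmt.Println("S_s       =", polyvalHex("310728d9911f1f3837b24316c3fab9a0",
		"6578616d706c65000000000000000000",
		"48656c6c6f20776f726c640000000000",
		"38000000000000005800000000000000"))
}
```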
   POLYVAL takes a field element, H, and a series of field elements X_1,
   ..., X_s.  Its result is S_s, where S is defined by the iteration S_0
   = 0; S_j = dot(S_{j-1} + X_j, H), for j = 1..s.

   We note that POLYVAL(H, X_1, X_2, ...) is equal to
   ByteReverse(GHASH(ByteReverse(H) * x, ByteReverse(X_1),
   ByteReverse(X_2), ...)), where ByteReverse is a function that
   reverses the order of 16 bytes.  See Appendix A for a more detailed
   explanation.

4.  Encryption

   AES-GCM-SIV encryption takes a 16- or 32-byte key-generating key, a
   96-bit nonce, and arbitrary-length plaintext & additional data byte-
   strings.  It outputs an authenticated ciphertext that will be 16
   bytes longer than the plaintext.

   If the key-generating key is 16 bytes long then AES-128 is used
   throughout.  Otherwise AES-256 is used throughout.

   The first step of encryption is to generate per-nonce, record-
   authentication and record-encryption keys.  The record-authentication
   key is 128-bit and the record-encryption key is either 128- (for AES-
   128) or 256-bit (for AES-256).

   These keys are generated by encrypting a series of plaintext blocks
   that contain a 32-bit, little-endian counter followed by the nonce,
   and then discarding the second half of the resulting ciphertext.  In
   the AES-128 case, 128 + 128 = 256 bits of key material need to be
   generated and, since encrypting each block yields 64 bits after
   discarding half, four blocks need to be encrypted.  The counter
   values for these blocks are 0, 1, 2 and 3.  For AES-256, six blocks
   are needed in total, with counter values 0 through 5 (inclusive).
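   The AES side of this section as an added Go example (not the draft's
   code): the per-nonce key derivation just described, then the tag
   finalisation and counter-mode encryption that the section specifies
   below, and the constant-time tag check of Section 5.  POLYVAL itself
   is left out; S_s is taken from the Section 8 worked example, whose
   derived keys, tag and ciphertext main reproduces.  The function names
   are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// deriveKeys produces the per-nonce keys: AES-encrypt "counter (32-bit LE) ++
// nonce" under the key-generating key for counters 0..3 (AES-128) or 0..5
// (AES-256), keeping the first 8 bytes of each block. The first 16 derived
// bytes are the record-authentication key and the remaining 16 or 32 bytes
// the record-encryption key.
func deriveKeys(keyGenKey, nonce []byte) (authKey, encKey []byte, err error) {
	if (len(keyGenKey) != 16 && len(keyGenKey) != 32) || len(nonce) != 12 {
		return nil, nil, errors.New("key must be 16 or 32 bytes and the nonce 12 bytes")
	}
	c, _ := aes.NewCipher(keyGenKey) // cannot fail for a 16- or 32-byte key
	in, out := make([]byte, 16), make([]byte, 16)
	copy(in[4:], nonce)
	var km []byte
	for i := 0; i < 2+len(keyGenKey)/8; i++ { // 4 or 6 blocks
		binary.LittleEndian.PutUint32(in, uint32(i))
		c.Encrypt(out, in)
		km = append(km, out[:8]...)
	}
	return km[:16], km[16:], nil
}

// lengthBlock is the 64-bit little-endian bit lengths of the AAD and plaintext.
func lengthBlock(aadLen, ptLen int) []byte {
	b := make([]byte, 16)
	binary.LittleEndian.PutUint64(b, uint64(aadLen)*8)
	binary.LittleEndian.PutUint64(b[8:], uint64(ptLen)*8)
	return b
}

// tagFromPolyval turns S_s, the POLYVAL output, into the tag: XOR the nonce into
// the first twelve bytes, clear the most-significant bit of the last byte and
// AES-encrypt with the record-encryption key.
func tagFromPolyval(enc cipher.Block, nonce, sS []byte) []byte {
	blk := append([]byte{}, sS...)
	for i := 0; i < 12; i++ {
		blk[i] ^= nonce[i]
	}
	blk[15] &= 0x7f
	enc.Encrypt(blk, blk)
	return blk
}

// ctrXor is the counter mode of Section 4: the initial block is the tag with the
// most-significant bit of its last byte set, and the first 32 bits advance as a
// little-endian integer (wrapping). As an XOR it both encrypts and decrypts.
func ctrXor(enc cipher.Block, tag, in []byte) []byte {
	blk, ks, out := append([]byte{}, tag...), make([]byte, 16), make([]byte, len(in))
	blk[15] |= 0x80
	for i := 0; i < len(in); i += 16 {
		enc.Encrypt(ks, blk)
		for j := i; j < i+16 && j < len(in); j++ {
			out[j] = in[j] ^ ks[j-i]
		}
		binary.LittleEndian.PutUint32(blk, binary.LittleEndian.Uint32(blk)+1)
	}
	return out
}

// sealWithPolyval finishes encryption once S_s is known: ciphertext ++ tag.
func sealWithPolyval(keyGenKey, nonce, sS, plaintext []byte) ([]byte, error) {
	_, encKey, err := deriveKeys(keyGenKey, nonce)
	if err != nil {
		return nil, err
	}
	enc, _ := aes.NewCipher(encKey)
	tag := tagFromPolyval(enc, nonce, sS)
	return append(ctrXor(enc, tag, plaintext), tag...), nil
}

// tagMatches is the Section 5 check: recompute the tag from S_s and compare it
// with the received one in constant time; on mismatch no plaintext is released.
func tagMatches(enc cipher.Block, nonce, sS, received []byte) bool {
	return subtle.ConstantTimeCompare(tagFromPolyval(enc, nonce, sS), received) == 1
}

func main() {
	// Inputs of the draft's Section 8 worked example, S_s included.
	key, _ := hex.DecodeString("ee8e1ed9ff2540ae8f2ba9f50bc2f27c")
	nonce, _ := hex.DecodeString("752abad3e0afb5f434dc4310")
	sS, _ := hex.DecodeString("ad7fcf0b5169851662672f3c5f95138f")
	authKey, encKey, _ := deriveKeys(key, nonce)
	fmt.Printf("record-authentication key: %x\nrecord-encryption key:     %x\n", authKey, encKey)
	fmt.Printf("length block:              %x\n", lengthBlock(len("example"), len("Hello world")))
	ct, _ := sealWithPolyval(key, nonce, sS, []byte("Hello world"))
	fmt.Printf("ciphertext ++ tag:         %x\n", ct)
}
```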
   In pseudocode form, where ++ indicates concatenation and x[:8]
   indicates taking only the first eight bytes from x:

   if bytelen(key-generating-key) == 16 {
     record-authentication-key =
       AES128(key = key-generating-key,
              input = "00000000" ++ nonce)[:8] ++
       AES128(key = key-generating-key,
              input = "01000000" ++ nonce)[:8]
     record-encryption-key =
       AES128(key = key-generating-key,
              input = "02000000" ++ nonce)[:8] ++
       AES128(key = key-generating-key,
              input = "03000000" ++ nonce)[:8]
   } else if bytelen(key-generating-key) == 32 {
     record-authentication-key =
       AES256(key = key-generating-key,
              input = "00000000" ++ nonce)[:8] ++
       AES256(key = key-generating-key,
              input = "01000000" ++ nonce)[:8]
     record-encryption-key =
       AES256(key = key-generating-key,
              input = "02000000" ++ nonce)[:8] ++
       AES256(key = key-generating-key,
              input = "03000000" ++ nonce)[:8] ++
       AES256(key = key-generating-key,
              input = "04000000" ++ nonce)[:8] ++
       AES256(key = key-generating-key,
              input = "05000000" ++ nonce)[:8]
   }

   Define the _length block_ as a 16-byte value that is the
   concatenation of the 64-bit, little-endian encodings of
   bytelen(additional_data) * 8 and bytelen(plaintext) * 8.  Pad the
   plaintext and additional data with zeros until they are each a
   multiple of 16 bytes, the AES block size.  Then X_1, X_2, ... (the
   series of field elements that are inputs to POLYVAL) are the
   concatenation of the padded additional data, the padded plaintext and
   the length block.

   Calculate S_s = POLYVAL(record-authentication-key, X_1, X_2, ...).
   XOR the first twelve bytes of S_s with the nonce and clear the most-
   significant bit of the last byte.  Encrypt the result with AES using
   the record-encryption key to produce the tag.

   The ciphertext is produced by using AES, with the record-encryption
   key, in counter mode on the unpadded plaintext.  The initial counter
   block is the tag with the most-significant bit of the last byte set
   to one.  The counter advances by incrementing the first 32 bits
   interpreted as an unsigned, little-endian integer.  The result of the
   encryption is the resulting ciphertext (truncated to the length of
   the plaintext) followed by the tag.

5.  Decryption

   Decryption takes a 16- or 32-byte key-generating key, a 96-bit nonce,
   and arbitrary-length ciphertext & additional data byte-strings.  It
   either fails, or outputs a plaintext that is 16 bytes shorter than
   the ciphertext.

   Firstly, the record-encryption and record-authentication keys are
   derived in the same manner as when encrypting.

   If the ciphertext is less than 16 bytes or more than 2^36 + 16 bytes,
   then fail.  Otherwise split the input into the encrypted plaintext
   and a 16-byte tag.  Decrypt the encrypted plaintext with the record-
   encryption key in counter mode, where the initial counter block is
   the tag with the most-significant bit of the last byte set to one.
   The counter advances in the same way as for encryption.

   Pad the additional data and plaintext with zeros until they are each
   a multiple of 16 bytes, the AES block size.  Calculate the length
   block and X_1, X_2, ... as above and compute S_s = POLYVAL(record-
   authentication-key, X_1, X_2, ...).  Compute the expected tag by
   XORing S_s and the nonce, clearing the most-significant bit of the
   last byte and encrypting with the record-encryption key.  Compare the
   provided and expected tag values in constant time.  If they do not
   match, fail.  Otherwise return the plaintext.

6.  AEADs

   We define two AEADs, in the format of RFC 5116, that use AES-GCM-SIV:
   AEAD_AES_128_GCM_SIV and AEAD_AES_256_GCM_SIV.  They differ only in
   the size of the AES key used.

   The key input to these AEADs becomes the key-generating key.  Thus
   AEAD_AES_128_GCM_SIV takes a 16-byte key and AEAD_AES_256_GCM_SIV
   takes a 32-byte key.

   The parameters for AEAD_AES_128_GCM_SIV are then: K_LEN is 16, P_MAX
   is 2^36, A_MAX is 2^61 - 1, N_MIN and N_MAX are 12 and C_MAX is 2^36
   + 16.

   The parameters for AEAD_AES_256_GCM_SIV differ only in the key size:
   K_LEN is 32, P_MAX is 2^36, A_MAX is 2^61 - 1, N_MIN and N_MAX are 12
   and C_MAX is 2^36 + 16.

7.  Field operation examples

   Polynomials in this document will be written as 16-byte values.  For
   example, the sixteen bytes 01000000000000000000000000000492 would
   represent the polynomial x^127 + x^124 + x^121 + x^114 + 1, which is
   also the value of x^-128 in this field.

   If a = 66e94bd4ef8a2c3b884cfa59ca342b2e and b =
   ff000000000000000000000000000000 then a + b =
   99e94bd4ef8a2c3b884cfa59ca342b2e, a * b =
   37856175e9dc9df26ebc6d6171aa0ae9 and dot(a, b) =
   ebe563401e7e91ea3ad6426b8140c394.

8.  Worked example

   Consider the encryption of the plaintext "Hello world" with the
   additional data "example" under key ee8e1ed9ff2540ae8f2ba9f50bc2f27c
   using AEAD_AES_128_GCM_SIV.  The random nonce that we'll use for this
   example is 752abad3e0afb5f434dc4310.

   In order to generate the record-authentication and record-encryption
   keys, a counter is combined with the nonce to form four blocks.
   These blocks are encrypted with the key given above:

   Counter | Nonce                            Ciphertext
   00000000752abad3e0afb5f434dc4310 -> 310728d9911f1f38c40e952ca83d093e
   01000000752abad3e0afb5f434dc4310 -> 37b24316c3fab9a046ae90952daa0450
   02000000752abad3e0afb5f434dc4310 -> a4c5ae624996327947920b2d2412474b
   03000000752abad3e0afb5f434dc4310 -> c100be4d7e2c6edd1efef004305ab1e7

   The latter halves of the ciphertext blocks are discarded and the
   remaining bytes are concatenated to form the per-record keys.  Thus
   the record-authentication key is 310728d9911f1f3837b24316c3fab9a0 and
   the record-encryption key is a4c5ae6249963279c100be4d7e2c6edd.

   The length block contains the encoding of the bit-lengths of the
   additional data and plaintext, respectively, which are 56 and 88.
   Thus the length block is 38000000000000005800000000000000.

   The input to POLYVAL is the padded additional data, padded plaintext
   and then the length block.  This is:

      6578616d706c65000000000000000000
      48656c6c6f20776f726c640000000000
      38000000000000005800000000000000

   Calling POLYVAL with the record-authentication key and the input
   above results in S_s = ad7fcf0b5169851662672f3c5f95138f.

   Before encrypting, the nonce is XORed in and the most-significant bit
   of the last byte is cleared.  This gives
   d85575d8b1c630e256bb6c2c5f95130f because that bit happened to be one
   previously.  Encrypting with the record-encryption key gives the tag,
   which is 4fbcdeb7e4793f4a1d7e4faa70100af1.

   In order to form the initial counter block, the most-significant bit
   of the last byte of the tag is set to one.  That doesn't result in a
   change in this example.  Encrypting this with the record key gives
   the first block of the keystream: 1551f2c1787e81deac9a99f139540ab5.

   The final ciphertext is the result of XORing the plaintext with the
   keystream and appending the tag.  That gives
   5d349ead175ef6b1def6fd4fbcdeb7e4793f4a1d7e4faa70100af1.

9.  Security Considerations

   A detailed analysis of these schemes appears in [AES-GCM-SIV] and the
   remainder of this section is a summary of that paper.

   We recommend a limit of 2^50 plaintexts encrypted with a given key.
   Past this point, AES-GCM-SIV may be distinguishable from an ideal
   AEAD.  (This is based on standard assumptions about AES.)

   The AEADs defined in this document calculate fresh AES keys for each
   nonce.  This allows a larger number of plaintexts to be encrypted
   under a given key.  Without this step, each SIV encryption would be
   like a standard GCM encryption with a random nonce.  Since the nonce
   size for GCM is only 12 bytes, NIST set a limit [GCM] of 2^32
   encryptions before the probability of duplicate nonces becomes too
   high.

   The authors felt that, while large, 2^32 wasn't so large that this
   limit could be safely ignored.  For example, consider encrypting the
   contents of a hard disk where the AEAD record size is 512 bytes, to
   match the traditional size of a disk sector.  This process would have
   encrypted 2^32 records after processing 2TB, yet hard drives of
   multiple terabytes are now common.

   Deriving fresh AES keys for each nonce alleviates this problem.

   If the nonce is fixed then AES-GCM-SIV acts like AES-GCM with a
   random nonce, with the caveat that identical plaintexts will produce
   identical ciphertexts.  However, we feel that the 2^32 limit for AES-
   GCM is too risky in a multi-key setting.  Thus with AES-GCM-SIV we
   recommend that, for a specific key, a nonce not be repeated more than
   2^8 times.  (And, ideally, not be repeated at all.)  See theorem six
   and figure four from the paper for detailed bounds.

   Suzuki et al. [multibirthday] show that even if nonces are selected
   uniformly at random, the probability that one or more values would be
   repeated 256 or more times is negligible until the number of nonces
   reaches 2^102.  (Specifically the probability is 1/((2^96)^(255)) *
   Binomial(q, 256), where q is the number of nonces.)  Since 2^102 is
   vastly greater than the limit on the number of plaintexts per key
   given above, we don't feel that this limit on the number of repeated
   nonces will be a problem.  This also means that selecting nonces at
   random is a safe practice with AES-GCM-SIV.
   In addition to calculating fresh AES keys for each nonce, these AEADs
   also calculate fresh POLYVAL keys.  Previous versions of GCM-SIV did
   not do this and, instead, used part of the AEAD's key as the POLYVAL
   key.  Bleichenbacher pointed out that this allowed an attacker who
   controlled the AEAD key to force the POLYVAL key to be zero.  If a
   user of this AEAD authenticated messages with a secret additional-
   data value then this would be insecure as the attacker could
   calculate a valid authenticator without knowing the input.  This does
   not violate the standard properties of an AEAD as the additional data
   is not assumed to be confidential.  However, we want these AEADs to
   be robust to plausible misuse and also to be drop-in replacements for
   AES-GCM and so derive nonce-specific POLYVAL keys to avoid this
   issue.

   A security analysis of a similar scheme appears in [GCM-SIV].

10.  IANA Considerations

   IANA is requested to add two entries to the registry of AEAD
   algorithms: AEAD_AES_128_GCM_SIV and AEAD_AES_256_GCM_SIV, both
   referencing this document as their specification.

11.  Acknowledgements

   The authors would like to thank Uri Blumenthal, Ondrej Mosnacek,
   Daniel Bleichenbacher, Kenny Paterson, Bart Preneel, John Mattsson
   and Deb Cooley's team at NSA Information Assurance for their helpful
   suggestions.

12.  References

12.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

12.2.  Informative References

   [AES-GCM-SIV]
              Gueron, S., Langley, A., and Y. Lindell, "AES-GCM-SIV:
              specification and analysis", 2017.

   [GCM]      Dworkin, M., "Recommendation for Block Cipher Modes of
              Operation: Galois/Counter Mode (GCM) and GMAC", NIST
              SP-800-38D, November 2007.

   [GCM-SIV]  Gueron, S. and Y. Lindell, "GCM-SIV: Full Nonce Misuse-
              Resistant Authenticated Encryption at Under One Cycle Per
              Byte", Proceedings of the 22nd ACM SIGSAC Conference on
              Computer and Communications Security, 2015.

   [multibirthday]
              Kazuhiro, S., Dongvu, T., Kaoru, K., and T. Koji,
              "Birthday Paradox for Multi-collisions", ICISC 2006: 9th
              International Conference, Busan, Korea, November 30 -
              December 1, 2006.  Proceedings, 2006.

   [RFC5116]  McGrew, D., "An Interface and Algorithms for Authenticated
              Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008.

Appendix A.  The relationship between POLYVAL and GHASH

   GHASH and POLYVAL both operate in GF(2^128), although with different
   irreducible polynomials: POLYVAL works modulo x^128 + x^127 + x^126 +
   x^121 + 1 and GHASH works modulo x^128 + x^7 + x^2 + x + 1.  Note
   that these irreducible polynomials are the "reverse" of each other.

   GHASH also has a different mapping between 128-bit strings and field
   elements.  Whereas POLYVAL takes the least-significant to most-
   significant bits of the first byte to be the coefficients of x^0 to
   x^7, GHASH takes them to be the coefficients of x^7 to x^0.  This
   continues until, for the last byte, POLYVAL takes the least-
   significant to most-significant bits to be the coefficients of x^120
   to x^127 while GHASH takes them to be the coefficients of x^127 to
   x^120.

   The combination of these facts means that it's possible to "convert"
   values between the two by reversing the order of the bytes in a
   16-byte string.  The differing interpretations of bit order take
   care of reversing the bits within each byte and then reversing the
   bytes does the rest.  This may have a practical benefit for
   implementations that wish to implement both GHASH and POLYVAL.
   In order to be clear which field a given operation is performed in,
   let mulX_GHASH be a function that takes a 16-byte string, converts it
   to an element of GHASH's field using GHASH's convention, multiplies
   it by x and converts back to a string.  Likewise, let mulX_POLYVAL be
   a function that converts a 16-byte string to an element of POLYVAL's
   field using POLYVAL's convention, multiplies it by x and converts
   back.

   Given the 16-byte string 01000000000000000000000000000000, mulX_GHASH
   of that string is 00800000000000000000000000000000 and mulX_POLYVAL
   of that string is 02000000000000000000000000000000.  As a more
   general example, given 9c98c04df9387ded828175a92ba652d8, mulX_GHASH
   of that string is 4e4c6026fc9c3ef6c140bad495d3296c and mulX_POLYVAL
   of it is 3931819bf271fada0503eb52574ca5f2.

   Lastly, let ByteReverse be the function that takes a 16-byte string
   and returns a copy where the order of the bytes has been reversed.

   Now GHASH and POLYVAL can be defined in terms of one another:

   POLYVAL(H, X_1, ..., X_n) =
     ByteReverse(GHASH(mulX_GHASH(ByteReverse(H)), ByteReverse(X_1), ...,
                       ByteReverse(X_n)))

   GHASH(H, X_1, ..., X_n) =
     ByteReverse(POLYVAL(mulX_POLYVAL(ByteReverse(H)), ByteReverse(X_1),
                         ..., ByteReverse(X_n)))

   As a worked example, let H = 25629347589242761d31f826ba4b757b, X_1 =
   4f4f95668c83dfb6401762bb2d01a262 and X_2 =
   d1a24ddd2721d006bbe45f20d3c9f362.  POLYVAL(H, X_1, X_2) =
   f7a3b47b846119fae5b7866cf5e5b77e.  If we wished to calculate this
   given only an implementation of GHASH then the key for GHASH would be
   mulX_GHASH(ByteReverse(H)) = dcbaa5dd137c188ebb21492c23c9b112.  Then
   ByteReverse(GHASH(dcba..., ByteReverse(X_1), ByteReverse(X_2))) =
   f7a3b47b846119fae5b7866cf5e5b77e, as required.

   In the other direction, GHASH(H, X_1, X_2) =
   bd9b3997046731fb96251b91f9c99d7a.  If we wished to calculate this
   given only an implementation of POLYVAL then we would first calculate
   the key for POLYVAL, mulX_POLYVAL(ByteReverse(H)), which is
   f6ea96744df0633aec8424b18e26c54a.  Then ByteReverse(POLYVAL(f6ea...,
   ByteReverse(X_1), ByteReverse(X_2))) =
   bd9b3997046731fb96251b91f9c99d7a.

Appendix B.  Additional comparisons with AES-GCM

   Some non-security properties also differ between AES-GCM and AES-
   GCM-SIV that are worth noting:

   AES-GCM allows plaintexts to be encrypted in a streaming fashion,
   i.e. the beginning of the plaintext can be encrypted and transmitted
   before the entire message has been processed.  AES-GCM-SIV requires
   two passes for encryption and so cannot do this.

   AES-GCM allows a constant additional-data input to be precomputed in
   order to save per-record computation.  AES-GCM-SIV varies the
   authenticator key based on the nonce and so does not permit this.

   The performance for AES-GCM vs AES-GCM-SIV on small machines can be
   roughly characterised by the number of AES operations and the number
   of GF(2^128) multiplications needed to process a message.  Let a =
   (bytelen(additional-data) + 15) / 16 and p = (bytelen(plaintext) +
   15) / 16.  Then AES-GCM requires p + 1 AES operations and p + a + 1
   field multiplications.

   Defined similarly, AES-GCM-SIV with AES-128 requires p + 5 AES
   operations and p + a + 1 field multiplications.  With AES-256 that
   becomes p + 7 AES operations.

   With large machines, the available parallelism becomes far more
   important and such simple performance analysis is no longer
   representative.  For such machines, we find that decryption of AES-
   GCM-SIV is only about 5% slower than AES-GCM, as long as the message
   is at least a couple of kilobytes.  Encryption tends to be about
   2/3rds the speed because of the additional pass required.

Appendix C.  Test vectors

C.1.  AEAD_AES_128_GCM_SIV

   Plaintext (0 bytes) =
   AAD (0 bytes) =
   Key =                       01000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = d9b360279694941ac5dbc6987ada7377
   Record encryption key =     4004a0dcd862f2a57360219d2d44ef6c
   POLYVAL input =             00000000000000000000000000000000
   POLYVAL result =            00000000000000000000000000000000
   POLYVAL result XOR nonce =  03000000000000000000000000000000
   ... and masked =            03000000000000000000000000000000
   Tag =                       dc20e2d83f25705bb49e439eca56de25
   Initial counter =           dc20e2d83f25705bb49e439eca56dea5
   Result (16 bytes) =         dc20e2d83f25705bb49e439eca56de25

   Plaintext (8 bytes) =       0100000000000000
   AAD (0 bytes) =
   Key =                       01000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = d9b360279694941ac5dbc6987ada7377
   Record encryption key =     4004a0dcd862f2a57360219d2d44ef6c
   POLYVAL input =             01000000000000000000000000000000
                               00000000000000004000000000000000
   POLYVAL result =            eb93b7740962c5e49d2a90a7dc5cec74
   POLYVAL result XOR nonce =  e893b7740962c5e49d2a90a7dc5cec74
   ... and masked =            e893b7740962c5e49d2a90a7dc5cec74
   Tag =                       578782fff6013b815b287c22493a364c
   Initial counter =           578782fff6013b815b287c22493a36cc
   Result (24 bytes) =         b5d839330ac7b786578782fff6013b81
                               5b287c22493a364c

   Plaintext (12 bytes) =      010000000000000000000000
   AAD (0 bytes) =
   Key =                       01000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = d9b360279694941ac5dbc6987ada7377
   Record encryption key =     4004a0dcd862f2a57360219d2d44ef6c
   POLYVAL input =             01000000000000000000000000000000
                               00000000000000006000000000000000
   POLYVAL result =            48eb6c6c5a2dbe4a1dde508fee06361b
   POLYVAL result XOR nonce =  4beb6c6c5a2dbe4a1dde508fee06361b
   ... and masked =            4beb6c6c5a2dbe4a1dde508fee06361b
   Tag =                       a4978db357391a0bc4fdec8b0d106639
   Initial counter =           a4978db357391a0bc4fdec8b0d1066b9
   Result (28 bytes) =         7323ea61d05932260047d942a4978db3
                               57391a0bc4fdec8b0d106639

   Plaintext (16 bytes) =      01000000000000000000000000000000
   AAD (0 bytes) =
   Key =                       01000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = d9b360279694941ac5dbc6987ada7377
   Record encryption key =     4004a0dcd862f2a57360219d2d44ef6c
   POLYVAL input =             01000000000000000000000000000000
                               00000000000000008000000000000000
   POLYVAL result =            20806c26e3c1de019e111255708031d6
   POLYVAL result XOR nonce =  23806c26e3c1de019e111255708031d6
   ... and masked =            23806c26e3c1de019e11125570803156
   Tag =                       303aaf90f6fe21199c6068577437a0c4
   Initial counter =           303aaf90f6fe21199c6068577437a0c4
   Result (32 bytes) =         743f7c8077ab25f8624e2e948579cf77
                               303aaf90f6fe21199c6068577437a0c4

   Plaintext (32 bytes) =      01000000000000000000000000000000
                               02000000000000000000000000000000
   AAD (0 bytes) =
   Key =                       01000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = d9b360279694941ac5dbc6987ada7377
   Record encryption key =     4004a0dcd862f2a57360219d2d44ef6c
   POLYVAL input =             01000000000000000000000000000000
                               02000000000000000000000000000000
                               00000000000000000001000000000000
   POLYVAL result =            ce6edc9a50b36d9a98986bbf6a261c3b
   POLYVAL result XOR nonce =  cd6edc9a50b36d9a98986bbf6a261c3b
   ... and masked =            cd6edc9a50b36d9a98986bbf6a261c3b
   Tag =                       1a8e45dcd4578c667cd86847bf6155ff
   Initial counter =           1a8e45dcd4578c667cd86847bf6155ff
   Result (48 bytes) =         84e07e62ba83a6585417245d7ec413a9
                               fe427d6315c09b57ce45f2e3936a9445
                               1a8e45dcd4578c667cd86847bf6155ff

   Plaintext (48 bytes) =      01000000000000000000000000000000
                               02000000000000000000000000000000
                               03000000000000000000000000000000
   AAD (0 bytes) =
   Key =                       01000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = d9b360279694941ac5dbc6987ada7377
   Record encryption key =     4004a0dcd862f2a57360219d2d44ef6c
   POLYVAL input =             01000000000000000000000000000000
                               02000000000000000000000000000000
                               03000000000000000000000000000000
                               00000000000000008001000000000000
   POLYVAL result =            81388746bc22d26b2abc3dcb15754222
   POLYVAL result XOR nonce =  82388746bc22d26b2abc3dcb15754222
   ... and masked =            82388746bc22d26b2abc3dcb15754222
   Tag =                       5e6e311dbf395d35b0fe39c2714388f8
   Initial counter =           5e6e311dbf395d35b0fe39c2714388f8
   Result (64 bytes) =         3fd24ce1f5a67b75bf2351f181a475c7
                               b800a5b4d3dcf70106b1eea82fa1d64d
                               f42bf7226122fa92e17a40eeaac1201b
                               5e6e311dbf395d35b0fe39c2714388f8

   Plaintext (64 bytes) =      01000000000000000000000000000000
                               02000000000000000000000000000000
                               03000000000000000000000000000000
                               04000000000000000000000000000000
   AAD (0 bytes) =
   Key =                       01000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = d9b360279694941ac5dbc6987ada7377
   Record encryption key =     4004a0dcd862f2a57360219d2d44ef6c
   POLYVAL input =             01000000000000000000000000000000
                               02000000000000000000000000000000
                               03000000000000000000000000000000
                               04000000000000000000000000000000
                               00000000000000000002000000000000
   POLYVAL result =            1e39b6d3344d348f6044f89935d1cf78
   POLYVAL result XOR nonce =  1d39b6d3344d348f6044f89935d1cf78
   ... and masked =            1d39b6d3344d348f6044f89935d1cf78
   Tag =                       8a263dd317aa88d56bdf3936dba75bb8
   Initial counter =           8a263dd317aa88d56bdf3936dba75bb8
   Result (80 bytes) =         2433668f1058190f6d43e360f4f35cd8
                               e475127cfca7028ea8ab5c20f7ab2af0
                               2516a2bdcbc08d521be37ff28c152bba
                               36697f25b4cd169c6590d1dd39566d3f
                               8a263dd317aa88d56bdf3936dba75bb8

   Plaintext (8 bytes) =       0200000000000000
   AAD (1 bytes) =             01
   Key =                       01000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = d9b360279694941ac5dbc6987ada7377
   Record encryption key =     4004a0dcd862f2a57360219d2d44ef6c
   POLYVAL input =             01000000000000000000000000000000
                               02000000000000000000000000000000
                               08000000000000004000000000000000
   POLYVAL result =            b26781e7e2c1376f96bec195f3709b2a
   POLYVAL result XOR nonce =  b16781e7e2c1376f96bec195f3709b2a
   ... and masked =            b16781e7e2c1376f96bec195f3709b2a
   Tag =                       3b0a1a2560969cdf790d99759abd1508
   Initial counter =           3b0a1a2560969cdf790d99759abd1588
   Result (24 bytes) =         1e6daba35669f4273b0a1a2560969cdf
                               790d99759abd1508

   Plaintext (12 bytes) =      020000000000000000000000
   AAD (1 bytes) =             01
   Key =                       01000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = d9b360279694941ac5dbc6987ada7377
   Record encryption key =     4004a0dcd862f2a57360219d2d44ef6c
   POLYVAL input =             01000000000000000000000000000000
                               02000000000000000000000000000000
                               08000000000000006000000000000000
   POLYVAL result =            111f5affb18e4cc1164a01bdc12a4145
   POLYVAL result XOR nonce =  121f5affb18e4cc1164a01bdc12a4145
   ... and masked =            121f5affb18e4cc1164a01bdc12a4145
   Tag =                       08299c5102745aaa3a0c469fad9e075a
   Initial counter =           08299c5102745aaa3a0c469fad9e07da
   Result (28 bytes) =         296c7889fd99f41917f4462008299c51
                               02745aaa3a0c469fad9e075a

   Plaintext (16 bytes) =      02000000000000000000000000000000
   AAD (1 bytes) =             01
   Key =                       01000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = d9b360279694941ac5dbc6987ada7377
   Record encryption key =     4004a0dcd862f2a57360219d2d44ef6c
   POLYVAL input =             01000000000000000000000000000000
                               02000000000000000000000000000000
                               08000000000000008000000000000000
   POLYVAL result =            79745ab508622c8a958543675fac4688
   POLYVAL result XOR nonce =  7a745ab508622c8a958543675fac4688
   ... and masked =            7a745ab508622c8a958543675fac4608
   Tag =                       8f8936ec039e4e4bb97ebd8c4457441f
   Initial counter =           8f8936ec039e4e4bb97ebd8c4457449f
   Result (32 bytes) =         e2b0c5da79a901c1745f700525cb335b
                               8f8936ec039e4e4bb97ebd8c4457441f

   Plaintext (32 bytes) =      02000000000000000000000000000000
                               03000000000000000000000000000000
   AAD (1 bytes) =             01
   Key =                       01000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = d9b360279694941ac5dbc6987ada7377
   Record encryption key =     4004a0dcd862f2a57360219d2d44ef6c
   POLYVAL input =             01000000000000000000000000000000
                               02000000000000000000000000000000
                               03000000000000000000000000000000
                               08000000000000000001000000000000
   POLYVAL result =            2ce7daaf7c89490822051255b12eca6b
   POLYVAL result XOR nonce =  2fe7daaf7c89490822051255b12eca6b
   ...
and masked = 2fe7daaf7c89490822051255b12eca6b 739 Tag = e6af6a7f87287da059a71684ed3498e1 740 Initial counter = e6af6a7f87287da059a71684ed3498e1 741 Result (48 bytes) = 620048ef3c1e73e57e02bb8562c416a3 742 19e73e4caac8e96a1ecb2933145a1d71 743 e6af6a7f87287da059a71684ed3498e1 745 Plaintext (48 bytes) = 02000000000000000000000000000000 746 03000000000000000000000000000000 747 04000000000000000000000000000000 748 AAD (1 bytes) = 01 749 Key = 01000000000000000000000000000000 750 Nonce = 030000000000000000000000 751 Record authentication key = d9b360279694941ac5dbc6987ada7377 752 Record encryption key = 4004a0dcd862f2a57360219d2d44ef6c 753 POLYVAL input = 01000000000000000000000000000000 754 02000000000000000000000000000000 755 03000000000000000000000000000000 756 04000000000000000000000000000000 757 08000000000000008001000000000000 758 POLYVAL result = 9ca987715d69c1786711dfcd22f830fc 759 POLYVAL result XOR nonce = 9fa987715d69c1786711dfcd22f830fc 760 ... and masked = 9fa987715d69c1786711dfcd22f8307c 761 Tag = 6a8cc3865f76897c2e4b245cf31c51f2 762 Initial counter = 6a8cc3865f76897c2e4b245cf31c51f2 763 Result (64 bytes) = 50c8303ea93925d64090d07bd109dfd9 764 515a5a33431019c17d93465999a8b005 765 3201d723120a8562b838cdff25bf9d1e 766 6a8cc3865f76897c2e4b245cf31c51f2 768 Plaintext (64 bytes) = 02000000000000000000000000000000 769 03000000000000000000000000000000 770 04000000000000000000000000000000 771 05000000000000000000000000000000 772 AAD (1 bytes) = 01 773 Key = 01000000000000000000000000000000 774 Nonce = 030000000000000000000000 775 Record authentication key = d9b360279694941ac5dbc6987ada7377 776 Record encryption key = 4004a0dcd862f2a57360219d2d44ef6c 777 POLYVAL input = 01000000000000000000000000000000 778 02000000000000000000000000000000 779 03000000000000000000000000000000 780 04000000000000000000000000000000 781 05000000000000000000000000000000 782 08000000000000000002000000000000 784 POLYVAL result = ffcd05d5770f34ad9267f0a59994b15a 785 POLYVAL result XOR nonce = 
fccd05d5770f34ad9267f0a59994b15a 786 ... and masked = fccd05d5770f34ad9267f0a59994b15a 787 Tag = cdc46ae475563de037001ef84ae21744 788 Initial counter = cdc46ae475563de037001ef84ae217c4 789 Result (80 bytes) = 2f5c64059db55ee0fb847ed513003746 790 aca4e61c711b5de2e7a77ffd02da42fe 791 ec601910d3467bb8b36ebbaebce5fba3 792 0d36c95f48a3e7980f0e7ac299332a80 793 cdc46ae475563de037001ef84ae21744 795 Plaintext (4 bytes) = 02000000 796 AAD (12 bytes) = 010000000000000000000000 797 Key = 01000000000000000000000000000000 798 Nonce = 030000000000000000000000 799 Record authentication key = d9b360279694941ac5dbc6987ada7377 800 Record encryption key = 4004a0dcd862f2a57360219d2d44ef6c 801 POLYVAL input = 01000000000000000000000000000000 802 02000000000000000000000000000000 803 60000000000000002000000000000000 804 POLYVAL result = f6ce9d3dcd68a2fd603c7ecc18fb9918 805 POLYVAL result XOR nonce = f5ce9d3dcd68a2fd603c7ecc18fb9918 806 ... and masked = f5ce9d3dcd68a2fd603c7ecc18fb9918 807 Tag = 07eb1f84fb28f8cb73de8e99e2f48a14 808 Initial counter = 07eb1f84fb28f8cb73de8e99e2f48a94 809 Result (20 bytes) = a8fe3e8707eb1f84fb28f8cb73de8e99 810 e2f48a14 812 Plaintext (20 bytes) = 03000000000000000000000000000000 813 04000000 814 AAD (18 bytes) = 01000000000000000000000000000000 815 0200 816 Key = 01000000000000000000000000000000 817 Nonce = 030000000000000000000000 818 Record authentication key = d9b360279694941ac5dbc6987ada7377 819 Record encryption key = 4004a0dcd862f2a57360219d2d44ef6c 820 POLYVAL input = 01000000000000000000000000000000 821 02000000000000000000000000000000 822 03000000000000000000000000000000 823 04000000000000000000000000000000 824 9000000000000000a000000000000000 825 POLYVAL result = 4781d492cb8f926c504caa36f61008fe 826 POLYVAL result XOR nonce = 4481d492cb8f926c504caa36f61008fe 827 ... 
and masked = 4481d492cb8f926c504caa36f610087e 828 Tag = 24afc9805e976f451e6d87f6fe106514 829 Initial counter = 24afc9805e976f451e6d87f6fe106594 830 Result (36 bytes) = 6bb0fecf5ded9b77f902c7d5da236a43 831 91dd029724afc9805e976f451e6d87f6 832 fe106514 834 Plaintext (18 bytes) = 03000000000000000000000000000000 835 0400 836 AAD (20 bytes) = 01000000000000000000000000000000 837 02000000 838 Key = 01000000000000000000000000000000 839 Nonce = 030000000000000000000000 840 Record authentication key = d9b360279694941ac5dbc6987ada7377 841 Record encryption key = 4004a0dcd862f2a57360219d2d44ef6c 842 POLYVAL input = 01000000000000000000000000000000 843 02000000000000000000000000000000 844 03000000000000000000000000000000 845 04000000000000000000000000000000 846 a0000000000000009000000000000000 847 POLYVAL result = 75cbc23a1a10e348aeb8e384b5cc79fd 848 POLYVAL result XOR nonce = 76cbc23a1a10e348aeb8e384b5cc79fd 849 ... and masked = 76cbc23a1a10e348aeb8e384b5cc797d 850 Tag = bff9b2ef00fb47920cc72a0c0f13b9fd 851 Initial counter = bff9b2ef00fb47920cc72a0c0f13b9fd 852 Result (34 bytes) = 44d0aaf6fb2f1f34add5e8064e83e12a 853 2adabff9b2ef00fb47920cc72a0c0f13 854 b9fd 856 C.2. AEAD_AES_256_GCM_SIV 858 Plaintext (0 bytes) = 859 AAD (0 bytes) = 860 Key = 01000000000000000000000000000000 861 00000000000000000000000000000000 862 Nonce = 030000000000000000000000 863 Record authentication key = b5d3c529dfafac43136d2d11be284d7f 864 Record encryption key = b914f4742be9e1d7a2f84addbf96dec3 865 456e3c6c05ecc157cdbf0700fedad222 866 POLYVAL input = 00000000000000000000000000000000 867 POLYVAL result = 00000000000000000000000000000000 868 POLYVAL result XOR nonce = 03000000000000000000000000000000 869 ... 
and masked = 03000000000000000000000000000000 870 Tag = 07f5f4169bbf55a8400cd47ea6fd400f 871 Initial counter = 07f5f4169bbf55a8400cd47ea6fd408f 872 Result (16 bytes) = 07f5f4169bbf55a8400cd47ea6fd400f 874 Plaintext (8 bytes) = 0100000000000000 875 AAD (0 bytes) = 876 Key = 01000000000000000000000000000000 877 00000000000000000000000000000000 878 Nonce = 030000000000000000000000 879 Record authentication key = b5d3c529dfafac43136d2d11be284d7f 880 Record encryption key = b914f4742be9e1d7a2f84addbf96dec3 881 456e3c6c05ecc157cdbf0700fedad222 882 POLYVAL input = 01000000000000000000000000000000 883 00000000000000004000000000000000 884 POLYVAL result = 05230f62f0eac8aa14fe4d646b59cd41 885 POLYVAL result XOR nonce = 06230f62f0eac8aa14fe4d646b59cd41 886 ... and masked = 06230f62f0eac8aa14fe4d646b59cd41 887 Tag = 843122130f7364b761e0b97427e3df28 888 Initial counter = 843122130f7364b761e0b97427e3dfa8 889 Result (24 bytes) = c2ef328e5c71c83b843122130f7364b7 890 61e0b97427e3df28 892 Plaintext (12 bytes) = 010000000000000000000000 893 AAD (0 bytes) = 894 Key = 01000000000000000000000000000000 895 00000000000000000000000000000000 896 Nonce = 030000000000000000000000 897 Record authentication key = b5d3c529dfafac43136d2d11be284d7f 898 Record encryption key = b914f4742be9e1d7a2f84addbf96dec3 899 456e3c6c05ecc157cdbf0700fedad222 900 POLYVAL input = 01000000000000000000000000000000 901 00000000000000006000000000000000 902 POLYVAL result = 6d81a24732fd6d03ae5af544720a1c13 903 POLYVAL result XOR nonce = 6e81a24732fd6d03ae5af544720a1c13 904 ... 
and masked = 6e81a24732fd6d03ae5af544720a1c13 905 Tag = 8ca50da9ae6559e48fd10f6e5c9ca17e 906 Initial counter = 8ca50da9ae6559e48fd10f6e5c9ca1fe 907 Result (28 bytes) = 9aab2aeb3faa0a34aea8e2b18ca50da9 908 ae6559e48fd10f6e5c9ca17e 910 Plaintext (16 bytes) = 01000000000000000000000000000000 911 AAD (0 bytes) = 912 Key = 01000000000000000000000000000000 913 00000000000000000000000000000000 914 Nonce = 030000000000000000000000 915 Record authentication key = b5d3c529dfafac43136d2d11be284d7f 916 Record encryption key = b914f4742be9e1d7a2f84addbf96dec3 917 456e3c6c05ecc157cdbf0700fedad222 918 POLYVAL input = 01000000000000000000000000000000 919 00000000000000008000000000000000 920 POLYVAL result = 74eee2bf7c9a165f8b25dea73db32a6d 921 POLYVAL result XOR nonce = 77eee2bf7c9a165f8b25dea73db32a6d 922 ... and masked = 77eee2bf7c9a165f8b25dea73db32a6d 923 Tag = c9eac6fa700942702e90862383c6c366 924 Initial counter = c9eac6fa700942702e90862383c6c3e6 925 Result (32 bytes) = 85a01b63025ba19b7fd3ddfc033b3e76 926 c9eac6fa700942702e90862383c6c366 928 Plaintext (32 bytes) = 01000000000000000000000000000000 929 02000000000000000000000000000000 930 AAD (0 bytes) = 931 Key = 01000000000000000000000000000000 932 00000000000000000000000000000000 933 Nonce = 030000000000000000000000 934 Record authentication key = b5d3c529dfafac43136d2d11be284d7f 935 Record encryption key = b914f4742be9e1d7a2f84addbf96dec3 936 456e3c6c05ecc157cdbf0700fedad222 937 POLYVAL input = 01000000000000000000000000000000 938 02000000000000000000000000000000 939 00000000000000000001000000000000 940 POLYVAL result = 899b6381b3d46f0def7aa0517ba188f5 941 POLYVAL result XOR nonce = 8a9b6381b3d46f0def7aa0517ba188f5 942 ... 
and masked = 8a9b6381b3d46f0def7aa0517ba18875 943 Tag = e819e63abcd020b006a976397632eb5d 944 Initial counter = e819e63abcd020b006a976397632ebdd 945 Result (48 bytes) = 4a6a9db4c8c6549201b9edb53006cba8 946 21ec9cf850948a7c86c68ac7539d027f 947 e819e63abcd020b006a976397632eb5d 949 Plaintext (48 bytes) = 01000000000000000000000000000000 950 02000000000000000000000000000000 951 03000000000000000000000000000000 952 AAD (0 bytes) = 953 Key = 01000000000000000000000000000000 954 00000000000000000000000000000000 955 Nonce = 030000000000000000000000 956 Record authentication key = b5d3c529dfafac43136d2d11be284d7f 957 Record encryption key = b914f4742be9e1d7a2f84addbf96dec3 958 456e3c6c05ecc157cdbf0700fedad222 959 POLYVAL input = 01000000000000000000000000000000 960 02000000000000000000000000000000 961 03000000000000000000000000000000 962 00000000000000008001000000000000 963 POLYVAL result = c1f8593d8fc29b0c290cae1992f71f51 964 POLYVAL result XOR nonce = c2f8593d8fc29b0c290cae1992f71f51 965 ... and masked = c2f8593d8fc29b0c290cae1992f71f51 966 Tag = 790bc96880a99ba804bd12c0e6a22cc4 967 Initial counter = 790bc96880a99ba804bd12c0e6a22cc4 968 Result (64 bytes) = c00d121893a9fa603f48ccc1ca3c57ce 969 7499245ea0046db16c53c7c66fe717e3 970 9cf6c748837b61f6ee3adcee17534ed5 971 790bc96880a99ba804bd12c0e6a22cc4 973 Plaintext (64 bytes) = 01000000000000000000000000000000 974 02000000000000000000000000000000 975 03000000000000000000000000000000 976 04000000000000000000000000000000 977 AAD (0 bytes) = 978 Key = 01000000000000000000000000000000 979 00000000000000000000000000000000 980 Nonce = 030000000000000000000000 981 Record authentication key = b5d3c529dfafac43136d2d11be284d7f 982 Record encryption key = b914f4742be9e1d7a2f84addbf96dec3 983 456e3c6c05ecc157cdbf0700fedad222 984 POLYVAL input = 01000000000000000000000000000000 985 02000000000000000000000000000000 986 03000000000000000000000000000000 987 04000000000000000000000000000000 988 00000000000000000002000000000000 989 POLYVAL 
result = 6ef38b06046c7c0e225efaef8e2ec4c4 990 POLYVAL result XOR nonce = 6df38b06046c7c0e225efaef8e2ec4c4 991 ... and masked = 6df38b06046c7c0e225efaef8e2ec444 992 Tag = 112864c269fc0d9d88c61fa47e39aa08 993 Initial counter = 112864c269fc0d9d88c61fa47e39aa88 994 Result (80 bytes) = c2d5160a1f8683834910acdafc41fbb1 995 632d4a353e8b905ec9a5499ac34f96c7 996 e1049eb080883891a4db8caaa1f99dd0 997 04d80487540735234e3744512c6f90ce 998 112864c269fc0d9d88c61fa47e39aa08 1000 Plaintext (8 bytes) = 0200000000000000 1001 AAD (1 bytes) = 01 1002 Key = 01000000000000000000000000000000 1003 00000000000000000000000000000000 1004 Nonce = 030000000000000000000000 1005 Record authentication key = b5d3c529dfafac43136d2d11be284d7f 1006 Record encryption key = b914f4742be9e1d7a2f84addbf96dec3 1007 456e3c6c05ecc157cdbf0700fedad222 1008 POLYVAL input = 01000000000000000000000000000000 1009 02000000000000000000000000000000 1010 08000000000000004000000000000000 1011 POLYVAL result = 34e57bafe011b9b36fc6821b7ffb3354 1012 POLYVAL result XOR nonce = 37e57bafe011b9b36fc6821b7ffb3354 1013 ... and masked = 37e57bafe011b9b36fc6821b7ffb3354 1014 Tag = 91213f267e3b452f02d01ae33e4ec854 1015 Initial counter = 91213f267e3b452f02d01ae33e4ec8d4 1016 Result (24 bytes) = 1de22967237a813291213f267e3b452f 1017 02d01ae33e4ec854 1019 Plaintext (12 bytes) = 020000000000000000000000 1020 AAD (1 bytes) = 01 1021 Key = 01000000000000000000000000000000 1022 00000000000000000000000000000000 1023 Nonce = 030000000000000000000000 1024 Record authentication key = b5d3c529dfafac43136d2d11be284d7f 1025 Record encryption key = b914f4742be9e1d7a2f84addbf96dec3 1026 456e3c6c05ecc157cdbf0700fedad222 1027 POLYVAL input = 01000000000000000000000000000000 1028 02000000000000000000000000000000 1029 08000000000000006000000000000000 1030 POLYVAL result = 5c47d68a22061c1ad5623a3b66a8e206 1031 POLYVAL result XOR nonce = 5f47d68a22061c1ad5623a3b66a8e206 1032 ... 
and masked = 5f47d68a22061c1ad5623a3b66a8e206 1033 Tag = c1a4a19ae800941ccdc57cc8413c277f 1034 Initial counter = c1a4a19ae800941ccdc57cc8413c27ff 1035 Result (28 bytes) = 163d6f9cc1b346cd453a2e4cc1a4a19a 1036 e800941ccdc57cc8413c277f 1038 Plaintext (16 bytes) = 02000000000000000000000000000000 1039 AAD (1 bytes) = 01 1040 Key = 01000000000000000000000000000000 1041 00000000000000000000000000000000 1042 Nonce = 030000000000000000000000 1043 Record authentication key = b5d3c529dfafac43136d2d11be284d7f 1044 Record encryption key = b914f4742be9e1d7a2f84addbf96dec3 1045 456e3c6c05ecc157cdbf0700fedad222 1046 POLYVAL input = 01000000000000000000000000000000 1047 02000000000000000000000000000000 1048 08000000000000008000000000000000 1049 POLYVAL result = 452896726c616746f01d11d82911d478 1050 POLYVAL result XOR nonce = 462896726c616746f01d11d82911d478 1051 ... and masked = 462896726c616746f01d11d82911d478 1052 Tag = b292d28ff61189e8e49f3875ef91aff7 1053 Initial counter = b292d28ff61189e8e49f3875ef91aff7 1054 Result (32 bytes) = c91545823cc24f17dbb0e9e807d5ec17 1055 b292d28ff61189e8e49f3875ef91aff7 1057 Plaintext (32 bytes) = 02000000000000000000000000000000 1058 03000000000000000000000000000000 1060 AAD (1 bytes) = 01 1061 Key = 01000000000000000000000000000000 1062 00000000000000000000000000000000 1063 Nonce = 030000000000000000000000 1064 Record authentication key = b5d3c529dfafac43136d2d11be284d7f 1065 Record encryption key = b914f4742be9e1d7a2f84addbf96dec3 1066 456e3c6c05ecc157cdbf0700fedad222 1067 POLYVAL input = 01000000000000000000000000000000 1068 02000000000000000000000000000000 1069 03000000000000000000000000000000 1070 08000000000000000001000000000000 1071 POLYVAL result = 4e58c1e341c9bb0ae34eda9509dfc90c 1072 POLYVAL result XOR nonce = 4d58c1e341c9bb0ae34eda9509dfc90c 1073 ... 
and masked = 4d58c1e341c9bb0ae34eda9509dfc90c 1074 Tag = aea1bad12702e1965604374aab96dbbc 1075 Initial counter = aea1bad12702e1965604374aab96dbbc 1076 Result (48 bytes) = 07dad364bfc2b9da89116d7bef6daaaf 1077 6f255510aa654f920ac81b94e8bad365 1078 aea1bad12702e1965604374aab96dbbc 1080 Plaintext (48 bytes) = 02000000000000000000000000000000 1081 03000000000000000000000000000000 1082 04000000000000000000000000000000 1083 AAD (1 bytes) = 01 1084 Key = 01000000000000000000000000000000 1085 00000000000000000000000000000000 1086 Nonce = 030000000000000000000000 1087 Record authentication key = b5d3c529dfafac43136d2d11be284d7f 1088 Record encryption key = b914f4742be9e1d7a2f84addbf96dec3 1089 456e3c6c05ecc157cdbf0700fedad222 1090 POLYVAL input = 01000000000000000000000000000000 1091 02000000000000000000000000000000 1092 03000000000000000000000000000000 1093 04000000000000000000000000000000 1094 08000000000000008001000000000000 1095 POLYVAL result = 2566a4aff9a525df9772c16d4eaf8d2a 1096 POLYVAL result XOR nonce = 2666a4aff9a525df9772c16d4eaf8d2a 1097 ... 
and masked = 2666a4aff9a525df9772c16d4eaf8d2a 1098 Tag = 03332742b228c647173616cfd44c54eb 1099 Initial counter = 03332742b228c647173616cfd44c54eb 1100 Result (64 bytes) = c67a1f0f567a5198aa1fcc8e3f213143 1101 36f7f51ca8b1af61feac35a86416fa47 1102 fbca3b5f749cdf564527f2314f42fe25 1103 03332742b228c647173616cfd44c54eb 1105 Plaintext (64 bytes) = 02000000000000000000000000000000 1106 03000000000000000000000000000000 1107 04000000000000000000000000000000 1108 05000000000000000000000000000000 1109 AAD (1 bytes) = 01 1110 Key = 01000000000000000000000000000000 1111 00000000000000000000000000000000 1112 Nonce = 030000000000000000000000 1113 Record authentication key = b5d3c529dfafac43136d2d11be284d7f 1114 Record encryption key = b914f4742be9e1d7a2f84addbf96dec3 1115 456e3c6c05ecc157cdbf0700fedad222 1116 POLYVAL input = 01000000000000000000000000000000 1117 02000000000000000000000000000000 1118 03000000000000000000000000000000 1119 04000000000000000000000000000000 1120 05000000000000000000000000000000 1121 08000000000000000002000000000000 1122 POLYVAL result = da58d2f61b0a9d343b2f37fb0c519733 1123 POLYVAL result XOR nonce = d958d2f61b0a9d343b2f37fb0c519733 1124 ... 
and masked = d958d2f61b0a9d343b2f37fb0c519733 1125 Tag = 5bde0285037c5de81e5b570a049b62a0 1126 Initial counter = 5bde0285037c5de81e5b570a049b62a0 1127 Result (80 bytes) = 67fd45e126bfb9a79930c43aad2d3696 1128 7d3f0e4d217c1e551f59727870beefc9 1129 8cb933a8fce9de887b1e40799988db1f 1130 c3f91880ed405b2dd298318858467c89 1131 5bde0285037c5de81e5b570a049b62a0 1133 Plaintext (4 bytes) = 02000000 1134 AAD (12 bytes) = 010000000000000000000000 1135 Key = 01000000000000000000000000000000 1136 00000000000000000000000000000000 1137 Nonce = 030000000000000000000000 1138 Record authentication key = b5d3c529dfafac43136d2d11be284d7f 1139 Record encryption key = b914f4742be9e1d7a2f84addbf96dec3 1140 456e3c6c05ecc157cdbf0700fedad222 1141 POLYVAL input = 01000000000000000000000000000000 1142 02000000000000000000000000000000 1143 60000000000000002000000000000000 1144 POLYVAL result = 6dc76ae84b88916e073a303aafde05cf 1145 POLYVAL result XOR nonce = 6ec76ae84b88916e073a303aafde05cf 1146 ... and masked = 6ec76ae84b88916e073a303aafde054f 1147 Tag = 1835e517741dfddccfa07fa4661b74cf 1148 Initial counter = 1835e517741dfddccfa07fa4661b74cf 1149 Result (20 bytes) = 22b3f4cd1835e517741dfddccfa07fa4 1150 661b74cf 1152 Plaintext (20 bytes) = 03000000000000000000000000000000 1153 04000000 1154 AAD (18 bytes) = 01000000000000000000000000000000 1155 0200 1156 Key = 01000000000000000000000000000000 1157 00000000000000000000000000000000 1158 Nonce = 030000000000000000000000 1159 Record authentication key = b5d3c529dfafac43136d2d11be284d7f 1160 Record encryption key = b914f4742be9e1d7a2f84addbf96dec3 1161 456e3c6c05ecc157cdbf0700fedad222 1162 POLYVAL input = 01000000000000000000000000000000 1163 02000000000000000000000000000000 1164 03000000000000000000000000000000 1165 04000000000000000000000000000000 1166 9000000000000000a000000000000000 1167 POLYVAL result = 973ef4fd04bd31d193816ab26f8655ca 1168 POLYVAL result XOR nonce = 943ef4fd04bd31d193816ab26f8655ca 1169 ... 
and masked = 943ef4fd04bd31d193816ab26f86554a 1170 Tag = b879ad976d8242acc188ab59cabfe307 1171 Initial counter = b879ad976d8242acc188ab59cabfe387 1172 Result (36 bytes) = 43dd0163cdb48f9fe3212bf61b201976 1173 067f342bb879ad976d8242acc188ab59 1174 cabfe307 1176 Plaintext (18 bytes) = 03000000000000000000000000000000 1177 0400 1178 AAD (20 bytes) = 01000000000000000000000000000000 1179 02000000 1180 Key = 01000000000000000000000000000000 1181 00000000000000000000000000000000 1182 Nonce = 030000000000000000000000 1183 Record authentication key = b5d3c529dfafac43136d2d11be284d7f 1184 Record encryption key = b914f4742be9e1d7a2f84addbf96dec3 1185 456e3c6c05ecc157cdbf0700fedad222 1186 POLYVAL input = 01000000000000000000000000000000 1187 02000000000000000000000000000000 1188 03000000000000000000000000000000 1189 04000000000000000000000000000000 1190 a0000000000000009000000000000000 1191 POLYVAL result = 2cbb6b7ab2dbffefb797f825f826870c 1192 POLYVAL result XOR nonce = 2fbb6b7ab2dbffefb797f825f826870c 1193 ... and masked = 2fbb6b7ab2dbffefb797f825f826870c 1194 Tag = cfcdf5042112aa29685c912fc2056543 1195 Initial counter = cfcdf5042112aa29685c912fc20565c3 1196 Result (34 bytes) = 462401724b5ce6588d5a54aae5375513 1197 a075cfcdf5042112aa29685c912fc205 1198 6543 1200 C.3. Counter wrap tests 1202 The tests in this section use AEAD_AES_256_GCM_SIV and are crafted to 1203 test correct wrapping of the block counter. 
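   The non-AES steps that every vector in this appendix exercises, as an added Python example that is not code from the draft or its authors: POLYVAL over GF(2^128) exactly as the draft defines it (polynomial x^128 + x^127 + x^126 + x^121 + 1, little-endian elements, dot(a, b) = a * b * x^-128), the "POLYVAL input" padding and length block, the nonce XOR and mask that produce the block fed to AES, and the counter-block sequence whose 32-bit wrap the C.3 vectors below check. AES itself is left out, so the "Tag" values are taken from the vectors rather than recomputed.

```python
# Added example (not code from the draft or its authors): POLYVAL as defined in
# draft-irtf-cfrg-gcmsiv, plus the steps around it shown in the test vectors.
from typing import Iterable, List

# Field GF(2^128) defined by x^128 + x^127 + x^126 + x^121 + 1.  Elements are
# 16-byte little-endian strings: bit i of the integer is the coefficient of x^i.
POLY = (1 << 128) | (1 << 127) | (1 << 126) | (1 << 121) | 1
MASK128 = (1 << 128) - 1


def _clmul(a: int, b: int) -> int:
    """Carry-less product of two 128-bit polynomials (unreduced, up to 255 bits)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def _div_x(v: int) -> int:
    """Multiply a reduced element by x^-1: adding POLY clears bit 0, then divide by x."""
    if v & 1:
        v ^= POLY
    return v >> 1


def dot(a: int, b: int) -> int:
    """dot(a, b) = a * b * x^-128, the field operation POLYVAL is built on."""
    z = _clmul(a, b)
    hi, lo = z >> 128, z & MASK128      # z = hi * x^128 + lo
    for _ in range(128):                # lo * x^-128, reduced at every step
        lo = _div_x(lo)
    return hi ^ lo                      # (hi * x^128) * x^-128 = hi


def polyval(h: bytes, blocks: Iterable[bytes]) -> bytes:
    """POLYVAL(H, X_1..X_s): S_0 = 0, S_j = dot(S_{j-1} xor X_j, H); returns S_s."""
    hh = int.from_bytes(h, "little")
    s = 0
    for x in blocks:
        if len(x) != 16:
            raise ValueError("POLYVAL blocks must be 16 bytes")
        s = dot(s ^ int.from_bytes(x, "little"), hh)
    return s.to_bytes(16, "little")


def polyval_input(aad: bytes, plaintext: bytes) -> List[bytes]:
    """The "POLYVAL input" blocks: zero-padded AAD, zero-padded plaintext, then a
    length block with the AAD and plaintext bit lengths as 64-bit little-endian."""
    def padded(data: bytes) -> List[bytes]:
        data += b"\x00" * (-len(data) % 16)
        return [data[i:i + 16] for i in range(0, len(data), 16)]
    length_block = (len(aad) * 8).to_bytes(8, "little") + \
        (len(plaintext) * 8).to_bytes(8, "little")
    return padded(aad) + padded(plaintext) + [length_block]


def tag_input(polyval_result: bytes, nonce: bytes) -> bytes:
    """"POLYVAL result XOR nonce ... and masked": XOR the 12-byte nonce into the
    first 12 bytes, then clear the top bit of the last byte (AES of this is the tag)."""
    s = bytearray(polyval_result)
    for i in range(12):
        s[i] ^= nonce[i]
    s[15] &= 0x7F
    return bytes(s)


def counter_blocks(tag: bytes, n: int) -> List[bytes]:
    """First n counter blocks: "Initial counter" is the tag with the top bit of its
    last byte set; the first 4 bytes count up as a 32-bit little-endian integer
    that wraps modulo 2^32, which is what the ffffffff... vectors in C.3 exercise."""
    first = bytearray(tag)
    first[15] |= 0x80
    ctr = int.from_bytes(first[:4], "little")
    tail = bytes(first[4:])
    return [((ctr + i) & 0xFFFFFFFF).to_bytes(4, "little") + tail for i in range(n)]


if __name__ == "__main__":
    # Values from the AEAD_AES_128_GCM_SIV vector with a 16-byte plaintext above.
    h = bytes.fromhex("d9b360279694941ac5dbc6987ada7377")
    nonce = bytes.fromhex("030000000000000000000000")
    s = polyval(h, polyval_input(b"", bytes.fromhex("01" + "00" * 15)))
    print("POLYVAL result  ", s.hex())                 # 20806c26e3c1de019e111255708031d6
    print("... and masked  ", tag_input(s, nonce).hex())
    # The C.3 wrap case: the second counter block rolls ffffffff over to 00000000.
    for blk in counter_blocks(bytes.fromhex("ffffffff" + "00" * 12), 2):
        print("counter block   ", blk.hex())
```

   As a sanity check independent of the vectors, dot(1, 1) must equal the field element x^-128 = x^127 + x^124 + x^121 + x^114 + 1 that the draft gives for checking implementations.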

   Plaintext (32 bytes) =          00000000000000000000000000000000
                                   4db923dc793ee6497c76dcc03a98e108
   AAD (0 bytes) =
   Key =                           00000000000000000000000000000000
                                   00000000000000000000000000000000
   Nonce =                         000000000000000000000000
   Record authentication key =     dc95c078a24089895275f3d86b4fb868
   Record encryption key =         779b38d15bffb63d39d6e9ae76a9b2f3
                                   75d11b0e3a68c422845c7d4690fa594f
   POLYVAL input =                 00000000000000000000000000000000
                                   4db923dc793ee6497c76dcc03a98e108
                                   00000000000000000001000000000000
   POLYVAL result =                7367cdb411b730128dd56e8edc0eff56
   POLYVAL result XOR nonce =      7367cdb411b730128dd56e8edc0eff56
   ... and masked =                7367cdb411b730128dd56e8edc0eff56
   Tag =                           ffffffff000000000000000000000000
   Initial counter =               ffffffff000000000000000000000080
   Result (48 bytes) =             f3f80f2cf0cb2dd9c5984fcda908456c
                                   c537703b5ba70324a6793a7bf218d3ea
                                   ffffffff000000000000000000000000

   Plaintext (24 bytes) =          eb3640277c7ffd1303c7a542d02d3e4c
                                   0000000000000000
   AAD (0 bytes) =
   Key =                           00000000000000000000000000000000
                                   00000000000000000000000000000000
   Nonce =                         000000000000000000000000
   Record authentication key =     dc95c078a24089895275f3d86b4fb868
   Record encryption key =         779b38d15bffb63d39d6e9ae76a9b2f3
                                   75d11b0e3a68c422845c7d4690fa594f
   POLYVAL input =                 eb3640277c7ffd1303c7a542d02d3e4c
                                   00000000000000000000000000000000
                                   0000000000000000c000000000000000
   POLYVAL result =                7367cdb411b730128dd56e8edc0eff56
   POLYVAL result XOR nonce =      7367cdb411b730128dd56e8edc0eff56
   ... and masked =                7367cdb411b730128dd56e8edc0eff56
   Tag =                           ffffffff000000000000000000000000
   Initial counter =               ffffffff000000000000000000000080
   Result (40 bytes) =             18ce4f0b8cb4d0cac65fea8f79257b20
                                   888e53e72299e56dffffffff00000000
                                   0000000000000000

Authors' Addresses

   Shay Gueron
   University of Haifa and Amazon Web Services
   Abba Khoushy Ave 199
   Haifa 3498838
   Israel

   Email: shay@math.haifa.ac.il

   Adam Langley
   Google
   345 Spear St
   San Francisco, CA 94105
   US

   Email: agl@google.com

   Yehuda Lindell
   Bar Ilan University
   Ramat Gan
   5290002
   Israel

   Email: Yehuda.Lindell@biu.ac.il