summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc8452.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc8452.txt')
-rw-r--r--doc/rfc/rfc8452.txt2355
1 files changed, 2355 insertions, 0 deletions
diff --git a/doc/rfc/rfc8452.txt b/doc/rfc/rfc8452.txt
new file mode 100644
index 0000000..694817f
--- /dev/null
+++ b/doc/rfc/rfc8452.txt
@@ -0,0 +1,2355 @@
+
+
+
+
+
+
+Internet Research Task Force (IRTF) S. Gueron
+Request for Comments: 8452 University of Haifa and Amazon
+Category: Informational A. Langley
+ISSN: 2070-1721 Google LLC
+ Y. Lindell
+ Bar-Ilan University and Unbound Tech
+ April 2019
+
+
+ AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption
+
+Abstract
+
+ This memo specifies two authenticated encryption algorithms that are
+ nonce misuse resistant -- that is, they do not fail catastrophically
+ if a nonce is repeated.
+
+ This document is the product of the Crypto Forum Research Group.
+
+Status of This Memo
+
+ This document is not an Internet Standards Track specification; it is
+ published for informational purposes.
+
+ This document is a product of the Internet Research Task Force
+ (IRTF). The IRTF publishes the results of Internet-related research
+ and development activities. These results might not be suitable for
+ deployment. This RFC represents the consensus of the Crypto Forum
+ Research Group of the Internet Research Task Force (IRTF). Documents
+ approved for publication by the IRSG are not candidates for any level
+ of Internet Standard; see Section 2 of RFC 7841.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ https://www.rfc-editor.org/info/rfc8452.
+
+Copyright Notice
+
+ Copyright (c) 2019 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document.
+
+
+
+
+Gueron, et al. Informational [Page 1]
+
+RFC 8452 AES-GCM-SIV April 2019
+
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
+ 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3
+ 3. POLYVAL . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 4. Encryption . . . . . . . . . . . . . . . . . . . . . . . . . 4
+ 5. Decryption . . . . . . . . . . . . . . . . . . . . . . . . . 7
+ 6. AEADs . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
+ 7. Field Operation Examples . . . . . . . . . . . . . . . . . . 10
+ 8. Worked Example . . . . . . . . . . . . . . . . . . . . . . . 10
+ 9. Security Considerations . . . . . . . . . . . . . . . . . . . 11
+ 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14
+ 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 14
+ 11.1. Normative References . . . . . . . . . . . . . . . . . . 14
+ 11.2. Informative References . . . . . . . . . . . . . . . . . 15
+ Appendix A. The Relationship between POLYVAL and GHASH . . . . . 17
+ Appendix B. Additional Comparisons with AES-GCM . . . . . . . . 19
+ Appendix C. Test Vectors . . . . . . . . . . . . . . . . . . . . 20
+ C.1. AEAD_AES_128_GCM_SIV . . . . . . . . . . . . . . . . . . 20
+ C.2. AEAD_AES_256_GCM_SIV . . . . . . . . . . . . . . . . . . 30
+ C.3. Counter Wrap Tests . . . . . . . . . . . . . . . . . . . 41
+ Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 42
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 42
+
+1. Introduction
+
+ The concept of Authenticated Encryption with Additional Data (AEAD)
+ [RFC5116] couples confidentiality and integrity in a single
+ operation, avoiding the risks of the previously common practice of
+ using ad hoc constructions of block-cipher and hash primitives. The
+ most popular AEAD, AES-GCM [GCM], is seeing widespread use due to its
+ attractive performance.
+
+ However, some AEADs (including AES-GCM) suffer catastrophic failures
+ of confidentiality and/or integrity when two distinct messages are
+ encrypted with the same key and nonce. While the requirements for
+ AEADs specify that the pair of (key, nonce) shall only ever be used
+ once, and thus prohibit this, this is a worry in practice.
+
+ Nonce misuse-resistant AEADs do not suffer from this problem. For
+ this class of AEADs, encrypting two messages with the same nonce only
+ discloses whether the messages were equal or not. This is the
+ minimum amount of information that a deterministic algorithm can leak
+ in this situation.
+
+ This memo specifies two nonce misuse-resistant AEADs:
+ AEAD_AES_128_GCM_SIV and AEAD_AES_256_GCM_SIV. These AEADs are
+ designed to be able to take advantage of existing hardware support
+
+
+
+Gueron, et al. Informational [Page 2]
+
+RFC 8452 AES-GCM-SIV April 2019
+
+
+ for AES-GCM and can decrypt within 5% of the speed of AES-GCM (for
+ multikilobyte messages). Encryption is, perforce, slower than
+ AES-GCM, because two passes are required in order to achieve that
+ nonce misuse-resistance property. However, measurements suggest that
+ it can still run at two-thirds of the speed of AES-GCM.
+
+ We suggest that these AEADs be considered in any situation where
+ nonce uniqueness cannot be guaranteed. This includes situations
+ where there is no stateful counter or where such state cannot be
+ guaranteed, as when multiple encryptors use the same key. As
+ discussed in Section 9, it is RECOMMENDED to use this scheme with
+ randomly chosen nonces.
+
+ This document represents the consensus of the Crypto Forum Research
+ Group (CFRG).
+
+2. Requirements Language
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
+ "OPTIONAL" in this document are to be interpreted as described in
+ BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
+ capitals, as shown here.
+
+3. POLYVAL
+
+ The GCM-SIV construction is similar to GCM: the block cipher is used
+ in counter mode to encrypt the plaintext, and a polynomial
+ authenticator is used to provide integrity. The authenticator in
+ GCM-SIV is called POLYVAL.
+
+ POLYVAL, like GHASH (the authenticator in AES-GCM; see [GCM],
+ Section 6.4), operates in a binary field of size 2^128. The field is
+ defined by the irreducible polynomial x^128 + x^127 + x^126 + x^121 +
+ 1. The sum of any two elements in the field is the result of XORing
+ them. The product of any two elements is calculated using standard
+ (binary) polynomial multiplication followed by reduction modulo the
+ irreducible polynomial.
+
+ We define another binary operation on elements of the field:
+ dot(a, b), where dot(a, b) = a * b * x^-128. The value of the field
+ element x^-128 is equal to x^127 + x^124 + x^121 + x^114 + 1. The
+ result of this multiplication, dot(a, b), is another field element.
+
+
+
+
+
+
+
+
+Gueron, et al. Informational [Page 3]
+
+RFC 8452 AES-GCM-SIV April 2019
+
+
+ Polynomials in this field are converted to and from 128-bit strings
+ by taking the least significant bit of the first byte to be the
+ coefficient of x^0, the most significant bit of the first byte to be
+ the coefficient of x^7, and so on, until the most significant bit of
+ the last byte is the coefficient of x^127.
+
+ POLYVAL takes a field element, H, and a series of field elements
+ X_1, ..., X_s. Its result is S_s, where S is defined by the
+ iteration S_0 = 0; S_j = dot(S_{j-1} + X_j, H), for j = 1..s.
+
+ We note that POLYVAL(H, X_1, X_2, ...) is equal to
+ ByteReverse(GHASH(ByteReverse(H) * x, ByteReverse(X_1),
+ ByteReverse(X_2), ...)), where ByteReverse is a function that
+ reverses the order of 16 bytes. See Appendix A for a more detailed
+ explanation.
+
+4. Encryption
+
+ AES-GCM-SIV encryption takes a 16- or 32-byte key-generating key, a
+ 96-bit nonce, and plaintext and additional data byte strings of
+ variable length. It outputs an authenticated ciphertext that will be
+ 16 bytes longer than the plaintext. Both encryption and decryption
+ are only defined on inputs that are a whole number of bytes.
+
+ If the key-generating key is 16 bytes long, then AES-128 is used
+ throughout. Otherwise, AES-256 is used throughout.
+
+ The first step of encryption is to generate per-nonce, message-
+ authentication and message-encryption keys. The message-
+ authentication key is 128 bit, and the message-encryption key is
+ either 128 (for AES-128) or 256 bit (for AES-256).
+
+ These keys are generated by encrypting a series of plaintext blocks
+ that contain a 32-bit, little-endian counter followed by the nonce,
+ and then discarding the second half of the resulting ciphertext. In
+ the AES-128 case, 128 + 128 = 256 bits of key material need to be
+ generated, and, since encrypting each block yields 64 bits after
+ discarding half, four blocks need to be encrypted. The counter
+ values for these blocks are 0, 1, 2, and 3. For AES-256, six blocks
+ are needed in total, with counter values 0 through 5 (inclusive).
+
+
+
+
+
+
+
+
+
+
+
+Gueron, et al. Informational [Page 4]
+
+RFC 8452 AES-GCM-SIV April 2019
+
+
+ In pseudocode form, where "++" indicates concatenation and "x[:8]"
+ indicates taking only the first eight bytes from x:
+
+ func derive_keys(key_generating_key, nonce) {
+ message_authentication_key =
+ AES(key = key_generating_key,
+ block = little_endian_uint32(0) ++ nonce)[:8] ++
+ AES(key = key_generating_key,
+ block = little_endian_uint32(1) ++ nonce)[:8]
+ message_encryption_key =
+ AES(key = key_generating_key,
+ block = little_endian_uint32(2) ++ nonce)[:8] ++
+ AES(key = key_generating_key,
+ block = little_endian_uint32(3) ++ nonce)[:8]
+
+ if bytelen(key_generating_key) == 32 {
+ message_encryption_key ++=
+ AES(key = key_generating_key,
+ block = little_endian_uint32(4) ++ nonce)[:8] ++
+ AES(key = key_generating_key,
+ block = little_endian_uint32(5) ++ nonce)[:8]
+ }
+
+ return message_authentication_key, message_encryption_key
+ }
+
+ Define the "length block" as a 16-byte value that is the
+ concatenation of the 64-bit, little-endian encodings of
+ bytelen(additional_data) * 8 and bytelen(plaintext) * 8. Pad the
+ plaintext and additional data with zeros until they are each a
+ multiple of 16 bytes, the AES block size. Then X_1, X_2, ... (the
+ series of field elements that are inputs to POLYVAL) are the
+ concatenation of the padded additional data, the padded plaintext,
+ and the length block.
+
+ Calculate S_s = POLYVAL(message-authentication-key, X_1, X_2, ...).
+ XOR the first twelve bytes of S_s with the nonce and clear the most
+ significant bit of the last byte. Encrypt the result with AES using
+ the message-encryption key to produce the tag.
+
+ (It's worth highlighting a contrast with AES-GCM here: AES-GCM
+ authenticates the encoded additional data and ciphertext, while
+ AES-GCM-SIV authenticates the encoded additional data and plaintext.)
+
+ The encrypted plaintext is produced by using AES, with the message-
+ encryption key, in counter mode (see [SP800-38A], Section 6.5) on the
+ unpadded plaintext. The initial counter block is the tag with the
+ most significant bit of the last byte set to one. The counter
+
+
+
+Gueron, et al. Informational [Page 5]
+
+RFC 8452 AES-GCM-SIV April 2019
+
+
+ advances by incrementing the first 32 bits interpreted as an
+ unsigned, little-endian integer, wrapping at 2^32. The result of the
+ encryption is the encrypted plaintext (truncated to the length of the
+ plaintext), followed by the tag.
+
+ In pseudocode form, the encryption process can be expressed as:
+
+ func right_pad_to_multiple_of_16_bytes(input) {
+ while (bytelen(input) % 16 != 0) {
+ input = input ++ "\x00"
+ }
+ return input
+ }
+
+ func AES_CTR(key, initial_counter_block, in) {
+ block = initial_counter_block
+
+ output = ""
+ while bytelen(in) > 0 {
+ keystream_block = AES(key = key, block = block)
+ block[0:4] = little_endian_uint32(
+ read_little_endian_uint32(block[0:4]) + 1)
+
+ todo = min(bytelen(in), bytelen(keystream_block)
+ for j = 0; j < todo; j++ {
+ output = output ++ (keystream_block[j] ^ in[j])
+ }
+
+ in = in[todo:]
+ }
+
+ return output
+ }
+
+ func encrypt(key_generating_key,
+ nonce,
+ plaintext,
+ additional_data) {
+ if bytelen(plaintext) > 2^36 {
+ fail()
+ }
+ if bytelen(additional_data) > 2^36 {
+ fail()
+ }
+
+ message_encryption_key, message_authentication_key =
+ derive_keys(key_generating_key, nonce)
+
+
+
+
+Gueron, et al. Informational [Page 6]
+
+RFC 8452 AES-GCM-SIV April 2019
+
+
+ length_block =
+ little_endian_uint64(bytelen(additional_data) * 8) ++
+ little_endian_uint64(bytelen(plaintext) * 8)
+ padded_plaintext = right_pad_to_multiple_of_16_bytes(plaintext)
+ padded_ad = right_pad_to_multiple_of_16_bytes(additional_data)
+ S_s = POLYVAL(key = message_authentication_key,
+ input = padded_ad ++ padded_plaintext ++
+ length_block)
+ for i = 0; i < 12; i++ {
+ S_s[i] ^= nonce[i]
+ }
+ S_s[15] &= 0x7f
+ tag = AES(key = message_encryption_key, block = S_s)
+
+ counter_block = tag
+ counter_block[15] |= 0x80
+ return AES_CTR(key = message_encryption_key,
+ initial_counter_block = counter_block,
+ in = plaintext) ++
+ tag
+ }
+
+5. Decryption
+
+ Decryption takes a 16- or 32-byte key-generating key, a 96-bit nonce,
+ and ciphertext and additional data byte strings of variable length.
+ It either fails or outputs a plaintext that is 16 bytes shorter than
+ the ciphertext.
+
+ To decrypt an AES-GCM-SIV ciphertext, first derive the message-
+ encryption and message-authentication keys in the same manner as when
+ encrypting.
+
+ If the ciphertext is less than 16 bytes or more than 2^36 + 16 bytes,
+ then fail. Otherwise, split the input into the encrypted plaintext
+ and a 16-byte tag. Decrypt the encrypted plaintext with the message-
+ encryption key in counter mode, where the initial counter block is
+ the tag with the most significant bit of the last byte set to one.
+ Advance the counter for each block in the same way as when
+ encrypting. At this point, the plaintext is unauthenticated and MUST
+ NOT be output until the following tag confirmation is complete:
+
+ Pad the additional data and plaintext with zeros until they are each
+ a multiple of 16 bytes, the AES block size. Calculate the length
+ block and X_1, X_2, ... as above and compute
+ S_s = POLYVAL(message-authentication-key, X_1, X_2, ...)
+
+
+
+
+
+Gueron, et al. Informational [Page 7]
+
+RFC 8452 AES-GCM-SIV April 2019
+
+
+ Compute the expected tag by XORing S_s and the nonce, clearing the
+ most significant bit of the last byte and encrypting with the
+ message-encryption key. Compare the provided and expected tag values
+ in constant time. Fail the decryption if they do not match (and do
+ not release the plaintext); otherwise, return the plaintext.
+
+ In pseudocode form, the decryption process can be expressed as:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gueron, et al. Informational [Page 8]
+
+RFC 8452 AES-GCM-SIV April 2019
+
+
+ func decrypt(key_generating_key,
+ nonce,
+ ciphertext,
+ additional_data) {
+ if bytelen(ciphertext) < 16 || bytelen(ciphertext) > 2^36 + 16 {
+ fail()
+ }
+ if bytelen(additional_data) > 2^36 {
+ fail()
+ }
+
+ message_encryption_key, message_authentication_key =
+ derive_keys(key_generating_key, nonce)
+
+ tag = ciphertext[bytelen(ciphertext)-16:]
+
+ counter_block = tag
+ counter_block[15] |= 0x80
+ plaintext = AES_CTR(key = message_encryption_key,
+ initial_counter_block = counter_block,
+ in = ciphertext[:bytelen(ciphertext)-16])
+
+ length_block =
+ little_endian_uint64(bytelen(additional_data) * 8) ++
+ little_endian_uint64(bytelen(plaintext) * 8)
+ padded_plaintext = right_pad_to_multiple_of_16_bytes(plaintext)
+ padded_ad = right_pad_to_multiple_of_16_bytes(additional_data)
+ S_s = POLYVAL(key = message_authentication_key,
+ input = padded_ad ++ padded_plaintext ++
+ length_block)
+ for i = 0; i < 12; i++ {
+ S_s[i] ^= nonce[i]
+ }
+ S_s[15] &= 0x7f
+ expected_tag = AES(key = message_encryption_key, block = S_s)
+
+ xor_sum = 0
+ for i := 0; i < bytelen(expected_tag); i++ {
+ xor_sum |= expected_tag[i] ^ tag[i]
+ }
+
+ if xor_sum != 0 {
+ fail()
+ }
+
+ return plaintext
+ }
+
+
+
+
+Gueron, et al. Informational [Page 9]
+
+RFC 8452 AES-GCM-SIV April 2019
+
+
+6. AEADs
+
+ We define two AEADs, in the format of RFC 5116, that use AES-GCM-SIV:
+ AEAD_AES_128_GCM_SIV and AEAD_AES_256_GCM_SIV. They differ only in
+ the size of the AES key used.
+
+ The key input to these AEADs becomes the key-generating key. Thus,
+ AEAD_AES_128_GCM_SIV takes a 16-byte key and AEAD_AES_256_GCM_SIV
+ takes a 32-byte key.
+
+ The parameters for AEAD_AES_128_GCM_SIV are then as follows:
+ K_LEN is 16, P_MAX is 2^36, A_MAX is 2^36, N_MIN and N_MAX are 12,
+ and C_MAX is 2^36 + 16.
+
+ The parameters for AEAD_AES_256_GCM_SIV differ only in the key size:
+ K_LEN is 32, P_MAX is 2^36, A_MAX is 2^36, N_MIN and N_MAX are 12,
+ and C_MAX is 2^36 + 16.
+
+7. Field Operation Examples
+
+ Polynomials in this document will be written as 16-byte values. For
+ example, the sixteen bytes 01000000000000000000000000000492 would
+ represent the polynomial x^127 + x^124 + x^121 + x^114 + 1, which is
+ also the value of x^-128 in this field.
+
+ If a = 66e94bd4ef8a2c3b884cfa59ca342b2e and
+ b = ff000000000000000000000000000000,
+ then a + b = 99e94bd4ef8a2c3b884cfa59ca342b2e,
+ a * b = 37856175e9dc9df26ebc6d6171aa0ae9, and
+ dot(a, b) = ebe563401e7e91ea3ad6426b8140c394.
+
+8. Worked Example
+
+ Consider the encryption of the plaintext "Hello world" with the
+ additional data "example" under key ee8e1ed9ff2540ae8f2ba9f50bc2f27c
+ using AEAD_AES_128_GCM_SIV. The random nonce that we'll use for this
+ example is 752abad3e0afb5f434dc4310.
+
+ In order to generate the message-authentication and message-
+ encryption keys, a counter is combined with the nonce to form four
+ blocks. These blocks are encrypted with the key given above:
+
+ Counter | Nonce Ciphertext
+ 00000000752abad3e0afb5f434dc4310 -> 310728d9911f1f38c40e952ca83d093e
+ 01000000752abad3e0afb5f434dc4310 -> 37b24316c3fab9a046ae90952daa0450
+ 02000000752abad3e0afb5f434dc4310 -> a4c5ae624996327947920b2d2412474b
+ 03000000752abad3e0afb5f434dc4310 -> c100be4d7e2c6edd1efef004305ab1e7
+
+
+
+
+Gueron, et al. Informational [Page 10]
+
+RFC 8452 AES-GCM-SIV April 2019
+
+
+ The latter halves of the ciphertext blocks are discarded and the
+ remaining bytes are concatenated to form the per-message keys. Thus,
+ the message-authentication key is 310728d9911f1f3837b24316c3fab9a0,
+ and the message-encryption key is a4c5ae6249963279c100be4d7e2c6edd.
+
+ The length block contains the encoding of the bit lengths of the
+ additional data and plaintext, respectively. The string "example" is
+ seven characters, thus 56 bits (or 0x38 in hex). The string "Hello
+ world" is 11 characters, or 88 = 0x58 bits. Thus, the length block
+ is 38000000000000005800000000000000.
+
+ The input to POLYVAL is the padded additional data, padded plaintext,
+ and then the length block. This is 6578616d706c650000000000000000004
+ 8656c6c6f20776f726c64000000000038000000000000005800000000000000,
+ based on the ASCII encoding of "example" (6578616d706c65) and "Hello
+ world" (48656c6c6f20776f726c64).
+
+ Calling POLYVAL with the message-authentication key and the input
+ above results in S_s = ad7fcf0b5169851662672f3c5f95138f.
+
+ Before encrypting, the nonce is XORed in and the most significant bit
+ of the last byte is cleared. This gives
+ d85575d8b1c630e256bb6c2c5f95130f, because that bit happened to be one
+ previously. Encrypting with the message-encryption key (using
+ AES-128) gives the tag, which is 4fbcdeb7e4793f4a1d7e4faa70100af1.
+
+ In order to form the initial counter block, the most significant bit
+ of the last byte of the tag is set to one. That doesn't result in a
+ change in this example. Encrypting this with the message key (using
+ AES-128) gives the first block of the keystream:
+ 1551f2c1787e81deac9a99f139540ab5.
+
+ The final ciphertext is the result of XORing the plaintext with the
+ keystream and appending the tag. That gives
+ 5d349ead175ef6b1def6fd4fbcdeb7e4793f4a1d7e4faa70100af1.
+
+9. Security Considerations
+
+ AES-GCM-SIV decryption involves first producing an unauthenticated
+ plaintext. This plaintext is vulnerable to manipulation by an
+ attacker; thus, if an implementation released some or all of the
+ plaintext before authenticating it, other parts of a system may
+ process malicious data as if it were authentic. AES-GCM might be
+ less likely to lead implementations to do this because there the
+ ciphertext is generally authenticated before, or concurrently with,
+ the plaintext calculation. Therefore, this text requires that
+ implementations MUST NOT release unauthenticated plaintext. Thus,
+ system designers should consider memory limitations when picking the
+
+
+
+Gueron, et al. Informational [Page 11]
+
+RFC 8452 AES-GCM-SIV April 2019
+
+
+ size of AES-GCM-SIV plaintexts: large plaintexts may not fit in the
+ available memory of some machines, tempting implementations to
+ release unverified plaintext.
+
+ A detailed cryptographic analysis of AES-GCM-SIV appears in
+ [AES-GCM-SIV], and the remainder of this section is a summary of that
+ paper.
+
+ The AEADs defined in this document calculate fresh AES keys for each
+ nonce. This allows a larger number of plaintexts to be encrypted
+ under a given key. Without this step, AES-GCM-SIV encryption would
+ be limited by the birthday bound like other standard modes (e.g.,
+ AES-GCM, AES-CCM [RFC3610], and AES-SIV [RFC5297]). This means that
+ when 2^64 blocks have been encrypted overall, a distinguishing
+ adversary who is trying to break the confidentiality of the scheme
+ has an advantage of 1/2. Thus, in order to limit the adversary's
+ advantage to 2^-32, at most 2^48 blocks can be encrypted overall. In
+ contrast, by deriving fresh keys from each nonce, it is possible to
+ encrypt a far larger number of messages and blocks with AES-GCM-SIV.
+
+ We stress that nonce misuse-resistant schemes guarantee that if a
+ nonce repeats, then the only security loss is that identical
+ plaintexts will produce identical ciphertexts. Since this can also
+ be a concern (as the fact that the same plaintext has been encrypted
+ twice is revealed), we do not recommend using a fixed nonce as a
+ policy. In addition, as we show below, better-than-birthday bounds
+ are achieved by AES-GCM-SIV when the nonce repetition rate is low.
+ Finally, as shown in [BHT18], there is a great security benefit in
+ the multiuser/multikey setting when each particular nonce is reused
+ by a small number of users only. We stress that the nonce misuse-
+ resistance property is not intended to be coupled with intentional
+ nonce reuse; rather, such schemes provide the best possible security
+ in the event of nonce reuse. Due to all of the above, it is
+ RECOMMENDED that AES-GCM-SIV nonces be randomly generated.
+
+ Some example usage bounds for AES-GCM-SIV are given below. The
+ adversary's advantage is the "AdvEnc" from [key-derive] and is
+ colloquially the ability of an attacker to distinguish ciphertexts
+ from random bit strings. The bounds below limit this advantage to
+ 2^-32. For up to 256 uses of the same nonce and key (i.e., where one
+ can assume that nonce misuse is no more than this bound), the
+ following message limits should be respected (this assumes a short
+ additional authenticated data (AAD), i.e., less than 64 bytes):
+
+ 2^29 messages, where each plaintext is at most 1 GiB
+
+ 2^35 messages, where each plaintext is at most 128 MiB
+
+
+
+
+Gueron, et al. Informational [Page 12]
+
+RFC 8452 AES-GCM-SIV April 2019
+
+
+ 2^49 messages, where each plaintext is at most 1 MiB
+
+ 2^61 messages, where each plaintext is at most 16 KiB
+
+ Suzuki et al. [multi-birthday] show that even if nonces are selected
+ uniformly at random, the probability that one or more values would be
+ repeated 256 or more times is negligible until the number of nonces
+ reaches 2^102. (Specifically, the probability is 1/((2^96)^(255)) *
+ Binomial(q, 256), where q is the number of nonces.) Since 2^102 is
+ vastly greater than the limit on the number of plaintexts per key
+ given above, we don't feel that this limit on the number of repeated
+ nonces will be a problem. This also means that selecting nonces at
+ random is a safe practice with AES-GCM-SIV. The bounds obtained for
+ random nonces are as follows (as above, for these bounds, the
+ adversary's advantage is at most 2^-32):
+
+ 2^32 messages, where each plaintext is at most 8 GiB
+
+ 2^48 messages, where each plaintext is at most 32 MiB
+
+ 2^64 messages, where each plaintext is at most 128 KiB
+
+ For situations where, for some reason, an even higher number of nonce
+ repeats is possible (e.g., in devices with very poor randomness), the
+ message limits need to be reconsidered. Theorem 7 in [AES-GCM-SIV]
+ contains more details, but for up to 1,024 repeats of each nonce, the
+ limits would be (again assuming a short AAD, i.e., less than 64
+ bytes):
+
+ 2^25 messages, where each plaintext is at most 1 GiB
+
+ 2^31 messages, where each plaintext is at most 128 MiB
+
+ 2^45 messages, where each plaintext is at most 1 MiB
+
+ 2^57 messages, where each plaintext is at most 16 KiB
+
+ In addition to calculating fresh AES keys for each nonce, these AEADs
+ also calculate fresh POLYVAL keys. Previous versions of GCM-SIV did
+ not do this and instead used part of the AEAD's key as the POLYVAL
+ key. Bleichenbacher pointed out [Bleichenbacher16] that this allowed
+ an attacker who controlled the AEAD key to force the POLYVAL key to
+ be zero. If a user of this AEAD authenticated messages with a secret
+ additional-data value, then this would be insecure as the attacker
+ could calculate a valid authenticator without knowing the input.
+ This does not violate the standard properties of an AEAD as the
+
+
+
+
+
+Gueron, et al. Informational [Page 13]
+
+RFC 8452 AES-GCM-SIV April 2019
+
+
+ additional data is not assumed to be confidential. However, we want
+ these AEADs to be robust against plausible misuse and also to be
+ drop-in replacements for AES-GCM and so derive nonce-specific POLYVAL
+ keys to avoid this issue.
+
+ We also wish to note that the probability of successful forgery
+ increases with the number of attempts that an attacker is permitted.
+ The advantage defined in [key-derive] and used above is specified in
+ terms of the ability of an attacker to distinguish ciphertexts from
+ random bit strings. It thus covers both confidentiality and
+ integrity, and Theorem 6.2 in [key-derive] shows that the advantage
+ increases with the number of decryption attempts, although much more
+ slowly than with the number of encryptions; the dependence on the
+ number of decryption queries for forgery is actually only linear, not
+ quadratic. The latter is an artifact of the bound in the paper not
+ being tight. If an attacker is permitted extremely large numbers of
+ attempts, then the tiny probability that any given attempt succeeds
+ may sum to a non-trivial chance.
+
+ A security analysis of a similar scheme without nonce-based key
+ derivation appears in [GCM-SIV], and a full analysis of the bounds
+ when applying nonce-based key derivation appears in [key-derive]. A
+ larger table of bounds and other information appears at
+ [aes-gcm-siv-homepage].
+
+ The multiuser/multikey security of AES-GCM-SIV was studied by
+ [BHT18], which showed that security is almost the same as in the
+ single-user setting, as long as nonces do not repeat many times
+ across many users. This is the case when nonces are chosen randomly.
+
+10. IANA Considerations
+
+ IANA has added two entries to the "AEAD Algorithms" registry:
+ AEAD_AES_128_GCM_SIV (Numeric ID 30) and AEAD_AES_256_GCM_SIV
+ (Numeric ID 31), both referencing this document as their
+ specification.
+
+11. References
+
+11.1. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119,
+ DOI 10.17487/RFC2119, March 1997,
+ <https://www.rfc-editor.org/info/rfc2119>.
+
+
+
+
+
+
+Gueron, et al. Informational [Page 14]
+
+RFC 8452 AES-GCM-SIV April 2019
+
+
+ [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
+ 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
+ May 2017, <https://www.rfc-editor.org/info/rfc8174>.
+
+ [SP800-38A]
+ Dworkin, M., "Recommendation for Block Cipher Modes of
+ Operation: Methods and Techniques", NIST SP 800-38A,
+ DOI 10.6028/NIST.SP.800-38A, December 2001,
+ <https://csrc.nist.gov/publications/detail/sp/800-38a/
+ final>.
+
+11.2. Informative References
+
+ [AES-GCM-SIV]
+ Gueron, S., Langley, A., and Y. Lindell, "AES-GCM-SIV:
+ Specification and Analysis", July 2017,
+ <https://eprint.iacr.org/2017/168>.
+
+ [aes-gcm-siv-homepage]
+ Gueron, S., Langley, A., and Y. Lindell, "Webpage for the
+ AES-GCM-SIV Mode of Operation",
+ <https://cyber.biu.ac.il/aes-gcm-siv/>.
+
+ [BHT18] Bose, P., Hoang, V., and S. Tessaro, "Revisiting AES-GCM-
+ SIV: Multi-user Security, Faster Key Derivation, and
+ Better Bounds", Advances in Cryptology - EUROCRYPT 2018,
+ DOI 10.1007/978-3-319-78381-9_18, May 2018,
+ <https://eprint.iacr.org/2018/136.pdf>.
+
+ [Bleichenbacher16]
+ Bleichenbacher, D., "Subject: AES-GCM-SIV security of the
+ additional data", message to the cfrg mailing list, 24
+ June 2016, <https://mailarchive.ietf.org/arch/msg/cfrg/
+ qgh-Yxmj7CC7cq2YZLpmfGA3x-o>.
+
+ [GCM] Dworkin, M., "Recommendation for Block Cipher Modes of
+ Operation: Galois/Counter Mode (GCM) and GMAC", NIST
+ SP 800-38D, DOI 10.6028/NIST.SP.800-38D, November 2007,
+ <https://csrc.nist.gov/publications/detail/sp/800-38d/
+ final>.
+
+ [GCM-SIV] Gueron, S. and Y. Lindell, "GCM-SIV: Full Nonce Misuse-
+ Resistant Authenticated Encryption at Under One Cycle Per
+ Byte", Proceedings of the 22nd ACM SIGSAC Conference on
+ Computer and Communications Security,
+ DOI 10.1145/2810103.2813613, October 2015,
+ <http://doi.acm.org/10.1145/2810103.2813613>.
+
+
+
+
+Gueron, et al. Informational [Page 15]
+
+RFC 8452 AES-GCM-SIV April 2019
+
+
+ [key-derive]
+ Gueron, S. and Y. Lindell, "Better Bounds for Block Cipher
+ Modes of Operation via Nonce-Based Key Derivation",
+ Proceedings of the 2017 ACM SIGSAC Conference on Computer
+ and Communications Security, DOI 10.1145/3133956.3133992,
+ 2017, <https://doi.org/10.1145/3133956.3133992>.
+
+ [multi-birthday]
+ Suzuki, K., Tonien, D., Kurosawa, K., and K. Toyota,
+ "Birthday Paradox for Multi-collisions", Information
+ Security and Cryptology - ICISC 2006, Lecture Notes in
+ Computer Science, Volume 4296, DOI 10.1007/11927587_5,
+ 2006, <http://dx.doi.org/10.1007/11927587_5>.
+
+ [RFC3610] Whiting, D., Housley, R., and N. Ferguson, "Counter with
+ CBC-MAC (CCM)", RFC 3610, DOI 10.17487/RFC3610, September
+ 2003, <https://www.rfc-editor.org/info/rfc3610>.
+
+ [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated
+ Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008,
+ <https://www.rfc-editor.org/info/rfc5116>.
+
+ [RFC5297] Harkins, D., "Synthetic Initialization Vector (SIV)
+ Authenticated Encryption Using the Advanced Encryption
+ Standard (AES)", RFC 5297, DOI 10.17487/RFC5297, October
+ 2008, <https://www.rfc-editor.org/info/rfc5297>.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gueron, et al. Informational [Page 16]
+
+RFC 8452 AES-GCM-SIV April 2019
+
+
+Appendix A. The Relationship between POLYVAL and GHASH
+
+ GHASH and POLYVAL both operate in GF(2^128), although with different
+ irreducible polynomials: POLYVAL works modulo x^128 + x^127 + x^126 +
+ x^121 + 1 and GHASH works modulo x^128 + x^7 + x^2 + x + 1. Note
+ that these irreducible polynomials are the "reverse" of each other.
+
+ GHASH also has a different mapping between 128-bit strings and field
+ elements. Whereas POLYVAL takes the least significant to most
+ significant bits of the first byte to be the coefficients of x^0 to
+ x^7, GHASH takes them to be the coefficients of x^7 to x^0. This
+ continues until, for the last byte, POLYVAL takes the least
+ significant to most significant bits to be the coefficients of x^120
+ to x^127, while GHASH takes them to be the coefficients of x^127 to
+ x^120.
+
+ The combination of these facts means that it's possible to "convert"
+ values between the two by reversing the order of the bytes in a
+ 16-byte string. The differing interpretations of bit order takes
+ care of reversing the bits within each byte, and then reversing the
+ bytes does the rest. This may have a practical benefit for
+ implementations that wish to implement both GHASH and POLYVAL.
+
+ In order to be clear which field a given operation is performed in,
+ let mulX_GHASH be a function that takes a 16-byte string, converts it
+ to an element of GHASH's field using GHASH's convention, multiplies
+ it by x, and converts it back to a string. Likewise, let
+ mulX_POLYVAL be a function that converts a 16-byte string to an
+ element of POLYVAL's field using POLYVAL's convention, multiplies it
+ by x, and converts it back.
+
+ Given the 16-byte string 01000000000000000000000000000000, mulX_GHASH
+ of that string is 00800000000000000000000000000000 and mulX_POLYVAL
+ of that string is 02000000000000000000000000000000. As a more
+ general example, given 9c98c04df9387ded828175a92ba652d8, mulX_GHASH
+ of that string is 4e4c6026fc9c3ef6c140bad495d3296c and mulX_POLYVAL
+ of it is 3931819bf271fada0503eb52574ca5f2.
+
+ Lastly, let ByteReverse be the function that takes a 16-byte string
+ and returns a copy where the order of the bytes has been reversed.
+
+
+
+
+
+
+
+
+
+
+
+Gueron, et al. Informational [Page 17]
+
+RFC 8452 AES-GCM-SIV April 2019
+
+
+ Now GHASH and POLYVAL can be defined in terms of one another:
+
+ POLYVAL(H, X_1, ..., X_n) =
+ ByteReverse(GHASH(mulX_GHASH(ByteReverse(H)), ByteReverse(X_1), ...,
+ ByteReverse(X_n)))
+
+ GHASH(H, X_1, ..., X_n) =
+ ByteReverse(POLYVAL(mulX_POLYVAL(ByteReverse(H)), ByteReverse(X_1),
+ ..., ByteReverse(X_n)))
+
+ As a worked example:
+ let H = 25629347589242761d31f826ba4b757b,
+ X_1 = 4f4f95668c83dfb6401762bb2d01a262, and
+ X_2 = d1a24ddd2721d006bbe45f20d3c9f362.
+ POLYVAL(H, X_1, X_2) = f7a3b47b846119fae5b7866cf5e5b77e.
+
+ If we wished to calculate this given only an implementation of GHASH,
+ then the key for GHASH would be
+
+ mulX_GHASH(ByteReverse(H)) = dcbaa5dd137c188ebb21492c23c9b112.
+
+ Then ByteReverse(GHASH(dcba..., ByteReverse(X_1), ByteReverse(X_2)))
+ = f7a3b47b846119fae5b7866cf5e5b77e, as required.
+
+ In the other direction, GHASH(H, X_1, X_2) =
+ bd9b3997046731fb96251b91f9c99d7a. If we wished to calculate this
+ given only an implementation of POLYVAL, then we would first
+ calculate the key for POLYVAL:
+
+ mulX_POLYVAL(ByteReverse(H)) = f6ea96744df0633aec8424b18e26c54a.
+
+ Then ByteReverse(POLYVAL(f6ea..., ByteReverse(X_1), ByteReverse(X_2)))
+ = bd9b3997046731fb96251b91f9c99d7a.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gueron, et al. Informational [Page 18]
+
+RFC 8452 AES-GCM-SIV April 2019
+
+
+Appendix B. Additional Comparisons with AES-GCM
+
+ Some functional properties that differ between AES-GCM and AES-GCM-
+ SIV that are also worth noting:
+
+ AES-GCM allows plaintexts to be encrypted in a streaming fashion --
+ i.e., the beginning of the plaintext can be encrypted and transmitted
+ before the entire message has been processed. AES-GCM-SIV requires
+ two passes for encryption and so cannot do this.
+
+ AES-GCM allows a constant additional-data input to be precomputed in
+ order to save per-message computation. AES-GCM-SIV varies the
+ authenticator key based on the nonce and so does not permit this.
+
+ The performance for AES-GCM versus AES-GCM-SIV on small machines can
+ be roughly characterized by the number of AES operations and the
+ number of GF(2^128) multiplications needed to process a message.
+
+ Let a = (bytelen(additional-data) + 15) / 16 and
+ p = (bytelen(plaintext) + 15) / 16.
+
+ Then AES-GCM requires p + 1 AES operations and p + a + 1 field
+ multiplications.
+
+ Defined similarly, AES-GCM-SIV with AES-128 requires p + 5 AES
+ operations and p + a + 1 field multiplications. With AES-256, that
+ becomes p + 7 AES operations.
+
+ With large machines, the available parallelism becomes far more
+ important, and such simple performance analysis is no longer
+ representative. For such machines, we find that decryption of AES-
+ GCM-SIV is only about 5% slower than AES-GCM, as long as the message
+ is at least a couple of kilobytes. Encryption tends to run about
+ two-thirds the speed because of the additional pass required.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gueron, et al. Informational [Page 19]
+
+RFC 8452 AES-GCM-SIV April 2019
+
+
+Appendix C. Test Vectors
+
+C.1. AEAD_AES_128_GCM_SIV
+
+ Plaintext (0 bytes) =
+ AAD (0 bytes) =
+ Key = 01000000000000000000000000000000
+ Nonce = 030000000000000000000000
+ Record authentication key = d9b360279694941ac5dbc6987ada7377
+ Record encryption key = 4004a0dcd862f2a57360219d2d44ef6c
+ POLYVAL input = 00000000000000000000000000000000
+ POLYVAL result = 00000000000000000000000000000000
+ POLYVAL result XOR nonce = 03000000000000000000000000000000
+ ... and masked = 03000000000000000000000000000000
+ Tag = dc20e2d83f25705bb49e439eca56de25
+ Initial counter = dc20e2d83f25705bb49e439eca56dea5
+ Result (16 bytes) = dc20e2d83f25705bb49e439eca56de25
+
+
+ Plaintext (8 bytes) = 0100000000000000
+ AAD (0 bytes) =
+ Key = 01000000000000000000000000000000
+ Nonce = 030000000000000000000000
+ Record authentication key = d9b360279694941ac5dbc6987ada7377
+ Record encryption key = 4004a0dcd862f2a57360219d2d44ef6c
+ POLYVAL input = 01000000000000000000000000000000
+ 00000000000000004000000000000000
+ POLYVAL result = eb93b7740962c5e49d2a90a7dc5cec74
+ POLYVAL result XOR nonce = e893b7740962c5e49d2a90a7dc5cec74
+ ... and masked = e893b7740962c5e49d2a90a7dc5cec74
+ Tag = 578782fff6013b815b287c22493a364c
+ Initial counter = 578782fff6013b815b287c22493a36cc
+ Result (24 bytes) = b5d839330ac7b786578782fff6013b81
+ 5b287c22493a364c
+
+
+ Plaintext (12 bytes) = 010000000000000000000000
+ AAD (0 bytes) =
+ Key = 01000000000000000000000000000000
+ Nonce = 030000000000000000000000
+ Record authentication key = d9b360279694941ac5dbc6987ada7377
+ Record encryption key = 4004a0dcd862f2a57360219d2d44ef6c
+ POLYVAL input = 01000000000000000000000000000000
+ 00000000000000006000000000000000
+ POLYVAL result = 48eb6c6c5a2dbe4a1dde508fee06361b
+ POLYVAL result XOR nonce = 4beb6c6c5a2dbe4a1dde508fee06361b
+ ... and masked = 4beb6c6c5a2dbe4a1dde508fee06361b
+ Tag = a4978db357391a0bc4fdec8b0d106639
+
+
+
+Gueron, et al. Informational [Page 20]
+
+RFC 8452 AES-GCM-SIV April 2019
+
+
+ Initial counter = a4978db357391a0bc4fdec8b0d1066b9
+ Result (28 bytes) = 7323ea61d05932260047d942a4978db3
+ 57391a0bc4fdec8b0d106639
+
+
+ Plaintext (16 bytes) = 01000000000000000000000000000000
+ AAD (0 bytes) =
+ Key = 01000000000000000000000000000000
+ Nonce = 030000000000000000000000
+ Record authentication key = d9b360279694941ac5dbc6987ada7377
+ Record encryption key = 4004a0dcd862f2a57360219d2d44ef6c
+ POLYVAL input = 01000000000000000000000000000000
+ 00000000000000008000000000000000
+ POLYVAL result = 20806c26e3c1de019e111255708031d6
+ POLYVAL result XOR nonce = 23806c26e3c1de019e111255708031d6
+ ... and masked = 23806c26e3c1de019e11125570803156
+ Tag = 303aaf90f6fe21199c6068577437a0c4
+ Initial counter = 303aaf90f6fe21199c6068577437a0c4
+ Result (32 bytes) = 743f7c8077ab25f8624e2e948579cf77
+ 303aaf90f6fe21199c6068577437a0c4
+
+
+ Plaintext (32 bytes) = 01000000000000000000000000000000
+ 02000000000000000000000000000000
+ AAD (0 bytes) =
+ Key = 01000000000000000000000000000000
+ Nonce = 030000000000000000000000
+ Record authentication key = d9b360279694941ac5dbc6987ada7377
+ Record encryption key = 4004a0dcd862f2a57360219d2d44ef6c
+ POLYVAL input = 01000000000000000000000000000000
+ 02000000000000000000000000000000
+ 00000000000000000001000000000000
+ POLYVAL result = ce6edc9a50b36d9a98986bbf6a261c3b
+ POLYVAL result XOR nonce = cd6edc9a50b36d9a98986bbf6a261c3b
+ ... and masked = cd6edc9a50b36d9a98986bbf6a261c3b
+ Tag = 1a8e45dcd4578c667cd86847bf6155ff
+ Initial counter = 1a8e45dcd4578c667cd86847bf6155ff
+ Result (48 bytes) = 84e07e62ba83a6585417245d7ec413a9
+ fe427d6315c09b57ce45f2e3936a9445
+ 1a8e45dcd4578c667cd86847bf6155ff
+
+
+ Plaintext (48 bytes) = 01000000000000000000000000000000
+ 02000000000000000000000000000000
+ 03000000000000000000000000000000
+ AAD (0 bytes) =
+ Key = 01000000000000000000000000000000
+ Nonce = 030000000000000000000000
+
+
+
+Gueron, et al. Informational [Page 21]
+
+RFC 8452 AES-GCM-SIV April 2019
+
+
+ Record authentication key = d9b360279694941ac5dbc6987ada7377
+ Record encryption key = 4004a0dcd862f2a57360219d2d44ef6c
+ POLYVAL input = 01000000000000000000000000000000
+ 02000000000000000000000000000000
+ 03000000000000000000000000000000
+ 00000000000000008001000000000000
+ POLYVAL result = 81388746bc22d26b2abc3dcb15754222
+ POLYVAL result XOR nonce = 82388746bc22d26b2abc3dcb15754222
+ ... and masked = 82388746bc22d26b2abc3dcb15754222
+ Tag = 5e6e311dbf395d35b0fe39c2714388f8
+ Initial counter = 5e6e311dbf395d35b0fe39c2714388f8
+ Result (64 bytes) = 3fd24ce1f5a67b75bf2351f181a475c7
+ b800a5b4d3dcf70106b1eea82fa1d64d
+ f42bf7226122fa92e17a40eeaac1201b
+ 5e6e311dbf395d35b0fe39c2714388f8
+
+
+ Plaintext (64 bytes) = 01000000000000000000000000000000
+ 02000000000000000000000000000000
+ 03000000000000000000000000000000
+ 04000000000000000000000000000000
+ AAD (0 bytes) =
+ Key = 01000000000000000000000000000000
+ Nonce = 030000000000000000000000
+ Record authentication key = d9b360279694941ac5dbc6987ada7377
+ Record encryption key = 4004a0dcd862f2a57360219d2d44ef6c
+ POLYVAL input = 01000000000000000000000000000000
+ 02000000000000000000000000000000
+ 03000000000000000000000000000000
+ 04000000000000000000000000000000
+ 00000000000000000002000000000000
+ POLYVAL result = 1e39b6d3344d348f6044f89935d1cf78
+ POLYVAL result XOR nonce = 1d39b6d3344d348f6044f89935d1cf78
+ ... and masked = 1d39b6d3344d348f6044f89935d1cf78
+ Tag = 8a263dd317aa88d56bdf3936dba75bb8
+ Initial counter = 8a263dd317aa88d56bdf3936dba75bb8
+ Result (80 bytes) = 2433668f1058190f6d43e360f4f35cd8
+ e475127cfca7028ea8ab5c20f7ab2af0
+ 2516a2bdcbc08d521be37ff28c152bba
+ 36697f25b4cd169c6590d1dd39566d3f
+ 8a263dd317aa88d56bdf3936dba75bb8
+
+
+ Plaintext (8 bytes) = 0200000000000000
+ AAD (1 bytes) = 01
+ Key = 01000000000000000000000000000000
+ Nonce = 030000000000000000000000
+ Record authentication key = d9b360279694941ac5dbc6987ada7377
+
+
+
+Gueron, et al. Informational [Page 22]
+
+RFC 8452 AES-GCM-SIV April 2019
+
+
+ Record encryption key = 4004a0dcd862f2a57360219d2d44ef6c
+ POLYVAL input = 01000000000000000000000000000000
+ 02000000000000000000000000000000
+ 08000000000000004000000000000000
+ POLYVAL result = b26781e7e2c1376f96bec195f3709b2a
+ POLYVAL result XOR nonce = b16781e7e2c1376f96bec195f3709b2a
+ ... and masked = b16781e7e2c1376f96bec195f3709b2a
+ Tag = 3b0a1a2560969cdf790d99759abd1508
+ Initial counter = 3b0a1a2560969cdf790d99759abd1588
+ Result (24 bytes) = 1e6daba35669f4273b0a1a2560969cdf
+ 790d99759abd1508
+
+
+ Plaintext (12 bytes) = 020000000000000000000000
+ AAD (1 bytes) = 01
+ Key = 01000000000000000000000000000000
+ Nonce = 030000000000000000000000
+ Record authentication key = d9b360279694941ac5dbc6987ada7377
+ Record encryption key = 4004a0dcd862f2a57360219d2d44ef6c
+ POLYVAL input = 01000000000000000000000000000000
+ 02000000000000000000000000000000
+ 08000000000000006000000000000000
+ POLYVAL result = 111f5affb18e4cc1164a01bdc12a4145
+ POLYVAL result XOR nonce = 121f5affb18e4cc1164a01bdc12a4145
+ ... and masked = 121f5affb18e4cc1164a01bdc12a4145
+ Tag = 08299c5102745aaa3a0c469fad9e075a
+ Initial counter = 08299c5102745aaa3a0c469fad9e07da
+ Result (28 bytes) = 296c7889fd99f41917f4462008299c51
+ 02745aaa3a0c469fad9e075a
+
+
+ Plaintext (16 bytes) = 02000000000000000000000000000000
+ AAD (1 bytes) = 01
+ Key = 01000000000000000000000000000000
+ Nonce = 030000000000000000000000
+ Record authentication key = d9b360279694941ac5dbc6987ada7377
+ Record encryption key = 4004a0dcd862f2a57360219d2d44ef6c
+ POLYVAL input = 01000000000000000000000000000000
+ 02000000000000000000000000000000
+ 08000000000000008000000000000000
+ POLYVAL result = 79745ab508622c8a958543675fac4688
+ POLYVAL result XOR nonce = 7a745ab508622c8a958543675fac4688
+ ... and masked = 7a745ab508622c8a958543675fac4608
+ Tag = 8f8936ec039e4e4bb97ebd8c4457441f
+ Initial counter = 8f8936ec039e4e4bb97ebd8c4457449f
+ Result (32 bytes) = e2b0c5da79a901c1745f700525cb335b
+ 8f8936ec039e4e4bb97ebd8c4457441f
+
+
+
+
+Gueron, et al. Informational [Page 23]
+
+RFC 8452 AES-GCM-SIV April 2019
+
+
+ Plaintext (32 bytes) = 02000000000000000000000000000000
+ 03000000000000000000000000000000
+ AAD (1 bytes) = 01
+ Key = 01000000000000000000000000000000
+ Nonce = 030000000000000000000000
+ Record authentication key = d9b360279694941ac5dbc6987ada7377
+ Record encryption key = 4004a0dcd862f2a57360219d2d44ef6c
+ POLYVAL input = 01000000000000000000000000000000
+ 02000000000000000000000000000000
+ 03000000000000000000000000000000
+ 08000000000000000001000000000000
+ POLYVAL result = 2ce7daaf7c89490822051255b12eca6b
+ POLYVAL result XOR nonce = 2fe7daaf7c89490822051255b12eca6b
+ ... and masked = 2fe7daaf7c89490822051255b12eca6b
+ Tag = e6af6a7f87287da059a71684ed3498e1
+ Initial counter = e6af6a7f87287da059a71684ed3498e1
+ Result (48 bytes) = 620048ef3c1e73e57e02bb8562c416a3
+ 19e73e4caac8e96a1ecb2933145a1d71
+ e6af6a7f87287da059a71684ed3498e1
+
+
+ Plaintext (48 bytes) = 02000000000000000000000000000000
+ 03000000000000000000000000000000
+ 04000000000000000000000000000000
+ AAD (1 bytes) = 01
+ Key = 01000000000000000000000000000000
+ Nonce = 030000000000000000000000
+ Record authentication key = d9b360279694941ac5dbc6987ada7377
+ Record encryption key = 4004a0dcd862f2a57360219d2d44ef6c
+ POLYVAL input = 01000000000000000000000000000000
+ 02000000000000000000000000000000
+ 03000000000000000000000000000000
+ 04000000000000000000000000000000
+ 08000000000000008001000000000000
+ POLYVAL result = 9ca987715d69c1786711dfcd22f830fc
+ POLYVAL result XOR nonce = 9fa987715d69c1786711dfcd22f830fc
+ ... and masked = 9fa987715d69c1786711dfcd22f8307c
+ Tag = 6a8cc3865f76897c2e4b245cf31c51f2
+ Initial counter = 6a8cc3865f76897c2e4b245cf31c51f2
+ Result (64 bytes) = 50c8303ea93925d64090d07bd109dfd9
+ 515a5a33431019c17d93465999a8b005
+ 3201d723120a8562b838cdff25bf9d1e
+ 6a8cc3865f76897c2e4b245cf31c51f2
+
+
+ Plaintext (64 bytes) = 02000000000000000000000000000000
+ 03000000000000000000000000000000
+ 04000000000000000000000000000000
+
+
+
+Gueron, et al. Informational [Page 24]
+
+RFC 8452 AES-GCM-SIV April 2019
+
+
+ 05000000000000000000000000000000
+ AAD (1 bytes) = 01
+ Key = 01000000000000000000000000000000
+ Nonce = 030000000000000000000000
+ Record authentication key = d9b360279694941ac5dbc6987ada7377
+ Record encryption key = 4004a0dcd862f2a57360219d2d44ef6c
+ POLYVAL input = 01000000000000000000000000000000
+ 02000000000000000000000000000000
+ 03000000000000000000000000000000
+ 04000000000000000000000000000000
+ 05000000000000000000000000000000
+ 08000000000000000002000000000000
+ POLYVAL result = ffcd05d5770f34ad9267f0a59994b15a
+ POLYVAL result XOR nonce = fccd05d5770f34ad9267f0a59994b15a
+ ... and masked = fccd05d5770f34ad9267f0a59994b15a
+ Tag = cdc46ae475563de037001ef84ae21744
+ Initial counter = cdc46ae475563de037001ef84ae217c4
+ Result (80 bytes) = 2f5c64059db55ee0fb847ed513003746
+ aca4e61c711b5de2e7a77ffd02da42fe
+ ec601910d3467bb8b36ebbaebce5fba3
+ 0d36c95f48a3e7980f0e7ac299332a80
+ cdc46ae475563de037001ef84ae21744
+
+
+ Plaintext (4 bytes) = 02000000
+ AAD (12 bytes) = 010000000000000000000000
+ Key = 01000000000000000000000000000000
+ Nonce = 030000000000000000000000
+ Record authentication key = d9b360279694941ac5dbc6987ada7377
+ Record encryption key = 4004a0dcd862f2a57360219d2d44ef6c
+ POLYVAL input = 01000000000000000000000000000000
+ 02000000000000000000000000000000
+ 60000000000000002000000000000000
+ POLYVAL result = f6ce9d3dcd68a2fd603c7ecc18fb9918
+ POLYVAL result XOR nonce = f5ce9d3dcd68a2fd603c7ecc18fb9918
+ ... and masked = f5ce9d3dcd68a2fd603c7ecc18fb9918
+ Tag = 07eb1f84fb28f8cb73de8e99e2f48a14
+ Initial counter = 07eb1f84fb28f8cb73de8e99e2f48a94
+ Result (20 bytes) = a8fe3e8707eb1f84fb28f8cb73de8e99
+ e2f48a14
+
+
+ Plaintext (20 bytes) = 03000000000000000000000000000000
+ 04000000
+ AAD (18 bytes) = 01000000000000000000000000000000
+ 0200
+ Key = 01000000000000000000000000000000
+ Nonce = 030000000000000000000000
+
+
+
+Gueron, et al. Informational [Page 25]
+
+RFC 8452 AES-GCM-SIV April 2019
+
+
+ Record authentication key = d9b360279694941ac5dbc6987ada7377
+ Record encryption key = 4004a0dcd862f2a57360219d2d44ef6c
+ POLYVAL input = 01000000000000000000000000000000
+ 02000000000000000000000000000000
+ 03000000000000000000000000000000
+ 04000000000000000000000000000000
+ 9000000000000000a000000000000000
+ POLYVAL result = 4781d492cb8f926c504caa36f61008fe
+ POLYVAL result XOR nonce = 4481d492cb8f926c504caa36f61008fe
+ ... and masked = 4481d492cb8f926c504caa36f610087e
+ Tag = 24afc9805e976f451e6d87f6fe106514
+ Initial counter = 24afc9805e976f451e6d87f6fe106594
+ Result (36 bytes) = 6bb0fecf5ded9b77f902c7d5da236a43
+ 91dd029724afc9805e976f451e6d87f6
+ fe106514
+
+
+ Plaintext (18 bytes) = 03000000000000000000000000000000
+ 0400
+ AAD (20 bytes) = 01000000000000000000000000000000
+ 02000000
+ Key = 01000000000000000000000000000000
+ Nonce = 030000000000000000000000
+ Record authentication key = d9b360279694941ac5dbc6987ada7377
+ Record encryption key = 4004a0dcd862f2a57360219d2d44ef6c
+ POLYVAL input = 01000000000000000000000000000000
+ 02000000000000000000000000000000
+ 03000000000000000000000000000000
+ 04000000000000000000000000000000
+ a0000000000000009000000000000000
+ POLYVAL result = 75cbc23a1a10e348aeb8e384b5cc79fd
+ POLYVAL result XOR nonce = 76cbc23a1a10e348aeb8e384b5cc79fd
+ ... and masked = 76cbc23a1a10e348aeb8e384b5cc797d
+ Tag = bff9b2ef00fb47920cc72a0c0f13b9fd
+ Initial counter = bff9b2ef00fb47920cc72a0c0f13b9fd
+ Result (34 bytes) = 44d0aaf6fb2f1f34add5e8064e83e12a
+ 2adabff9b2ef00fb47920cc72a0c0f13
+ b9fd
+
+ Plaintext (0 bytes) =
+ AAD (0 bytes) =
+ Key = e66021d5eb8e4f4066d4adb9c33560e4
+ Nonce = f46e44bb3da0015c94f70887
+ Record authentication key = 036ee1fe2d7926af68898095e54e7b3c
+ Record encryption key = 5e46482396008223b5c1d25173d87539
+ POLYVAL input = 00000000000000000000000000000000
+ POLYVAL result = 00000000000000000000000000000000
+ POLYVAL result XOR nonce = f46e44bb3da0015c94f7088700000000
+
+
+
+Gueron, et al. Informational [Page 26]
+
+RFC 8452 AES-GCM-SIV April 2019
+
+
+ ... and masked = f46e44bb3da0015c94f7088700000000
+ Tag = a4194b79071b01a87d65f706e3949578
+ Initial counter = a4194b79071b01a87d65f706e39495f8
+ Result (16 bytes) = a4194b79071b01a87d65f706e3949578
+
+
+ Plaintext (3 bytes) = 7a806c
+ AAD (5 bytes) = 46bb91c3c5
+ Key = 36864200e0eaf5284d884a0e77d31646
+ Nonce = bae8e37fc83441b16034566b
+ Record authentication key = 3e28de1120b2981a0155795ca2812af6
+ Record encryption key = 6d4b78b31a4c9c03d8db0f42f7507fae
+ POLYVAL input = 46bb91c3c50000000000000000000000
+ 7a806c00000000000000000000000000
+ 28000000000000001800000000000000
+ POLYVAL result = 43d9a745511dcfa21b96dd606f1d5720
+ POLYVAL result XOR nonce = f931443a99298e137ba28b0b6f1d5720
+ ... and masked = f931443a99298e137ba28b0b6f1d5720
+ Tag = 711bd85bc1e4d3e0a462e074eea428a8
+ Initial counter = 711bd85bc1e4d3e0a462e074eea428a8
+ Result (19 bytes) = af60eb711bd85bc1e4d3e0a462e074ee
+ a428a8
+
+
+ Plaintext (6 bytes) = bdc66f146545
+ AAD (10 bytes) = fc880c94a95198874296
+ Key = aedb64a6c590bc84d1a5e269e4b47801
+ Nonce = afc0577e34699b9e671fdd4f
+ Record authentication key = 43b8de9cea62330d15cccfc84a33e8c8
+ Record encryption key = 8e54631607e431e095b54852868e3a27
+ POLYVAL input = fc880c94a95198874296000000000000
+ bdc66f14654500000000000000000000
+ 50000000000000003000000000000000
+ POLYVAL result = 26498e0d2b1ef004e808c458e8f2f515
+ POLYVAL result XOR nonce = 8989d9731f776b9a8f171917e8f2f515
+ ... and masked = 8989d9731f776b9a8f171917e8f2f515
+ Tag = d6a9c45545cfc11f03ad743dba20f966
+ Initial counter = d6a9c45545cfc11f03ad743dba20f9e6
+ Result (22 bytes) = bb93a3e34d3cd6a9c45545cfc11f03ad
+ 743dba20f966
+
+
+ Plaintext (9 bytes) = 1177441f195495860f
+ AAD (15 bytes) = 046787f3ea22c127aaf195d1894728
+ Key = d5cc1fd161320b6920ce07787f86743b
+ Nonce = 275d1ab32f6d1f0434d8848c
+ Record authentication key = 8a51df64d93eaf667c2c09bd454ce5c5
+ Record encryption key = 43ab276c2b4a473918ca73f2dd85109c
+
+
+
+Gueron, et al. Informational [Page 27]
+
+RFC 8452 AES-GCM-SIV April 2019
+
+
+ POLYVAL input = 046787f3ea22c127aaf195d189472800
+ 1177441f195495860f00000000000000
+ 78000000000000004800000000000000
+ POLYVAL result = 63a3451c0b23345ad02bba59956517cf
+ POLYVAL result XOR nonce = 44fe5faf244e2b5ee4f33ed5956517cf
+ ... and masked = 44fe5faf244e2b5ee4f33ed59565174f
+ Tag = 1d02fd0cd174c84fc5dae2f60f52fd2b
+ Initial counter = 1d02fd0cd174c84fc5dae2f60f52fdab
+ Result (25 bytes) = 4f37281f7ad12949d01d02fd0cd174c8
+ 4fc5dae2f60f52fd2b
+
+
+ Plaintext (12 bytes) = 9f572c614b4745914474e7c7
+ AAD (20 bytes) = c9882e5386fd9f92ec489c8fde2be2cf
+ 97e74e93
+ Key = b3fed1473c528b8426a582995929a149
+ Nonce = 9e9ad8780c8d63d0ab4149c0
+ Record authentication key = 22f50707a95dd416df069d670cb775e8
+ Record encryption key = f674a5584ee21fe97b4cebc468ab61e4
+ POLYVAL input = c9882e5386fd9f92ec489c8fde2be2cf
+ 97e74e93000000000000000000000000
+ 9f572c614b4745914474e7c700000000
+ a0000000000000006000000000000000
+ POLYVAL result = 0cca0423fba9d77fe7e2e6963b08cdd0
+ POLYVAL result XOR nonce = 9250dc5bf724b4af4ca3af563b08cdd0
+ ... and masked = 9250dc5bf724b4af4ca3af563b08cd50
+ Tag = c1dc2f871fb7561da1286e655e24b7b0
+ Initial counter = c1dc2f871fb7561da1286e655e24b7b0
+ Result (28 bytes) = f54673c5ddf710c745641c8bc1dc2f87
+ 1fb7561da1286e655e24b7b0
+
+
+ Plaintext (15 bytes) = 0d8c8451178082355c9e940fea2f58
+ AAD (25 bytes) = 2950a70d5a1db2316fd568378da107b5
+ 2b0da55210cc1c1b0a
+ Key = 2d4ed87da44102952ef94b02b805249b
+ Nonce = ac80e6f61455bfac8308a2d4
+ Record authentication key = 0b00a29a83e7e95b92e3a0783b29f140
+ Record encryption key = a430c27f285aed913005975c42eed5f3
+ POLYVAL input = 2950a70d5a1db2316fd568378da107b5
+ 2b0da55210cc1c1b0a00000000000000
+ 0d8c8451178082355c9e940fea2f5800
+ c8000000000000007800000000000000
+ POLYVAL result = 1086ef25247aa41009bbc40871d9b350
+ POLYVAL result XOR nonce = bc0609d3302f1bbc8ab366dc71d9b350
+ ... and masked = bc0609d3302f1bbc8ab366dc71d9b350
+ Tag = 83b3449b9f39552de99dc214a1190b0b
+ Initial counter = 83b3449b9f39552de99dc214a1190b8b
+
+
+
+Gueron, et al. Informational [Page 28]
+
+RFC 8452 AES-GCM-SIV April 2019
+
+
+ Result (31 bytes) = c9ff545e07b88a015f05b274540aa183
+ b3449b9f39552de99dc214a1190b0b
+
+
+ Plaintext (18 bytes) = 6b3db4da3d57aa94842b9803a96e07fb
+ 6de7
+ AAD (30 bytes) = 1860f762ebfbd08284e421702de0de18
+ baa9c9596291b08466f37de21c7f
+ Key = bde3b2f204d1e9f8b06bc47f9745b3d1
+ Nonce = ae06556fb6aa7890bebc18fe
+ Record authentication key = 21c874a8bad3603d1c3e8784df5b3f9f
+ Record encryption key = d1c16d72651c3df504eae27129d818e8
+ POLYVAL input = 1860f762ebfbd08284e421702de0de18
+ baa9c9596291b08466f37de21c7f0000
+ 6b3db4da3d57aa94842b9803a96e07fb
+ 6de70000000000000000000000000000
+ f0000000000000009000000000000000
+ POLYVAL result = 55462a5afa0da8d646481e049ef9c764
+ POLYVAL result XOR nonce = fb407f354ca7d046f8f406fa9ef9c764
+ ... and masked = fb407f354ca7d046f8f406fa9ef9c764
+ Tag = 3e377094f04709f64d7b985310a4db84
+ Initial counter = 3e377094f04709f64d7b985310a4db84
+ Result (34 bytes) = 6298b296e24e8cc35dce0bed484b7f30
+ d5803e377094f04709f64d7b985310a4
+ db84
+
+
+ Plaintext (21 bytes) = e42a3c02c25b64869e146d7b233987bd
+ dfc240871d
+ AAD (35 bytes) = 7576f7028ec6eb5ea7e298342a94d4b2
+ 02b370ef9768ec6561c4fe6b7e7296fa
+ 859c21
+ Key = f901cfe8a69615a93fdf7a98cad48179
+ Nonce = 6245709fb18853f68d833640
+ Record authentication key = 3724f55f1d22ac0ab830da0b6a995d74
+ Record encryption key = 75ac87b70c05db287de779006105a344
+ POLYVAL input = 7576f7028ec6eb5ea7e298342a94d4b2
+ 02b370ef9768ec6561c4fe6b7e7296fa
+ 859c2100000000000000000000000000
+ e42a3c02c25b64869e146d7b233987bd
+ dfc240871d0000000000000000000000
+ 1801000000000000a800000000000000
+ POLYVAL result = 4cbba090f03f7d1188ea55749fa6c7bd
+ POLYVAL result XOR nonce = 2efed00f41b72ee7056963349fa6c7bd
+ ... and masked = 2efed00f41b72ee7056963349fa6c73d
+ Tag = 2d15506c84a9edd65e13e9d24a2a6e70
+ Initial counter = 2d15506c84a9edd65e13e9d24a2a6ef0
+ Result (37 bytes) = 391cc328d484a4f46406181bcd62efd9
+
+
+
+Gueron, et al. Informational [Page 29]
+
+RFC 8452 AES-GCM-SIV April 2019
+
+
+ b3ee197d052d15506c84a9edd65e13e9
+ d24a2a6e70
+
+C.2. AEAD_AES_256_GCM_SIV
+
+ Plaintext (0 bytes) =
+ AAD (0 bytes) =
+ Key = 01000000000000000000000000000000
+ 00000000000000000000000000000000
+ Nonce = 030000000000000000000000
+ Record authentication key = b5d3c529dfafac43136d2d11be284d7f
+ Record encryption key = b914f4742be9e1d7a2f84addbf96dec3
+ 456e3c6c05ecc157cdbf0700fedad222
+ POLYVAL input = 00000000000000000000000000000000
+ POLYVAL result = 00000000000000000000000000000000
+ POLYVAL result XOR nonce = 03000000000000000000000000000000
+ ... and masked = 03000000000000000000000000000000
+ Tag = 07f5f4169bbf55a8400cd47ea6fd400f
+ Initial counter = 07f5f4169bbf55a8400cd47ea6fd408f
+ Result (16 bytes) = 07f5f4169bbf55a8400cd47ea6fd400f
+
+
+ Plaintext (8 bytes) = 0100000000000000
+ AAD (0 bytes) =
+ Key = 01000000000000000000000000000000
+ 00000000000000000000000000000000
+ Nonce = 030000000000000000000000
+ Record authentication key = b5d3c529dfafac43136d2d11be284d7f
+ Record encryption key = b914f4742be9e1d7a2f84addbf96dec3
+ 456e3c6c05ecc157cdbf0700fedad222
+ POLYVAL input = 01000000000000000000000000000000
+ 00000000000000004000000000000000
+ POLYVAL result = 05230f62f0eac8aa14fe4d646b59cd41
+ POLYVAL result XOR nonce = 06230f62f0eac8aa14fe4d646b59cd41
+ ... and masked = 06230f62f0eac8aa14fe4d646b59cd41
+ Tag = 843122130f7364b761e0b97427e3df28
+ Initial counter = 843122130f7364b761e0b97427e3dfa8
+ Result (24 bytes) = c2ef328e5c71c83b843122130f7364b7
+ 61e0b97427e3df28
+
+
+ Plaintext (12 bytes) = 010000000000000000000000
+ AAD (0 bytes) =
+ Key = 01000000000000000000000000000000
+ 00000000000000000000000000000000
+ Nonce = 030000000000000000000000
+ Record authentication key = b5d3c529dfafac43136d2d11be284d7f
+ Record encryption key = b914f4742be9e1d7a2f84addbf96dec3
+
+
+
+Gueron, et al. Informational [Page 30]
+
+RFC 8452 AES-GCM-SIV April 2019
+
+
+ 456e3c6c05ecc157cdbf0700fedad222
+ POLYVAL input = 01000000000000000000000000000000
+ 00000000000000006000000000000000
+ POLYVAL result = 6d81a24732fd6d03ae5af544720a1c13
+ POLYVAL result XOR nonce = 6e81a24732fd6d03ae5af544720a1c13
+ ... and masked = 6e81a24732fd6d03ae5af544720a1c13
+ Tag = 8ca50da9ae6559e48fd10f6e5c9ca17e
+ Initial counter = 8ca50da9ae6559e48fd10f6e5c9ca1fe
+ Result (28 bytes) = 9aab2aeb3faa0a34aea8e2b18ca50da9
+ ae6559e48fd10f6e5c9ca17e
+
+
+ Plaintext (16 bytes) = 01000000000000000000000000000000
+ AAD (0 bytes) =
+ Key = 01000000000000000000000000000000
+ 00000000000000000000000000000000
+ Nonce = 030000000000000000000000
+ Record authentication key = b5d3c529dfafac43136d2d11be284d7f
+ Record encryption key = b914f4742be9e1d7a2f84addbf96dec3
+ 456e3c6c05ecc157cdbf0700fedad222
+ POLYVAL input = 01000000000000000000000000000000
+ 00000000000000008000000000000000
+ POLYVAL result = 74eee2bf7c9a165f8b25dea73db32a6d
+ POLYVAL result XOR nonce = 77eee2bf7c9a165f8b25dea73db32a6d
+ ... and masked = 77eee2bf7c9a165f8b25dea73db32a6d
+ Tag = c9eac6fa700942702e90862383c6c366
+ Initial counter = c9eac6fa700942702e90862383c6c3e6
+ Result (32 bytes) = 85a01b63025ba19b7fd3ddfc033b3e76
+ c9eac6fa700942702e90862383c6c366
+
+
+ Plaintext (32 bytes) = 01000000000000000000000000000000
+ 02000000000000000000000000000000
+ AAD (0 bytes) =
+ Key = 01000000000000000000000000000000
+ 00000000000000000000000000000000
+ Nonce = 030000000000000000000000
+ Record authentication key = b5d3c529dfafac43136d2d11be284d7f
+ Record encryption key = b914f4742be9e1d7a2f84addbf96dec3
+ 456e3c6c05ecc157cdbf0700fedad222
+ POLYVAL input = 01000000000000000000000000000000
+ 02000000000000000000000000000000
+ 00000000000000000001000000000000
+ POLYVAL result = 899b6381b3d46f0def7aa0517ba188f5
+ POLYVAL result XOR nonce = 8a9b6381b3d46f0def7aa0517ba188f5
+ ... and masked = 8a9b6381b3d46f0def7aa0517ba18875
+ Tag = e819e63abcd020b006a976397632eb5d
+ Initial counter = e819e63abcd020b006a976397632ebdd
+
+
+
+Gueron, et al. Informational [Page 31]
+
+RFC 8452 AES-GCM-SIV April 2019
+
+
+ Result (48 bytes) = 4a6a9db4c8c6549201b9edb53006cba8
+ 21ec9cf850948a7c86c68ac7539d027f
+ e819e63abcd020b006a976397632eb5d
+
+
+ Plaintext (48 bytes) = 01000000000000000000000000000000
+ 02000000000000000000000000000000
+ 03000000000000000000000000000000
+ AAD (0 bytes) =
+ Key = 01000000000000000000000000000000
+ 00000000000000000000000000000000
+ Nonce = 030000000000000000000000
+ Record authentication key = b5d3c529dfafac43136d2d11be284d7f
+ Record encryption key = b914f4742be9e1d7a2f84addbf96dec3
+ 456e3c6c05ecc157cdbf0700fedad222
+ POLYVAL input = 01000000000000000000000000000000
+ 02000000000000000000000000000000
+ 03000000000000000000000000000000
+ 00000000000000008001000000000000
+ POLYVAL result = c1f8593d8fc29b0c290cae1992f71f51
+ POLYVAL result XOR nonce = c2f8593d8fc29b0c290cae1992f71f51
+ ... and masked = c2f8593d8fc29b0c290cae1992f71f51
+ Tag = 790bc96880a99ba804bd12c0e6a22cc4
+ Initial counter = 790bc96880a99ba804bd12c0e6a22cc4
+ Result (64 bytes) = c00d121893a9fa603f48ccc1ca3c57ce
+ 7499245ea0046db16c53c7c66fe717e3
+ 9cf6c748837b61f6ee3adcee17534ed5
+ 790bc96880a99ba804bd12c0e6a22cc4
+
+
+ Plaintext (64 bytes) = 01000000000000000000000000000000
+ 02000000000000000000000000000000
+ 03000000000000000000000000000000
+ 04000000000000000000000000000000
+ AAD (0 bytes) =
+ Key = 01000000000000000000000000000000
+ 00000000000000000000000000000000
+ Nonce = 030000000000000000000000
+ Record authentication key = b5d3c529dfafac43136d2d11be284d7f
+ Record encryption key = b914f4742be9e1d7a2f84addbf96dec3
+ 456e3c6c05ecc157cdbf0700fedad222
+ POLYVAL input = 01000000000000000000000000000000
+ 02000000000000000000000000000000
+ 03000000000000000000000000000000
+ 04000000000000000000000000000000
+ 00000000000000000002000000000000
+ POLYVAL result = 6ef38b06046c7c0e225efaef8e2ec4c4
+ POLYVAL result XOR nonce = 6df38b06046c7c0e225efaef8e2ec4c4
+
+
+
+Gueron, et al. Informational [Page 32]
+
+RFC 8452 AES-GCM-SIV April 2019
+
+
+ ... and masked = 6df38b06046c7c0e225efaef8e2ec444
+ Tag = 112864c269fc0d9d88c61fa47e39aa08
+ Initial counter = 112864c269fc0d9d88c61fa47e39aa88
+ Result (80 bytes) = c2d5160a1f8683834910acdafc41fbb1
+ 632d4a353e8b905ec9a5499ac34f96c7
+ e1049eb080883891a4db8caaa1f99dd0
+ 04d80487540735234e3744512c6f90ce
+ 112864c269fc0d9d88c61fa47e39aa08
+
+
+ Plaintext (8 bytes) = 0200000000000000
+ AAD (1 bytes) = 01
+ Key = 01000000000000000000000000000000
+ 00000000000000000000000000000000
+ Nonce = 030000000000000000000000
+ Record authentication key = b5d3c529dfafac43136d2d11be284d7f
+ Record encryption key = b914f4742be9e1d7a2f84addbf96dec3
+ 456e3c6c05ecc157cdbf0700fedad222
+ POLYVAL input = 01000000000000000000000000000000
+ 02000000000000000000000000000000
+ 08000000000000004000000000000000
+ POLYVAL result = 34e57bafe011b9b36fc6821b7ffb3354
+ POLYVAL result XOR nonce = 37e57bafe011b9b36fc6821b7ffb3354
+ ... and masked = 37e57bafe011b9b36fc6821b7ffb3354
+ Tag = 91213f267e3b452f02d01ae33e4ec854
+ Initial counter = 91213f267e3b452f02d01ae33e4ec8d4
+ Result (24 bytes) = 1de22967237a813291213f267e3b452f
+ 02d01ae33e4ec854
+
+
+ Plaintext (12 bytes) = 020000000000000000000000
+ AAD (1 bytes) = 01
+ Key = 01000000000000000000000000000000
+ 00000000000000000000000000000000
+ Nonce = 030000000000000000000000
+ Record authentication key = b5d3c529dfafac43136d2d11be284d7f
+ Record encryption key = b914f4742be9e1d7a2f84addbf96dec3
+ 456e3c6c05ecc157cdbf0700fedad222
+ POLYVAL input = 01000000000000000000000000000000
+ 02000000000000000000000000000000
+ 08000000000000006000000000000000
+ POLYVAL result = 5c47d68a22061c1ad5623a3b66a8e206
+ POLYVAL result XOR nonce = 5f47d68a22061c1ad5623a3b66a8e206
+ ... and masked = 5f47d68a22061c1ad5623a3b66a8e206
+ Tag = c1a4a19ae800941ccdc57cc8413c277f
+ Initial counter = c1a4a19ae800941ccdc57cc8413c27ff
+ Result (28 bytes) = 163d6f9cc1b346cd453a2e4cc1a4a19a
+ e800941ccdc57cc8413c277f
+
+
+
+Gueron, et al. Informational [Page 33]
+
+RFC 8452 AES-GCM-SIV April 2019
+
+
+ Plaintext (16 bytes) = 02000000000000000000000000000000
+ AAD (1 bytes) = 01
+ Key = 01000000000000000000000000000000
+ 00000000000000000000000000000000
+ Nonce = 030000000000000000000000
+ Record authentication key = b5d3c529dfafac43136d2d11be284d7f
+ Record encryption key = b914f4742be9e1d7a2f84addbf96dec3
+ 456e3c6c05ecc157cdbf0700fedad222
+ POLYVAL input = 01000000000000000000000000000000
+ 02000000000000000000000000000000
+ 08000000000000008000000000000000
+ POLYVAL result = 452896726c616746f01d11d82911d478
+ POLYVAL result XOR nonce = 462896726c616746f01d11d82911d478
+ ... and masked = 462896726c616746f01d11d82911d478
+ Tag = b292d28ff61189e8e49f3875ef91aff7
+ Initial counter = b292d28ff61189e8e49f3875ef91aff7
+ Result (32 bytes) = c91545823cc24f17dbb0e9e807d5ec17
+ b292d28ff61189e8e49f3875ef91aff7
+
+
+ Plaintext (32 bytes) = 02000000000000000000000000000000
+ 03000000000000000000000000000000
+ AAD (1 bytes) = 01
+ Key = 01000000000000000000000000000000
+ 00000000000000000000000000000000
+ Nonce = 030000000000000000000000
+ Record authentication key = b5d3c529dfafac43136d2d11be284d7f
+ Record encryption key = b914f4742be9e1d7a2f84addbf96dec3
+ 456e3c6c05ecc157cdbf0700fedad222
+ POLYVAL input = 01000000000000000000000000000000
+ 02000000000000000000000000000000
+ 03000000000000000000000000000000
+ 08000000000000000001000000000000
+ POLYVAL result = 4e58c1e341c9bb0ae34eda9509dfc90c
+ POLYVAL result XOR nonce = 4d58c1e341c9bb0ae34eda9509dfc90c
+ ... and masked = 4d58c1e341c9bb0ae34eda9509dfc90c
+ Tag = aea1bad12702e1965604374aab96dbbc
+ Initial counter = aea1bad12702e1965604374aab96dbbc
+ Result (48 bytes) = 07dad364bfc2b9da89116d7bef6daaaf
+ 6f255510aa654f920ac81b94e8bad365
+ aea1bad12702e1965604374aab96dbbc
+
+
+ Plaintext (48 bytes) = 02000000000000000000000000000000
+ 03000000000000000000000000000000
+ 04000000000000000000000000000000
+ AAD (1 bytes) = 01
+ Key = 01000000000000000000000000000000
+
+
+
+Gueron, et al. Informational [Page 34]
+
+RFC 8452 AES-GCM-SIV April 2019
+
+
+ 00000000000000000000000000000000
+ Nonce = 030000000000000000000000
+ Record authentication key = b5d3c529dfafac43136d2d11be284d7f
+ Record encryption key = b914f4742be9e1d7a2f84addbf96dec3
+ 456e3c6c05ecc157cdbf0700fedad222
+ POLYVAL input = 01000000000000000000000000000000
+ 02000000000000000000000000000000
+ 03000000000000000000000000000000
+ 04000000000000000000000000000000
+ 08000000000000008001000000000000
+ POLYVAL result = 2566a4aff9a525df9772c16d4eaf8d2a
+ POLYVAL result XOR nonce = 2666a4aff9a525df9772c16d4eaf8d2a
+ ... and masked = 2666a4aff9a525df9772c16d4eaf8d2a
+ Tag = 03332742b228c647173616cfd44c54eb
+ Initial counter = 03332742b228c647173616cfd44c54eb
+ Result (64 bytes) = c67a1f0f567a5198aa1fcc8e3f213143
+ 36f7f51ca8b1af61feac35a86416fa47
+ fbca3b5f749cdf564527f2314f42fe25
+ 03332742b228c647173616cfd44c54eb
+
+
+ Plaintext (64 bytes) = 02000000000000000000000000000000
+ 03000000000000000000000000000000
+ 04000000000000000000000000000000
+ 05000000000000000000000000000000
+ AAD (1 bytes) = 01
+ Key = 01000000000000000000000000000000
+ 00000000000000000000000000000000
+ Nonce = 030000000000000000000000
+ Record authentication key = b5d3c529dfafac43136d2d11be284d7f
+ Record encryption key = b914f4742be9e1d7a2f84addbf96dec3
+ 456e3c6c05ecc157cdbf0700fedad222
+ POLYVAL input = 01000000000000000000000000000000
+ 02000000000000000000000000000000
+ 03000000000000000000000000000000
+ 04000000000000000000000000000000
+ 05000000000000000000000000000000
+ 08000000000000000002000000000000
+ POLYVAL result = da58d2f61b0a9d343b2f37fb0c519733
+ POLYVAL result XOR nonce = d958d2f61b0a9d343b2f37fb0c519733
+ ... and masked = d958d2f61b0a9d343b2f37fb0c519733
+ Tag = 5bde0285037c5de81e5b570a049b62a0
+ Initial counter = 5bde0285037c5de81e5b570a049b62a0
+ Result (80 bytes) = 67fd45e126bfb9a79930c43aad2d3696
+ 7d3f0e4d217c1e551f59727870beefc9
+ 8cb933a8fce9de887b1e40799988db1f
+ c3f91880ed405b2dd298318858467c89
+ 5bde0285037c5de81e5b570a049b62a0
+
+
+
+Gueron, et al. Informational [Page 35]
+
+RFC 8452 AES-GCM-SIV April 2019
+
+
+ Plaintext (4 bytes) = 02000000
+ AAD (12 bytes) = 010000000000000000000000
+ Key = 01000000000000000000000000000000
+ 00000000000000000000000000000000
+ Nonce = 030000000000000000000000
+ Record authentication key = b5d3c529dfafac43136d2d11be284d7f
+ Record encryption key = b914f4742be9e1d7a2f84addbf96dec3
+ 456e3c6c05ecc157cdbf0700fedad222
+ POLYVAL input = 01000000000000000000000000000000
+ 02000000000000000000000000000000
+ 60000000000000002000000000000000
+ POLYVAL result = 6dc76ae84b88916e073a303aafde05cf
+ POLYVAL result XOR nonce = 6ec76ae84b88916e073a303aafde05cf
+ ... and masked = 6ec76ae84b88916e073a303aafde054f
+ Tag = 1835e517741dfddccfa07fa4661b74cf
+ Initial counter = 1835e517741dfddccfa07fa4661b74cf
+ Result (20 bytes) = 22b3f4cd1835e517741dfddccfa07fa4
+ 661b74cf
+
+
+ Plaintext (20 bytes) = 03000000000000000000000000000000
+ 04000000
+ AAD (18 bytes) = 01000000000000000000000000000000
+ 0200
+ Key = 01000000000000000000000000000000
+ 00000000000000000000000000000000
+ Nonce = 030000000000000000000000
+ Record authentication key = b5d3c529dfafac43136d2d11be284d7f
+ Record encryption key = b914f4742be9e1d7a2f84addbf96dec3
+ 456e3c6c05ecc157cdbf0700fedad222
+ POLYVAL input = 01000000000000000000000000000000
+ 02000000000000000000000000000000
+ 03000000000000000000000000000000
+ 04000000000000000000000000000000
+ 9000000000000000a000000000000000
+ POLYVAL result = 973ef4fd04bd31d193816ab26f8655ca
+ POLYVAL result XOR nonce = 943ef4fd04bd31d193816ab26f8655ca
+ ... and masked = 943ef4fd04bd31d193816ab26f86554a
+ Tag = b879ad976d8242acc188ab59cabfe307
+ Initial counter = b879ad976d8242acc188ab59cabfe387
+ Result (36 bytes) = 43dd0163cdb48f9fe3212bf61b201976
+ 067f342bb879ad976d8242acc188ab59
+ cabfe307
+
+
+ Plaintext (18 bytes) = 03000000000000000000000000000000
+ 0400
+ AAD (20 bytes) = 01000000000000000000000000000000
+
+
+
+Gueron, et al. Informational [Page 36]
+
+RFC 8452 AES-GCM-SIV April 2019
+
+
+ 02000000
+ Key = 01000000000000000000000000000000
+ 00000000000000000000000000000000
+ Nonce = 030000000000000000000000
+ Record authentication key = b5d3c529dfafac43136d2d11be284d7f
+ Record encryption key = b914f4742be9e1d7a2f84addbf96dec3
+ 456e3c6c05ecc157cdbf0700fedad222
+ POLYVAL input = 01000000000000000000000000000000
+ 02000000000000000000000000000000
+ 03000000000000000000000000000000
+ 04000000000000000000000000000000
+ a0000000000000009000000000000000
+ POLYVAL result = 2cbb6b7ab2dbffefb797f825f826870c
+ POLYVAL result XOR nonce = 2fbb6b7ab2dbffefb797f825f826870c
+ ... and masked = 2fbb6b7ab2dbffefb797f825f826870c
+ Tag = cfcdf5042112aa29685c912fc2056543
+ Initial counter = cfcdf5042112aa29685c912fc20565c3
+ Result (34 bytes) = 462401724b5ce6588d5a54aae5375513
+ a075cfcdf5042112aa29685c912fc205
+ 6543
+
+ Plaintext (0 bytes) =
+ AAD (0 bytes) =
+ Key = e66021d5eb8e4f4066d4adb9c33560e4
+ f46e44bb3da0015c94f7088736864200
+ Nonce = e0eaf5284d884a0e77d31646
+ Record authentication key = e40d26f82774aa27f47b047b608b9585
+ Record encryption key = 7c7c3d9a542cef53dde0e6de9b580040
+ 0f82e73ec5f7ee41b7ba8dcb9ba078c3
+ POLYVAL input = 00000000000000000000000000000000
+ POLYVAL result = 00000000000000000000000000000000
+ POLYVAL result XOR nonce = e0eaf5284d884a0e77d3164600000000
+ ... and masked = e0eaf5284d884a0e77d3164600000000
+ Tag = 169fbb2fbf389a995f6390af22228a62
+ Initial counter = 169fbb2fbf389a995f6390af22228ae2
+ Result (16 bytes) = 169fbb2fbf389a995f6390af22228a62
+
+
+ Plaintext (3 bytes) = 671fdd
+ AAD (5 bytes) = 4fbdc66f14
+ Key = bae8e37fc83441b16034566b7a806c46
+ bb91c3c5aedb64a6c590bc84d1a5e269
+ Nonce = e4b47801afc0577e34699b9e
+ Record authentication key = b546f5a850d0a90adfe39e95c2510fc6
+ Record encryption key = b9d1e239d62cbb5c49273ddac8838bdc
+ c53bca478a770f07087caa4e0a924a55
+ POLYVAL input = 4fbdc66f140000000000000000000000
+ 671fdd00000000000000000000000000
+
+
+
+Gueron, et al. Informational [Page 37]
+
+RFC 8452 AES-GCM-SIV April 2019
+
+
+ 28000000000000001800000000000000
+ POLYVAL result = b91f91f96b159a7c611c05035b839e92
+ POLYVAL result XOR nonce = 5dabe9f8c4d5cd0255759e9d5b839e92
+ ... and masked = 5dabe9f8c4d5cd0255759e9d5b839e12
+ Tag = 93da9bb81333aee0c785b240d319719d
+ Initial counter = 93da9bb81333aee0c785b240d319719d
+ Result (19 bytes) = 0eaccb93da9bb81333aee0c785b240d3
+ 19719d
+
+
+ Plaintext (6 bytes) = 195495860f04
+ AAD (10 bytes) = 6787f3ea22c127aaf195
+ Key = 6545fc880c94a95198874296d5cc1fd1
+ 61320b6920ce07787f86743b275d1ab3
+ Nonce = 2f6d1f0434d8848c1177441f
+ Record authentication key = e156e1f9b0b07b780cbe30f259e3c8da
+ Record encryption key = 6fc1c494519f944aae52fcd8b14e5b17
+ 1b5a9429d3b76e430d49940c0021d612
+ POLYVAL input = 6787f3ea22c127aaf195000000000000
+ 195495860f0400000000000000000000
+ 50000000000000003000000000000000
+ POLYVAL result = 2c480ed9d236b1df24c6eec109bd40c1
+ POLYVAL result XOR nonce = 032511dde6ee355335b1aade09bd40c1
+ ... and masked = 032511dde6ee355335b1aade09bd4041
+ Tag = 6b62b84dc40c84636a5ec12020ec8c2c
+ Initial counter = 6b62b84dc40c84636a5ec12020ec8cac
+ Result (22 bytes) = a254dad4f3f96b62b84dc40c84636a5e
+ c12020ec8c2c
+
+
+ Plaintext (9 bytes) = c9882e5386fd9f92ec
+ AAD (15 bytes) = 489c8fde2be2cf97e74e932d4ed87d
+ Key = d1894728b3fed1473c528b8426a58299
+ 5929a1499e9ad8780c8d63d0ab4149c0
+ Nonce = 9f572c614b4745914474e7c7
+ Record authentication key = 0533fd71f4119257361a3ff1469dd4e5
+ Record encryption key = 4feba89799be8ac3684fa2bb30ade0ea
+ 51390e6d87dcf3627d2ee44493853abe
+ POLYVAL input = 489c8fde2be2cf97e74e932d4ed87d00
+ c9882e5386fd9f92ec00000000000000
+ 78000000000000004800000000000000
+ POLYVAL result = bf160bc9ded8c63057d2c38aae552fb4
+ POLYVAL result XOR nonce = 204127a8959f83a113a6244dae552fb4
+ ... and masked = 204127a8959f83a113a6244dae552f34
+ Tag = c0fd3dc6628dfe55ebb0b9fb2295c8c2
+ Initial counter = c0fd3dc6628dfe55ebb0b9fb2295c8c2
+ Result (25 bytes) = 0df9e308678244c44bc0fd3dc6628dfe
+ 55ebb0b9fb2295c8c2
+
+
+
+Gueron, et al. Informational [Page 38]
+
+RFC 8452 AES-GCM-SIV April 2019
+
+
+ Plaintext (12 bytes) = 1db2316fd568378da107b52b
+ AAD (20 bytes) = 0da55210cc1c1b0abde3b2f204d1e9f8
+ b06bc47f
+ Key = a44102952ef94b02b805249bac80e6f6
+ 1455bfac8308a2d40d8c845117808235
+ Nonce = 5c9e940fea2f582950a70d5a
+ Record authentication key = 64779ab10ee8a280272f14cc8851b727
+ Record encryption key = 25f40fc63f49d3b9016a8eeeb75846e0
+ d72ca36ddbd312b6f5ef38ad14bd2651
+ POLYVAL input = 0da55210cc1c1b0abde3b2f204d1e9f8
+ b06bc47f000000000000000000000000
+ 1db2316fd568378da107b52b00000000
+ a0000000000000006000000000000000
+ POLYVAL result = cc86ee22c861e1fd474c84676b42739c
+ POLYVAL result XOR nonce = 90187a2d224eb9d417eb893d6b42739c
+ ... and masked = 90187a2d224eb9d417eb893d6b42731c
+ Tag = 404099c2587f64979f21826706d497d5
+ Initial counter = 404099c2587f64979f21826706d497d5
+ Result (28 bytes) = 8dbeb9f7255bf5769dd56692404099c2
+ 587f64979f21826706d497d5
+
+
+ Plaintext (15 bytes) = 21702de0de18baa9c9596291b08466
+ AAD (25 bytes) = f37de21c7ff901cfe8a69615a93fdf7a
+ 98cad481796245709f
+ Key = 9745b3d1ae06556fb6aa7890bebc18fe
+ 6b3db4da3d57aa94842b9803a96e07fb
+ Nonce = 6de71860f762ebfbd08284e4
+ Record authentication key = 27c2959ed4daea3b1f52e849478de376
+ Record encryption key = 307a38a5a6cf231c0a9af3b527f23a62
+ e9a6ff09aff8ae669f760153e864fc93
+ POLYVAL input = f37de21c7ff901cfe8a69615a93fdf7a
+ 98cad481796245709f00000000000000
+ 21702de0de18baa9c9596291b0846600
+ c8000000000000007800000000000000
+ POLYVAL result = c4fa5e5b713853703bcf8e6424505fa5
+ POLYVAL result XOR nonce = a91d463b865ab88beb4d0a8024505fa5
+ ... and masked = a91d463b865ab88beb4d0a8024505f25
+ Tag = b3080d28f6ebb5d3648ce97bd5ba67fd
+ Initial counter = b3080d28f6ebb5d3648ce97bd5ba67fd
+ Result (31 bytes) = 793576dfa5c0f88729a7ed3c2f1bffb3
+ 080d28f6ebb5d3648ce97bd5ba67fd
+
+
+ Plaintext (18 bytes) = b202b370ef9768ec6561c4fe6b7e7296
+ fa85
+ AAD (30 bytes) = 9c2159058b1f0fe91433a5bdc20e214e
+ ab7fecef4454a10ef0657df21ac7
+
+
+
+Gueron, et al. Informational [Page 39]
+
+RFC 8452 AES-GCM-SIV April 2019
+
+
+ Key = b18853f68d833640e42a3c02c25b6486
+ 9e146d7b233987bddfc240871d7576f7
+ Nonce = 028ec6eb5ea7e298342a94d4
+ Record authentication key = 670b98154076ddb59b7a9137d0dcc0f0
+ Record encryption key = 78116d78507fbe69d4a820c350f55c7c
+ b36c3c9287df0e9614b142b76a587c3f
+ POLYVAL input = 9c2159058b1f0fe91433a5bdc20e214e
+ ab7fecef4454a10ef0657df21ac70000
+ b202b370ef9768ec6561c4fe6b7e7296
+ fa850000000000000000000000000000
+ f0000000000000009000000000000000
+ POLYVAL result = 4e4108f09f41d797dc9256f8da8d58c7
+ POLYVAL result XOR nonce = 4ccfce1bc1e6350fe8b8c22cda8d58c7
+ ... and masked = 4ccfce1bc1e6350fe8b8c22cda8d5847
+ Tag = 454fc2a154fea91f8363a39fec7d0a49
+ Initial counter = 454fc2a154fea91f8363a39fec7d0ac9
+ Result (34 bytes) = 857e16a64915a787637687db4a951963
+ 5cdd454fc2a154fea91f8363a39fec7d
+ 0a49
+
+
+ Plaintext (21 bytes) = ced532ce4159b035277d4dfbb7db6296
+ 8b13cd4eec
+ AAD (35 bytes) = 734320ccc9d9bbbb19cb81b2af4ecbc3
+ e72834321f7aa0f70b7282b4f33df23f
+ 167541
+ Key = 3c535de192eaed3822a2fbbe2ca9dfc8
+ 8255e14a661b8aa82cc54236093bbc23
+ Nonce = 688089e55540db1872504e1c
+ Record authentication key = cb8c3aa3f8dbaeb4b28a3e86ff6625f8
+ Record encryption key = 02426ce1aa3ab31313b0848469a1b5fc
+ 6c9af9602600b195b04ad407026bc06d
+ POLYVAL input = 734320ccc9d9bbbb19cb81b2af4ecbc3
+ e72834321f7aa0f70b7282b4f33df23f
+ 16754100000000000000000000000000
+ ced532ce4159b035277d4dfbb7db6296
+ 8b13cd4eec0000000000000000000000
+ 1801000000000000a800000000000000
+ POLYVAL result = ffd503c7dd712eb3791b7114b17bb0cf
+ POLYVAL result XOR nonce = 97558a228831f5ab0b4b3f08b17bb0cf
+ ... and masked = 97558a228831f5ab0b4b3f08b17bb04f
+ Tag = 9d6c7029675b89eaf4ba1ded1a286594
+ Initial counter = 9d6c7029675b89eaf4ba1ded1a286594
+ Result (37 bytes) = 626660c26ea6612fb17ad91e8e767639
+ edd6c9faee9d6c7029675b89eaf4ba1d
+ ed1a286594
+
+
+
+
+
+Gueron, et al. Informational [Page 40]
+
+RFC 8452 AES-GCM-SIV April 2019
+
+
+C.3. Counter Wrap Tests
+
+ The tests in this section use AEAD_AES_256_GCM_SIV and are crafted to
+ test correct wrapping of the block counter.
+
+ Plaintext (32 bytes) = 00000000000000000000000000000000
+ 4db923dc793ee6497c76dcc03a98e108
+ AAD (0 bytes) =
+ Key = 00000000000000000000000000000000
+ 00000000000000000000000000000000
+ Nonce = 000000000000000000000000
+ Record authentication key = dc95c078a24089895275f3d86b4fb868
+ Record encryption key = 779b38d15bffb63d39d6e9ae76a9b2f3
+ 75d11b0e3a68c422845c7d4690fa594f
+ POLYVAL input = 00000000000000000000000000000000
+ 4db923dc793ee6497c76dcc03a98e108
+ 00000000000000000001000000000000
+ POLYVAL result = 7367cdb411b730128dd56e8edc0eff56
+ POLYVAL result XOR nonce = 7367cdb411b730128dd56e8edc0eff56
+ ... and masked = 7367cdb411b730128dd56e8edc0eff56
+ Tag = ffffffff000000000000000000000000
+ Initial counter = ffffffff000000000000000000000080
+ Result (48 bytes) = f3f80f2cf0cb2dd9c5984fcda908456c
+ c537703b5ba70324a6793a7bf218d3ea
+ ffffffff000000000000000000000000
+
+
+ Plaintext (24 bytes) = eb3640277c7ffd1303c7a542d02d3e4c
+ 0000000000000000
+ AAD (0 bytes) =
+ Key = 00000000000000000000000000000000
+ 00000000000000000000000000000000
+ Nonce = 000000000000000000000000
+ Record authentication key = dc95c078a24089895275f3d86b4fb868
+ Record encryption key = 779b38d15bffb63d39d6e9ae76a9b2f3
+ 75d11b0e3a68c422845c7d4690fa594f
+ POLYVAL input = eb3640277c7ffd1303c7a542d02d3e4c
+ 00000000000000000000000000000000
+ 0000000000000000c000000000000000
+ POLYVAL result = 7367cdb411b730128dd56e8edc0eff56
+ POLYVAL result XOR nonce = 7367cdb411b730128dd56e8edc0eff56
+ ... and masked = 7367cdb411b730128dd56e8edc0eff56
+ Tag = ffffffff000000000000000000000000
+ Initial counter = ffffffff000000000000000000000080
+ Result (40 bytes) = 18ce4f0b8cb4d0cac65fea8f79257b20
+ 888e53e72299e56dffffffff00000000
+ 0000000000000000
+
+
+
+
+Gueron, et al. Informational [Page 41]
+
+RFC 8452 AES-GCM-SIV April 2019
+
+
+Acknowledgements
+
+ The authors would like to thank Daniel Bleichenbacher, Uri
+ Blumenthal, Deb Cooley's team at NSA Information Assurance, Scott
+ Fluhrer, Tetsu Iwata, Tibor Jager, John Mattsson, Ondrej Mosnacek,
+ Kenny Paterson, Bart Preneel, Yannick Seurin, and Bjoern Tackmann for
+ their helpful suggestions and review.
+
+Authors' Addresses
+
+ Shay Gueron
+ University of Haifa and Amazon
+ Abba Khoushy Ave 199
+ Haifa 3498838
+ Israel
+
+ Email: shay@math.haifa.ac.il
+
+
+ Adam Langley
+ Google LLC
+ 345 Spear St
+ San Francisco, CA 94105
+ United States of America
+
+ Email: agl@google.com
+
+
+ Yehuda Lindell
+ Bar-Ilan University and Unbound Tech
+ Ramat Gan
+ 5290002
+ Israel
+
+ Email: Yehuda.Lindell@biu.ac.il
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gueron, et al. Informational [Page 42]
+