Internet Research Task Force (IRTF)                            S. Gueron
Request for Comments: 8452                University of Haifa and Amazon
Category: Informational                                       A. Langley
ISSN: 2070-1721                                               Google LLC
                                                              Y. Lindell
                                    Bar-Ilan University and Unbound Tech
                                                              April 2019
        
Internet Research Task Force (IRTF)                            S. Gueron
Request for Comments: 8452                University of Haifa and Amazon
Category: Informational                                       A. Langley
ISSN: 2070-1721                                               Google LLC
                                                              Y. Lindell
                                    Bar-Ilan University and Unbound Tech
                                                              April 2019
        

AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption

AES-GCM-SIV:抗误用的认证加密

Abstract

摘要

This memo specifies two authenticated encryption algorithms that are nonce misuse resistant -- that is, they do not fail catastrophically if a nonce is repeated.

此备忘录指定了两种经过身份验证的加密算法,它们可以防止nonce误用——也就是说,如果重复使用nonce,它们不会发生灾难性的失败。

This document is the product of the Crypto Forum Research Group.

本文档是加密论坛研究组的产品。

Status of This Memo

关于下段备忘

This document is not an Internet Standards Track specification; it is published for informational purposes.

本文件不是互联网标准跟踪规范;它是为了提供信息而发布的。

This document is a product of the Internet Research Task Force (IRTF). The IRTF publishes the results of Internet-related research and development activities. These results might not be suitable for deployment. This RFC represents the consensus of the Crypto Forum Research Group of the Internet Research Task Force (IRTF). Documents approved for publication by the IRSG are not candidates for any level of Internet Standard; see Section 2 of RFC 7841.

本文件是互联网研究工作组(IRTF)的产品。IRTF发布互联网相关研究和开发活动的结果。这些结果可能不适合部署。本RFC代表了互联网研究工作组(IRTF)加密论坛研究小组的共识。IRSG批准发布的文件不适用于任何级别的互联网标准;见RFC 7841第2节。

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc8452.

有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问https://www.rfc-editor.org/info/rfc8452.

Copyright Notice

版权公告

Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved.

版权(c)2019 IETF信托基金和被确定为文件作者的人员。版权所有。

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.

本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(https://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。

Table of Contents

目录

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Requirements Language . . . . . . . . . . . . . . . . . . . .   3
   3.  POLYVAL . . . . . . . . . . . . . . . . . . . . . . . . . . .   3
   4.  Encryption  . . . . . . . . . . . . . . . . . . . . . . . . .   4
   5.  Decryption  . . . . . . . . . . . . . . . . . . . . . . . . .   7
   6.  AEADs . . . . . . . . . . . . . . . . . . . . . . . . . . . .  10
   7.  Field Operation Examples  . . . . . . . . . . . . . . . . . .  10
   8.  Worked Example  . . . . . . . . . . . . . . . . . . . . . . .  10
   9.  Security Considerations . . . . . . . . . . . . . . . . . . .  11
   10. IANA Considerations . . . . . . . . . . . . . . . . . . . . .  14
   11. References  . . . . . . . . . . . . . . . . . . . . . . . . .  14
     11.1.  Normative References . . . . . . . . . . . . . . . . . .  14
     11.2.  Informative References . . . . . . . . . . . . . . . . .  15
   Appendix A.  The Relationship between POLYVAL and GHASH . . . . .  17
   Appendix B.  Additional Comparisons with AES-GCM  . . . . . . . .  19
   Appendix C.  Test Vectors . . . . . . . . . . . . . . . . . . . .  20
     C.1.  AEAD_AES_128_GCM_SIV  . . . . . . . . . . . . . . . . . .  20
     C.2.  AEAD_AES_256_GCM_SIV  . . . . . . . . . . . . . . . . . .  30
     C.3.  Counter Wrap Tests  . . . . . . . . . . . . . . . . . . .  41
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .  42
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  42
        
   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Requirements Language . . . . . . . . . . . . . . . . . . . .   3
   3.  POLYVAL . . . . . . . . . . . . . . . . . . . . . . . . . . .   3
   4.  Encryption  . . . . . . . . . . . . . . . . . . . . . . . . .   4
   5.  Decryption  . . . . . . . . . . . . . . . . . . . . . . . . .   7
   6.  AEADs . . . . . . . . . . . . . . . . . . . . . . . . . . . .  10
   7.  Field Operation Examples  . . . . . . . . . . . . . . . . . .  10
   8.  Worked Example  . . . . . . . . . . . . . . . . . . . . . . .  10
   9.  Security Considerations . . . . . . . . . . . . . . . . . . .  11
   10. IANA Considerations . . . . . . . . . . . . . . . . . . . . .  14
   11. References  . . . . . . . . . . . . . . . . . . . . . . . . .  14
     11.1.  Normative References . . . . . . . . . . . . . . . . . .  14
     11.2.  Informative References . . . . . . . . . . . . . . . . .  15
   Appendix A.  The Relationship between POLYVAL and GHASH . . . . .  17
   Appendix B.  Additional Comparisons with AES-GCM  . . . . . . . .  19
   Appendix C.  Test Vectors . . . . . . . . . . . . . . . . . . . .  20
     C.1.  AEAD_AES_128_GCM_SIV  . . . . . . . . . . . . . . . . . .  20
     C.2.  AEAD_AES_256_GCM_SIV  . . . . . . . . . . . . . . . . . .  30
     C.3.  Counter Wrap Tests  . . . . . . . . . . . . . . . . . . .  41
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .  42
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  42
        
1. Introduction
1. 介绍

The concept of Authenticated Encryption with Additional Data (AEAD) [RFC5116] couples confidentiality and integrity in a single operation, avoiding the risks of the previously common practice of using ad hoc constructions of block-cipher and hash primitives. The most popular AEAD, AES-GCM [GCM], is seeing widespread use due to its attractive performance.

使用附加数据进行身份验证加密(AEAD)[RFC5116]的概念将机密性和完整性结合在一次操作中,避免了以前使用分组密码和散列原语的特殊构造的常见做法的风险。最流行的AEAD,AES-GCM[GCM],由于其诱人的性能而得到广泛应用。

However, some AEADs (including AES-GCM) suffer catastrophic failures of confidentiality and/or integrity when two distinct messages are encrypted with the same key and nonce. While the requirements for AEADs specify that the pair of (key, nonce) shall only ever be used once, and thus prohibit this, this is a worry in practice.

然而,当使用相同的密钥和nonce对两条不同的消息进行加密时,一些AEAD(包括AES-GCM)会遭受灾难性的机密性和/或完整性故障。虽然AEAD的要求规定(密钥,nonce)对只能使用一次,因此禁止使用,但这在实践中是一个问题。

Nonce misuse-resistant AEADs do not suffer from this problem. For this class of AEADs, encrypting two messages with the same nonce only discloses whether the messages were equal or not. This is the minimum amount of information that a deterministic algorithm can leak in this situation.

抗暂时误用的AEAD不存在此问题。对于这类AEAD,使用相同的nonce对两条消息进行加密只会揭示消息是否相等。这是确定性算法在这种情况下可能泄漏的最小信息量。

This memo specifies two nonce misuse-resistant AEADs: AEAD_AES_128_GCM_SIV and AEAD_AES_256_GCM_SIV. These AEADs are designed to be able to take advantage of existing hardware support

本备忘录规定了两种临时防误用AEAD:AEAD_AES_128_GCM_SIV和AEAD_AES_256_GCM_SIV。这些AEAD旨在利用现有的硬件支持

for AES-GCM and can decrypt within 5% of the speed of AES-GCM (for multikilobyte messages). Encryption is, perforce, slower than AES-GCM, because two passes are required in order to achieve that nonce misuse-resistance property. However, measurements suggest that it can still run at two-thirds of the speed of AES-GCM.

对于AES-GCM,可以在AES-GCM速度的5%以内解密(对于多KB消息)。加密的速度要比AES-GCM慢,因为需要两次传递才能实现抗非同步误用特性。然而,测量表明,它仍然可以以AES-GCM速度的三分之二运行。

We suggest that these AEADs be considered in any situation where nonce uniqueness cannot be guaranteed. This includes situations where there is no stateful counter or where such state cannot be guaranteed, as when multiple encryptors use the same key. As discussed in Section 9, it is RECOMMENDED to use this scheme with randomly chosen nonces.

我们建议在任何无法保证非唯一性的情况下考虑这些AEAD。这包括没有状态计数器或无法保证这种状态的情况,如多个加密机使用同一密钥时。如第9节所述,建议将此方案与随机选择的nonce一起使用。

This document represents the consensus of the Crypto Forum Research Group (CFRG).

本文件代表加密论坛研究小组(CFRG)的共识。

2. Requirements Language
2. 需求语言

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

本文件中的关键词“必须”、“不得”、“必需”、“应”、“不应”、“建议”、“不建议”、“可”和“可选”在所有大写字母出现时(如图所示)应按照BCP 14[RFC2119][RFC8174]所述进行解释。

3. POLYVAL
3. 波里瓦尔

The GCM-SIV construction is similar to GCM: the block cipher is used in counter mode to encrypt the plaintext, and a polynomial authenticator is used to provide integrity. The authenticator in GCM-SIV is called POLYVAL.

GCM-SIV结构类似于GCM:分组密码在计数器模式下用于加密明文,多项式验证器用于提供完整性。GCM-SIV中的验证器称为POLYVAL。

POLYVAL, like GHASH (the authenticator in AES-GCM; see [GCM], Section 6.4), operates in a binary field of size 2^128. The field is defined by the irreducible polynomial x^128 + x^127 + x^126 + x^121 + 1. The sum of any two elements in the field is the result of XORing them. The product of any two elements is calculated using standard (binary) polynomial multiplication followed by reduction modulo the irreducible polynomial.

POLYVAL与GHASH(AES-GCM中的验证器;参见[GCM],第6.4节)一样,在大小为2^128的二进制字段中运行。该字段由不可约多项式x^128+x^127+x^126+x^121+1定义。字段中任意两个元素的总和是对它们进行XOR运算的结果。使用标准(二进制)多项式乘法,然后对不可约多项式进行约化模,计算任意两个元素的乘积。

We define another binary operation on elements of the field: dot(a, b), where dot(a, b) = a * b * x^-128. The value of the field element x^-128 is equal to x^127 + x^124 + x^121 + x^114 + 1. The result of this multiplication, dot(a, b), is another field element.

我们在字段的元素上定义了另一个二进制操作:dot(a,b),其中dot(a,b)=a*b*x^-128。字段元素x^-128的值等于x^127+x^124+x^121+x^114+1。这个乘法的结果dot(a,b)是另一个字段元素。

Polynomials in this field are converted to and from 128-bit strings by taking the least significant bit of the first byte to be the coefficient of x^0, the most significant bit of the first byte to be the coefficient of x^7, and so on, until the most significant bit of the last byte is the coefficient of x^127.

通过将第一个字节的最低有效位取为x^0的系数,将第一个字节的最高有效位取为x^7的系数,依此类推,直到最后一个字节的最高有效位为x^127的系数,此字段中的多项式可与128位字符串进行转换。

POLYVAL takes a field element, H, and a series of field elements X_1, ..., X_s. Its result is S_s, where S is defined by the iteration S_0 = 0; S_j = dot(S_{j-1} + X_j, H), for j = 1..s.

POLYVAL接受一个字段元素H和一系列字段元素X_1,…,X_s。其结果是S_S,其中S由迭代S_0=0定义;S_j=dot(S_{j-1}+X_j,H),对于j=1..S。

We note that POLYVAL(H, X_1, X_2, ...) is equal to ByteReverse(GHASH(ByteReverse(H) * x, ByteReverse(X_1), ByteReverse(X_2), ...)), where ByteReverse is a function that reverses the order of 16 bytes. See Appendix A for a more detailed explanation.

我们注意到POLYVAL(H,X_1,X_2,…)等于ByteReverse(GHASH)(ByteReverse(H)*X,ByteReverse(X_1),ByteReverse(X_2),…),其中ByteReverse是一个反转16字节顺序的函数。有关更详细的说明,请参见附录A。

4. Encryption
4. 加密

AES-GCM-SIV encryption takes a 16- or 32-byte key-generating key, a 96-bit nonce, and plaintext and additional data byte strings of variable length. It outputs an authenticated ciphertext that will be 16 bytes longer than the plaintext. Both encryption and decryption are only defined on inputs that are a whole number of bytes.

AES-GCM-SIV加密采用16或32字节的密钥生成密钥、96位nonce、明文和其他可变长度的数据字节字符串。它输出一个经过验证的密文,比明文长16字节。加密和解密都只在整数字节的输入上定义。

If the key-generating key is 16 bytes long, then AES-128 is used throughout. Otherwise, AES-256 is used throughout.

如果生成密钥的密钥长度为16字节,则始终使用AES-128。否则,始终使用AES-256。

The first step of encryption is to generate per-nonce, message-authentication and message-encryption keys. The message-authentication key is 128 bit, and the message-encryption key is either 128 (for AES-128) or 256 bit (for AES-256).

加密的第一步是生成每个时隙、消息身份验证和消息加密密钥。消息身份验证密钥为128位,消息加密密钥为128位(对于AES-128)或256位(对于AES-256)。

These keys are generated by encrypting a series of plaintext blocks that contain a 32-bit, little-endian counter followed by the nonce, and then discarding the second half of the resulting ciphertext. In the AES-128 case, 128 + 128 = 256 bits of key material need to be generated, and, since encrypting each block yields 64 bits after discarding half, four blocks need to be encrypted. The counter values for these blocks are 0, 1, 2, and 3. For AES-256, six blocks are needed in total, with counter values 0 through 5 (inclusive).

这些密钥是通过加密一系列明文块生成的,这些明文块包含一个32位的小尾端计数器,后跟nonce,然后丢弃生成的密文的后半部分。在AES-128的情况下,需要生成128+128=256位的密钥材料,并且,由于在丢弃一半后加密每个块产生64位,因此需要加密四个块。这些块的计数器值为0、1、2和3。对于AES-256,总共需要六个块,计数器值为0到5(包括)。

In pseudocode form, where "++" indicates concatenation and "x[:8]" indicates taking only the first eight bytes from x:

在伪码形式中,其中“++”表示串联,“x[:8]”表示仅从x取前八个字节:

   func derive_keys(key_generating_key, nonce) {
     message_authentication_key =
         AES(key = key_generating_key,
             block = little_endian_uint32(0) ++ nonce)[:8] ++
         AES(key = key_generating_key,
             block = little_endian_uint32(1) ++ nonce)[:8]
     message_encryption_key =
         AES(key = key_generating_key,
             block = little_endian_uint32(2) ++ nonce)[:8] ++
         AES(key = key_generating_key,
             block = little_endian_uint32(3) ++ nonce)[:8]
        
   func derive_keys(key_generating_key, nonce) {
     message_authentication_key =
         AES(key = key_generating_key,
             block = little_endian_uint32(0) ++ nonce)[:8] ++
         AES(key = key_generating_key,
             block = little_endian_uint32(1) ++ nonce)[:8]
     message_encryption_key =
         AES(key = key_generating_key,
             block = little_endian_uint32(2) ++ nonce)[:8] ++
         AES(key = key_generating_key,
             block = little_endian_uint32(3) ++ nonce)[:8]
        
     if bytelen(key_generating_key) == 32 {
       message_encryption_key ++=
           AES(key = key_generating_key,
               block = little_endian_uint32(4) ++ nonce)[:8] ++
           AES(key = key_generating_key,
               block = little_endian_uint32(5) ++ nonce)[:8]
     }
        
     if bytelen(key_generating_key) == 32 {
       message_encryption_key ++=
           AES(key = key_generating_key,
               block = little_endian_uint32(4) ++ nonce)[:8] ++
           AES(key = key_generating_key,
               block = little_endian_uint32(5) ++ nonce)[:8]
     }
        

return message_authentication_key, message_encryption_key }

返回消息\u身份验证\u密钥,消息\u加密\u密钥}

Define the "length block" as a 16-byte value that is the concatenation of the 64-bit, little-endian encodings of bytelen(additional_data) * 8 and bytelen(plaintext) * 8. Pad the plaintext and additional data with zeros until they are each a multiple of 16 bytes, the AES block size. Then X_1, X_2, ... (the series of field elements that are inputs to POLYVAL) are the concatenation of the padded additional data, the padded plaintext, and the length block.

将“长度块”定义为16字节值,该值是bytelen(附加数据)*8和bytelen(明文)*8的64位小端编码的串联。用零填充明文和附加数据,直到它们都是AES块大小16字节的倍数。然后X_1,X_2。。。(作为POLYVAL输入的一系列字段元素)是填充的附加数据、填充的明文和长度块的串联。

Calculate S_s = POLYVAL(message-authentication-key, X_1, X_2, ...). XOR the first twelve bytes of S_s with the nonce and clear the most significant bit of the last byte. Encrypt the result with AES using the message-encryption key to produce the tag.

计算S_S=POLYVAL(消息身份验证密钥,X_1,X_2,…)。将S_S的前12个字节与nonce异或,并清除最后一个字节的最高有效位。使用消息加密密钥使用AES加密结果以生成标记。

(It's worth highlighting a contrast with AES-GCM here: AES-GCM authenticates the encoded additional data and ciphertext, while AES-GCM-SIV authenticates the encoded additional data and plaintext.)

(这里值得强调与AES-GCM的对比:AES-GCM认证编码的附加数据和密文,而AES-GCM-SIV认证编码的附加数据和明文。)

The encrypted plaintext is produced by using AES, with the message-encryption key, in counter mode (see [SP800-38A], Section 6.5) on the unpadded plaintext. The initial counter block is the tag with the most significant bit of the last byte set to one. The counter

在计数器模式下(参见[SP800-38A],第6.5节),在未添加的明文上使用AES和消息加密密钥生成加密的明文。初始计数器块是最后一个字节的最高有效位设置为1的标记。柜台

advances by incrementing the first 32 bits interpreted as an unsigned, little-endian integer, wrapping at 2^32. The result of the encryption is the encrypted plaintext (truncated to the length of the plaintext), followed by the tag.

通过递增解释为无符号小尾数整数的前32位,以2^32换行,从而提高性能。加密的结果是加密的明文(被截断为明文的长度),后跟标记。

In pseudocode form, the encryption process can be expressed as:

在伪码形式中,加密过程可以表示为:

   func right_pad_to_multiple_of_16_bytes(input) {
     while (bytelen(input) % 16 != 0) {
       input = input ++ "\x00"
     }
     return input
   }
        
   func right_pad_to_multiple_of_16_bytes(input) {
     while (bytelen(input) % 16 != 0) {
       input = input ++ "\x00"
     }
     return input
   }
        

func AES_CTR(key, initial_counter_block, in) { block = initial_counter_block

func AES\u CTR(键,初始计数器块,in){block=初始计数器块

     output = ""
     while bytelen(in) > 0 {
       keystream_block = AES(key = key, block = block)
       block[0:4] = little_endian_uint32(
           read_little_endian_uint32(block[0:4]) + 1)
        
     output = ""
     while bytelen(in) > 0 {
       keystream_block = AES(key = key, block = block)
       block[0:4] = little_endian_uint32(
           read_little_endian_uint32(block[0:4]) + 1)
        
       todo = min(bytelen(in), bytelen(keystream_block)
       for j = 0; j < todo; j++ {
         output = output ++ (keystream_block[j] ^ in[j])
       }
        
       todo = min(bytelen(in), bytelen(keystream_block)
       for j = 0; j < todo; j++ {
         output = output ++ (keystream_block[j] ^ in[j])
       }
        

in = in[todo:] }

in=in[todo:}

return output }

返回输出}

   func encrypt(key_generating_key,
                nonce,
                plaintext,
                additional_data) {
     if bytelen(plaintext) > 2^36 {
       fail()
     }
     if bytelen(additional_data) > 2^36 {
       fail()
     }
        
   func encrypt(key_generating_key,
                nonce,
                plaintext,
                additional_data) {
     if bytelen(plaintext) > 2^36 {
       fail()
     }
     if bytelen(additional_data) > 2^36 {
       fail()
     }
        

message_encryption_key, message_authentication_key = derive_keys(key_generating_key, nonce)

消息加密密钥,消息认证密钥=派生密钥(密钥生成密钥,nonce)

     length_block =
         little_endian_uint64(bytelen(additional_data) * 8) ++
         little_endian_uint64(bytelen(plaintext) * 8)
     padded_plaintext = right_pad_to_multiple_of_16_bytes(plaintext)
     padded_ad = right_pad_to_multiple_of_16_bytes(additional_data)
     S_s = POLYVAL(key = message_authentication_key,
                   input = padded_ad ++ padded_plaintext ++
                           length_block)
     for i = 0; i < 12; i++ {
       S_s[i] ^= nonce[i]
     }
     S_s[15] &= 0x7f
     tag = AES(key = message_encryption_key, block = S_s)
        
     length_block =
         little_endian_uint64(bytelen(additional_data) * 8) ++
         little_endian_uint64(bytelen(plaintext) * 8)
     padded_plaintext = right_pad_to_multiple_of_16_bytes(plaintext)
     padded_ad = right_pad_to_multiple_of_16_bytes(additional_data)
     S_s = POLYVAL(key = message_authentication_key,
                   input = padded_ad ++ padded_plaintext ++
                           length_block)
     for i = 0; i < 12; i++ {
       S_s[i] ^= nonce[i]
     }
     S_s[15] &= 0x7f
     tag = AES(key = message_encryption_key, block = S_s)
        
     counter_block = tag
     counter_block[15] |= 0x80
     return AES_CTR(key = message_encryption_key,
                    initial_counter_block = counter_block,
                    in = plaintext) ++
            tag
   }
        
     counter_block = tag
     counter_block[15] |= 0x80
     return AES_CTR(key = message_encryption_key,
                    initial_counter_block = counter_block,
                    in = plaintext) ++
            tag
   }
        
5. Decryption
5. 解密

Decryption takes a 16- or 32-byte key-generating key, a 96-bit nonce, and ciphertext and additional data byte strings of variable length. It either fails or outputs a plaintext that is 16 bytes shorter than the ciphertext.

解密采用16或32字节的密钥生成密钥、96位nonce、密文和其他可变长度的数据字节字符串。它要么失败,要么输出比密文短16字节的明文。

To decrypt an AES-GCM-SIV ciphertext, first derive the message-encryption and message-authentication keys in the same manner as when encrypting.

要解密AES-GCM-SIV密文,首先以加密时相同的方式导出消息加密和消息身份验证密钥。

If the ciphertext is less than 16 bytes or more than 2^36 + 16 bytes, then fail. Otherwise, split the input into the encrypted plaintext and a 16-byte tag. Decrypt the encrypted plaintext with the message-encryption key in counter mode, where the initial counter block is the tag with the most significant bit of the last byte set to one. Advance the counter for each block in the same way as when encrypting. At this point, the plaintext is unauthenticated and MUST NOT be output until the following tag confirmation is complete:

如果密文小于16字节或大于2^36+16字节,则失败。否则,将输入拆分为加密的明文和一个16字节的标记。在计数器模式下使用消息加密密钥解密加密的明文,其中初始计数器块是最后一个字节的最高有效位设置为1的标记。以加密时相同的方式推进每个块的计数器。此时,明文未经验证,在完成以下标记确认之前不得输出:

Pad the additional data and plaintext with zeros until they are each a multiple of 16 bytes, the AES block size. Calculate the length block and X_1, X_2, ... as above and compute S_s = POLYVAL(message-authentication-key, X_1, X_2, ...)

用零填充附加数据和明文,直到它们都是AES块大小16字节的倍数。计算长度块和X_1,X_2。。。如上所述,计算S_S=POLYVAL(消息身份验证密钥,X_1,X_2,…)

Compute the expected tag by XORing S_s and the nonce, clearing the most significant bit of the last byte and encrypting with the message-encryption key. Compare the provided and expected tag values in constant time. Fail the decryption if they do not match (and do not release the plaintext); otherwise, return the plaintext.

通过对S_S和nonce进行XORing,清除最后一个字节的最高有效位,并使用消息加密密钥加密,计算期望的标记。在恒定时间内比较提供的标记值和期望的标记值。如果它们不匹配,则解密失败(并且不释放明文);否则,返回纯文本。

In pseudocode form, the decryption process can be expressed as:

在伪码形式中,解密过程可以表示为:

   func decrypt(key_generating_key,
                nonce,
                ciphertext,
                additional_data) {
     if bytelen(ciphertext) < 16 || bytelen(ciphertext) > 2^36 + 16 {
       fail()
     }
     if bytelen(additional_data) > 2^36 {
       fail()
     }
        
   func decrypt(key_generating_key,
                nonce,
                ciphertext,
                additional_data) {
     if bytelen(ciphertext) < 16 || bytelen(ciphertext) > 2^36 + 16 {
       fail()
     }
     if bytelen(additional_data) > 2^36 {
       fail()
     }
        

message_encryption_key, message_authentication_key = derive_keys(key_generating_key, nonce)

消息加密密钥,消息认证密钥=派生密钥(密钥生成密钥,nonce)

     tag = ciphertext[bytelen(ciphertext)-16:]
        
     tag = ciphertext[bytelen(ciphertext)-16:]
        
     counter_block = tag
     counter_block[15] |= 0x80
     plaintext = AES_CTR(key = message_encryption_key,
                         initial_counter_block = counter_block,
                         in = ciphertext[:bytelen(ciphertext)-16])
        
     counter_block = tag
     counter_block[15] |= 0x80
     plaintext = AES_CTR(key = message_encryption_key,
                         initial_counter_block = counter_block,
                         in = ciphertext[:bytelen(ciphertext)-16])
        
     length_block =
         little_endian_uint64(bytelen(additional_data) * 8) ++
         little_endian_uint64(bytelen(plaintext) * 8)
     padded_plaintext = right_pad_to_multiple_of_16_bytes(plaintext)
     padded_ad = right_pad_to_multiple_of_16_bytes(additional_data)
     S_s = POLYVAL(key = message_authentication_key,
                   input = padded_ad ++ padded_plaintext ++
                           length_block)
     for i = 0; i < 12; i++ {
       S_s[i] ^= nonce[i]
     }
     S_s[15] &= 0x7f
     expected_tag = AES(key = message_encryption_key, block = S_s)
        
     length_block =
         little_endian_uint64(bytelen(additional_data) * 8) ++
         little_endian_uint64(bytelen(plaintext) * 8)
     padded_plaintext = right_pad_to_multiple_of_16_bytes(plaintext)
     padded_ad = right_pad_to_multiple_of_16_bytes(additional_data)
     S_s = POLYVAL(key = message_authentication_key,
                   input = padded_ad ++ padded_plaintext ++
                           length_block)
     for i = 0; i < 12; i++ {
       S_s[i] ^= nonce[i]
     }
     S_s[15] &= 0x7f
     expected_tag = AES(key = message_encryption_key, block = S_s)
        
     xor_sum = 0
     for i := 0; i < bytelen(expected_tag); i++ {
       xor_sum |= expected_tag[i] ^ tag[i]
     }
        
     xor_sum = 0
     for i := 0; i < bytelen(expected_tag); i++ {
       xor_sum |= expected_tag[i] ^ tag[i]
     }
        
     if xor_sum != 0 {
       fail()
     }
        
     if xor_sum != 0 {
       fail()
     }
        

return plaintext }

返回纯文本}

6. AEADs
6. AEADs

We define two AEADs, in the format of RFC 5116, that use AES-GCM-SIV: AEAD_AES_128_GCM_SIV and AEAD_AES_256_GCM_SIV. They differ only in the size of the AES key used.

我们以RFC 5116的格式定义了两个使用AES-GCM-SIV的AEAD:AEAD_AES_128_GCM_SIV和AEAD_AES_256_GCM_SIV。它们仅在使用的AES密钥的大小上有所不同。

The key input to these AEADs becomes the key-generating key. Thus, AEAD_AES_128_GCM_SIV takes a 16-byte key and AEAD_AES_256_GCM_SIV takes a 32-byte key.

这些AEAD的密钥输入成为密钥生成密钥。因此,AEAD_AES_128_GCM_SIV采用16字节密钥,AEAD_AES_256_GCM_SIV采用32字节密钥。

The parameters for AEAD_AES_128_GCM_SIV are then as follows: K_LEN is 16, P_MAX is 2^36, A_MAX is 2^36, N_MIN and N_MAX are 12, and C_MAX is 2^36 + 16.

AEAD_AES_128_GCM_SIV的参数如下:K_LEN为16,P_MAX为2^36,A_MAX为2^36,N_MIN和N_MAX为12,C_MAX为2^36+16。

The parameters for AEAD_AES_256_GCM_SIV differ only in the key size: K_LEN is 32, P_MAX is 2^36, A_MAX is 2^36, N_MIN and N_MAX are 12, and C_MAX is 2^36 + 16.

AEAD_AES_256_GCM_SIV的参数仅在密钥大小上不同:K_LEN为32,P_MAX为2^36,A_MAX为2^36,N_MIN和N_MAX为12,C_MAX为2^36+16。

7. Field Operation Examples
7. 野外作业实例

Polynomials in this document will be written as 16-byte values. For example, the sixteen bytes 01000000000000000000000000000492 would represent the polynomial x^127 + x^124 + x^121 + x^114 + 1, which is also the value of x^-128 in this field.

本文档中的多项式将被写成16字节的值。例如,16个字节01000000000000000000000492将表示多项式x^127+x^124+x^121+x^114+1,这也是该字段中x^-128的值。

If a = 66e94bd4ef8a2c3b884cfa59ca342b2e and b = ff000000000000000000000000000000, then a + b = 99e94bd4ef8a2c3b884cfa59ca342b2e, a * b = 37856175e9dc9df26ebc6d6171aa0ae9, and dot(a, b) = ebe563401e7e91ea3ad6426b8140c394.

如果a=66E94BD4EF8A2C3B884CFA59CA342B2和b=FF000000000000000000000000000000000000000000,则a+b=99E94BD4EF8A2C3B884CFA59CA342B2、a*b=37856175E9DC9DF26EBC66171AA0AE9和点(a,b)=ebe563401e7e91ea3ad6426b8140c394。

8. Worked Example
8. 工作实例

Consider the encryption of the plaintext "Hello world" with the additional data "example" under key ee8e1ed9ff2540ae8f2ba9f50bc2f27c using AEAD_AES_128_GCM_SIV. The random nonce that we'll use for this example is 752abad3e0afb5f434dc4310.

考虑明文“Hello World”的加密,附加数据“示例”在密钥EE8E1ED940AE8F2BA9F50BC2F27 C下使用EAdAdAES128JGCMYSIV。我们将在本例中使用的随机nonce是752abad3e0afb5f434dc4310。

In order to generate the message-authentication and message-encryption keys, a counter is combined with the nonce to form four blocks. These blocks are encrypted with the key given above:

为了生成消息身份验证和消息加密密钥,计数器与nonce组合形成四个块。使用上述密钥对这些块进行加密:

   Counter |       Nonce                         Ciphertext
   00000000752abad3e0afb5f434dc4310 -> 310728d9911f1f38c40e952ca83d093e
   01000000752abad3e0afb5f434dc4310 -> 37b24316c3fab9a046ae90952daa0450
   02000000752abad3e0afb5f434dc4310 -> a4c5ae624996327947920b2d2412474b
   03000000752abad3e0afb5f434dc4310 -> c100be4d7e2c6edd1efef004305ab1e7
        
   Counter |       Nonce                         Ciphertext
   00000000752abad3e0afb5f434dc4310 -> 310728d9911f1f38c40e952ca83d093e
   01000000752abad3e0afb5f434dc4310 -> 37b24316c3fab9a046ae90952daa0450
   02000000752abad3e0afb5f434dc4310 -> a4c5ae624996327947920b2d2412474b
   03000000752abad3e0afb5f434dc4310 -> c100be4d7e2c6edd1efef004305ab1e7
        

The latter halves of the ciphertext blocks are discarded and the remaining bytes are concatenated to form the per-message keys. Thus, the message-authentication key is 310728d9911f1f3837b24316c3fab9a0, and the message-encryption key is a4c5ae6249963279c100be4d7e2c6edd.

密文块的后半部分被丢弃,剩余的字节被连接起来形成每消息密钥。因此,消息身份验证密钥为310728d9911f1f3837b24316c3fab9a0,消息加密密钥为a4c5ae6249963279c100be4d7e2c6edd。

The length block contains the encoding of the bit lengths of the additional data and plaintext, respectively. The string "example" is seven characters, thus 56 bits (or 0x38 in hex). The string "Hello world" is 11 characters, or 88 = 0x58 bits. Thus, the length block is 38000000000000005800000000000000.

长度块分别包含附加数据和明文的位长度编码。字符串“example”是七个字符,因此是56位(或十六进制中的0x38)。字符串“Hello world”是11个字符,或88=0x58位。因此,长度块为380000000058000000000000。

The input to POLYVAL is the padded additional data, padded plaintext, and then the length block. This is 6578616d706c650000000000000000004 8656c6c6f20776f726c64000000000038000000000000005800000000000000, based on the ASCII encoding of "example" (6578616d706c65) and "Hello world" (48656c6c6f20776f726c64).

POLYVAL的输入是填充的附加数据、填充的明文,然后是长度块。这是6578616d706c650000000000000000004 8656C6C6F20776F726C64000000000038000000000000000000058000000000000000,基于“示例”(6578616d706c65)和“你好世界”(48656c6c6f20776f726c64)的ASCII编码。

Calling POLYVAL with the message-authentication key and the input above results in S_s = ad7fcf0b5169851662672f3c5f95138f.

使用消息身份验证密钥和上述输入调用POLYVAL将导致S_S=ad7fcf0b5169851662672f3c5f95138f。

Before encrypting, the nonce is XORed in and the most significant bit of the last byte is cleared. This gives d85575d8b1c630e256bb6c2c5f95130f, because that bit happened to be one previously. Encrypting with the message-encryption key (using AES-128) gives the tag, which is 4fbcdeb7e4793f4a1d7e4faa70100af1.

在加密之前,nonce被异或输入,最后一个字节的最高有效位被清除。这给出了d85575d8b1c630e256bb6c2c5f95130f,因为该位恰好是之前的一位。使用消息加密密钥加密(使用AES-128)会得到标记,即4FBCDEB7E4793F4A1D7E4FAA7100AF1。

In order to form the initial counter block, the most significant bit of the last byte of the tag is set to one. That doesn't result in a change in this example. Encrypting this with the message key (using AES-128) gives the first block of the keystream: 1551f2c1787e81deac9a99f139540ab5.

为了形成初始计数器块,将标签最后一个字节的最高有效位设置为1。这不会导致本例中的更改。使用消息密钥(使用AES-128)对此进行加密会得到密钥流的第一个块:1551f2c1787e81deac9a99f139540ab5。

The final ciphertext is the result of XORing the plaintext with the keystream and appending the tag. That gives 5d349ead175ef6b1def6fd4fbcdeb7e4793f4a1d7e4faa70100af1.

最后一个密文是将明文与密钥流XORing并附加标记的结果。这就是5D349EAD175EF6B1DEF6FD4FBCDEB7E4793F4A1D7E4FAA7100AF1。

9. Security Considerations
9. 安全考虑

AES-GCM-SIV decryption involves first producing an unauthenticated plaintext. This plaintext is vulnerable to manipulation by an attacker; thus, if an implementation released some or all of the plaintext before authenticating it, other parts of a system may process malicious data as if it were authentic. AES-GCM might be less likely to lead implementations to do this because there the ciphertext is generally authenticated before, or concurrently with, the plaintext calculation. Therefore, this text requires that implementations MUST NOT release unauthenticated plaintext. Thus, system designers should consider memory limitations when picking the

AES-GCM-SIV解密首先涉及生成未经验证的明文。此明文易受攻击者的操纵;因此,如果一个实现在对其进行身份验证之前发布了部分或全部明文,那么系统的其他部分可能会像处理真实数据一样处理恶意数据。AES-GCM可能不太可能导致实现这样做,因为通常在明文计算之前或同时对密文进行身份验证。因此,本文要求实现不能发布未经验证的明文。因此,系统设计者在挑选时应该考虑内存限制。

size of AES-GCM-SIV plaintexts: large plaintexts may not fit in the available memory of some machines, tempting implementations to release unverified plaintext.

AES-GCM-SIV明文的大小:大型明文可能无法放入某些机器的可用内存中,这会诱使实现释放未经验证的明文。

A detailed cryptographic analysis of AES-GCM-SIV appears in [AES-GCM-SIV], and the remainder of this section is a summary of that paper.

AES-GCM-SIV的详细密码分析见[AES-GCM-SIV],本节剩余部分是该论文的总结。

The AEADs defined in this document calculate fresh AES keys for each nonce. This allows a larger number of plaintexts to be encrypted under a given key. Without this step, AES-GCM-SIV encryption would be limited by the birthday bound like other standard modes (e.g., AES-GCM, AES-CCM [RFC3610], and AES-SIV [RFC5297]). This means that when 2^64 blocks have been encrypted overall, a distinguishing adversary who is trying to break the confidentiality of the scheme has an advantage of 1/2. Thus, in order to limit the adversary's advantage to 2^-32, at most 2^48 blocks can be encrypted overall. In contrast, by deriving fresh keys from each nonce, it is possible to encrypt a far larger number of messages and blocks with AES-GCM-SIV.

本文档中定义的AEAD为每个nonce计算新的AES密钥。这允许在给定密钥下加密更多的明文。如果没有此步骤,AES-GCM-SIV加密将像其他标准模式(例如,AES-GCM、AES-CCM[RFC3610]和AES-SIV[RFC5297])一样受到生日界限的限制。这意味着,当2^64个块全部加密时,试图破坏方案机密性的明显对手具有1/2的优势。因此,为了将对手的优势限制在2^-32,总体上最多可以加密2^-48个块。相反,通过从每个nonce派生新密钥,可以使用AES-GCM-SIV加密数量多得多的消息和块。

We stress that nonce misuse-resistant schemes guarantee that if a nonce repeats, then the only security loss is that identical plaintexts will produce identical ciphertexts. Since this can also be a concern (as the fact that the same plaintext has been encrypted twice is revealed), we do not recommend using a fixed nonce as a policy. In addition, as we show below, better-than-birthday bounds are achieved by AES-GCM-SIV when the nonce repetition rate is low. Finally, as shown in [BHT18], there is a great security benefit in the multiuser/multikey setting when each particular nonce is reused by a small number of users only. We stress that the nonce misuse-resistance property is not intended to be coupled with intentional nonce reuse; rather, such schemes provide the best possible security in the event of nonce reuse. Due to all of the above, it is RECOMMENDED that AES-GCM-SIV nonces be randomly generated.

我们强调,nonce防误用方案保证,如果nonce重复,那么唯一的安全损失就是相同的明文将产生相同的密文。由于这也可能是一个问题(因为同一明文已被加密两次的事实已经暴露),我们不建议使用固定的nonce作为策略。此外,如下所示,当nonce重复率较低时,AES-GCM-SIV实现了优于生日的界限。最后,如[BHT18]所示,当每个特定的nonce仅被少数用户重用时,多用户/多密钥设置具有很大的安全优势。我们强调,nonce的抗误用特性并不打算与有意的nonce重用相结合;相反,这样的方案在非重用的情况下提供了最好的安全性。鉴于上述所有原因,建议随机生成AES-GCM-SIV非随机数。

Some example usage bounds for AES-GCM-SIV are given below. The adversary's advantage is the "AdvEnc" from [key-derive] and is colloquially the ability of an attacker to distinguish ciphertexts from random bit strings. The bounds below limit this advantage to 2^-32. For up to 256 uses of the same nonce and key (i.e., where one can assume that nonce misuse is no more than this bound), the following message limits should be respected (this assumes a short additional authenticated data (AAD), i.e., less than 64 bytes):

下面给出了AES-GCM-SIV的一些使用范围示例。对手的优势是[key derive]中的“AdvEnc”,通俗地说是攻击者能够区分密文和随机位字符串。下面的界限将这一优势限制在2^-32。对于最多256次使用相同的nonce和密钥(即,可以假设nonce误用不超过此界限),应遵守以下消息限制(这假设短的附加身份验证数据(AAD),即小于64字节):

2^29 messages, where each plaintext is at most 1 GiB

2^29条消息,其中每条明文最多为1 GiB

2^35 messages, where each plaintext is at most 128 MiB

2^35个消息,其中每个明文最多为128个MiB

2^49 messages, where each plaintext is at most 1 MiB

2^49个消息,其中每个明文最多为1个MiB

2^61 messages, where each plaintext is at most 16 KiB

2^61条消息,其中每条明文最多16 KiB

Suzuki et al. [multi-birthday] show that even if nonces are selected uniformly at random, the probability that one or more values would be repeated 256 or more times is negligible until the number of nonces reaches 2^102. (Specifically, the probability is 1/((2^96)^(255)) * Binomial(q, 256), where q is the number of nonces.) Since 2^102 is vastly greater than the limit on the number of plaintexts per key given above, we don't feel that this limit on the number of repeated nonces will be a problem. This also means that selecting nonces at random is a safe practice with AES-GCM-SIV. The bounds obtained for random nonces are as follows (as above, for these bounds, the adversary's advantage is at most 2^-32):

Suzuki等人[multi Birth]表明,即使随机均匀地选择了nonce,一个或多个值重复256次或更多次的概率可以忽略不计,直到nonce的数量达到2^102。(具体地说,概率是1/((2^96)^(255))*二项式(q,256),其中q是nonce的数量。)由于2^102远远大于上面给出的每个键的明文数量限制,我们认为重复nonce的数量限制不会有问题。这也意味着随机选择nonce是AES-GCM-SIV的安全做法。随机非随机数的界限如下(如上所述,对于这些界限,对手的优势最多为2^-32):

2^32 messages, where each plaintext is at most 8 GiB

2^32条消息,其中每条明文最多为8 GiB

2^48 messages, where each plaintext is at most 32 MiB

2^48个消息,其中每个明文最多32个MiB

2^64 messages, where each plaintext is at most 128 KiB

2^64条消息,其中每条明文最多为128 KiB

For situations where, for some reason, an even higher number of nonce repeats is possible (e.g., in devices with very poor randomness), the message limits need to be reconsidered. Theorem 7 in [AES-GCM-SIV] contains more details, but for up to 1,024 repeats of each nonce, the limits would be (again assuming a short AAD, i.e., less than 64 bytes):

对于出于某种原因可能出现更高数量的nonce重复的情况(例如,在随机性非常差的设备中),需要重新考虑消息限制。[AES-GCM-SIV]中的定理7包含更多细节,但对于每个nonce最多1024次的重复,限制为(再次假设AAD较短,即小于64字节):

2^25 messages, where each plaintext is at most 1 GiB

2^25条消息,其中每条明文最多为1 GiB

2^31 messages, where each plaintext is at most 128 MiB

2^31个消息,其中每个明文最多为128个MiB

2^45 messages, where each plaintext is at most 1 MiB

2^45个消息,其中每个明文最多为1个MiB

2^57 messages, where each plaintext is at most 16 KiB

2^57条消息,其中每条明文最多16 KiB

In addition to calculating fresh AES keys for each nonce, these AEADs also calculate fresh POLYVAL keys. Previous versions of GCM-SIV did not do this and instead used part of the AEAD's key as the POLYVAL key. Bleichenbacher pointed out [Bleichenbacher16] that this allowed an attacker who controlled the AEAD key to force the POLYVAL key to be zero. If a user of this AEAD authenticated messages with a secret additional-data value, then this would be insecure as the attacker could calculate a valid authenticator without knowing the input. This does not violate the standard properties of an AEAD as the

除了为每个nonce计算新的AES密钥外,这些AEAD还计算新的POLYVAL密钥。以前版本的GCM-SIV没有这样做,而是将AEAD的部分密钥用作POLYVAL密钥。Bleichenbacher指出[Bleichenbacher16]这允许控制AEAD密钥的攻击者强制POLYVAL密钥为零。如果此AEAD的用户使用机密附加数据值对消息进行身份验证,则这将是不安全的,因为攻击者可以在不知道输入的情况下计算有效的身份验证程序。这并不违反AEAD的标准属性

additional data is not assumed to be confidential. However, we want these AEADs to be robust against plausible misuse and also to be drop-in replacements for AES-GCM and so derive nonce-specific POLYVAL keys to avoid this issue.

其他数据不被视为机密。然而,我们希望这些AEAD对可能的误用具有鲁棒性,并且能够作为AES-GCM的替代品,因此可以派生出特定于nonce的POLYVAL密钥来避免此问题。

We also wish to note that the probability of successful forgery increases with the number of attempts that an attacker is permitted. The advantage defined in [key-derive] and used above is specified in terms of the ability of an attacker to distinguish ciphertexts from random bit strings. It thus covers both confidentiality and integrity, and Theorem 6.2 in [key-derive] shows that the advantage increases with the number of decryption attempts, although much more slowly than with the number of encryptions; the dependence on the number of decryption queries for forgery is actually only linear, not quadratic. The latter is an artifact of the bound in the paper not being tight. If an attacker is permitted extremely large numbers of attempts, then the tiny probability that any given attempt succeeds may sum to a non-trivial chance.

我们还希望注意,成功伪造的概率随着攻击者被允许的尝试次数的增加而增加。[key derive]中定义并在上面使用的优势是攻击者能够区分密文和随机位字符串。因此,它涵盖了机密性和完整性,[密钥派生]中的定理6.2表明,这种优势随着解密尝试次数的增加而增加,尽管比加密次数慢得多;伪造对解密查询数量的依赖实际上只是线性的,而不是二次的。后者是纸张装订不紧的假象。如果允许攻击者进行极大量的尝试,那么任何给定尝试成功的微小概率都可能是一个不小的机会。

A security analysis of a similar scheme without nonce-based key derivation appears in [GCM-SIV], and a full analysis of the bounds when applying nonce-based key derivation appears in [key-derive]. A larger table of bounds and other information appears at [aes-gcm-siv-homepage].

[GCM-SIV]中显示了没有基于nonce的密钥派生的类似方案的安全性分析,并且[key derive]中显示了应用基于nonce的密钥派生时的边界的完整分析。[aes gcm siv主页]上显示了更大的边界和其他信息表。

The multiuser/multikey security of AES-GCM-SIV was studied by [BHT18], which showed that security is almost the same as in the single-user setting, as long as nonces do not repeat many times across many users. This is the case when nonces are chosen randomly.

[BHT18]对AES-GCM-SIV的多用户/多密钥安全性进行了研究,结果表明,只要在多个用户之间不重复多次,安全性几乎与单用户设置相同。随机选择nonce时就是这种情况。

10. IANA Considerations
10. IANA考虑

IANA has added two entries to the "AEAD Algorithms" registry: AEAD_AES_128_GCM_SIV (Numeric ID 30) and AEAD_AES_256_GCM_SIV (Numeric ID 31), both referencing this document as their specification.

IANA在“AEAD算法”注册表中添加了两个条目:AEAD_AES_128_GCM_SIV(数字ID 30)和AEAD_AES_256_GCM_SIV(数字ID 31),均引用本文档作为其规范。

11. References
11. 工具书类
11.1. Normative References
11.1. 规范性引用文件

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>.

[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,DOI 10.17487/RFC2119,1997年3月<https://www.rfc-editor.org/info/rfc2119>.

[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <https://www.rfc-editor.org/info/rfc8174>.

[RFC8174]Leiba,B.,“RFC 2119关键词中大写与小写的歧义”,BCP 14,RFC 8174,DOI 10.17487/RFC8174,2017年5月<https://www.rfc-editor.org/info/rfc8174>.

[SP800-38A] Dworkin, M., "Recommendation for Block Cipher Modes of Operation: Methods and Techniques", NIST SP 800-38A, DOI 10.6028/NIST.SP.800-38A, December 2001, <https://csrc.nist.gov/publications/detail/sp/800-38a/ final>.

[SP800-38A]德沃金,M.“分组密码操作模式的建议:方法和技术”,NIST SP 800-38A,DOI 10.6028/NIST.SP.800-38A,2001年12月<https://csrc.nist.gov/publications/detail/sp/800-38a/ 最终>。

11.2. Informative References
11.2. 资料性引用

[AES-GCM-SIV] Gueron, S., Langley, A., and Y. Lindell, "AES-GCM-SIV: Specification and Analysis", July 2017, <https://eprint.iacr.org/2017/168>.

[AES-GCM-SIV]Gueron,S.,Langley,A.,和Y.Lindell,“AES-GCM-SIV:规范和分析”,2017年7月<https://eprint.iacr.org/2017/168>.

[aes-gcm-siv-homepage] Gueron, S., Langley, A., and Y. Lindell, "Webpage for the AES-GCM-SIV Mode of Operation", <https://cyber.biu.ac.il/aes-gcm-siv/>.

[aes gcm siv主页]Gueron,S.,Langley,A.,和Y.Lindell,“aes-gcm-siv运行模式网页”<https://cyber.biu.ac.il/aes-gcm-siv/>.

[BHT18] Bose, P., Hoang, V., and S. Tessaro, "Revisiting AES-GCM-SIV: Multi-user Security, Faster Key Derivation, and Better Bounds", Advances in Cryptology - EUROCRYPT 2018, DOI 10.1007/978-3-319-78381-9_18, May 2018, <https://eprint.iacr.org/2018/136.pdf>.

[BHT18]Bose,P.,Hoang,V.和S.Tessaro,“重温AES-GCM-SIV:多用户安全、更快的密钥推导和更好的边界”,《密码学进展-欧洲密码2018》,DOI 10.1007/978-3-319-78381-92018年5月<https://eprint.iacr.org/2018/136.pdf>.

[Bleichenbacher16] Bleichenbacher, D., "Subject: AES-GCM-SIV security of the additional data", message to the cfrg mailing list, 24 June 2016, <https://mailarchive.ietf.org/arch/msg/cfrg/ qgh-Yxmj7CC7cq2YZLpmfGA3x-o>.

[Bleichenbacher16]Bleichenbacher,D.,“主题:附加数据的AES-GCM-SIV安全”,发送至cfrg邮件列表的信息,2016年6月24日<https://mailarchive.ietf.org/arch/msg/cfrg/ qgh-Yxmj7CC7cq2YZLpmfGA3x-o>。

[GCM] Dworkin, M., "Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC", NIST SP 800-38D, DOI 10.6028/NIST.SP.800-38D, November 2007, <https://csrc.nist.gov/publications/detail/sp/800-38d/ final>.

[GCM]Dworkin,M.“分组密码操作模式的建议:Galois/计数器模式(GCM)和GMAC”,NIST SP 800-38D,DOI 10.6028/NIST.SP.800-38D,2007年11月<https://csrc.nist.gov/publications/detail/sp/800-38d/ 最终>。

[GCM-SIV] Gueron, S. and Y. Lindell, "GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle Per Byte", Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, DOI 10.1145/2810103.2813613, October 2015, <http://doi.acm.org/10.1145/2810103.2813613>.

[GCM-SIV]Gueron,S.和Y.Lindell,“GCM-SIV:每字节不超过一个周期的全时态防误用认证加密”,第22届ACM SIGSAC计算机和通信安全会议记录,DOI 10.1145/2810103.2813613,2015年10月<http://doi.acm.org/10.1145/2810103.2813613>.

[key-derive] Gueron, S. and Y. Lindell, "Better Bounds for Block Cipher Modes of Operation via Nonce-Based Key Derivation", Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, DOI 10.1145/3133956.3133992, 2017, <https://doi.org/10.1145/3133956.3133992>.

[密钥派生]Gueron,S.和Y.Lindell,“通过基于Nonce的密钥派生实现分组密码操作模式的更好边界”,2017年ACM SIGSAC计算机和通信安全会议论文集,DOI 10.1145/3133956.3133992,2017<https://doi.org/10.1145/3133956.3133992>.

[multi-birthday] Suzuki, K., Tonien, D., Kurosawa, K., and K. Toyota, "Birthday Paradox for Multi-collisions", Information Security and Cryptology - ICISC 2006, Lecture Notes in Computer Science, Volume 4296, DOI 10.1007/11927587_5, 2006, <http://dx.doi.org/10.1007/11927587_5>.

[多生日]Suzuki,K.,Tonien,D.,Kurosawa,K.,和K.Toyota,“多重碰撞的生日悖论”,信息安全和密码学-ICIC 2006,计算机科学课堂讲稿,第4296卷,DOI 10.1007/11927587_5,2006<http://dx.doi.org/10.1007/11927587_5>.

[RFC3610] Whiting, D., Housley, R., and N. Ferguson, "Counter with CBC-MAC (CCM)", RFC 3610, DOI 10.17487/RFC3610, September 2003, <https://www.rfc-editor.org/info/rfc3610>.

[RFC3610]Whiting,D.,Housley,R.,和N.Ferguson,“CBC-MAC(CCM)计数器”,RFC 3610,DOI 10.17487/RFC3610,2003年9月<https://www.rfc-editor.org/info/rfc3610>.

[RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008, <https://www.rfc-editor.org/info/rfc5116>.

[RFC5116]McGrew,D.“认证加密的接口和算法”,RFC 5116,DOI 10.17487/RFC5116,2008年1月<https://www.rfc-editor.org/info/rfc5116>.

[RFC5297] Harkins, D., "Synthetic Initialization Vector (SIV) Authenticated Encryption Using the Advanced Encryption Standard (AES)", RFC 5297, DOI 10.17487/RFC5297, October 2008, <https://www.rfc-editor.org/info/rfc5297>.

[RFC5297]Harkins,D.“使用高级加密标准(AES)的合成初始化向量(SIV)认证加密”,RFC 5297,DOI 10.17487/RFC5297,2008年10月<https://www.rfc-editor.org/info/rfc5297>.

Appendix A. The Relationship between POLYVAL and GHASH
附录A.POLYVAL和GHASH之间的关系

GHASH and POLYVAL both operate in GF(2^128), although with different irreducible polynomials: POLYVAL works modulo x^128 + x^127 + x^126 + x^121 + 1 and GHASH works modulo x^128 + x^7 + x^2 + x + 1. Note that these irreducible polynomials are the "reverse" of each other.

GHASH和POLYVAL都在GF(2^128)中工作,尽管使用不同的不可约多项式:POLYVAL工作于模x^128+x^127+x^126+x^121+1,GHASH工作于模x^128+x^7+x^2+x+1。请注意,这些不可约多项式是彼此的“反向”。

GHASH also has a different mapping between 128-bit strings and field elements. Whereas POLYVAL takes the least significant to most significant bits of the first byte to be the coefficients of x^0 to x^7, GHASH takes them to be the coefficients of x^7 to x^0. This continues until, for the last byte, POLYVAL takes the least significant to most significant bits to be the coefficients of x^120 to x^127, while GHASH takes them to be the coefficients of x^127 to x^120.

GHASH在128位字符串和字段元素之间也有不同的映射。POLYVAL将第一个字节的最低有效位到最高有效位作为x^0到x^7的系数,而GHASH将它们作为x^7到x^0的系数。直到最后一个字节,POLYVAL取最低有效位到最高有效位作为x^120到x^127的系数,而GHASH取它们作为x^127到x^120的系数。

The combination of these facts means that it's possible to "convert" values between the two by reversing the order of the bytes in a 16-byte string. The differing interpretations of bit order takes care of reversing the bits within each byte, and then reversing the bytes does the rest. This may have a practical benefit for implementations that wish to implement both GHASH and POLYVAL.

这些事实的结合意味着,通过颠倒16字节字符串中字节的顺序,可以在两者之间“转换”值。位顺序的不同解释负责反转每个字节内的位,然后反转字节完成其余部分。对于希望同时实现GHASH和POLYVAL的实现来说,这可能有实际的好处。

In order to be clear which field a given operation is performed in, let mulX_GHASH be a function that takes a 16-byte string, converts it to an element of GHASH's field using GHASH's convention, multiplies it by x, and converts it back to a string. Likewise, let mulX_POLYVAL be a function that converts a 16-byte string to an element of POLYVAL's field using POLYVAL's convention, multiplies it by x, and converts it back.

为了明确在哪个字段中执行给定操作,将mulX_GHASH设为一个函数,该函数接受一个16字节的字符串,使用GHASH的约定将其转换为GHASH字段的一个元素,将其乘以x,然后将其转换回字符串。同样,假设mulX_POLYVAL是一个函数,它使用POLYVAL的约定将一个16字节的字符串转换为POLYVAL字段的一个元素,将其乘以x,然后将其转换回。

Given the 16-byte string 01000000000000000000000000000000, mulX_GHASH of that string is 00800000000000000000000000000000 and mulX_POLYVAL of that string is 02000000000000000000000000000000. As a more general example, given 9c98c04df9387ded828175a92ba652d8, mulX_GHASH of that string is 4e4c6026fc9c3ef6c140bad495d3296c and mulX_POLYVAL of it is 3931819bf271fada0503eb52574ca5f2.

给定16字节字符串01000000000000000000000000,该字符串的mulX_-GHASH为00800000000000000000000000,该字符串的mulX_-POLYVAL为020000000000000000000000000000000000000。作为更一般的示例,给定9c98c04df9387ded828175a92ba652d8,该字符串的mulX_-GHASH为4e4c6026fc9c3ef6c140bad495d3296c,mulX_-POLYVAL为3931819bf271fada0503eb52574ca5f2。

Lastly, let ByteReverse be the function that takes a 16-byte string and returns a copy where the order of the bytes has been reversed.

最后,让ByteReverse成为接受16字节字符串并返回字节顺序颠倒的副本的函数。

Now GHASH and POLYVAL can be defined in terms of one another:

现在,GHASH和POLYVAL可以相互定义:

   POLYVAL(H, X_1, ..., X_n) =
   ByteReverse(GHASH(mulX_GHASH(ByteReverse(H)), ByteReverse(X_1), ...,
   ByteReverse(X_n)))
        
   POLYVAL(H, X_1, ..., X_n) =
   ByteReverse(GHASH(mulX_GHASH(ByteReverse(H)), ByteReverse(X_1), ...,
   ByteReverse(X_n)))
        
   GHASH(H, X_1, ..., X_n) =
   ByteReverse(POLYVAL(mulX_POLYVAL(ByteReverse(H)), ByteReverse(X_1),
   ..., ByteReverse(X_n)))
        
   GHASH(H, X_1, ..., X_n) =
   ByteReverse(POLYVAL(mulX_POLYVAL(ByteReverse(H)), ByteReverse(X_1),
   ..., ByteReverse(X_n)))
        

As a worked example: let H = 25629347589242761d31f826ba4b757b, X_1 = 4f4f95668c83dfb6401762bb2d01a262, and X_2 = d1a24ddd2721d006bbe45f20d3c9f362. POLYVAL(H, X_1, X_2) = f7a3b47b846119fae5b7866cf5e5b77e.

例如:设H=25629347589242761D31DF826BA4B757B,X_1=4F4F95668C83DFB6401762BB2BD01A262,X_2=D1A24DD2721D006BBE45F20D3C9F362。POLYVAL(H,X_1,X_2)=f7a3b47b846119fae5b7866cf5e5b77e。

If we wished to calculate this given only an implementation of GHASH, then the key for GHASH would be

如果我们只希望在GHASH实现的情况下计算这个值,那么GHASH的关键是

mulX_GHASH(ByteReverse(H)) = dcbaa5dd137c188ebb21492c23c9b112.

mulX_GHASH(ByteReverse(H))=DCBAA5DD137C188EBB21492C3C9B112。

Then ByteReverse(GHASH(dcba..., ByteReverse(X_1), ByteReverse(X_2))) = f7a3b47b846119fae5b7866cf5e5b77e, as required.

然后根据需要,ByteReverse(GHASH(dcba…、ByteReverse(X_1)、ByteReverse(X_2))=F7A3B47B846119 FAE5B7866CF5E5B77E。

In the other direction, GHASH(H, X_1, X_2) = bd9b3997046731fb96251b91f9c99d7a. If we wished to calculate this given only an implementation of POLYVAL, then we would first calculate the key for POLYVAL:

在另一个方向上,GHASH(H,X_1,X_2)=bd9b3997046731fb96251b91f9c99d7a。如果我们只希望在给定POLYVAL实现的情况下计算该值,那么我们将首先计算POLYVAL的密钥:

mulX_POLYVAL(ByteReverse(H)) = f6ea96744df0633aec8424b18e26c54a.

mulX_POLYVAL(ByteReverse(H))=f6ea96744df0633aec8424b18e26c54a。

Then ByteReverse(POLYVAL(f6ea..., ByteReverse(X_1), ByteReverse(X_2))) = bd9b3997046731fb96251b91f9c99d7a.

然后ByteReverse(POLYVAL(f6ea…,ByteReverse(X_1),ByteReverse(X_2))=bd9b3997046731fb96251b91f9c99d7a。

Appendix B. Additional Comparisons with AES-GCM
附录B.与AES-GCM的其他比较

Some functional properties that differ between AES-GCM and AES-GCM-SIV that are also worth noting:

AES-GCM和AES-GCM-SIV之间的一些功能特性也值得注意:

AES-GCM allows plaintexts to be encrypted in a streaming fashion -- i.e., the beginning of the plaintext can be encrypted and transmitted before the entire message has been processed. AES-GCM-SIV requires two passes for encryption and so cannot do this.

AES-GCM允许以流方式对明文进行加密——即,可以在处理整个消息之前对明文的开头进行加密和传输。AES-GCM-SIV需要两次加密,因此无法实现这一点。

AES-GCM allows a constant additional-data input to be precomputed in order to save per-message computation. AES-GCM-SIV varies the authenticator key based on the nonce and so does not permit this.

AES-GCM允许预先计算恒定的额外数据输入,以节省每条消息的计算。AES-GCM-SIV根据当前值改变验证器密钥,因此不允许这样做。

The performance for AES-GCM versus AES-GCM-SIV on small machines can be roughly characterized by the number of AES operations and the number of GF(2^128) multiplications needed to process a message.

AES-GCM与AES-GCM-SIV在小型机器上的性能大致可以通过AES操作的数量和处理消息所需的GF(2^128)乘法的数量来表征。

      Let a = (bytelen(additional-data) + 15) / 16 and
          p = (bytelen(plaintext) + 15) / 16.
        
      Let a = (bytelen(additional-data) + 15) / 16 and
          p = (bytelen(plaintext) + 15) / 16.
        

Then AES-GCM requires p + 1 AES operations and p + a + 1 field multiplications.

然后AES-GCM需要p+1 AES运算和p+a+1字段乘法。

Defined similarly, AES-GCM-SIV with AES-128 requires p + 5 AES operations and p + a + 1 field multiplications. With AES-256, that becomes p + 7 AES operations.

定义类似,AES-128的AES-GCM-SIV需要p+5 AES运算和p+a+1字段乘法。对于AES-256,这将成为p+7 AES操作。

With large machines, the available parallelism becomes far more important, and such simple performance analysis is no longer representative. For such machines, we find that decryption of AES-GCM-SIV is only about 5% slower than AES-GCM, as long as the message is at least a couple of kilobytes. Encryption tends to run about two-thirds the speed because of the additional pass required.

对于大型机器,可用的并行性变得更加重要,这种简单的性能分析不再具有代表性。对于这类机器,我们发现AES-GCM-SIV的解密速度仅比AES-GCM慢5%左右,只要消息至少有几千字节。由于需要额外的密码,加密的运行速度往往是速度的三分之二。

Appendix C. Test Vectors
附录C.测试向量
C.1. AEAD_AES_128_GCM_SIV
C.1. AEAD_AES_128_GCM_SIV
   Plaintext (0 bytes) =
   AAD (0 bytes) =
   Key =                       01000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = d9b360279694941ac5dbc6987ada7377
   Record encryption key =     4004a0dcd862f2a57360219d2d44ef6c
   POLYVAL input =             00000000000000000000000000000000
   POLYVAL result =            00000000000000000000000000000000
   POLYVAL result XOR nonce =  03000000000000000000000000000000
   ... and masked =            03000000000000000000000000000000
   Tag =                       dc20e2d83f25705bb49e439eca56de25
   Initial counter =           dc20e2d83f25705bb49e439eca56dea5
   Result (16 bytes) =         dc20e2d83f25705bb49e439eca56de25
        
   Plaintext (0 bytes) =
   AAD (0 bytes) =
   Key =                       01000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = d9b360279694941ac5dbc6987ada7377
   Record encryption key =     4004a0dcd862f2a57360219d2d44ef6c
   POLYVAL input =             00000000000000000000000000000000
   POLYVAL result =            00000000000000000000000000000000
   POLYVAL result XOR nonce =  03000000000000000000000000000000
   ... and masked =            03000000000000000000000000000000
   Tag =                       dc20e2d83f25705bb49e439eca56de25
   Initial counter =           dc20e2d83f25705bb49e439eca56dea5
   Result (16 bytes) =         dc20e2d83f25705bb49e439eca56de25
        

Plaintext (8 bytes) = 0100000000000000 AAD (0 bytes) = Key = 01000000000000000000000000000000 Nonce = 030000000000000000000000 Record authentication key = d9b360279694941ac5dbc6987ada7377 Record encryption key = 4004a0dcd862f2a57360219d2d44ef6c POLYVAL input = 01000000000000000000000000000000 00000000000000004000000000000000 POLYVAL result = eb93b7740962c5e49d2a90a7dc5cec74 POLYVAL result XOR nonce = e893b7740962c5e49d2a90a7dc5cec74 ... and masked = e893b7740962c5e49d2a90a7dc5cec74 Tag = 578782fff6013b815b287c22493a364c Initial counter = 578782fff6013b815b287c22493a36cc Result (24 bytes) = b5d839330ac7b786578782fff6013b81 5b287c22493a364c

纯文本(8字节)=0100000000000000 AAD(0字节)=Key=010000000000000000000000000000000000000 Nonce=030000000000000000000000000000000000记录身份验证密钥=d9b360279694941ac5dbc6987ada7377记录加密密钥=4004A0DCD862F2A573360219D2D44EF6C POLYVAL输入=010000000000000000000000000000000000000000000000000000000000000000000000000000000000000记录身份验证密钥=EB93B7740962C5E49D2A90A7DC5EC74 POLYVAL结果异或Nonce=E893B7740962C5E49D2A90A7DC5EC74。。。和屏蔽=e893b7740962c5e49d2a90a7dc5cec74标记=578782FFF6013B815B2877C22493A364C初始计数器=578782fff6013b815b287c22493a36cc结果(24字节)=B5D839330AC7B7865782FF6013B81 5b287c22493a364c

   Plaintext (12 bytes) =      010000000000000000000000
   AAD (0 bytes) =
   Key =                       01000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = d9b360279694941ac5dbc6987ada7377
   Record encryption key =     4004a0dcd862f2a57360219d2d44ef6c
   POLYVAL input =             01000000000000000000000000000000
                               00000000000000006000000000000000
   POLYVAL result =            48eb6c6c5a2dbe4a1dde508fee06361b
   POLYVAL result XOR nonce =  4beb6c6c5a2dbe4a1dde508fee06361b
   ... and masked =            4beb6c6c5a2dbe4a1dde508fee06361b
   Tag =                       a4978db357391a0bc4fdec8b0d106639
        
   Plaintext (12 bytes) =      010000000000000000000000
   AAD (0 bytes) =
   Key =                       01000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = d9b360279694941ac5dbc6987ada7377
   Record encryption key =     4004a0dcd862f2a57360219d2d44ef6c
   POLYVAL input =             01000000000000000000000000000000
                               00000000000000006000000000000000
   POLYVAL result =            48eb6c6c5a2dbe4a1dde508fee06361b
   POLYVAL result XOR nonce =  4beb6c6c5a2dbe4a1dde508fee06361b
   ... and masked =            4beb6c6c5a2dbe4a1dde508fee06361b
   Tag =                       a4978db357391a0bc4fdec8b0d106639
        

Initial counter = a4978db357391a0bc4fdec8b0d1066b9 Result (28 bytes) = 7323ea61d05932260047d942a4978db3 57391a0bc4fdec8b0d106639

初始计数器=a4978db357391a0bc4fdec8b0d1066b9结果(28字节)=7323ea61d05932260047d942a4978db3 57391a0bc4fdec8b0d106639

   Plaintext (16 bytes) =      01000000000000000000000000000000
   AAD (0 bytes) =
   Key =                       01000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = d9b360279694941ac5dbc6987ada7377
   Record encryption key =     4004a0dcd862f2a57360219d2d44ef6c
   POLYVAL input =             01000000000000000000000000000000
                               00000000000000008000000000000000
   POLYVAL result =            20806c26e3c1de019e111255708031d6
   POLYVAL result XOR nonce =  23806c26e3c1de019e111255708031d6
   ... and masked =            23806c26e3c1de019e11125570803156
   Tag =                       303aaf90f6fe21199c6068577437a0c4
   Initial counter =           303aaf90f6fe21199c6068577437a0c4
   Result (32 bytes) =         743f7c8077ab25f8624e2e948579cf77
                               303aaf90f6fe21199c6068577437a0c4
        
   Plaintext (16 bytes) =      01000000000000000000000000000000
   AAD (0 bytes) =
   Key =                       01000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = d9b360279694941ac5dbc6987ada7377
   Record encryption key =     4004a0dcd862f2a57360219d2d44ef6c
   POLYVAL input =             01000000000000000000000000000000
                               00000000000000008000000000000000
   POLYVAL result =            20806c26e3c1de019e111255708031d6
   POLYVAL result XOR nonce =  23806c26e3c1de019e111255708031d6
   ... and masked =            23806c26e3c1de019e11125570803156
   Tag =                       303aaf90f6fe21199c6068577437a0c4
   Initial counter =           303aaf90f6fe21199c6068577437a0c4
   Result (32 bytes) =         743f7c8077ab25f8624e2e948579cf77
                               303aaf90f6fe21199c6068577437a0c4
        
   Plaintext (32 bytes) =      01000000000000000000000000000000
                               02000000000000000000000000000000
   AAD (0 bytes) =
   Key =                       01000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = d9b360279694941ac5dbc6987ada7377
   Record encryption key =     4004a0dcd862f2a57360219d2d44ef6c
   POLYVAL input =             01000000000000000000000000000000
                               02000000000000000000000000000000
                               00000000000000000001000000000000
   POLYVAL result =            ce6edc9a50b36d9a98986bbf6a261c3b
   POLYVAL result XOR nonce =  cd6edc9a50b36d9a98986bbf6a261c3b
   ... and masked =            cd6edc9a50b36d9a98986bbf6a261c3b
   Tag =                       1a8e45dcd4578c667cd86847bf6155ff
   Initial counter =           1a8e45dcd4578c667cd86847bf6155ff
   Result (48 bytes) =         84e07e62ba83a6585417245d7ec413a9
                               fe427d6315c09b57ce45f2e3936a9445
                               1a8e45dcd4578c667cd86847bf6155ff
        
   Plaintext (32 bytes) =      01000000000000000000000000000000
                               02000000000000000000000000000000
   AAD (0 bytes) =
   Key =                       01000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = d9b360279694941ac5dbc6987ada7377
   Record encryption key =     4004a0dcd862f2a57360219d2d44ef6c
   POLYVAL input =             01000000000000000000000000000000
                               02000000000000000000000000000000
                               00000000000000000001000000000000
   POLYVAL result =            ce6edc9a50b36d9a98986bbf6a261c3b
   POLYVAL result XOR nonce =  cd6edc9a50b36d9a98986bbf6a261c3b
   ... and masked =            cd6edc9a50b36d9a98986bbf6a261c3b
   Tag =                       1a8e45dcd4578c667cd86847bf6155ff
   Initial counter =           1a8e45dcd4578c667cd86847bf6155ff
   Result (48 bytes) =         84e07e62ba83a6585417245d7ec413a9
                               fe427d6315c09b57ce45f2e3936a9445
                               1a8e45dcd4578c667cd86847bf6155ff
        

Plaintext (48 bytes) = 01000000000000000000000000000000 02000000000000000000000000000000 03000000000000000000000000000000 AAD (0 bytes) = Key = 01000000000000000000000000000000 Nonce = 030000000000000000000000

纯文本(48字节)=01000000000000000000000000020000000000000000000000000000000000000000000000000030000000000000000000000000000000000000000000 AAD(0字节)=键=010000000000000000000000000000000000000000000 Nonce=030000000000000000000000

   Record authentication key = d9b360279694941ac5dbc6987ada7377
   Record encryption key =     4004a0dcd862f2a57360219d2d44ef6c
   POLYVAL input =             01000000000000000000000000000000
                               02000000000000000000000000000000
                               03000000000000000000000000000000
                               00000000000000008001000000000000
   POLYVAL result =            81388746bc22d26b2abc3dcb15754222
   POLYVAL result XOR nonce =  82388746bc22d26b2abc3dcb15754222
   ... and masked =            82388746bc22d26b2abc3dcb15754222
   Tag =                       5e6e311dbf395d35b0fe39c2714388f8
   Initial counter =           5e6e311dbf395d35b0fe39c2714388f8
   Result (64 bytes) =         3fd24ce1f5a67b75bf2351f181a475c7
                               b800a5b4d3dcf70106b1eea82fa1d64d
                               f42bf7226122fa92e17a40eeaac1201b
                               5e6e311dbf395d35b0fe39c2714388f8
        
   Record authentication key = d9b360279694941ac5dbc6987ada7377
   Record encryption key =     4004a0dcd862f2a57360219d2d44ef6c
   POLYVAL input =             01000000000000000000000000000000
                               02000000000000000000000000000000
                               03000000000000000000000000000000
                               00000000000000008001000000000000
   POLYVAL result =            81388746bc22d26b2abc3dcb15754222
   POLYVAL result XOR nonce =  82388746bc22d26b2abc3dcb15754222
   ... and masked =            82388746bc22d26b2abc3dcb15754222
   Tag =                       5e6e311dbf395d35b0fe39c2714388f8
   Initial counter =           5e6e311dbf395d35b0fe39c2714388f8
   Result (64 bytes) =         3fd24ce1f5a67b75bf2351f181a475c7
                               b800a5b4d3dcf70106b1eea82fa1d64d
                               f42bf7226122fa92e17a40eeaac1201b
                               5e6e311dbf395d35b0fe39c2714388f8
        
   Plaintext (64 bytes) =      01000000000000000000000000000000
                               02000000000000000000000000000000
                               03000000000000000000000000000000
                               04000000000000000000000000000000
   AAD (0 bytes) =
   Key =                       01000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = d9b360279694941ac5dbc6987ada7377
   Record encryption key =     4004a0dcd862f2a57360219d2d44ef6c
   POLYVAL input =             01000000000000000000000000000000
                               02000000000000000000000000000000
                               03000000000000000000000000000000
                               04000000000000000000000000000000
                               00000000000000000002000000000000
   POLYVAL result =            1e39b6d3344d348f6044f89935d1cf78
   POLYVAL result XOR nonce =  1d39b6d3344d348f6044f89935d1cf78
   ... and masked =            1d39b6d3344d348f6044f89935d1cf78
   Tag =                       8a263dd317aa88d56bdf3936dba75bb8
   Initial counter =           8a263dd317aa88d56bdf3936dba75bb8
   Result (80 bytes) =         2433668f1058190f6d43e360f4f35cd8
                               e475127cfca7028ea8ab5c20f7ab2af0
                               2516a2bdcbc08d521be37ff28c152bba
                               36697f25b4cd169c6590d1dd39566d3f
                               8a263dd317aa88d56bdf3936dba75bb8
        
   Plaintext (64 bytes) =      01000000000000000000000000000000
                               02000000000000000000000000000000
                               03000000000000000000000000000000
                               04000000000000000000000000000000
   AAD (0 bytes) =
   Key =                       01000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = d9b360279694941ac5dbc6987ada7377
   Record encryption key =     4004a0dcd862f2a57360219d2d44ef6c
   POLYVAL input =             01000000000000000000000000000000
                               02000000000000000000000000000000
                               03000000000000000000000000000000
                               04000000000000000000000000000000
                               00000000000000000002000000000000
   POLYVAL result =            1e39b6d3344d348f6044f89935d1cf78
   POLYVAL result XOR nonce =  1d39b6d3344d348f6044f89935d1cf78
   ... and masked =            1d39b6d3344d348f6044f89935d1cf78
   Tag =                       8a263dd317aa88d56bdf3936dba75bb8
   Initial counter =           8a263dd317aa88d56bdf3936dba75bb8
   Result (80 bytes) =         2433668f1058190f6d43e360f4f35cd8
                               e475127cfca7028ea8ab5c20f7ab2af0
                               2516a2bdcbc08d521be37ff28c152bba
                               36697f25b4cd169c6590d1dd39566d3f
                               8a263dd317aa88d56bdf3936dba75bb8
        
   Plaintext (8 bytes) =       0200000000000000
   AAD (1 bytes) =             01
   Key =                       01000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = d9b360279694941ac5dbc6987ada7377
        
   Plaintext (8 bytes) =       0200000000000000
   AAD (1 bytes) =             01
   Key =                       01000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = d9b360279694941ac5dbc6987ada7377
        

Record encryption key = 4004a0dcd862f2a57360219d2d44ef6c POLYVAL input = 01000000000000000000000000000000 02000000000000000000000000000000 08000000000000004000000000000000 POLYVAL result = b26781e7e2c1376f96bec195f3709b2a POLYVAL result XOR nonce = b16781e7e2c1376f96bec195f3709b2a ... and masked = b16781e7e2c1376f96bec195f3709b2a Tag = 3b0a1a2560969cdf790d99759abd1508 Initial counter = 3b0a1a2560969cdf790d99759abd1588 Result (24 bytes) = 1e6daba35669f4273b0a1a2560969cdf 790d99759abd1508

记录加密密钥=4004A0DCD862F2A573606219D2D44EF6C POLYVAL输入=01000000000000000000000000000000002000000000000000000000000000000000000000000000000000000000000000000000000000 POLYVAL结果=b26781e7e2c1376f96bec195f3709b2a POLYVAL结果XOR nonce=b16781e7e2c1376f96bec195f3709b2a。。。和屏蔽=b16781e7e2c1376f96bec195f3709b2a标记=3b0a1a2560969cdf790d99759abd1508初始计数器=3b0a1a2560969cdf790d99759abd1588结果(24字节)=1E6DABA35669F4273B0A1A2560969CDF790D99759ABD1508

Plaintext (12 bytes) = 020000000000000000000000 AAD (1 bytes) = 01 Key = 01000000000000000000000000000000 Nonce = 030000000000000000000000 Record authentication key = d9b360279694941ac5dbc6987ada7377 Record encryption key = 4004a0dcd862f2a57360219d2d44ef6c POLYVAL input = 01000000000000000000000000000000 02000000000000000000000000000000 08000000000000006000000000000000 POLYVAL result = 111f5affb18e4cc1164a01bdc12a4145 POLYVAL result XOR nonce = 121f5affb18e4cc1164a01bdc12a4145 ... and masked = 121f5affb18e4cc1164a01bdc12a4145 Tag = 08299c5102745aaa3a0c469fad9e075a Initial counter = 08299c5102745aaa3a0c469fad9e07da Result (28 bytes) = 296c7889fd99f41917f4462008299c51 02745aaa3a0c469fad9e075a

纯文本(12字节)=0200000000000000000000000 AAD(1字节)=01 Key=010000000000000000000000000000000 Nonce=030000000000000000000000记录身份验证密钥=d9b360279694941ac5dbc6987ada7377记录加密密钥=4004A0DCD862F2A573603219D2D44EF6C POLYVAL输入=01000000000000000000000000000000020000000000000000000000000000000000000000000000000 0800000000000000000006000000000000000 POLYVAL结果=111F5AFFB18E4C1164A01BDC12A4145多值结果XOR nonce=121F5AFFB18E4C1164A01BDC12A4145。。。和屏蔽=121F5AFFB18E4C1164A01BDC12A4145标记=08299c5102745aaa3a0c469fad9e075a初始计数器=08299c5102745aaa3a0c469fad9e07da结果(28字节)=296C7889FD99F41917F446200899C51 02745aaa3a0c469fad9e075a

   Plaintext (16 bytes) =      02000000000000000000000000000000
   AAD (1 bytes) =             01
   Key =                       01000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = d9b360279694941ac5dbc6987ada7377
   Record encryption key =     4004a0dcd862f2a57360219d2d44ef6c
   POLYVAL input =             01000000000000000000000000000000
                               02000000000000000000000000000000
                               08000000000000008000000000000000
   POLYVAL result =            79745ab508622c8a958543675fac4688
   POLYVAL result XOR nonce =  7a745ab508622c8a958543675fac4688
   ... and masked =            7a745ab508622c8a958543675fac4608
   Tag =                       8f8936ec039e4e4bb97ebd8c4457441f
   Initial counter =           8f8936ec039e4e4bb97ebd8c4457449f
   Result (32 bytes) =         e2b0c5da79a901c1745f700525cb335b
                               8f8936ec039e4e4bb97ebd8c4457441f
        
   Plaintext (16 bytes) =      02000000000000000000000000000000
   AAD (1 bytes) =             01
   Key =                       01000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = d9b360279694941ac5dbc6987ada7377
   Record encryption key =     4004a0dcd862f2a57360219d2d44ef6c
   POLYVAL input =             01000000000000000000000000000000
                               02000000000000000000000000000000
                               08000000000000008000000000000000
   POLYVAL result =            79745ab508622c8a958543675fac4688
   POLYVAL result XOR nonce =  7a745ab508622c8a958543675fac4688
   ... and masked =            7a745ab508622c8a958543675fac4608
   Tag =                       8f8936ec039e4e4bb97ebd8c4457441f
   Initial counter =           8f8936ec039e4e4bb97ebd8c4457449f
   Result (32 bytes) =         e2b0c5da79a901c1745f700525cb335b
                               8f8936ec039e4e4bb97ebd8c4457441f
        
   Plaintext (32 bytes) =      02000000000000000000000000000000
                               03000000000000000000000000000000
   AAD (1 bytes) =             01
   Key =                       01000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = d9b360279694941ac5dbc6987ada7377
   Record encryption key =     4004a0dcd862f2a57360219d2d44ef6c
   POLYVAL input =             01000000000000000000000000000000
                               02000000000000000000000000000000
                               03000000000000000000000000000000
                               08000000000000000001000000000000
   POLYVAL result =            2ce7daaf7c89490822051255b12eca6b
   POLYVAL result XOR nonce =  2fe7daaf7c89490822051255b12eca6b
   ... and masked =            2fe7daaf7c89490822051255b12eca6b
   Tag =                       e6af6a7f87287da059a71684ed3498e1
   Initial counter =           e6af6a7f87287da059a71684ed3498e1
   Result (48 bytes) =         620048ef3c1e73e57e02bb8562c416a3
                               19e73e4caac8e96a1ecb2933145a1d71
                               e6af6a7f87287da059a71684ed3498e1
        
   Plaintext (32 bytes) =      02000000000000000000000000000000
                               03000000000000000000000000000000
   AAD (1 bytes) =             01
   Key =                       01000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = d9b360279694941ac5dbc6987ada7377
   Record encryption key =     4004a0dcd862f2a57360219d2d44ef6c
   POLYVAL input =             01000000000000000000000000000000
                               02000000000000000000000000000000
                               03000000000000000000000000000000
                               08000000000000000001000000000000
   POLYVAL result =            2ce7daaf7c89490822051255b12eca6b
   POLYVAL result XOR nonce =  2fe7daaf7c89490822051255b12eca6b
   ... and masked =            2fe7daaf7c89490822051255b12eca6b
   Tag =                       e6af6a7f87287da059a71684ed3498e1
   Initial counter =           e6af6a7f87287da059a71684ed3498e1
   Result (48 bytes) =         620048ef3c1e73e57e02bb8562c416a3
                               19e73e4caac8e96a1ecb2933145a1d71
                               e6af6a7f87287da059a71684ed3498e1
        
   Plaintext (48 bytes) =      02000000000000000000000000000000
                               03000000000000000000000000000000
                               04000000000000000000000000000000
   AAD (1 bytes) =             01
   Key =                       01000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = d9b360279694941ac5dbc6987ada7377
   Record encryption key =     4004a0dcd862f2a57360219d2d44ef6c
   POLYVAL input =             01000000000000000000000000000000
                               02000000000000000000000000000000
                               03000000000000000000000000000000
                               04000000000000000000000000000000
                               08000000000000008001000000000000
   POLYVAL result =            9ca987715d69c1786711dfcd22f830fc
   POLYVAL result XOR nonce =  9fa987715d69c1786711dfcd22f830fc
   ... and masked =            9fa987715d69c1786711dfcd22f8307c
   Tag =                       6a8cc3865f76897c2e4b245cf31c51f2
   Initial counter =           6a8cc3865f76897c2e4b245cf31c51f2
   Result (64 bytes) =         50c8303ea93925d64090d07bd109dfd9
                               515a5a33431019c17d93465999a8b005
                               3201d723120a8562b838cdff25bf9d1e
                               6a8cc3865f76897c2e4b245cf31c51f2
        
   Plaintext (48 bytes) =      02000000000000000000000000000000
                               03000000000000000000000000000000
                               04000000000000000000000000000000
   AAD (1 bytes) =             01
   Key =                       01000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = d9b360279694941ac5dbc6987ada7377
   Record encryption key =     4004a0dcd862f2a57360219d2d44ef6c
   POLYVAL input =             01000000000000000000000000000000
                               02000000000000000000000000000000
                               03000000000000000000000000000000
                               04000000000000000000000000000000
                               08000000000000008001000000000000
   POLYVAL result =            9ca987715d69c1786711dfcd22f830fc
   POLYVAL result XOR nonce =  9fa987715d69c1786711dfcd22f830fc
   ... and masked =            9fa987715d69c1786711dfcd22f8307c
   Tag =                       6a8cc3865f76897c2e4b245cf31c51f2
   Initial counter =           6a8cc3865f76897c2e4b245cf31c51f2
   Result (64 bytes) =         50c8303ea93925d64090d07bd109dfd9
                               515a5a33431019c17d93465999a8b005
                               3201d723120a8562b838cdff25bf9d1e
                               6a8cc3865f76897c2e4b245cf31c51f2
        
   Plaintext (64 bytes) =      02000000000000000000000000000000
                               03000000000000000000000000000000
                               04000000000000000000000000000000
        
   Plaintext (64 bytes) =      02000000000000000000000000000000
                               03000000000000000000000000000000
                               04000000000000000000000000000000
        
                               05000000000000000000000000000000
   AAD (1 bytes) =             01
   Key =                       01000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = d9b360279694941ac5dbc6987ada7377
   Record encryption key =     4004a0dcd862f2a57360219d2d44ef6c
   POLYVAL input =             01000000000000000000000000000000
                               02000000000000000000000000000000
                               03000000000000000000000000000000
                               04000000000000000000000000000000
                               05000000000000000000000000000000
                               08000000000000000002000000000000
   POLYVAL result =            ffcd05d5770f34ad9267f0a59994b15a
   POLYVAL result XOR nonce =  fccd05d5770f34ad9267f0a59994b15a
   ... and masked =            fccd05d5770f34ad9267f0a59994b15a
   Tag =                       cdc46ae475563de037001ef84ae21744
   Initial counter =           cdc46ae475563de037001ef84ae217c4
   Result (80 bytes) =         2f5c64059db55ee0fb847ed513003746
                               aca4e61c711b5de2e7a77ffd02da42fe
                               ec601910d3467bb8b36ebbaebce5fba3
                               0d36c95f48a3e7980f0e7ac299332a80
                               cdc46ae475563de037001ef84ae21744
        
                               05000000000000000000000000000000
   AAD (1 bytes) =             01
   Key =                       01000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = d9b360279694941ac5dbc6987ada7377
   Record encryption key =     4004a0dcd862f2a57360219d2d44ef6c
   POLYVAL input =             01000000000000000000000000000000
                               02000000000000000000000000000000
                               03000000000000000000000000000000
                               04000000000000000000000000000000
                               05000000000000000000000000000000
                               08000000000000000002000000000000
   POLYVAL result =            ffcd05d5770f34ad9267f0a59994b15a
   POLYVAL result XOR nonce =  fccd05d5770f34ad9267f0a59994b15a
   ... and masked =            fccd05d5770f34ad9267f0a59994b15a
   Tag =                       cdc46ae475563de037001ef84ae21744
   Initial counter =           cdc46ae475563de037001ef84ae217c4
   Result (80 bytes) =         2f5c64059db55ee0fb847ed513003746
                               aca4e61c711b5de2e7a77ffd02da42fe
                               ec601910d3467bb8b36ebbaebce5fba3
                               0d36c95f48a3e7980f0e7ac299332a80
                               cdc46ae475563de037001ef84ae21744
        

Plaintext (4 bytes) = 02000000 AAD (12 bytes) = 010000000000000000000000 Key = 01000000000000000000000000000000 Nonce = 030000000000000000000000 Record authentication key = d9b360279694941ac5dbc6987ada7377 Record encryption key = 4004a0dcd862f2a57360219d2d44ef6c POLYVAL input = 01000000000000000000000000000000 02000000000000000000000000000000 60000000000000002000000000000000 POLYVAL result = f6ce9d3dcd68a2fd603c7ecc18fb9918 POLYVAL result XOR nonce = f5ce9d3dcd68a2fd603c7ecc18fb9918 ... and masked = f5ce9d3dcd68a2fd603c7ecc18fb9918 Tag = 07eb1f84fb28f8cb73de8e99e2f48a14 Initial counter = 07eb1f84fb28f8cb73de8e99e2f48a94 Result (20 bytes) = a8fe3e8707eb1f84fb28f8cb73de8e99 e2f48a14

纯文本(4字节)=02000000 AAD(12字节)=010000000000000000000000 Key=010000000000000000000000000000000000000000000 Nonce=030000000000000000000000000000记录身份验证密钥=d9b360279694941ac5dbc6987ada7377记录加密密钥=4004A0DCD862F2A573360219D2D44EF6C POLYVAL输入=010000000000000000000000000000000200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 POLYVAL结果=f6ce9d3dcd68a2fd603c7ecc18fb9918多值结果异或当前值=f5ce9d3dcd68a2fd603c7ecc18fb9918。。。和屏蔽=f5ce9d3dcd68a2fd603c7ecc18fb9918标记=07eb1f84fb28f8cb73de8e99e2f48a14初始计数器=07eb1f84fb28f8cb73de8e99e2f48a94结果(20字节)=a8fe3e8707eb1f84fb28f8cb73de8e99 e2f48a14

Plaintext (20 bytes) = 03000000000000000000000000000000 04000000 AAD (18 bytes) = 01000000000000000000000000000000 0200 Key = 01000000000000000000000000000000 Nonce = 030000000000000000000000

纯文本(20字节)=03000000000000000000000000000000004000000 AAD(18字节)=0100000000000000000000000000200密钥=010000000000000000000000000000000000000000000 Nonce=030000000000000000000000

Record authentication key = d9b360279694941ac5dbc6987ada7377 Record encryption key = 4004a0dcd862f2a57360219d2d44ef6c POLYVAL input = 01000000000000000000000000000000 02000000000000000000000000000000 03000000000000000000000000000000 04000000000000000000000000000000 9000000000000000a000000000000000 POLYVAL result = 4781d492cb8f926c504caa36f61008fe POLYVAL result XOR nonce = 4481d492cb8f926c504caa36f61008fe ... and masked = 4481d492cb8f926c504caa36f610087e Tag = 24afc9805e976f451e6d87f6fe106514 Initial counter = 24afc9805e976f451e6d87f6fe106594 Result (36 bytes) = 6bb0fecf5ded9b77f902c7d5da236a43 91dd029724afc9805e976f451e6d87f6 fe106514

记录身份验证密钥=d9b360279694941ac5dbc6987ada7377记录加密密钥=4004A0DCD862F2A5360219D2D44EF6C POLYVAL输入=0100000000000000000000000000000000000002000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 POLYVAL结果=4781d492cb8f926c504caa36f61008fePOLYVAL结果XOR nonce=4481d492cb8f926c504caa36f61008fe。。。和屏蔽=4481d492cb8f926c504caa36f610087e标记=24afc9805e976f451e6d87f6fe106514初始计数器=24afc9805e976f451e6d87f6fe106594结果(36字节)=6bb0fecf5ded9b77f902c7d5da236a43 91DD029724AFC9805E976F451E6D87F6FE106514

Plaintext (18 bytes) = 03000000000000000000000000000000 0400 AAD (20 bytes) = 01000000000000000000000000000000 02000000 Key = 01000000000000000000000000000000 Nonce = 030000000000000000000000 Record authentication key = d9b360279694941ac5dbc6987ada7377 Record encryption key = 4004a0dcd862f2a57360219d2d44ef6c POLYVAL input = 01000000000000000000000000000000 02000000000000000000000000000000 03000000000000000000000000000000 04000000000000000000000000000000 a0000000000000009000000000000000 POLYVAL result = 75cbc23a1a10e348aeb8e384b5cc79fd POLYVAL result XOR nonce = 76cbc23a1a10e348aeb8e384b5cc79fd ... and masked = 76cbc23a1a10e348aeb8e384b5cc797d Tag = bff9b2ef00fb47920cc72a0c0f13b9fd Initial counter = bff9b2ef00fb47920cc72a0c0f13b9fd Result (34 bytes) = 44d0aaf6fb2f1f34add5e8064e83e12a 2adabff9b2ef00fb47920cc72a0c0f13 b9fd

纯文本(18字节)=0300000000000000000000000000400 AAD(20字节)=010000000000000000000000000000000000000020000000密钥=010000000000000000000000000000000 Nonce=030000000000000000000000000000记录身份验证密钥=d9b360279694941ac5dbc6987ada7377记录加密密钥=4004A0DCD862F2A573360219D2D44EF6C POLYVAL输入=010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000000000000000000000000000000000000000000400000000000000000000000000000A0000000009000000000000000000000多值结果=75CBC23A1A110E348AEB8E384B5CC79FD多值结果异或nonce=76CBC23A1A1A10E348AEB8E384B5CC79FD。。。和屏蔽=76CBC23A110E348AEB8E384B5CC797D标记=bff9b2ef00fb47920cc72a0c0f13b9fd初始计数器=bff9b2ef00fb47920cc72a0c0f13b9fd结果(34字节)=44D0AAF6FB2F1F34添加5E8064E83E12A DABFF9B2EF00FB47920CC72A0C0F13 b9fd

   Plaintext (0 bytes) =
   AAD (0 bytes) =
   Key =                       e66021d5eb8e4f4066d4adb9c33560e4
   Nonce =                     f46e44bb3da0015c94f70887
   Record authentication key = 036ee1fe2d7926af68898095e54e7b3c
   Record encryption key =     5e46482396008223b5c1d25173d87539
   POLYVAL input =             00000000000000000000000000000000
   POLYVAL result =            00000000000000000000000000000000
   POLYVAL result XOR nonce =  f46e44bb3da0015c94f7088700000000
        
   Plaintext (0 bytes) =
   AAD (0 bytes) =
   Key =                       e66021d5eb8e4f4066d4adb9c33560e4
   Nonce =                     f46e44bb3da0015c94f70887
   Record authentication key = 036ee1fe2d7926af68898095e54e7b3c
   Record encryption key =     5e46482396008223b5c1d25173d87539
   POLYVAL input =             00000000000000000000000000000000
   POLYVAL result =            00000000000000000000000000000000
   POLYVAL result XOR nonce =  f46e44bb3da0015c94f7088700000000
        
   ... and masked =            f46e44bb3da0015c94f7088700000000
   Tag =                       a4194b79071b01a87d65f706e3949578
   Initial counter =           a4194b79071b01a87d65f706e39495f8
   Result (16 bytes) =         a4194b79071b01a87d65f706e3949578
        
   ... and masked =            f46e44bb3da0015c94f7088700000000
   Tag =                       a4194b79071b01a87d65f706e3949578
   Initial counter =           a4194b79071b01a87d65f706e39495f8
   Result (16 bytes) =         a4194b79071b01a87d65f706e3949578
        

Plaintext (3 bytes) = 7a806c AAD (5 bytes) = 46bb91c3c5 Key = 36864200e0eaf5284d884a0e77d31646 Nonce = bae8e37fc83441b16034566b Record authentication key = 3e28de1120b2981a0155795ca2812af6 Record encryption key = 6d4b78b31a4c9c03d8db0f42f7507fae POLYVAL input = 46bb91c3c50000000000000000000000 7a806c00000000000000000000000000 28000000000000001800000000000000 POLYVAL result = 43d9a745511dcfa21b96dd606f1d5720 POLYVAL result XOR nonce = f931443a99298e137ba28b0b6f1d5720 ... and masked = f931443a99298e137ba28b0b6f1d5720 Tag = 711bd85bc1e4d3e0a462e074eea428a8 Initial counter = 711bd85bc1e4d3e0a462e074eea428a8 Result (19 bytes) = af60eb711bd85bc1e4d3e0a462e074ee a428a8

纯文本(3字节)=7a806c AAD(5字节)=46bb91c3c5密钥=36864200e0eaf5284d884a0e77d31646 Nonce=bae8e37fc83441b16034566b记录身份验证密钥=3e28de1120b2981a0155795ca2812af6记录加密密钥=6d4b78b31a4c9c03d8db0f42f7507fae POLYVAL输入=46BB91C3C500000000000000000000000000000 7A806C00000000000000000000000000000000000000000000000000000000000000000000 28000000000000000000 POLYVAL结果=43d9a745511dcfa21b96dd606f1d5720多值结果异或当前值=f931443a99298e137ba28b0b6f1d5720。。。和掩码=f931443a99298e137ba28b0b6f1d5720标记=711BD85BC1E4D3E0A462E07EEA428A8初始计数器=711BD85BC1E4D3E0A462E07EEA428A8结果(19字节)=AF60EB711BD85BC1E4D3E0A462E0A428A8

Plaintext (6 bytes) = bdc66f146545 AAD (10 bytes) = fc880c94a95198874296 Key = aedb64a6c590bc84d1a5e269e4b47801 Nonce = afc0577e34699b9e671fdd4f Record authentication key = 43b8de9cea62330d15cccfc84a33e8c8 Record encryption key = 8e54631607e431e095b54852868e3a27 POLYVAL input = fc880c94a95198874296000000000000 bdc66f14654500000000000000000000 50000000000000003000000000000000 POLYVAL result = 26498e0d2b1ef004e808c458e8f2f515 POLYVAL result XOR nonce = 8989d9731f776b9a8f171917e8f2f515 ... and masked = 8989d9731f776b9a8f171917e8f2f515 Tag = d6a9c45545cfc11f03ad743dba20f966 Initial counter = d6a9c45545cfc11f03ad743dba20f9e6 Result (22 bytes) = bb93a3e34d3cd6a9c45545cfc11f03ad 743dba20f966

纯文本(6字节)=bdc66f146545 AAD(10字节)=fc880c94a95198874296 Key=aedb64a6c590bc84d1a5e269e4b47801 Nonce=afc0577e34699b9e671fdd4f记录身份验证密钥=43B8DE9CEA6230D15CCFC84A33E8C8记录加密密钥=8E54631607E431EE095B5458868E3A27 POLYVAL输入=FC880C94A951988742960000000 BDC66F14654500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000026498e0d2b1ef004e808c458e8f2f515多值结果异或当前值=8989d9731f776b9a8f171917e8f2f515。。。和屏蔽=8989d9731f776b9a8f171917e8f2f515标记=d6a9c45545cfc11f03ad743dba20f966初始计数器=d6a9c45545cfc11f03ad743dba20f9e6结果(22字节)=bb93a3e34d3cd6a9c45545cfc11f03ad 743dba20f966

   Plaintext (9 bytes) =       1177441f195495860f
   AAD (15 bytes) =            046787f3ea22c127aaf195d1894728
   Key =                       d5cc1fd161320b6920ce07787f86743b
   Nonce =                     275d1ab32f6d1f0434d8848c
   Record authentication key = 8a51df64d93eaf667c2c09bd454ce5c5
   Record encryption key =     43ab276c2b4a473918ca73f2dd85109c
        
   Plaintext (9 bytes) =       1177441f195495860f
   AAD (15 bytes) =            046787f3ea22c127aaf195d1894728
   Key =                       d5cc1fd161320b6920ce07787f86743b
   Nonce =                     275d1ab32f6d1f0434d8848c
   Record authentication key = 8a51df64d93eaf667c2c09bd454ce5c5
   Record encryption key =     43ab276c2b4a473918ca73f2dd85109c
        

POLYVAL input = 046787f3ea22c127aaf195d189472800 1177441f195495860f00000000000000 78000000000000004800000000000000 POLYVAL result = 63a3451c0b23345ad02bba59956517cf POLYVAL result XOR nonce = 44fe5faf244e2b5ee4f33ed5956517cf ... and masked = 44fe5faf244e2b5ee4f33ed59565174f Tag = 1d02fd0cd174c84fc5dae2f60f52fd2b Initial counter = 1d02fd0cd174c84fc5dae2f60f52fdab Result (25 bytes) = 4f37281f7ad12949d01d02fd0cd174c8 4fc5dae2f60f52fd2b

POLYVAL输入=046787f3ea22c127aaf195d189472800 1177441f195495860f00000000000000 780000000000000480000000000000 POLYVAL结果=63a3451c0b23345ad02bba59956517cf POLYVAL结果XOR nonce=44fe5faf244e2b5ee4f33ed5956517cf。。。和掩码=44fe5faf244e2b5ee4f33ed59565174f标记=1D02FD0CD174C84FC5DAE2F560F52FD2B初始计数器=1d02fd0cd174c84fc5dae2f60f52fdab结果(25字节)=4F37281F7AD12949D01D02FD0CD174C4FC5DAE2F52FD2B

Plaintext (12 bytes) = 9f572c614b4745914474e7c7 AAD (20 bytes) = c9882e5386fd9f92ec489c8fde2be2cf 97e74e93 Key = b3fed1473c528b8426a582995929a149 Nonce = 9e9ad8780c8d63d0ab4149c0 Record authentication key = 22f50707a95dd416df069d670cb775e8 Record encryption key = f674a5584ee21fe97b4cebc468ab61e4 POLYVAL input = c9882e5386fd9f92ec489c8fde2be2cf 97e74e93000000000000000000000000 9f572c614b4745914474e7c700000000 a0000000000000006000000000000000 POLYVAL result = 0cca0423fba9d77fe7e2e6963b08cdd0 POLYVAL result XOR nonce = 9250dc5bf724b4af4ca3af563b08cdd0 ... and masked = 9250dc5bf724b4af4ca3af563b08cd50 Tag = c1dc2f871fb7561da1286e655e24b7b0 Initial counter = c1dc2f871fb7561da1286e655e24b7b0 Result (28 bytes) = f54673c5ddf710c745641c8bc1dc2f87 1fb7561da1286e655e24b7b0

纯文本(12字节)=9F572C61414B4745914474E7C7 AAD(20字节)=c9882e5386fd9f92ec489c8fde2be2cf 97e74e93 Key=b3fed1473c528b8426a582995929a149 Nonce=9e9ad8780c8d63d0ab4149c0记录身份验证密钥=22f50707a95dd416df069d670cb775e8记录加密密钥=F674A5584EE21FE97B4CEB468AB61E4 POLYVAL输入=C9882E5386FD9F92EC489C8FDE22CF 97E9300000000000000000000000000000 9F577C67B47E747B4E7474C14400000a0000000000000006000000000000000多值结果=0cca0423fba9d77fe7e2e6963b08cdd0多值结果异或当前值=9250dc5bf724b4af4ca3af563b08cdd0。。。和屏蔽=9250dc5bf724b4af4ca3af563b08cd50标记=C1DC2F871FB7561DA1286E655E24BB7B0初始计数器=C1DC2F871FB7561DA1286E655E24BB0结果(28字节)=F54673C5DDF710C745641C8BC1FB7561DA1286E655E24BB7B0

   Plaintext (15 bytes) =      0d8c8451178082355c9e940fea2f58
   AAD (25 bytes) =            2950a70d5a1db2316fd568378da107b5
                               2b0da55210cc1c1b0a
   Key =                       2d4ed87da44102952ef94b02b805249b
   Nonce =                     ac80e6f61455bfac8308a2d4
   Record authentication key = 0b00a29a83e7e95b92e3a0783b29f140
   Record encryption key =     a430c27f285aed913005975c42eed5f3
   POLYVAL input =             2950a70d5a1db2316fd568378da107b5
                               2b0da55210cc1c1b0a00000000000000
                               0d8c8451178082355c9e940fea2f5800
                               c8000000000000007800000000000000
   POLYVAL result =            1086ef25247aa41009bbc40871d9b350
   POLYVAL result XOR nonce =  bc0609d3302f1bbc8ab366dc71d9b350
   ... and masked =            bc0609d3302f1bbc8ab366dc71d9b350
   Tag =                       83b3449b9f39552de99dc214a1190b0b
   Initial counter =           83b3449b9f39552de99dc214a1190b8b
        
   Plaintext (15 bytes) =      0d8c8451178082355c9e940fea2f58
   AAD (25 bytes) =            2950a70d5a1db2316fd568378da107b5
                               2b0da55210cc1c1b0a
   Key =                       2d4ed87da44102952ef94b02b805249b
   Nonce =                     ac80e6f61455bfac8308a2d4
   Record authentication key = 0b00a29a83e7e95b92e3a0783b29f140
   Record encryption key =     a430c27f285aed913005975c42eed5f3
   POLYVAL input =             2950a70d5a1db2316fd568378da107b5
                               2b0da55210cc1c1b0a00000000000000
                               0d8c8451178082355c9e940fea2f5800
                               c8000000000000007800000000000000
   POLYVAL result =            1086ef25247aa41009bbc40871d9b350
   POLYVAL result XOR nonce =  bc0609d3302f1bbc8ab366dc71d9b350
   ... and masked =            bc0609d3302f1bbc8ab366dc71d9b350
   Tag =                       83b3449b9f39552de99dc214a1190b0b
   Initial counter =           83b3449b9f39552de99dc214a1190b8b
        

Result (31 bytes) = c9ff545e07b88a015f05b274540aa183 b3449b9f39552de99dc214a1190b0b

结果(31字节)=c9ff545e07b88a015f05b274540aa183 b3449b9f39552de99dc214a1190b0b

Plaintext (18 bytes) = 6b3db4da3d57aa94842b9803a96e07fb 6de7 AAD (30 bytes) = 1860f762ebfbd08284e421702de0de18 baa9c9596291b08466f37de21c7f Key = bde3b2f204d1e9f8b06bc47f9745b3d1 Nonce = ae06556fb6aa7890bebc18fe Record authentication key = 21c874a8bad3603d1c3e8784df5b3f9f Record encryption key = d1c16d72651c3df504eae27129d818e8 POLYVAL input = 1860f762ebfbd08284e421702de0de18 baa9c9596291b08466f37de21c7f0000 6b3db4da3d57aa94842b9803a96e07fb 6de70000000000000000000000000000 f0000000000000009000000000000000 POLYVAL result = 55462a5afa0da8d646481e049ef9c764 POLYVAL result XOR nonce = fb407f354ca7d046f8f406fa9ef9c764 ... and masked = fb407f354ca7d046f8f406fa9ef9c764 Tag = 3e377094f04709f64d7b985310a4db84 Initial counter = 3e377094f04709f64d7b985310a4db84 Result (34 bytes) = 6298b296e24e8cc35dce0bed484b7f30 d5803e377094f04709f64d7b985310a4 db84

纯文本(18字节)=6b3db4da3d57aa94842b9803a96e07fb 6de7 AAD(30字节)=1860F762EBBD08284E421702DE018 BAA9C9596291B0846F37DE21C7F密钥=bde3b2f204d1e9f8b06bc47f9745b3d1 Nonce=ae06556fb6aa7890bebc18fe记录身份验证密钥=21C874A8BAD3603E8784DF5B3F9F记录加密密钥=d1c16d72651c3df504eae27129d818e8 POLYVAL输入=1860F762EBBD084E421702DE0186b3db4da3d57aa94842b9803a96e07fb 6DE700000000000000000000000000000000000000000000000000000000000000000000000000000000多值结果=55462a5afa0da8d646481e049ef9c764多值结果XOR nonce=fb407f354ca7d046f8f406fa9ef9c764。。。和掩码=fb407f354ca7d046f8f406fa9ef9c764标记=3e377094f04709f64d7b985310a4db84初始计数器=3e377094f04709f64d7b985310a4db84结果(34字节)=6298B296E24E8CC35DCE0BED484BF30 d5803e377094f04709f64d7b985310a4 db84

   Plaintext (21 bytes) =      e42a3c02c25b64869e146d7b233987bd
                               dfc240871d
   AAD (35 bytes) =            7576f7028ec6eb5ea7e298342a94d4b2
                               02b370ef9768ec6561c4fe6b7e7296fa
                               859c21
   Key =                       f901cfe8a69615a93fdf7a98cad48179
   Nonce =                     6245709fb18853f68d833640
   Record authentication key = 3724f55f1d22ac0ab830da0b6a995d74
   Record encryption key =     75ac87b70c05db287de779006105a344
   POLYVAL input =             7576f7028ec6eb5ea7e298342a94d4b2
                               02b370ef9768ec6561c4fe6b7e7296fa
                               859c2100000000000000000000000000
                               e42a3c02c25b64869e146d7b233987bd
                               dfc240871d0000000000000000000000
                               1801000000000000a800000000000000
   POLYVAL result =            4cbba090f03f7d1188ea55749fa6c7bd
   POLYVAL result XOR nonce =  2efed00f41b72ee7056963349fa6c7bd
   ... and masked =            2efed00f41b72ee7056963349fa6c73d
   Tag =                       2d15506c84a9edd65e13e9d24a2a6e70
   Initial counter =           2d15506c84a9edd65e13e9d24a2a6ef0
   Result (37 bytes) =         391cc328d484a4f46406181bcd62efd9
        
   Plaintext (21 bytes) =      e42a3c02c25b64869e146d7b233987bd
                               dfc240871d
   AAD (35 bytes) =            7576f7028ec6eb5ea7e298342a94d4b2
                               02b370ef9768ec6561c4fe6b7e7296fa
                               859c21
   Key =                       f901cfe8a69615a93fdf7a98cad48179
   Nonce =                     6245709fb18853f68d833640
   Record authentication key = 3724f55f1d22ac0ab830da0b6a995d74
   Record encryption key =     75ac87b70c05db287de779006105a344
   POLYVAL input =             7576f7028ec6eb5ea7e298342a94d4b2
                               02b370ef9768ec6561c4fe6b7e7296fa
                               859c2100000000000000000000000000
                               e42a3c02c25b64869e146d7b233987bd
                               dfc240871d0000000000000000000000
                               1801000000000000a800000000000000
   POLYVAL result =            4cbba090f03f7d1188ea55749fa6c7bd
   POLYVAL result XOR nonce =  2efed00f41b72ee7056963349fa6c7bd
   ... and masked =            2efed00f41b72ee7056963349fa6c73d
   Tag =                       2d15506c84a9edd65e13e9d24a2a6e70
   Initial counter =           2d15506c84a9edd65e13e9d24a2a6ef0
   Result (37 bytes) =         391cc328d484a4f46406181bcd62efd9
        

b3ee197d052d15506c84a9edd65e13e9 d24a2a6e70

b3ee197d052d15506c84a9edd65e13e9 d24a2a6e70

C.2. AEAD_AES_256_GCM_SIV
C.2. AEAD_AES_256_GCM_SIV
   Plaintext (0 bytes) =
   AAD (0 bytes) =
   Key =                       01000000000000000000000000000000
                               00000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = b5d3c529dfafac43136d2d11be284d7f
   Record encryption key =     b914f4742be9e1d7a2f84addbf96dec3
                               456e3c6c05ecc157cdbf0700fedad222
   POLYVAL input =             00000000000000000000000000000000
   POLYVAL result =            00000000000000000000000000000000
   POLYVAL result XOR nonce =  03000000000000000000000000000000
   ... and masked =            03000000000000000000000000000000
   Tag =                       07f5f4169bbf55a8400cd47ea6fd400f
   Initial counter =           07f5f4169bbf55a8400cd47ea6fd408f
   Result (16 bytes) =         07f5f4169bbf55a8400cd47ea6fd400f
        
   Plaintext (0 bytes) =
   AAD (0 bytes) =
   Key =                       01000000000000000000000000000000
                               00000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = b5d3c529dfafac43136d2d11be284d7f
   Record encryption key =     b914f4742be9e1d7a2f84addbf96dec3
                               456e3c6c05ecc157cdbf0700fedad222
   POLYVAL input =             00000000000000000000000000000000
   POLYVAL result =            00000000000000000000000000000000
   POLYVAL result XOR nonce =  03000000000000000000000000000000
   ... and masked =            03000000000000000000000000000000
   Tag =                       07f5f4169bbf55a8400cd47ea6fd400f
   Initial counter =           07f5f4169bbf55a8400cd47ea6fd408f
   Result (16 bytes) =         07f5f4169bbf55a8400cd47ea6fd400f
        

Plaintext (8 bytes) = 0100000000000000 AAD (0 bytes) = Key = 01000000000000000000000000000000 00000000000000000000000000000000 Nonce = 030000000000000000000000 Record authentication key = b5d3c529dfafac43136d2d11be284d7f Record encryption key = b914f4742be9e1d7a2f84addbf96dec3 456e3c6c05ecc157cdbf0700fedad222 POLYVAL input = 01000000000000000000000000000000 00000000000000004000000000000000 POLYVAL result = 05230f62f0eac8aa14fe4d646b59cd41 POLYVAL result XOR nonce = 06230f62f0eac8aa14fe4d646b59cd41 ... and masked = 06230f62f0eac8aa14fe4d646b59cd41 Tag = 843122130f7364b761e0b97427e3df28 Initial counter = 843122130f7364b761e0b97427e3dfa8 Result (24 bytes) = c2ef328e5c71c83b843122130f7364b7 61e0b97427e3df28

纯文本(8字节)=0100000000000000 AAD(0字节)=Key=010000000000000000000000000000000000000000000000000000000000000000000000000000000000 Nonce=030000000000000000000000000000记录身份验证密钥=b5d3c529dfafac43136d2d11be284d7f记录加密密钥=b914f4742be9e1d7a2f84addbf96dec3 456E3C6C05ECC157CDBF0700FEDAD22 POLYVAL输入=010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000结果=05230f62f0eac8aa14fe4d646b59cd41多值结果异或当前值=06230f62f0eac8aa14fe4d646b59cd41。。。和屏蔽=06230f62f0eac8aa14fe4d646b59cd41标记=84312130F7364B761E0B97427E3DF28初始计数器=84312130F7364B761E0B97427E3DFA8结果(24字节)=C2EF328E5C71C83B84312130F7364B7 61e0b97427e3df28

   Plaintext (12 bytes) =      010000000000000000000000
   AAD (0 bytes) =
   Key =                       01000000000000000000000000000000
                               00000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = b5d3c529dfafac43136d2d11be284d7f
   Record encryption key =     b914f4742be9e1d7a2f84addbf96dec3
        
   Plaintext (12 bytes) =      010000000000000000000000
   AAD (0 bytes) =
   Key =                       01000000000000000000000000000000
                               00000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = b5d3c529dfafac43136d2d11be284d7f
   Record encryption key =     b914f4742be9e1d7a2f84addbf96dec3
        

456e3c6c05ecc157cdbf0700fedad222 POLYVAL input = 01000000000000000000000000000000 00000000000000006000000000000000 POLYVAL result = 6d81a24732fd6d03ae5af544720a1c13 POLYVAL result XOR nonce = 6e81a24732fd6d03ae5af544720a1c13 ... and masked = 6e81a24732fd6d03ae5af544720a1c13 Tag = 8ca50da9ae6559e48fd10f6e5c9ca17e Initial counter = 8ca50da9ae6559e48fd10f6e5c9ca1fe Result (28 bytes) = 9aab2aeb3faa0a34aea8e2b18ca50da9 ae6559e48fd10f6e5c9ca17e

456e3c6c05ecc157cdbf0700fedad222 POLYVAL输入=01000000000000000000000000000000000000000000000000000000600000000000000 POLYVAL结果=6d81a24732fd6d03ae5af544720a1c13 POLYVAL结果XOR nonce=6e81a24732fd6d03ae5af544720a1c13。。。和掩码=6e81a24732fd6d03ae5af544720a1c13标记=8CA50DA9AE65599E48FD10F6E5C9CA17E初始计数器=8CA50DA9AE65599E5C9E5C9CA1FE结果(28字节)=9AB2AEB3FAA0A34AEA8E2B18CA50DA9 ae6559e48fd10f6e5c9ca17e

   Plaintext (16 bytes) =      01000000000000000000000000000000
   AAD (0 bytes) =
   Key =                       01000000000000000000000000000000
                               00000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = b5d3c529dfafac43136d2d11be284d7f
   Record encryption key =     b914f4742be9e1d7a2f84addbf96dec3
                               456e3c6c05ecc157cdbf0700fedad222
   POLYVAL input =             01000000000000000000000000000000
                               00000000000000008000000000000000
   POLYVAL result =            74eee2bf7c9a165f8b25dea73db32a6d
   POLYVAL result XOR nonce =  77eee2bf7c9a165f8b25dea73db32a6d
   ... and masked =            77eee2bf7c9a165f8b25dea73db32a6d
   Tag =                       c9eac6fa700942702e90862383c6c366
   Initial counter =           c9eac6fa700942702e90862383c6c3e6
   Result (32 bytes) =         85a01b63025ba19b7fd3ddfc033b3e76
                               c9eac6fa700942702e90862383c6c366
        
   Plaintext (16 bytes) =      01000000000000000000000000000000
   AAD (0 bytes) =
   Key =                       01000000000000000000000000000000
                               00000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = b5d3c529dfafac43136d2d11be284d7f
   Record encryption key =     b914f4742be9e1d7a2f84addbf96dec3
                               456e3c6c05ecc157cdbf0700fedad222
   POLYVAL input =             01000000000000000000000000000000
                               00000000000000008000000000000000
   POLYVAL result =            74eee2bf7c9a165f8b25dea73db32a6d
   POLYVAL result XOR nonce =  77eee2bf7c9a165f8b25dea73db32a6d
   ... and masked =            77eee2bf7c9a165f8b25dea73db32a6d
   Tag =                       c9eac6fa700942702e90862383c6c366
   Initial counter =           c9eac6fa700942702e90862383c6c3e6
   Result (32 bytes) =         85a01b63025ba19b7fd3ddfc033b3e76
                               c9eac6fa700942702e90862383c6c366
        
   Plaintext (32 bytes) =      01000000000000000000000000000000
                               02000000000000000000000000000000
   AAD (0 bytes) =
   Key =                       01000000000000000000000000000000
                               00000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = b5d3c529dfafac43136d2d11be284d7f
   Record encryption key =     b914f4742be9e1d7a2f84addbf96dec3
                               456e3c6c05ecc157cdbf0700fedad222
   POLYVAL input =             01000000000000000000000000000000
                               02000000000000000000000000000000
                               00000000000000000001000000000000
   POLYVAL result =            899b6381b3d46f0def7aa0517ba188f5
   POLYVAL result XOR nonce =  8a9b6381b3d46f0def7aa0517ba188f5
   ... and masked =            8a9b6381b3d46f0def7aa0517ba18875
   Tag =                       e819e63abcd020b006a976397632eb5d
   Initial counter =           e819e63abcd020b006a976397632ebdd
        
   Plaintext (32 bytes) =      01000000000000000000000000000000
                               02000000000000000000000000000000
   AAD (0 bytes) =
   Key =                       01000000000000000000000000000000
                               00000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = b5d3c529dfafac43136d2d11be284d7f
   Record encryption key =     b914f4742be9e1d7a2f84addbf96dec3
                               456e3c6c05ecc157cdbf0700fedad222
   POLYVAL input =             01000000000000000000000000000000
                               02000000000000000000000000000000
                               00000000000000000001000000000000
   POLYVAL result =            899b6381b3d46f0def7aa0517ba188f5
   POLYVAL result XOR nonce =  8a9b6381b3d46f0def7aa0517ba188f5
   ... and masked =            8a9b6381b3d46f0def7aa0517ba18875
   Tag =                       e819e63abcd020b006a976397632eb5d
   Initial counter =           e819e63abcd020b006a976397632ebdd
        
   Result (48 bytes) =         4a6a9db4c8c6549201b9edb53006cba8
                               21ec9cf850948a7c86c68ac7539d027f
                               e819e63abcd020b006a976397632eb5d
        
   Result (48 bytes) =         4a6a9db4c8c6549201b9edb53006cba8
                               21ec9cf850948a7c86c68ac7539d027f
                               e819e63abcd020b006a976397632eb5d
        
   Plaintext (48 bytes) =      01000000000000000000000000000000
                               02000000000000000000000000000000
                               03000000000000000000000000000000
   AAD (0 bytes) =
   Key =                       01000000000000000000000000000000
                               00000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = b5d3c529dfafac43136d2d11be284d7f
   Record encryption key =     b914f4742be9e1d7a2f84addbf96dec3
                               456e3c6c05ecc157cdbf0700fedad222
   POLYVAL input =             01000000000000000000000000000000
                               02000000000000000000000000000000
                               03000000000000000000000000000000
                               00000000000000008001000000000000
   POLYVAL result =            c1f8593d8fc29b0c290cae1992f71f51
   POLYVAL result XOR nonce =  c2f8593d8fc29b0c290cae1992f71f51
   ... and masked =            c2f8593d8fc29b0c290cae1992f71f51
   Tag =                       790bc96880a99ba804bd12c0e6a22cc4
   Initial counter =           790bc96880a99ba804bd12c0e6a22cc4
   Result (64 bytes) =         c00d121893a9fa603f48ccc1ca3c57ce
                               7499245ea0046db16c53c7c66fe717e3
                               9cf6c748837b61f6ee3adcee17534ed5
                               790bc96880a99ba804bd12c0e6a22cc4
        
   Plaintext (48 bytes) =      01000000000000000000000000000000
                               02000000000000000000000000000000
                               03000000000000000000000000000000
   AAD (0 bytes) =
   Key =                       01000000000000000000000000000000
                               00000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = b5d3c529dfafac43136d2d11be284d7f
   Record encryption key =     b914f4742be9e1d7a2f84addbf96dec3
                               456e3c6c05ecc157cdbf0700fedad222
   POLYVAL input =             01000000000000000000000000000000
                               02000000000000000000000000000000
                               03000000000000000000000000000000
                               00000000000000008001000000000000
   POLYVAL result =            c1f8593d8fc29b0c290cae1992f71f51
   POLYVAL result XOR nonce =  c2f8593d8fc29b0c290cae1992f71f51
   ... and masked =            c2f8593d8fc29b0c290cae1992f71f51
   Tag =                       790bc96880a99ba804bd12c0e6a22cc4
   Initial counter =           790bc96880a99ba804bd12c0e6a22cc4
   Result (64 bytes) =         c00d121893a9fa603f48ccc1ca3c57ce
                               7499245ea0046db16c53c7c66fe717e3
                               9cf6c748837b61f6ee3adcee17534ed5
                               790bc96880a99ba804bd12c0e6a22cc4
        
   Plaintext (64 bytes) =      01000000000000000000000000000000
                               02000000000000000000000000000000
                               03000000000000000000000000000000
                               04000000000000000000000000000000
   AAD (0 bytes) =
   Key =                       01000000000000000000000000000000
                               00000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = b5d3c529dfafac43136d2d11be284d7f
   Record encryption key =     b914f4742be9e1d7a2f84addbf96dec3
                               456e3c6c05ecc157cdbf0700fedad222
   POLYVAL input =             01000000000000000000000000000000
                               02000000000000000000000000000000
                               03000000000000000000000000000000
                               04000000000000000000000000000000
                               00000000000000000002000000000000
   POLYVAL result =            6ef38b06046c7c0e225efaef8e2ec4c4
   POLYVAL result XOR nonce =  6df38b06046c7c0e225efaef8e2ec4c4
        
   Plaintext (64 bytes) =      01000000000000000000000000000000
                               02000000000000000000000000000000
                               03000000000000000000000000000000
                               04000000000000000000000000000000
   AAD (0 bytes) =
   Key =                       01000000000000000000000000000000
                               00000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = b5d3c529dfafac43136d2d11be284d7f
   Record encryption key =     b914f4742be9e1d7a2f84addbf96dec3
                               456e3c6c05ecc157cdbf0700fedad222
   POLYVAL input =             01000000000000000000000000000000
                               02000000000000000000000000000000
                               03000000000000000000000000000000
                               04000000000000000000000000000000
                               00000000000000000002000000000000
   POLYVAL result =            6ef38b06046c7c0e225efaef8e2ec4c4
   POLYVAL result XOR nonce =  6df38b06046c7c0e225efaef8e2ec4c4
        
   ... and masked =            6df38b06046c7c0e225efaef8e2ec444
   Tag =                       112864c269fc0d9d88c61fa47e39aa08
   Initial counter =           112864c269fc0d9d88c61fa47e39aa88
   Result (80 bytes) =         c2d5160a1f8683834910acdafc41fbb1
                               632d4a353e8b905ec9a5499ac34f96c7
                               e1049eb080883891a4db8caaa1f99dd0
                               04d80487540735234e3744512c6f90ce
                               112864c269fc0d9d88c61fa47e39aa08
        
   ... and masked =            6df38b06046c7c0e225efaef8e2ec444
   Tag =                       112864c269fc0d9d88c61fa47e39aa08
   Initial counter =           112864c269fc0d9d88c61fa47e39aa88
   Result (80 bytes) =         c2d5160a1f8683834910acdafc41fbb1
                               632d4a353e8b905ec9a5499ac34f96c7
                               e1049eb080883891a4db8caaa1f99dd0
                               04d80487540735234e3744512c6f90ce
                               112864c269fc0d9d88c61fa47e39aa08
        

Plaintext (8 bytes) = 0200000000000000 AAD (1 bytes) = 01 Key = 01000000000000000000000000000000 00000000000000000000000000000000 Nonce = 030000000000000000000000 Record authentication key = b5d3c529dfafac43136d2d11be284d7f Record encryption key = b914f4742be9e1d7a2f84addbf96dec3 456e3c6c05ecc157cdbf0700fedad222 POLYVAL input = 01000000000000000000000000000000 02000000000000000000000000000000 08000000000000004000000000000000 POLYVAL result = 34e57bafe011b9b36fc6821b7ffb3354 POLYVAL result XOR nonce = 37e57bafe011b9b36fc6821b7ffb3354 ... and masked = 37e57bafe011b9b36fc6821b7ffb3354 Tag = 91213f267e3b452f02d01ae33e4ec854 Initial counter = 91213f267e3b452f02d01ae33e4ec8d4 Result (24 bytes) = 1de22967237a813291213f267e3b452f 02d01ae33e4ec854

纯文本(8字节)=02000000000000000 AAD(1字节)=01 Key=010000000000000000000000000000000000000000000000000000000000000000000000000000 Nonce=030000000000000000000000000000记录身份验证密钥=b5d3c529dfafac43136d2d11be284d7f记录加密密钥=b914f4742be9e1d7a2f84addbf96dec3 456E3C6C05ECC157CDBF0700FEDAD22多值输入=0100000000000000000000000000000000000000000000000000000000000000000000000000000800000000000004000000000000000多值结果=34e57bafe011b9b36fc6821b7ffb3354多值结果异或当前值=37e57bafe011b9b36fc6821b7ffb3354。。。和屏蔽=37e57bafe011b9b36fc6821b7ffb3354标记=91213F267E3B452F02D0AE33E4EC854初始计数器=91213F267E3B452F02D001AE33E4EC8D4结果(24字节)=1DE22967237A813291213F267E3B452D01AE33E4EC854

Plaintext (12 bytes) = 020000000000000000000000 AAD (1 bytes) = 01 Key = 01000000000000000000000000000000 00000000000000000000000000000000 Nonce = 030000000000000000000000 Record authentication key = b5d3c529dfafac43136d2d11be284d7f Record encryption key = b914f4742be9e1d7a2f84addbf96dec3 456e3c6c05ecc157cdbf0700fedad222 POLYVAL input = 01000000000000000000000000000000 02000000000000000000000000000000 08000000000000006000000000000000 POLYVAL result = 5c47d68a22061c1ad5623a3b66a8e206 POLYVAL result XOR nonce = 5f47d68a22061c1ad5623a3b66a8e206 ... and masked = 5f47d68a22061c1ad5623a3b66a8e206 Tag = c1a4a19ae800941ccdc57cc8413c277f Initial counter = c1a4a19ae800941ccdc57cc8413c27ff Result (28 bytes) = 163d6f9cc1b346cd453a2e4cc1a4a19a e800941ccdc57cc8413c277f

纯文本(12字节)=0200000000000000000000000 AAD(1字节)=01 Key=010000000000000000000000000000000000000000000000000000000000000000000000000000 Nonce=030000000000000000000000000000记录身份验证密钥=b5d3c529dfafac43136d2d11be284d7f记录加密密钥=b914f4742be9e1d7a2f84addbf96dec3 456E3C6C05ECC157CDBF0700FEDAD22多值输入=0100000000000000000000000000000000000000000000000000000000000000000000000000000800000000000006000000000000000多值结果=5c47d68a22061c1ad5623a3b66a8e206多值结果异或当前值=5f47d68a22061c1ad5623a3b66a8e206。。。和屏蔽=5f47d68a22061c1ad5623a3b66a8e206标记=c1a4a19ae800941ccdc57cc8413c277f初始计数器=c1a4a19ae800941ccdc57cc8413c27ff结果(28字节)=163D6F9CC1B346CD453A2E4C1A4A19A e800941ccdc57cc8413c277f

   Plaintext (16 bytes) =      02000000000000000000000000000000
   AAD (1 bytes) =             01
   Key =                       01000000000000000000000000000000
                               00000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = b5d3c529dfafac43136d2d11be284d7f
   Record encryption key =     b914f4742be9e1d7a2f84addbf96dec3
                               456e3c6c05ecc157cdbf0700fedad222
   POLYVAL input =             01000000000000000000000000000000
                               02000000000000000000000000000000
                               08000000000000008000000000000000
   POLYVAL result =            452896726c616746f01d11d82911d478
   POLYVAL result XOR nonce =  462896726c616746f01d11d82911d478
   ... and masked =            462896726c616746f01d11d82911d478
   Tag =                       b292d28ff61189e8e49f3875ef91aff7
   Initial counter =           b292d28ff61189e8e49f3875ef91aff7
   Result (32 bytes) =         c91545823cc24f17dbb0e9e807d5ec17
                               b292d28ff61189e8e49f3875ef91aff7
        
   Plaintext (16 bytes) =      02000000000000000000000000000000
   AAD (1 bytes) =             01
   Key =                       01000000000000000000000000000000
                               00000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = b5d3c529dfafac43136d2d11be284d7f
   Record encryption key =     b914f4742be9e1d7a2f84addbf96dec3
                               456e3c6c05ecc157cdbf0700fedad222
   POLYVAL input =             01000000000000000000000000000000
                               02000000000000000000000000000000
                               08000000000000008000000000000000
   POLYVAL result =            452896726c616746f01d11d82911d478
   POLYVAL result XOR nonce =  462896726c616746f01d11d82911d478
   ... and masked =            462896726c616746f01d11d82911d478
   Tag =                       b292d28ff61189e8e49f3875ef91aff7
   Initial counter =           b292d28ff61189e8e49f3875ef91aff7
   Result (32 bytes) =         c91545823cc24f17dbb0e9e807d5ec17
                               b292d28ff61189e8e49f3875ef91aff7
        
   Plaintext (32 bytes) =      02000000000000000000000000000000
                               03000000000000000000000000000000
   AAD (1 bytes) =             01
   Key =                       01000000000000000000000000000000
                               00000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = b5d3c529dfafac43136d2d11be284d7f
   Record encryption key =     b914f4742be9e1d7a2f84addbf96dec3
                               456e3c6c05ecc157cdbf0700fedad222
   POLYVAL input =             01000000000000000000000000000000
                               02000000000000000000000000000000
                               03000000000000000000000000000000
                               08000000000000000001000000000000
   POLYVAL result =            4e58c1e341c9bb0ae34eda9509dfc90c
   POLYVAL result XOR nonce =  4d58c1e341c9bb0ae34eda9509dfc90c
   ... and masked =            4d58c1e341c9bb0ae34eda9509dfc90c
   Tag =                       aea1bad12702e1965604374aab96dbbc
   Initial counter =           aea1bad12702e1965604374aab96dbbc
   Result (48 bytes) =         07dad364bfc2b9da89116d7bef6daaaf
                               6f255510aa654f920ac81b94e8bad365
                               aea1bad12702e1965604374aab96dbbc
        
   Plaintext (32 bytes) =      02000000000000000000000000000000
                               03000000000000000000000000000000
   AAD (1 bytes) =             01
   Key =                       01000000000000000000000000000000
                               00000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = b5d3c529dfafac43136d2d11be284d7f
   Record encryption key =     b914f4742be9e1d7a2f84addbf96dec3
                               456e3c6c05ecc157cdbf0700fedad222
   POLYVAL input =             01000000000000000000000000000000
                               02000000000000000000000000000000
                               03000000000000000000000000000000
                               08000000000000000001000000000000
   POLYVAL result =            4e58c1e341c9bb0ae34eda9509dfc90c
   POLYVAL result XOR nonce =  4d58c1e341c9bb0ae34eda9509dfc90c
   ... and masked =            4d58c1e341c9bb0ae34eda9509dfc90c
   Tag =                       aea1bad12702e1965604374aab96dbbc
   Initial counter =           aea1bad12702e1965604374aab96dbbc
   Result (48 bytes) =         07dad364bfc2b9da89116d7bef6daaaf
                               6f255510aa654f920ac81b94e8bad365
                               aea1bad12702e1965604374aab96dbbc
        
   Plaintext (48 bytes) =      02000000000000000000000000000000
                               03000000000000000000000000000000
                               04000000000000000000000000000000
   AAD (1 bytes) =             01
   Key =                       01000000000000000000000000000000
        
   Plaintext (48 bytes) =      02000000000000000000000000000000
                               03000000000000000000000000000000
                               04000000000000000000000000000000
   AAD (1 bytes) =             01
   Key =                       01000000000000000000000000000000
        
                               00000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = b5d3c529dfafac43136d2d11be284d7f
   Record encryption key =     b914f4742be9e1d7a2f84addbf96dec3
                               456e3c6c05ecc157cdbf0700fedad222
   POLYVAL input =             01000000000000000000000000000000
                               02000000000000000000000000000000
                               03000000000000000000000000000000
                               04000000000000000000000000000000
                               08000000000000008001000000000000
   POLYVAL result =            2566a4aff9a525df9772c16d4eaf8d2a
   POLYVAL result XOR nonce =  2666a4aff9a525df9772c16d4eaf8d2a
   ... and masked =            2666a4aff9a525df9772c16d4eaf8d2a
   Tag =                       03332742b228c647173616cfd44c54eb
   Initial counter =           03332742b228c647173616cfd44c54eb
   Result (64 bytes) =         c67a1f0f567a5198aa1fcc8e3f213143
                               36f7f51ca8b1af61feac35a86416fa47
                               fbca3b5f749cdf564527f2314f42fe25
                               03332742b228c647173616cfd44c54eb
        
                               00000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = b5d3c529dfafac43136d2d11be284d7f
   Record encryption key =     b914f4742be9e1d7a2f84addbf96dec3
                               456e3c6c05ecc157cdbf0700fedad222
   POLYVAL input =             01000000000000000000000000000000
                               02000000000000000000000000000000
                               03000000000000000000000000000000
                               04000000000000000000000000000000
                               08000000000000008001000000000000
   POLYVAL result =            2566a4aff9a525df9772c16d4eaf8d2a
   POLYVAL result XOR nonce =  2666a4aff9a525df9772c16d4eaf8d2a
   ... and masked =            2666a4aff9a525df9772c16d4eaf8d2a
   Tag =                       03332742b228c647173616cfd44c54eb
   Initial counter =           03332742b228c647173616cfd44c54eb
   Result (64 bytes) =         c67a1f0f567a5198aa1fcc8e3f213143
                               36f7f51ca8b1af61feac35a86416fa47
                               fbca3b5f749cdf564527f2314f42fe25
                               03332742b228c647173616cfd44c54eb
        
   Plaintext (64 bytes) =      02000000000000000000000000000000
                               03000000000000000000000000000000
                               04000000000000000000000000000000
                               05000000000000000000000000000000
   AAD (1 bytes) =             01
   Key =                       01000000000000000000000000000000
                               00000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = b5d3c529dfafac43136d2d11be284d7f
   Record encryption key =     b914f4742be9e1d7a2f84addbf96dec3
                               456e3c6c05ecc157cdbf0700fedad222
   POLYVAL input =             01000000000000000000000000000000
                               02000000000000000000000000000000
                               03000000000000000000000000000000
                               04000000000000000000000000000000
                               05000000000000000000000000000000
                               08000000000000000002000000000000
   POLYVAL result =            da58d2f61b0a9d343b2f37fb0c519733
   POLYVAL result XOR nonce =  d958d2f61b0a9d343b2f37fb0c519733
   ... and masked =            d958d2f61b0a9d343b2f37fb0c519733
   Tag =                       5bde0285037c5de81e5b570a049b62a0
   Initial counter =           5bde0285037c5de81e5b570a049b62a0
   Result (80 bytes) =         67fd45e126bfb9a79930c43aad2d3696
                               7d3f0e4d217c1e551f59727870beefc9
                               8cb933a8fce9de887b1e40799988db1f
                               c3f91880ed405b2dd298318858467c89
                               5bde0285037c5de81e5b570a049b62a0
        
   Plaintext (64 bytes) =      02000000000000000000000000000000
                               03000000000000000000000000000000
                               04000000000000000000000000000000
                               05000000000000000000000000000000
   AAD (1 bytes) =             01
   Key =                       01000000000000000000000000000000
                               00000000000000000000000000000000
   Nonce =                     030000000000000000000000
   Record authentication key = b5d3c529dfafac43136d2d11be284d7f
   Record encryption key =     b914f4742be9e1d7a2f84addbf96dec3
                               456e3c6c05ecc157cdbf0700fedad222
   POLYVAL input =             01000000000000000000000000000000
                               02000000000000000000000000000000
                               03000000000000000000000000000000
                               04000000000000000000000000000000
                               05000000000000000000000000000000
                               08000000000000000002000000000000
   POLYVAL result =            da58d2f61b0a9d343b2f37fb0c519733
   POLYVAL result XOR nonce =  d958d2f61b0a9d343b2f37fb0c519733
   ... and masked =            d958d2f61b0a9d343b2f37fb0c519733
   Tag =                       5bde0285037c5de81e5b570a049b62a0
   Initial counter =           5bde0285037c5de81e5b570a049b62a0
   Result (80 bytes) =         67fd45e126bfb9a79930c43aad2d3696
                               7d3f0e4d217c1e551f59727870beefc9
                               8cb933a8fce9de887b1e40799988db1f
                               c3f91880ed405b2dd298318858467c89
                               5bde0285037c5de81e5b570a049b62a0
        

Plaintext (4 bytes) = 02000000 AAD (12 bytes) = 010000000000000000000000 Key = 01000000000000000000000000000000 00000000000000000000000000000000 Nonce = 030000000000000000000000 Record authentication key = b5d3c529dfafac43136d2d11be284d7f Record encryption key = b914f4742be9e1d7a2f84addbf96dec3 456e3c6c05ecc157cdbf0700fedad222 POLYVAL input = 01000000000000000000000000000000 02000000000000000000000000000000 60000000000000002000000000000000 POLYVAL result = 6dc76ae84b88916e073a303aafde05cf POLYVAL result XOR nonce = 6ec76ae84b88916e073a303aafde05cf ... and masked = 6ec76ae84b88916e073a303aafde054f Tag = 1835e517741dfddccfa07fa4661b74cf Initial counter = 1835e517741dfddccfa07fa4661b74cf Result (20 bytes) = 22b3f4cd1835e517741dfddccfa07fa4 661b74cf

纯文本(4字节)=02000000 AAD(12字节)=010000000000000000000000密钥=010000000000000000000000000000000000000000000000000000 Nonce=030000000000000000000000记录身份验证密钥=b5d3c529dfafac43136d2d11be284d7f记录加密密钥=b914f4742be9e1d7a2f84addbf96dec3 456E3C6C05ECC157CDBF0700FEDAD22多值输入=010000000000000000000000000200000000000000000000000000000006000000000000000000000000000000000000000000000000000000000000000000000000000000000000多值结果=6dc76ae84b88916e073a303aafde05cf多值结果异或当前值=6ec76ae84b88916e073a303aafde05cf。。。和屏蔽=6ec76ae84b88916e073a303aafde054f标记=1835e517741dfddccfa07fa4661b74cf初始计数器=1835e517741dfddccfa07fa4661b74cf结果(20字节)=22b3f4cd1835e517741dfddccfa07fa4 661b74cf

Plaintext (20 bytes) = 03000000000000000000000000000000 04000000 AAD (18 bytes) = 01000000000000000000000000000000 0200 Key = 01000000000000000000000000000000 00000000000000000000000000000000 Nonce = 030000000000000000000000 Record authentication key = b5d3c529dfafac43136d2d11be284d7f Record encryption key = b914f4742be9e1d7a2f84addbf96dec3 456e3c6c05ecc157cdbf0700fedad222 POLYVAL input = 01000000000000000000000000000000 02000000000000000000000000000000 03000000000000000000000000000000 04000000000000000000000000000000 9000000000000000a000000000000000 POLYVAL result = 973ef4fd04bd31d193816ab26f8655ca POLYVAL result XOR nonce = 943ef4fd04bd31d193816ab26f8655ca ... and masked = 943ef4fd04bd31d193816ab26f86554a Tag = b879ad976d8242acc188ab59cabfe307 Initial counter = b879ad976d8242acc188ab59cabfe387 Result (36 bytes) = 43dd0163cdb48f9fe3212bf61b201976 067f342bb879ad976d8242acc188ab59 cabfe307

纯文本(20字节)=03000000000000000000000000004000000AAD(18字节)=010000000000000000000000000000000000000200密钥=01000000000000000000000000000000000000000000000000000000000000000000000 Nonce=030000000000000000000000记录身份验证密钥=b5d3c529dfafac43136d2d11be284d7f记录加密密钥=B914F4742BE9E1D7A2F84ADBF96DEC3 456E3C6C05ECC157CDBF0700FEDAD22多值输入=01000000000000000000000000000000020000000000000000000000000000000030000000000000000000000000000000000000000000000000000000000000000000000000000000900000000000000000000A000000000000000 POLYVAL结果=973ef4fd04bd31d193816ab26f8655ca POLYVAL结果XOR nonce=943ef4fd04bd31d193816ab26f8655ca。。。和屏蔽=943ef4fd04bd31d193816ab26f86554a标记=b879ad976d8242acc188ab59cabfe307初始计数器=b879ad976d8242acc188ab59cabfe387结果(36字节)=43DD0163CDB48F3212BF61B201976 067f342bb879ad976d8242acc188ab59 cabfe307

   Plaintext (18 bytes) =      03000000000000000000000000000000
                               0400
   AAD (20 bytes) =            01000000000000000000000000000000
        
   Plaintext (18 bytes) =      03000000000000000000000000000000
                               0400
   AAD (20 bytes) =            01000000000000000000000000000000
        

02000000 Key = 01000000000000000000000000000000 00000000000000000000000000000000 Nonce = 030000000000000000000000 Record authentication key = b5d3c529dfafac43136d2d11be284d7f Record encryption key = b914f4742be9e1d7a2f84addbf96dec3 456e3c6c05ecc157cdbf0700fedad222 POLYVAL input = 01000000000000000000000000000000 02000000000000000000000000000000 03000000000000000000000000000000 04000000000000000000000000000000 a0000000000000009000000000000000 POLYVAL result = 2cbb6b7ab2dbffefb797f825f826870c POLYVAL result XOR nonce = 2fbb6b7ab2dbffefb797f825f826870c ... and masked = 2fbb6b7ab2dbffefb797f825f826870c Tag = cfcdf5042112aa29685c912fc2056543 Initial counter = cfcdf5042112aa29685c912fc20565c3 Result (34 bytes) = 462401724b5ce6588d5a54aae5375513 a075cfcdf5042112aa29685c912fc205 6543

02000000密钥=01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Nonce=030000000000000000000000000000记录身份验证密钥=b5d3c529dfafac43136d2d11be284d7f记录加密密钥=b914f4742be9e1d7a2f84addbf96dec3 456E3C6C05ECC157CDBF0700FEDAD22多值输入=0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000300000000000000000000000000000004000000000000000000000000000000000000000000000000A0000000000000009000000000000000多值结果=2CBB6B7AB2DBFEFB797F825F826870C多值结果异或当前值=2FBB6B7AB2DBFEFB797F825F826870C。。。和掩码=2FBB6B7AB2DBFFFB797F825F826870C标记=CFCDF5042112AA29685C912FC056543初始计数器=CFCDF5042112AA29685C912FC0565C3结果(34字节)=462401724B5CE6588D5A54AAE5375A075CFCDF5042112AA29685C912FC056543

   Plaintext (0 bytes) =
   AAD (0 bytes) =
   Key =                       e66021d5eb8e4f4066d4adb9c33560e4
                               f46e44bb3da0015c94f7088736864200
   Nonce =                     e0eaf5284d884a0e77d31646
   Record authentication key = e40d26f82774aa27f47b047b608b9585
   Record encryption key =     7c7c3d9a542cef53dde0e6de9b580040
                               0f82e73ec5f7ee41b7ba8dcb9ba078c3
   POLYVAL input =             00000000000000000000000000000000
   POLYVAL result =            00000000000000000000000000000000
   POLYVAL result XOR nonce =  e0eaf5284d884a0e77d3164600000000
   ... and masked =            e0eaf5284d884a0e77d3164600000000
   Tag =                       169fbb2fbf389a995f6390af22228a62
   Initial counter =           169fbb2fbf389a995f6390af22228ae2
   Result (16 bytes) =         169fbb2fbf389a995f6390af22228a62
        
   Plaintext (0 bytes) =
   AAD (0 bytes) =
   Key =                       e66021d5eb8e4f4066d4adb9c33560e4
                               f46e44bb3da0015c94f7088736864200
   Nonce =                     e0eaf5284d884a0e77d31646
   Record authentication key = e40d26f82774aa27f47b047b608b9585
   Record encryption key =     7c7c3d9a542cef53dde0e6de9b580040
                               0f82e73ec5f7ee41b7ba8dcb9ba078c3
   POLYVAL input =             00000000000000000000000000000000
   POLYVAL result =            00000000000000000000000000000000
   POLYVAL result XOR nonce =  e0eaf5284d884a0e77d3164600000000
   ... and masked =            e0eaf5284d884a0e77d3164600000000
   Tag =                       169fbb2fbf389a995f6390af22228a62
   Initial counter =           169fbb2fbf389a995f6390af22228ae2
   Result (16 bytes) =         169fbb2fbf389a995f6390af22228a62
        
   Plaintext (3 bytes) =       671fdd
   AAD (5 bytes) =             4fbdc66f14
   Key =                       bae8e37fc83441b16034566b7a806c46
                               bb91c3c5aedb64a6c590bc84d1a5e269
   Nonce =                     e4b47801afc0577e34699b9e
   Record authentication key = b546f5a850d0a90adfe39e95c2510fc6
   Record encryption key =     b9d1e239d62cbb5c49273ddac8838bdc
                               c53bca478a770f07087caa4e0a924a55
   POLYVAL input =             4fbdc66f140000000000000000000000
                               671fdd00000000000000000000000000
        
   Plaintext (3 bytes) =       671fdd
   AAD (5 bytes) =             4fbdc66f14
   Key =                       bae8e37fc83441b16034566b7a806c46
                               bb91c3c5aedb64a6c590bc84d1a5e269
   Nonce =                     e4b47801afc0577e34699b9e
   Record authentication key = b546f5a850d0a90adfe39e95c2510fc6
   Record encryption key =     b9d1e239d62cbb5c49273ddac8838bdc
                               c53bca478a770f07087caa4e0a924a55
   POLYVAL input =             4fbdc66f140000000000000000000000
                               671fdd00000000000000000000000000
        

28000000000000001800000000000000 POLYVAL result = b91f91f96b159a7c611c05035b839e92 POLYVAL result XOR nonce = 5dabe9f8c4d5cd0255759e9d5b839e92 ... and masked = 5dabe9f8c4d5cd0255759e9d5b839e12 Tag = 93da9bb81333aee0c785b240d319719d Initial counter = 93da9bb81333aee0c785b240d319719d Result (19 bytes) = 0eaccb93da9bb81333aee0c785b240d3 19719d

2800000000000000180000000000000多值结果=b91f91f96b159a7c611c05035b839e92多值结果异或当前值=5DABE9F8C4D5CD025759E9D5B839E92。。。和掩码=5dabe9f8c4d5cd0255759e9d5b839e12标记=93da9bb81333aee0c785b240d319719d初始计数器=93da9bb81333aee0c785b240d319719d结果(19字节)=0EACCB93DA9BB81333AEE0C785B240D319719D

Plaintext (6 bytes) = 195495860f04 AAD (10 bytes) = 6787f3ea22c127aaf195 Key = 6545fc880c94a95198874296d5cc1fd1 61320b6920ce07787f86743b275d1ab3 Nonce = 2f6d1f0434d8848c1177441f Record authentication key = e156e1f9b0b07b780cbe30f259e3c8da Record encryption key = 6fc1c494519f944aae52fcd8b14e5b17 1b5a9429d3b76e430d49940c0021d612 POLYVAL input = 6787f3ea22c127aaf195000000000000 195495860f0400000000000000000000 50000000000000003000000000000000 POLYVAL result = 2c480ed9d236b1df24c6eec109bd40c1 POLYVAL result XOR nonce = 032511dde6ee355335b1aade09bd40c1 ... and masked = 032511dde6ee355335b1aade09bd4041 Tag = 6b62b84dc40c84636a5ec12020ec8c2c Initial counter = 6b62b84dc40c84636a5ec12020ec8cac Result (22 bytes) = a254dad4f3f96b62b84dc40c84636a5e c12020ec8c2c

纯文本(6字节)=195495860f04 AAD(10字节)=6787f3ea22c127aaf195 Key=6545fc880c94a95198874296d5cc1fd1 61320b6920ce07787f86743b275d1ab3 Nonce=2f6d1f0434d8848c1177441f记录身份验证密钥=E156E1F9B07B780CBE30F259E3C8DA记录加密密钥=6FC1C494519F944AAE52FC14E5B17 1B9429D376E430D4940C0021D612多值输入=6787F322C127AAF19500000000195495860F04000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000。。。和掩码=032511DE6EE35535B1AADE09BD4041标记=6b62b84dc40c84636a5ec12020ec8c2c初始计数器=6b62b84dc40c84636a5ec12020ec8cac结果(22字节)=a254dad4f3f96b62b84dc40c84636a5e c12020ec8c2c

Plaintext (9 bytes) = c9882e5386fd9f92ec AAD (15 bytes) = 489c8fde2be2cf97e74e932d4ed87d Key = d1894728b3fed1473c528b8426a58299 5929a1499e9ad8780c8d63d0ab4149c0 Nonce = 9f572c614b4745914474e7c7 Record authentication key = 0533fd71f4119257361a3ff1469dd4e5 Record encryption key = 4feba89799be8ac3684fa2bb30ade0ea 51390e6d87dcf3627d2ee44493853abe POLYVAL input = 489c8fde2be2cf97e74e932d4ed87d00 c9882e5386fd9f92ec00000000000000 78000000000000004800000000000000 POLYVAL result = bf160bc9ded8c63057d2c38aae552fb4 POLYVAL result XOR nonce = 204127a8959f83a113a6244dae552fb4 ... and masked = 204127a8959f83a113a6244dae552f34 Tag = c0fd3dc6628dfe55ebb0b9fb2295c8c2 Initial counter = c0fd3dc6628dfe55ebb0b9fb2295c8c2 Result (25 bytes) = 0df9e308678244c44bc0fd3dc6628dfe 55ebb0b9fb2295c8c2

纯文本(9字节)=c9882e5386fd9f92ec AAD(15字节)=489c8fde2be2cf97e74e932d4ed87d Key=d1894728b3fed1473c528b8426a58299 5929a1499e9ad8780c8d63d0ab4149c0 Nonce=9F572C14B47459474E7C7记录身份验证密钥=0533FD71F41192257361A3FF1469DD4E5记录加密密钥=4FEBA89799BE8AC3684FA2BB30EA51390E6D87DCF3627D2EE4438533PED7ED974D00多值输入=489FD71F712DE974D00c9882e5386fd9f92ec00000000000000 78000000000000048000000000000多值结果=bf160bc9ded8c63057d2c38aae552fb4多值结果异或当前值=204127a8959f83a113a6244dae552fb4。。。和屏蔽=204127a8959f83a113a6244dae552f34标记=c0fd3dc6628dfe55ebb0b9fb2295c8c2初始计数器=c0fd3dc6628dfe55ebb0b9fb2295c8c2结果(25字节)=0df9e308678244c44bc0fd3dc6628dfe 55ebb0b9fb2295c8c2

Plaintext (12 bytes) = 1db2316fd568378da107b52b AAD (20 bytes) = 0da55210cc1c1b0abde3b2f204d1e9f8 b06bc47f Key = a44102952ef94b02b805249bac80e6f6 1455bfac8308a2d40d8c845117808235 Nonce = 5c9e940fea2f582950a70d5a Record authentication key = 64779ab10ee8a280272f14cc8851b727 Record encryption key = 25f40fc63f49d3b9016a8eeeb75846e0 d72ca36ddbd312b6f5ef38ad14bd2651 POLYVAL input = 0da55210cc1c1b0abde3b2f204d1e9f8 b06bc47f000000000000000000000000 1db2316fd568378da107b52b00000000 a0000000000000006000000000000000 POLYVAL result = cc86ee22c861e1fd474c84676b42739c POLYVAL result XOR nonce = 90187a2d224eb9d417eb893d6b42739c ... and masked = 90187a2d224eb9d417eb893d6b42731c Tag = 404099c2587f64979f21826706d497d5 Initial counter = 404099c2587f64979f21826706d497d5 Result (28 bytes) = 8dbeb9f7255bf5769dd56692404099c2 587f64979f21826706d497d5

纯文本(12字节)=1db2316fd568378da107b52b AAD(20字节)=0da55210cc1c1b0abde3b2f204d1e9f8 b06bc47f密钥=a44102952ef94b02b805249bac80e6f6 1455bfac8308a2d40d8c845117808235 Nonce=5c9e940fea2f582950a70d5a记录身份验证密钥=64779AB10EE8A280272F14C8851B727记录加密密钥=25f40fc63f49d3b9016a8eeeb75846e0 D72CA36DD316F5EF38AD14BD1B10DA55CFB10ABDE10EB06BC47F0000000000000000000000000000001DB2316FD568378DA107B5200000000 a0000000000000006000000000000000多值结果=cc86ee22c861e1fd474c84676b42739c多值结果异或当前值=90187a2d224eb9d417eb893d6b42739c。。。和掩码=90187A224EB9D417EB893D6B42731C标记=404099c2587f64979f21826706d497d5初始计数器=404099c2587f64979f21826706d497d5结果(28字节)=8dbeb9f7255bf5769dd56692404099c2 587f64979f21826706d497d5

Plaintext (15 bytes) = 21702de0de18baa9c9596291b08466 AAD (25 bytes) = f37de21c7ff901cfe8a69615a93fdf7a 98cad481796245709f Key = 9745b3d1ae06556fb6aa7890bebc18fe 6b3db4da3d57aa94842b9803a96e07fb Nonce = 6de71860f762ebfbd08284e4 Record authentication key = 27c2959ed4daea3b1f52e849478de376 Record encryption key = 307a38a5a6cf231c0a9af3b527f23a62 e9a6ff09aff8ae669f760153e864fc93 POLYVAL input = f37de21c7ff901cfe8a69615a93fdf7a 98cad481796245709f00000000000000 21702de0de18baa9c9596291b0846600 c8000000000000007800000000000000 POLYVAL result = c4fa5e5b713853703bcf8e6424505fa5 POLYVAL result XOR nonce = a91d463b865ab88beb4d0a8024505fa5 ... and masked = a91d463b865ab88beb4d0a8024505f25 Tag = b3080d28f6ebb5d3648ce97bd5ba67fd Initial counter = b3080d28f6ebb5d3648ce97bd5ba67fd Result (31 bytes) = 793576dfa5c0f88729a7ed3c2f1bffb3 080d28f6ebb5d3648ce97bd5ba67fd

纯文本(15字节)=21702DE18BAA9C9596291B08466 AAD(25字节)=F37DE21C7FF901CFE8A69615A93FDF7A98CAD481796245709F密钥=9745b3d1ae06556fb6aa7890bebc18fe 6B3DB4B4DA3D57AA942B9803A96E07FB Nonce=6DE71860F762EBBD08284E4记录身份验证密钥=27C2959ED4DAEAA3B1F52E849478DE376记录加密密钥=307A38A5A6CF231C0A9AB527F23A662 E9AFF8669F760E864FC93多值输入=f37de21c7ff901cfe8a69615a93fdf7a 98CAD481796245709F0000000000000001702DE18BAA9C9596291B084660C800000000000000000007800000000000000000000多值结果=c4fa5e5b713853703bcf8e6424505fa5多值结果XOR nonce=a91d463b865ab88beb4d0a8024505fa5。。。和掩码=a91d463b865ab88beb4d0a8024505f25标记=b3080d28f6ebb5d3648ce97bd5ba67fd初始计数器=b3080d28f6ebb5d3648ce97bd5ba67fd结果(31字节)=793576DFA5C0F88729A7ED3C2F1BFB3080D28F6EBB5B3648CE97BD5BA67FD

Plaintext (18 bytes) = b202b370ef9768ec6561c4fe6b7e7296 fa85 AAD (30 bytes) = 9c2159058b1f0fe91433a5bdc20e214e ab7fecef4454a10ef0657df21ac7

纯文本(18字节)=b202b370ef9768ec6561c4fe6b7e7296 fa85 AAD(30字节)=9C2159058B1F0FE91433A3A5BDC20E214E AB7FECF4454A10EF0657DF21AC7

Key = b18853f68d833640e42a3c02c25b6486 9e146d7b233987bddfc240871d7576f7 Nonce = 028ec6eb5ea7e298342a94d4 Record authentication key = 670b98154076ddb59b7a9137d0dcc0f0 Record encryption key = 78116d78507fbe69d4a820c350f55c7c b36c3c9287df0e9614b142b76a587c3f POLYVAL input = 9c2159058b1f0fe91433a5bdc20e214e ab7fecef4454a10ef0657df21ac70000 b202b370ef9768ec6561c4fe6b7e7296 fa850000000000000000000000000000 f0000000000000009000000000000000 POLYVAL result = 4e4108f09f41d797dc9256f8da8d58c7 POLYVAL result XOR nonce = 4ccfce1bc1e6350fe8b8c22cda8d58c7 ... and masked = 4ccfce1bc1e6350fe8b8c22cda8d5847 Tag = 454fc2a154fea91f8363a39fec7d0a49 Initial counter = 454fc2a154fea91f8363a39fec7d0ac9 Result (34 bytes) = 857e16a64915a787637687db4a951963 5cdd454fc2a154fea91f8363a39fec7d 0a49

Key=B18853F68D833640E42A3C02C02C25B6486 9E146D7B233987DDFC240871D7576F7 Nonce=028ec6eb5ea7e298342a94d4记录身份验证Key=670b98154076ddb59b7a9137d0dcc0f0记录加密密钥=78116d78507fbe69d4a820c350f55c7c b36c3c9287df0e9614b142b76a587c3f POLYVAL输入=9C2159058B00FE91435DCE214E ABEF44547000AC2170b202b370ef9768ec6561c4fe6b7e7296 FA85000000000000000000000000000000000000000F0000000000000000000000000000POLYVAL结果=4e4108f09f41d797dc9256f8da8d58c7 POLYVAL结果XOR nonce=4CCFCE1BC1E6350FE8C22CDA8D58C7。。。和掩码=4ccfce1bc1e6350fe8b8c22cda8d5847标记=454FC2A154FEA91F8363A339FEC7D0A49初始计数器=454FC2A154FEA91F8363A339FEC7D0AC9结果(34字节)=857E16A64915A787687DB4A951963 5CD454FC2A154FEA91F8363A39FEC7D 0a49

Plaintext (21 bytes) = ced532ce4159b035277d4dfbb7db6296 8b13cd4eec AAD (35 bytes) = 734320ccc9d9bbbb19cb81b2af4ecbc3 e72834321f7aa0f70b7282b4f33df23f 167541 Key = 3c535de192eaed3822a2fbbe2ca9dfc8 8255e14a661b8aa82cc54236093bbc23 Nonce = 688089e55540db1872504e1c Record authentication key = cb8c3aa3f8dbaeb4b28a3e86ff6625f8 Record encryption key = 02426ce1aa3ab31313b0848469a1b5fc 6c9af9602600b195b04ad407026bc06d POLYVAL input = 734320ccc9d9bbbb19cb81b2af4ecbc3 e72834321f7aa0f70b7282b4f33df23f 16754100000000000000000000000000 ced532ce4159b035277d4dfbb7db6296 8b13cd4eec0000000000000000000000 1801000000000000a800000000000000 POLYVAL result = ffd503c7dd712eb3791b7114b17bb0cf POLYVAL result XOR nonce = 97558a228831f5ab0b4b3f08b17bb0cf ... and masked = 97558a228831f5ab0b4b3f08b17bb04f Tag = 9d6c7029675b89eaf4ba1ded1a286594 Initial counter = 9d6c7029675b89eaf4ba1ded1a286594 Result (37 bytes) = 626660c26ea6612fb17ad91e8e767639 edd6c9faee9d6c7029675b89eaf4ba1d ed1a286594

纯文本(21字节)=ced532ce4159b035277d4dfbb7db6296 8B13C4EEC AAD(35字节)=734320ccc9d9bbbb19cb81b2af4ecbc3 e72834321f7aa0f70b7282b4f33df23f 167541密钥=3c535de192eaed3822a2fbbe2ca9dfc8 8255e14a661b8aa82cc54236093bbc23 Nonce=688089E5540DB1872504E1C记录身份验证密钥=CB8C3AA3F8DBEB4B28A3E86FF6625F8记录加密密钥=02426CE1AA3AB31B08469A1B5B5B56B6B6BC9604D输入734320CCC9D9BB19CB81B2AF4ECBC3 e72834321f7aa0f70b7282b4f33df23f 1675410000000000000000000000000000000CED532CE4159B03527D4DFBB7DB6296 8B13CDBEECC000000000000000000000000000018010000000000A80000000000000多值结果=FFD503C7DD712EB37914B14B17BF0CF多值结果XOR nonce=97558A228831F5AB0B4BF017BB0CF。。。和屏蔽=97558a228831f5ab0b4b3f08b17bb04f标记=9d6c7029675b89eaf4ba1ded1a286594初始计数器=9d6c7029675b89eaf4ba1ded1a286594结果(37字节)=626660C26EA6612FB17AD91E8E7639 edd6c9faee9d6c7029675b89eaf4ba1d ed1a286594

C.3. Counter Wrap Tests
C.3. 反包裹试验

The tests in this section use AEAD_AES_256_GCM_SIV and are crafted to test correct wrapping of the block counter.

本节中的测试使用AEAD_AES_256_GCM_SIV,旨在测试块计数器的正确包装。

   Plaintext (32 bytes) =      00000000000000000000000000000000
                               4db923dc793ee6497c76dcc03a98e108
   AAD (0 bytes) =
   Key =                       00000000000000000000000000000000
                               00000000000000000000000000000000
   Nonce =                     000000000000000000000000
   Record authentication key = dc95c078a24089895275f3d86b4fb868
   Record encryption key =     779b38d15bffb63d39d6e9ae76a9b2f3
                               75d11b0e3a68c422845c7d4690fa594f
   POLYVAL input =             00000000000000000000000000000000
                               4db923dc793ee6497c76dcc03a98e108
                               00000000000000000001000000000000
   POLYVAL result =            7367cdb411b730128dd56e8edc0eff56
   POLYVAL result XOR nonce =  7367cdb411b730128dd56e8edc0eff56
   ... and masked =            7367cdb411b730128dd56e8edc0eff56
   Tag =                       ffffffff000000000000000000000000
   Initial counter =           ffffffff000000000000000000000080
   Result (48 bytes) =         f3f80f2cf0cb2dd9c5984fcda908456c
                               c537703b5ba70324a6793a7bf218d3ea
                               ffffffff000000000000000000000000
        
   Plaintext (32 bytes) =      00000000000000000000000000000000
                               4db923dc793ee6497c76dcc03a98e108
   AAD (0 bytes) =
   Key =                       00000000000000000000000000000000
                               00000000000000000000000000000000
   Nonce =                     000000000000000000000000
   Record authentication key = dc95c078a24089895275f3d86b4fb868
   Record encryption key =     779b38d15bffb63d39d6e9ae76a9b2f3
                               75d11b0e3a68c422845c7d4690fa594f
   POLYVAL input =             00000000000000000000000000000000
                               4db923dc793ee6497c76dcc03a98e108
                               00000000000000000001000000000000
   POLYVAL result =            7367cdb411b730128dd56e8edc0eff56
   POLYVAL result XOR nonce =  7367cdb411b730128dd56e8edc0eff56
   ... and masked =            7367cdb411b730128dd56e8edc0eff56
   Tag =                       ffffffff000000000000000000000000
   Initial counter =           ffffffff000000000000000000000080
   Result (48 bytes) =         f3f80f2cf0cb2dd9c5984fcda908456c
                               c537703b5ba70324a6793a7bf218d3ea
                               ffffffff000000000000000000000000
        

Plaintext (24 bytes) = eb3640277c7ffd1303c7a542d02d3e4c 0000000000000000 AAD (0 bytes) = Key = 00000000000000000000000000000000 00000000000000000000000000000000 Nonce = 000000000000000000000000 Record authentication key = dc95c078a24089895275f3d86b4fb868 Record encryption key = 779b38d15bffb63d39d6e9ae76a9b2f3 75d11b0e3a68c422845c7d4690fa594f POLYVAL input = eb3640277c7ffd1303c7a542d02d3e4c 00000000000000000000000000000000 0000000000000000c000000000000000 POLYVAL result = 7367cdb411b730128dd56e8edc0eff56 POLYVAL result XOR nonce = 7367cdb411b730128dd56e8edc0eff56 ... and masked = 7367cdb411b730128dd56e8edc0eff56 Tag = ffffffff000000000000000000000000 Initial counter = ffffffff000000000000000000000080 Result (40 bytes) = 18ce4f0b8cb4d0cac65fea8f79257b20 888e53e72299e56dffffffff00000000 0000000000000000

纯文本(24字节)=eb3640277c7ffd1303c7a542d02d3e4c 0000000000000000 AAD(0字节)=Key=00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Nonce=000000000000000000000000000000000000000000记录身份验证Key=DC95C078A240898995275F3D86B4FB868记录加密Key=779B38D15BFB63D39D6E9E76A9B2F375D11B0E3A68C422845C7D4690FA594F POLYVAL输入=EB3640277C7FFD1303C7A542D02D3E4C000000000000000000000000000000000000000000000000 C000000000000000多值结果=7367cdb411b730128dd56e8edc0eff56多值结果异或当前值=7367cdb411b730128dd56e8edc0eff56。。。和屏蔽=7367CDB41B730128DD56E8EDC0EFF56标记=FFFFFF000000000000000000000000000000000000000000000000000000初始计数器=FFFFFFFF00000000000000000000000000000080结果(40字节)=18ce4f0b8cb4d0cac65fea8f79257b20 888E53E72299E56DFFFFFF000000000000000000000000000000000000

Acknowledgements

致谢

The authors would like to thank Daniel Bleichenbacher, Uri Blumenthal, Deb Cooley's team at NSA Information Assurance, Scott Fluhrer, Tetsu Iwata, Tibor Jager, John Mattsson, Ondrej Mosnacek, Kenny Paterson, Bart Preneel, Yannick Seurin, and Bjoern Tackmann for their helpful suggestions and review.

作者要感谢Daniel Bleichenbacher、Uri Blumenthal、国家安全局信息保障部的Deb Cooley团队、Scott Fluhrer、岩田铁通、蒂博尔·贾格尔、约翰·马特松、昂德雷·莫斯纳切克、肯尼·帕特森、巴特·普雷尼尔、扬尼克·修林和比约恩·塔克曼,感谢他们提出的有益建议和评论。

Authors' Addresses

作者地址

Shay Gueron University of Haifa and Amazon Abba Khoushy Ave 199 Haifa 3498838 Israel

谢伊盖伦大学海法和亚马逊阿巴Kou害羞大道199海法3498838以色列

   Email: shay@math.haifa.ac.il
        
   Email: shay@math.haifa.ac.il
        

Adam Langley Google LLC 345 Spear St San Francisco, CA 94105 United States of America

Adam Langley Google LLC 345矛圣旧金山,CA 94105美利坚合众国

   Email: agl@google.com
        
   Email: agl@google.com
        

Yehuda Lindell Bar-Ilan University and Unbound Tech Ramat Gan 5290002 Israel

耶胡达·林德尔·巴伊兰大学和非绑定技术拉马特Gan 5290002以色列

   Email: Yehuda.Lindell@biu.ac.il
        
   Email: Yehuda.Lindell@biu.ac.il