[Docs] [txt|pdf|xml|html] [Tracker] [WG] [Email] [Diff1] [Diff2] [Nits]

Versions: (draft-gueron-gcmsiv) 00 01 02 03 04 05 06 07 08 09

CFRG                                                           S. Gueron
Internet-Draft                 University of Haifa and Intel Corporation
Intended status: Informational                                A. Langley
Expires: March 2, 2017                                            Google
                                                              Y. Lindell
                                                     Bar Ilan University
                                                         August 29, 2016


      AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption
                       draft-irtf-cfrg-gcmsiv-02

Abstract

   This memo specifies two authenticated encryption algorithms that are
   nonce misuse-resistant - that is that they do not fail
   catastrophically if a nonce is repeated.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 2, 2017.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of




Gueron, et al.            Expires March 2, 2017                 [Page 1]


Internet-Draft                 aes-gcm-siv                   August 2016


   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Requirements Language . . . . . . . . . . . . . . . . . . . .   3
   3.  POLYVAL . . . . . . . . . . . . . . . . . . . . . . . . . . .   3
   4.  Encryption  . . . . . . . . . . . . . . . . . . . . . . . . .   4
   5.  Decryption  . . . . . . . . . . . . . . . . . . . . . . . . .   5
   6.  AEADs . . . . . . . . . . . . . . . . . . . . . . . . . . . .   5
   7.  Field operation examples  . . . . . . . . . . . . . . . . . .   6
   8.  Worked example  . . . . . . . . . . . . . . . . . . . . . . .   6
   9.  Security Considerations . . . . . . . . . . . . . . . . . . .   7
   10. IANA Considerations . . . . . . . . . . . . . . . . . . . . .   8
   11. Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   8
   12. References  . . . . . . . . . . . . . . . . . . . . . . . . .   8
     12.1.  Normative References . . . . . . . . . . . . . . . . . .   8
     12.2.  Informative References . . . . . . . . . . . . . . . . .   8
   Appendix A.  The relationship between POLYVAL and GHASH . . . . .   8
   Appendix B.  Test vectors . . . . . . . . . . . . . . . . . . . .  10
     B.1.  AEAD_AES_128_GCM_SIV  . . . . . . . . . . . . . . . . . .  10
     B.2.  AEAD_AES_256_GCM_SIV  . . . . . . . . . . . . . . . . . .  47
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  89

1.  Introduction

   The concept of "Authenticated encryption with additional data" (AEAD
   [RFC5116]) couples confidentiality and integrity in a single
   operation that is easier for practitioners to use correctly.  The
   most popular AEAD, AES-GCM [GCM], is seeing widespread use due to its
   attractive performance.

   However, most AEADs suffer catastrophic failures of confidentiality
   and/or integrity when two distinct messages are encrypted with the
   same nonce.  While the requirements for AEADs specify that the pair
   of (key, nonce) shall only ever be used once, and thus prohibit this,
   in practice this is a worry.

   Nonce misuse-resistant AEADs do not suffer from this problem.  For
   this class of AEADs, encrypting two messages with the same nonce only
   discloses whether the messages were equal or not.  This is the
   minimum amount of information that a deterministic algorithm can leak
   in this situation.

   This memo specifies two nonce misuse-resistant AEADs:
   "AEAD_AES_128_GCM_SIV" and "AEAD_AES_256_GCM_SIV".  These AEADs are
   designed to be able to take advantage of existing hardware support



Gueron, et al.            Expires March 2, 2017                 [Page 2]


Internet-Draft                 aes-gcm-siv                   August 2016


   for AES-GCM and can decrypt within 5% of the speed of AES-GCM.
   Encryption is, perforce, slower than AES-GCM because two passes are
   required.  However, measurements suggest that it can still run at
   2/3rds of the speed of AES-GCM.

   We suggest that these AEADs be considered in any situation where
   there is the slightest doubt about nonce uniqueness.

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

3.  POLYVAL

   The GCM-SIV construction is similar to GCM: the block cipher is used
   in counter mode to encrypt the plaintext and a polynomial
   authenticator is used to provide integrity.  The authenticator in
   GCM-SIV is called POLYVAL.

   POLYVAL, like GHASH, operates in a binary field of size 2^128.  The
   field is defined by the irreducible polynomial x^128 + x^127 + x^126
   + x^121 + 1.  The sum of any two elements in the field is the result
   of XORing them.  The product of any two elements is calculated using
   standard (binary) polynomial multiplication followed by reduction
   modulo the irreducible polynomial.

   We define another binary operation on elements of the field: dot(a,
   b), where dot(a, b) = a * b * x^-128.  The value of the field element
   x^-128 is equal to x^127 + x^124 + x^121 + x^114 + 1.  The result,
   dot(a, b), of this multiplication is another field element.

   Polynomials in this field are converted to and from 128-bit strings
   by taking the least-significant bit of the first byte to be the
   coefficient of x^0, the most-significant bit of the first byte to the
   the coefficient of x^7 and so on, until the most-significant bit of
   the last byte is the coefficient of x^127.

   POLYVAL takes a field element, H, and a series of field elements X_1,
   ..., X_s.  Its result is S_s, where S is defined by the iteration S_0
   = 0; S_j = dot(S_{j-1} + X_j, H).

   We note that POLYVAL(H, X_1, X_2, ...) is equal to
   ByteReverse(GHASH(ByteReverse(H)*x, ByteReverse(X_1),
   ByteReverse(X_2), ...)), where ByteReverse is a function that
   reverses the order of 16 bytes.  See Appendix A for a more detailed
   explanation.



Gueron, et al.            Expires March 2, 2017                 [Page 3]


Internet-Draft                 aes-gcm-siv                   August 2016


4.  Encryption

   AES-GCM-SIV encryption takes a 16- or 32-byte key-generating key, a
   128-bit nonce, and arbitrary-length plaintext & additional data
   inputs.  It outputs an authenticated ciphertext that will be 16 bytes
   longer than the plaintext.

   If the key-generating key is 16 bytes long then AES-128 is used
   throughout.  Otherwise AES-256 is used throughout.

   The first step of encryption is to generate a per-nonce, record-
   authentication key by encrypting the nonce with the key-generating
   key.

   Second, a per-nonce record-encryption key is generated by encrypting
   the record-authentication key with the key-generating key.  For
   AES-128 this is sufficient.  For AES-256 it is not because 256 bits
   are needed for a key.  Therefore that value forms bytes 16 to 31 of
   the record-encryption key and bytes 0 to 15 are the result of
   encrypting that value again.

   In pseudocode form:

if len(key-generating-key) == 16 {
  record-authentication-key = AES128(key = key-generating-key, input = nonce)
  record-encryption-key = AES128(key = key-generating-key,
                                 input = record-authentication-key)
} else if len(key-generating-key) == 32 {
  record-authentication-key = AES256(key = key-generating-key, input = nonce)
  second-half = AES256(key = key-generating-key, input = record-authentication-key)
  first-half = AES256(key = key-generating-key, input = second-half)
  record-encryption-key = concatenate(first-half, second-half)
}

   Define the _length block_ as a 16-byte value that is the
   concatenation of the 64-bit, little-endian encodings of
   len(additional_length)*8 and len(plaintext)*8.  Pad the plaintext and
   additional data with zeros until they are each a multiple of 16
   bytes, the AES block size.  Then X_1, X_2, etc (the series of field
   elements that are inputs to POLYVAL) are the concatenation of the
   padded additional data, the padded plaintext and the length block.

   Calculate S_s = POLYVAL(record-authentication-key, X_1, X_2, ...) and
   set the most-significant bit of the last byte to zero.  Encrypt the
   result with AES using the record-encryption key to produce the tag.

   The ciphertext is produced by using AES, with the record-encryption
   key, in counter mode on the unpadded plaintext.  The initial counter



Gueron, et al.            Expires March 2, 2017                 [Page 4]


Internet-Draft                 aes-gcm-siv                   August 2016


   block is the tag with the most-significant bit of the last byte set
   to one.  The counter advances by incrementing the first 32 bits
   interpreted as an unsigned, little-endian integer.  The result of the
   encryption is the resulting ciphertext followed by the tag.

5.  Decryption

   Decryption takes a 16- or 32-byte key-generating key, a 128-bit
   nonce, and arbitrary-length ciphertext & additional data inputs.  It
   either fails, or outputs a plaintext that is 16 bytes shorter than
   the ciphertext.

   Firstly, the record-encryption and record-authentication keys are
   derived in the same manner as when encrypting.

   If the ciphertext is less than 16 bytes or more than 2^36 + 16 bytes,
   then fail.  Otherwise split the input into the encrypted plaintext
   and a 16-byte tag.  Decrypt the encrypted plaintext with the record-
   encryption key in counter mode, where the initial counter block is
   the tag with the most-significant bit of the last byte set to one.
   The counter advances in the same way as for encryption.

   Pad the additional data and plaintext with zeros until they are each
   a multiple of 16 bytes, the AES block size.  Calculate the length
   block and X_1, X_2, etc as above and compute S_s = POLYVAL(record-
   authentication-key, X_1, X_2, ...).  Compute the expected tag by
   XORing S_s and the nonce, setting the most-significant byte of the
   last byte to zero and encrypting with the record-encryption key.
   Compare the provided and expected tag values in constant time.  If
   they do not match, fail.  Otherwise return the plaintext.

6.  AEADs

   We define two AEADs, in the format of RFC 5116, that use AES-GCM-SIV:
   AEAD_AES_128_GCM_SIV and AEAD_AES_256_GCM_SIV.  They differ only in
   the size of the AES key used.

   The key input to these AEADs becomes the key-generating key.  Thus
   AEAD_AES_128_GCM_SIV takes a 16-byte key and AEAD_AES_256_GCM_SIV
   takes a 32-byte key.

   The parameters for AEAD_AES_128_GCM_SIV are then: K_LEN is 16, P_MAX
   is 2^36, A_MAX is 2^61 - 1, N_MIN and N_MAX are 16 and C_MAX is 2^36
   + 16.

   The parameters for AEAD_AES_256_GCM_SIV differ only in the key size:
   K_LEN is 32, P_MAX is 2^36, A_MAX is 2^61 - 1, N_MIN and N_MAX are 16
   and C_MAX is 2^36 + 16.



Gueron, et al.            Expires March 2, 2017                 [Page 5]


Internet-Draft                 aes-gcm-siv                   August 2016


7.  Field operation examples

   Polynomials in this document will be written as 16-byte values.  For
   example, the sixteen bytes 01000000000000000000000000000492 would
   represent the polynomial x^127 + x^124 + x^121 + x^114 + 1, which is
   also the value of x^-128 in this field.

   If a = 66e94bd4ef8a2c3b884cfa59ca342b2e and b =
   ff000000000000000000000000000000 then a+b =
   99e94bd4ef8a2c3b884cfa59ca342b2e, a*b =
   37856175e9dc9df26ebc6d6171aa0ae9 and dot(a, b) =
   ebe563401e7e91ea3ad6426b8140c394.

8.  Worked example

   Consider the encryption of the plaintext "Hello world" with the
   additional data "example" under key ee8e1ed9ff2540ae8f2ba9f50bc2f27c
   using AEAD_AES_128_GCM_SIV.  The random nonce that we'll use for this
   example is 752abad3e0afb5f434dc4310f71f3d21.

   The record-authentication key will be AES(key =
   ee8e1ed9ff2540ae8f2ba9f50bc2f27c, data =
   752abad3e0afb5f434dc4310f71f3d21) = 900f27af6e633f73e702a926078a2a2c.
   The record-encryption key will be AES(key =
   ee8e1ed9ff2540ae8f2ba9f50bc2f27c, data =
   900f27af6e633f73e702a926078a2a2c) = 751329f5a34f85c3f10cd7058ec7d005.

   The length block contains the encoding of the bit-lengths of the
   additional data and plaintext, respectively, which are and 56 and 88.
   Thus the length block is 38000000000000005800000000000000.

   The input to POLYVAL is the padded additional data, padded plaintext
   and then the length block.  This is 6578616d706c650000000000000000004
   8656c6c6f20776f726c64000000000038000000000000005800000000000000.

   Calling POLYVAL with the record-authentication key and the input
   above results in S_s = 99257a5834ceeec6dab6f3b588ef06ad.

   Before encrypting, the most-significant bit of the last byte is
   cleared.  This gives 99257a5834ceeec6dab6f3b588ef062d because that
   bit happened to be one previously.  Encrypting with the record-
   encryption key gives the tag, which is
   010a10f4942710781d2948ac0192572f.

   In order to form the initial counter block, the most-significant bit
   of the last byte of the tag is set to one.  This gives
   010a10f4942710781d2948ac019257af.  Encrypting this with the record




Gueron, et al.            Expires March 2, 2017                 [Page 6]


Internet-Draft                 aes-gcm-siv                   August 2016


   key gives the first block of the keystream:
   c963251e2844233444499bb6366e2dac.

   The final ciphertext is the result of XORing the plaintext with the
   keystream and appending the tag.  That gives
   810649724764545b3625ff010a10f4942710781d2948ac0192572f.

9.  Security Considerations

   The AEADs defined in this document calculate fresh AES keys for each
   nonce.  This allows a larger number of plaintexts to be encrypted
   under a given key.  Without this step, each SIV encryption would be
   like a standard GCM encryption with a random nonce.  Since the nonce
   size for GCM is only 12 bytes, NIST set a limit [GCM] of 2^32
   encryptions before the probability of duplicate nonces becomes too
   high.

   The authors felt that, while large, 2^32 wasn't so large that this
   limit could be safely ignored.  For example, consider encrypting the
   contents of a hard disk where the AEAD record size is 512 bytes, to
   match the traditional size of a disk sector.  This process would have
   encrypted 2^32 records after processing 2TB, yet hard drives of
   multiple terabytes are now common.

   Deriving fresh AES keys for each nonce eliminates this problem.

   If the nonce is fixed then AES-GCM-SIV acts like AES-GCM with a
   random nonce, with the caveat that identical plaintexts will produce
   identical ciphertexts.  Thus, with a fixed nonce, the 2^32 limit
   still applies as the number of distinct messages that can be
   encrypted under a given key.  Nonces should be unique and the misuse-
   resistance of these AEADs should not be depended on to the extent
   that 2^32 duplicates may occur.

   In addition to calculating fresh AES keys for each nonce, these AEADs
   also calculate fresh POLYVAL keys.  Previous versions of GCM-SIV did
   not do this and, instead, used part of the AEAD's key as the POLYVAL
   key.  Bleichenbacher pointed out that this allowed an attacker who
   controlled the AEAD key to force the POLYVAL key to be zero.  If a
   user of this AEAD authenticated messages with a secret additional-
   data value then this would be insecure as the attacker could
   calculate a valid authenticator without knowing the input.

   This does not violate the standard properties of an AEAD as the
   additional data is not assumed to be confidential.  However, we want
   these AEADs to be robust to plausible misuse and also to be drop-in
   replacements for AES-GCM and so derive nonce-specific POLYVAL keys to
   avoid this issue.



Gueron, et al.            Expires March 2, 2017                 [Page 7]


Internet-Draft                 aes-gcm-siv                   August 2016


   A security analysis of a similar scheme appears in [GCM-SIV].

10.  IANA Considerations

   This document has no actions for IANA.

11.  Acknowledgements

   The authors would like to thank Uri Blumenthal, Ondrej Mosnaček,
   Daniel Bleichenbacher, Kenny Paterson and Bart Preneel for their
   helpful suggestions.

12.  References

12.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <http://www.rfc-editor.org/info/rfc2119>.

12.2.  Informative References

   [GCM]      Dworkin, M., "Recommendation for Block Cipher Modes of
              Operation: Galois/Counter Mode (GCM) and GMAC", NIST SP-
              800-38D, November 2007,
              <http://csrc.nist.gov/publications/nistpubs/800-38D/
              SP-800-38D.pdf>.

   [GCM-SIV]  Gueron, S. and Y. Lindell, "GCM-SIV: Full Nonce Misuse-
              Resistant Authenticated Encryption at Under One Cycle Per
              Byte", Proceedings of the 22nd ACM SIGSAC Conference on
              Computer and Communications Security , 2015,
              <http://doi.acm.org/10.1145/2810103.2813613>.

   [RFC5116]  McGrew, D., "An Interface and Algorithms for Authenticated
              Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008,
              <http://www.rfc-editor.org/info/rfc5116>.

Appendix A.  The relationship between POLYVAL and GHASH

   GHASH and POLYVAL both operate in GF(2^128), although with different
   irreducible polynomials: POLYVAL works modulo x^128 + x^127 + x^126 +
   x^121 + 1 and GHASH works modulo x^128 + x^7 + x^2 + x + 1.  Note
   that these irreducible polynomials are the "reverse" of each other.

   GHASH also has a different mapping between 128-bit strings and field
   elements.  Where as POLYVAL takes the least-significant to most-



Gueron, et al.            Expires March 2, 2017                 [Page 8]


Internet-Draft                 aes-gcm-siv                   August 2016


   significant bits of the first byte to be the coefficients of x^0 to
   x^7, GHASH takes them to be the coefficients of x^7 to x^0.  This
   continues until, for the last byte, POLYVAL takes the least-
   significant to most-significant bits to be the coefficients of x^120
   to x^127 while GHASH takes them to be the coefficients of x^127 to
   x^120.

   The combination of these facts means that it's possible to "convert"
   values between the two by reversing the order of the bytes in a
   16-byte string.  The differing interpretations of bit order takes
   care of reversing the bits within each byte and then reversing the
   bytes does the rest.  This may have a practical benefit for
   implementations that wish to implement both GHASH and POLYVAL.

   In order to be clear which field a given operation is performed in,
   let mulX_GHASH be a function that takes a 16-byte string, converts it
   to an element of GHASH's field using GHASH's convention, multiplies
   it by x and converts back to a string.  Likewise, let mulX_POLYVAL be
   a function that converts a 16-byte string to an element of POLYVAL's
   field using POLYVAL's convention, multiplies it by x and converts
   back.

   Given the 16-byte string 01000000000000000000000000000000, mulX_GHASH
   of that string is 00800000000000000000000000000000 and mulX_POLYVAL
   of that string is 02000000000000000000000000000000.  As a more
   general example, given 9c98c04df9387ded828175a92ba652d8, mulX_GHASH
   of that string is 4e4c6026fc9c3ef6c140bad495d3296c and mulX_POLYVAL
   of it is 3931819bf271fada0503eb52574ca5f2.

   Lastly, let ByteReverse be the function that takes a 16-byte string
   and returns a copy where the order of the bytes has been reversed.

   Now GHASH and POLYVAL can be defined in terms of one another:

   POLYVAL(H, X_1, ..., X_n) =
   ByteReverse(GHASH(mulX_GHASH(ByteReverse(H)), ByteReverse(X_1), ...,
   ByteReverse(X_n)))

   GHASH(H, X_1, ..., X_n) =
   ByteReverse(POLYVAL(mulX_POLYVAL(ByteReverse(H)), ByteReverse(X_1),
   ..., ByteReverse(X_n)))

   As a worked example, let H = 25629347589242761d31f826ba4b757b, X_1 =
   4f4f95668c83dfb6401762bb2d01a262 and X_2 =
   d1a24ddd2721d006bbe45f20d3c9f362.  POLYVAL(H, X_1, X_2) =
   f7a3b47b846119fae5b7866cf5e5b77e.  If we wished to calculate this
   given only an implementation of GHASH then the key for GHASH would be
   mulX_GHASH(ByteReverse(H)) = dcbaa5dd137c188ebb21492c23c9b112.  Then



Gueron, et al.            Expires March 2, 2017                 [Page 9]


Internet-Draft                 aes-gcm-siv                   August 2016


   ByteReverse(GHASH(dcba..., ByteReverse(X_1), ByteReverse(X_2))) =
   f7a3b47b846119fae5b7866cf5e5b77e, as required.

   In the other direction, GHASH(H, X_1, X_2) =
   bd9b3997046731fb96251b91f9c99d7a.  If we wished to calculate this
   given only an implementation of POLYVAL then we would first calculate
   the key for POLYVAL, mulX_POLYVAL(ByteReverse(H)), which is
   f6ea96744df0633aec8424b18e26c54a.  Then ByteReverse(POLYVAL(f6ea...,
   ByteReverse(X_1), ByteReverse(X_2))) =
   bd9b3997046731fb96251b91f9c99d7a.

Appendix B.  Test vectors

B.1.  AEAD_AES_128_GCM_SIV

   --------------------- TWO_KEYS     (AAD = 0, MSG = 0)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 0
   MSG_bit_len  = 0
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 0
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 0
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K =                             01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   Record_Hash_Key =               57d4b7aec8de993e30a6861b61e6ce4e
   AAD =
   MSG =
   PADDED_AAD_and_MSG =
   LENBLK =                        00000000000000000000000000000000

   Computing POLYVAL on a
   buffer of 0 blocks + LENBLK.
   POLYVAL =                       00000000000000000000000000000000
   with MSBit cleared =            00000000000000000000000000000000
   TAG =                           cb52de357fad226ae428d0ed5a575496
   AAD =
   CT  =
   Encryption_Key=                 40163363796658e1400b1aaa02aad8a6

   ***************************
            APPENDIX



Gueron, et al.            Expires March 2, 2017                [Page 10]


Internet-Draft                 aes-gcm-siv                   August 2016


   ***************************
   KEY_SCHEDULE (Encryption_Key)   40163363796658e1400b1aaa02aad8a6
                                   ed77171494114ff5d41a555fd6b08df9
                                   082a8ee29c3bc117482194489e9119b1
                                   8dfe46e911c587fe59e413b6c7750a07
                                   1899832f095c04d150b8176797cd1d60
                                   b53d53a7bc615776ecd940117b145d71
                                   6f71f086d310a7f03fc9e7e144ddba90
                                   ee85909d3d95376d025cd08c46816a1c
                                   62870cc75f123baa5d4eeb261bcf813a
                                   f38b8c68ac99b7c2f1d75ce4ea18ddde
                                   684a91efc4d3262d35047ac9df1ca717

   CTRBLKS (with MSbit set to 1)




   --------------------- TWO_KEYS     (AAD = 0, MSG = 8)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 8
   MSG_bit_len  = 64
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K =                             01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   Record_Hash_Key =               57d4b7aec8de993e30a6861b61e6ce4e
   AAD =
   MSG =                           0100000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
   LENBLK =                        00000000000000004000000000000000

   Computing POLYVAL on a
   buffer of 1 blocks + LENBLK.
   POLYVAL =                       c4f22afa8da308e044478b114f0441ae
   with MSBit cleared =            c4f22afa8da308e044478b114f04412e
   TAG =                           715835541f2136f03b6dc80ae0a8ac46
   AAD =
   CT  =                           7e139f58002d68ee
   Encryption_Key=                 40163363796658e1400b1aaa02aad8a6



Gueron, et al.            Expires March 2, 2017                [Page 11]


Internet-Draft                 aes-gcm-siv                   August 2016


   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   40163363796658e1400b1aaa02aad8a6
                                   ed77171494114ff5d41a555fd6b08df9
                                   082a8ee29c3bc117482194489e9119b1
                                   8dfe46e911c587fe59e413b6c7750a07
                                   1899832f095c04d150b8176797cd1d60
                                   b53d53a7bc615776ecd940117b145d71
                                   6f71f086d310a7f03fc9e7e144ddba90
                                   ee85909d3d95376d025cd08c46816a1c
                                   62870cc75f123baa5d4eeb261bcf813a
                                   f38b8c68ac99b7c2f1d75ce4ea18ddde
                                   684a91efc4d3262d35047ac9df1ca717

   CTRBLKS (with MSbit set to 1)

                                   715835541f2136f03b6dc80ae0a8acc6



   --------------------- TWO_KEYS     (AAD = 0, MSG = 12)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 12
   MSG_bit_len  = 96
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K =                             01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   Record_Hash_Key =               57d4b7aec8de993e30a6861b61e6ce4e
   AAD =
   MSG =                           010000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
   LENBLK =                        00000000000000006000000000000000

   Computing POLYVAL on a
   buffer of 1 blocks + LENBLK.
   POLYVAL =                       c334fe8aae6fd4f970df1f7227b08f21
   with MSBit cleared =            c334fe8aae6fd4f970df1f7227b08f21
   TAG =                           4dff905e48d512e9c34ae8f3be66ec43



Gueron, et al.            Expires March 2, 2017                [Page 12]


Internet-Draft                 aes-gcm-siv                   August 2016


   AAD =
   CT  =                           4a87f0cd26e5d5086e90da02
   Encryption_Key=                 40163363796658e1400b1aaa02aad8a6

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   40163363796658e1400b1aaa02aad8a6
                                   ed77171494114ff5d41a555fd6b08df9
                                   082a8ee29c3bc117482194489e9119b1
                                   8dfe46e911c587fe59e413b6c7750a07
                                   1899832f095c04d150b8176797cd1d60
                                   b53d53a7bc615776ecd940117b145d71
                                   6f71f086d310a7f03fc9e7e144ddba90
                                   ee85909d3d95376d025cd08c46816a1c
                                   62870cc75f123baa5d4eeb261bcf813a
                                   f38b8c68ac99b7c2f1d75ce4ea18ddde
                                   684a91efc4d3262d35047ac9df1ca717

   CTRBLKS (with MSbit set to 1)

                                   4dff905e48d512e9c34ae8f3be66ecc3



   --------------------- TWO_KEYS     (AAD = 0, MSG = 16)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 16
   MSG_bit_len  = 128
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K =                             01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   Record_Hash_Key =               57d4b7aec8de993e30a6861b61e6ce4e
   AAD =
   MSG =                           01000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
   LENBLK =                        00000000000000008000000000000000

   Computing POLYVAL on a



Gueron, et al.            Expires March 2, 2017                [Page 13]


Internet-Draft                 aes-gcm-siv                   August 2016


   buffer of 1 blocks + LENBLK.
   POLYVAL =                       d466d0d8460bc2b4fc17f0583ebde60a
   with MSBit cleared =            d466d0d8460bc2b4fc17f0583ebde60a
   TAG =                           971da9aa385283522c4f67a9aedb37e5
   AAD =
   CT  =                           048ca58c46d2368ce00132389f40b511
   Encryption_Key=                 40163363796658e1400b1aaa02aad8a6

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   40163363796658e1400b1aaa02aad8a6
                                   ed77171494114ff5d41a555fd6b08df9
                                   082a8ee29c3bc117482194489e9119b1
                                   8dfe46e911c587fe59e413b6c7750a07
                                   1899832f095c04d150b8176797cd1d60
                                   b53d53a7bc615776ecd940117b145d71
                                   6f71f086d310a7f03fc9e7e144ddba90
                                   ee85909d3d95376d025cd08c46816a1c
                                   62870cc75f123baa5d4eeb261bcf813a
                                   f38b8c68ac99b7c2f1d75ce4ea18ddde
                                   684a91efc4d3262d35047ac9df1ca717

   CTRBLKS (with MSbit set to 1)

                                   971da9aa385283522c4f67a9aedb37e5



   --------------------- TWO_KEYS     (AAD = 0, MSG = 32)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 32
   MSG_bit_len  = 256
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 32
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 2
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K =                             01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   Record_Hash_Key =               57d4b7aec8de993e30a6861b61e6ce4e
   AAD =
   MSG =                           01000000000000000000000000000000



Gueron, et al.            Expires March 2, 2017                [Page 14]


Internet-Draft                 aes-gcm-siv                   August 2016


                                   02000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
   LENBLK =                        00000000000000000001000000000000

   Computing POLYVAL on a
   buffer of 2 blocks + LENBLK.
   POLYVAL =                       46f776b6c9ee93b25e196fada7a58ced
   with MSBit cleared =            46f776b6c9ee93b25e196fada7a58c6d
   TAG =                           1071338b8c2930d3ec4c17cecbefa4b4
   AAD =
   CT  =                           e1cf1cf545d2743ec005b26bd2c836ac
                                   1a4233d646c195ffa401f28063127baa
   Encryption_Key=                 40163363796658e1400b1aaa02aad8a6

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   40163363796658e1400b1aaa02aad8a6
                                   ed77171494114ff5d41a555fd6b08df9
                                   082a8ee29c3bc117482194489e9119b1
                                   8dfe46e911c587fe59e413b6c7750a07
                                   1899832f095c04d150b8176797cd1d60
                                   b53d53a7bc615776ecd940117b145d71
                                   6f71f086d310a7f03fc9e7e144ddba90
                                   ee85909d3d95376d025cd08c46816a1c
                                   62870cc75f123baa5d4eeb261bcf813a
                                   f38b8c68ac99b7c2f1d75ce4ea18ddde
                                   684a91efc4d3262d35047ac9df1ca717

   CTRBLKS (with MSbit set to 1)

                                   1071338b8c2930d3ec4c17cecbefa4b4
                                   1171338b8c2930d3ec4c17cecbefa4b4



   --------------------- TWO_KEYS     (AAD = 0, MSG = 48)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 48
   MSG_bit_len  = 384
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 48
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 3
                                               BYTES ORDER



Gueron, et al.            Expires March 2, 2017                [Page 15]


Internet-Draft                 aes-gcm-siv                   August 2016


                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K =                             01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   Record_Hash_Key =               57d4b7aec8de993e30a6861b61e6ce4e
   AAD =
   MSG =                           01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
   LENBLK =                        00000000000000008001000000000000

   Computing POLYVAL on a
   buffer of 3 blocks + LENBLK.
   POLYVAL =                       87e3ea7ce9e6b09a3d5cba677c428ae6
   with MSBit cleared =            87e3ea7ce9e6b09a3d5cba677c428a66
   TAG =                           04b1b8a9c1630ff028b14d2e57bca429
   AAD =
   CT  =                           2e7e6881a02d57b877794b2fbfbfef54
                                   84f1cf74f4ad53a751b2582c0e698466
                                   bd9a49dcab53806d8e31d864c4632d00
   Encryption_Key=                 40163363796658e1400b1aaa02aad8a6

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   40163363796658e1400b1aaa02aad8a6
                                   ed77171494114ff5d41a555fd6b08df9
                                   082a8ee29c3bc117482194489e9119b1
                                   8dfe46e911c587fe59e413b6c7750a07
                                   1899832f095c04d150b8176797cd1d60
                                   b53d53a7bc615776ecd940117b145d71
                                   6f71f086d310a7f03fc9e7e144ddba90
                                   ee85909d3d95376d025cd08c46816a1c
                                   62870cc75f123baa5d4eeb261bcf813a
                                   f38b8c68ac99b7c2f1d75ce4ea18ddde
                                   684a91efc4d3262d35047ac9df1ca717

   CTRBLKS (with MSbit set to 1)

                                   04b1b8a9c1630ff028b14d2e57bca4a9
                                   05b1b8a9c1630ff028b14d2e57bca4a9
                                   06b1b8a9c1630ff028b14d2e57bca4a9





Gueron, et al.            Expires March 2, 2017                [Page 16]


Internet-Draft                 aes-gcm-siv                   August 2016


   --------------------- TWO_KEYS     (AAD = 0, MSG = 64)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 64
   MSG_bit_len  = 512
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 64
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 4
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K =                             01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   Record_Hash_Key =               57d4b7aec8de993e30a6861b61e6ce4e
   AAD =
   MSG =                           01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
   LENBLK =                        00000000000000000002000000000000

   Computing POLYVAL on a
   buffer of 4 blocks + LENBLK.
   POLYVAL =                       c6251df62d622f205df456c1fdd9d3e7
   with MSBit cleared =            c6251df62d622f205df456c1fdd9d367
   TAG =                           860b73a1ed8a5b9acd925c3f3f49c5c5
   AAD =
   CT  =                           0ac5be860726209d9218de3e9d533743
                                   e1efe1595bc58f93f00e9bb9a7558dc1
                                   e1b14a9c0d49eb5064c7efa79842f9c7
                                   cfdd77614709f0b545d3227498e774d5
   Encryption_Key=                 40163363796658e1400b1aaa02aad8a6

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   40163363796658e1400b1aaa02aad8a6
                                   ed77171494114ff5d41a555fd6b08df9
                                   082a8ee29c3bc117482194489e9119b1
                                   8dfe46e911c587fe59e413b6c7750a07
                                   1899832f095c04d150b8176797cd1d60



Gueron, et al.            Expires March 2, 2017                [Page 17]


Internet-Draft                 aes-gcm-siv                   August 2016


                                   b53d53a7bc615776ecd940117b145d71
                                   6f71f086d310a7f03fc9e7e144ddba90
                                   ee85909d3d95376d025cd08c46816a1c
                                   62870cc75f123baa5d4eeb261bcf813a
                                   f38b8c68ac99b7c2f1d75ce4ea18ddde
                                   684a91efc4d3262d35047ac9df1ca717

   CTRBLKS (with MSbit set to 1)

                                   860b73a1ed8a5b9acd925c3f3f49c5c5
                                   870b73a1ed8a5b9acd925c3f3f49c5c5
                                   880b73a1ed8a5b9acd925c3f3f49c5c5
                                   890b73a1ed8a5b9acd925c3f3f49c5c5



   --------------------- TWO_KEYS     (AAD = 1, MSG = 8)---------

   AAD_byte_len = 1
   AAD_bit_len  = 8
   MSG_byte_len = 8
   MSG_bit_len  = 64
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K =                             01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   Record_Hash_Key =               57d4b7aec8de993e30a6861b61e6ce4e
   AAD =                           01
   MSG =                           0200000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
   LENBLK =                        08000000000000004000000000000000

   Computing POLYVAL on a
   buffer of 2 blocks + LENBLK.
   POLYVAL =                       7a6d9cc98ebabf3fd46778e21ce6b9c6
   with MSBit cleared =            7a6d9cc98ebabf3fd46778e21ce6b946
   TAG =                           1433a5c0284c911163888dbd128e6874
   AAD =                           01
   CT  =                           4919e29e9890e452
   Encryption_Key=                 40163363796658e1400b1aaa02aad8a6




Gueron, et al.            Expires March 2, 2017                [Page 18]


Internet-Draft                 aes-gcm-siv                   August 2016


   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   40163363796658e1400b1aaa02aad8a6
                                   ed77171494114ff5d41a555fd6b08df9
                                   082a8ee29c3bc117482194489e9119b1
                                   8dfe46e911c587fe59e413b6c7750a07
                                   1899832f095c04d150b8176797cd1d60
                                   b53d53a7bc615776ecd940117b145d71
                                   6f71f086d310a7f03fc9e7e144ddba90
                                   ee85909d3d95376d025cd08c46816a1c
                                   62870cc75f123baa5d4eeb261bcf813a
                                   f38b8c68ac99b7c2f1d75ce4ea18ddde
                                   684a91efc4d3262d35047ac9df1ca717

   CTRBLKS (with MSbit set to 1)

                                   1433a5c0284c911163888dbd128e68f4



   --------------------- TWO_KEYS     (AAD = 1, MSG = 12)---------

   AAD_byte_len = 1
   AAD_bit_len  = 8
   MSG_byte_len = 12
   MSG_bit_len  = 96
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K =                             01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   Record_Hash_Key =               57d4b7aec8de993e30a6861b61e6ce4e
   AAD =                           01
   MSG =                           020000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
   LENBLK =                        08000000000000006000000000000000

   Computing POLYVAL on a
   buffer of 2 blocks + LENBLK.
   POLYVAL =                       7dab48b9ad766326e0ffec8174527749
   with MSBit cleared =            7dab48b9ad766326e0ffec8174527749



Gueron, et al.            Expires March 2, 2017                [Page 19]


Internet-Draft                 aes-gcm-siv                   August 2016


   TAG =                           5a8ab948ccd205a70c78e8fdf954693b
   AAD =                           01
   CT  =                           db55d6da719fe0473538294e
   Encryption_Key=                 40163363796658e1400b1aaa02aad8a6

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   40163363796658e1400b1aaa02aad8a6
                                   ed77171494114ff5d41a555fd6b08df9
                                   082a8ee29c3bc117482194489e9119b1
                                   8dfe46e911c587fe59e413b6c7750a07
                                   1899832f095c04d150b8176797cd1d60
                                   b53d53a7bc615776ecd940117b145d71
                                   6f71f086d310a7f03fc9e7e144ddba90
                                   ee85909d3d95376d025cd08c46816a1c
                                   62870cc75f123baa5d4eeb261bcf813a
                                   f38b8c68ac99b7c2f1d75ce4ea18ddde
                                   684a91efc4d3262d35047ac9df1ca717

   CTRBLKS (with MSbit set to 1)

                                   5a8ab948ccd205a70c78e8fdf95469bb



   --------------------- TWO_KEYS     (AAD = 1, MSG = 16)---------

   AAD_byte_len = 1
   AAD_bit_len  = 8
   MSG_byte_len = 16
   MSG_bit_len  = 128
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K =                             01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   Record_Hash_Key =               57d4b7aec8de993e30a6861b61e6ce4e
   AAD =                           01
   MSG =                           02000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
   LENBLK =                        08000000000000008000000000000000



Gueron, et al.            Expires March 2, 2017                [Page 20]


Internet-Draft                 aes-gcm-siv                   August 2016


   Computing POLYVAL on a
   buffer of 2 blocks + LENBLK.
   POLYVAL =                       6af966eb4512756b6c3703ab6d5f1e62
   with MSBit cleared =            6af966eb4512756b6c3703ab6d5f1e62
   TAG =                           da10d98bfe23784cfdfd0af97b6d5b78
   AAD =                           01
   CT  =                           aea3c54272abc1b58ed34a536743f4da
   Encryption_Key=                 40163363796658e1400b1aaa02aad8a6

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   40163363796658e1400b1aaa02aad8a6
                                   ed77171494114ff5d41a555fd6b08df9
                                   082a8ee29c3bc117482194489e9119b1
                                   8dfe46e911c587fe59e413b6c7750a07
                                   1899832f095c04d150b8176797cd1d60
                                   b53d53a7bc615776ecd940117b145d71
                                   6f71f086d310a7f03fc9e7e144ddba90
                                   ee85909d3d95376d025cd08c46816a1c
                                   62870cc75f123baa5d4eeb261bcf813a
                                   f38b8c68ac99b7c2f1d75ce4ea18ddde
                                   684a91efc4d3262d35047ac9df1ca717

   CTRBLKS (with MSbit set to 1)

                                   da10d98bfe23784cfdfd0af97b6d5bf8



   --------------------- TWO_KEYS     (AAD = 1, MSG = 32)---------

   AAD_byte_len = 1
   AAD_bit_len  = 8
   MSG_byte_len = 32
   MSG_bit_len  = 256
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 32
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 2
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K =                             01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   Record_Hash_Key =               57d4b7aec8de993e30a6861b61e6ce4e
   AAD =                           01



Gueron, et al.            Expires March 2, 2017                [Page 21]


Internet-Draft                 aes-gcm-siv                   August 2016


   MSG =                           02000000000000000000000000000000
                                   03000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
   LENBLK =                        08000000000000000001000000000000

   Computing POLYVAL on a
   buffer of 3 blocks + LENBLK.
   POLYVAL =                       95dd5ca77e7bb08dafb3727df51b6d9b
   with MSBit cleared =            95dd5ca77e7bb08dafb3727df51b6d1b
   TAG =                           778c5b68356a1a6a6f3c14a8f96c35ca
   AAD =                           01
   CT  =                           aa694c0cfe148100cb5c6e27a77a7ff7
                                   b4233d6af251d9faa3d84f7c0d1113f1
   Encryption_Key=                 40163363796658e1400b1aaa02aad8a6

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   40163363796658e1400b1aaa02aad8a6
                                   ed77171494114ff5d41a555fd6b08df9
                                   082a8ee29c3bc117482194489e9119b1
                                   8dfe46e911c587fe59e413b6c7750a07
                                   1899832f095c04d150b8176797cd1d60
                                   b53d53a7bc615776ecd940117b145d71
                                   6f71f086d310a7f03fc9e7e144ddba90
                                   ee85909d3d95376d025cd08c46816a1c
                                   62870cc75f123baa5d4eeb261bcf813a
                                   f38b8c68ac99b7c2f1d75ce4ea18ddde
                                   684a91efc4d3262d35047ac9df1ca717

   CTRBLKS (with MSbit set to 1)

                                   778c5b68356a1a6a6f3c14a8f96c35ca
                                   788c5b68356a1a6a6f3c14a8f96c35ca



   --------------------- TWO_KEYS     (AAD = 1, MSG = 48)---------

   AAD_byte_len = 1
   AAD_bit_len  = 8
   MSG_byte_len = 48
   MSG_bit_len  = 384
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 48
   L1 blocks AAD(padded)  = 1



Gueron, et al.            Expires March 2, 2017                [Page 22]


Internet-Draft                 aes-gcm-siv                   August 2016


   L2 blocks MSG(padded)  = 3
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K =                             01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   Record_Hash_Key =               57d4b7aec8de993e30a6861b61e6ce4e
   AAD =                           01
   MSG =                           02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
   LENBLK =                        08000000000000008001000000000000

   Computing POLYVAL on a
   buffer of 4 blocks + LENBLK.
   POLYVAL =                       974b41a6965c05642e5973feb165aa4e
   with MSBit cleared =            974b41a6965c05642e5973feb165aa4e
   TAG =                           26c0c0d146d38787ca0fcbc3f911577a
   AAD =                           01
   CT  =                           9ac909928bcde79c2afa885df9c035c8
                                   5a9eab136f6f6ea11034456bd306ea3c
                                   5dd542f706fffe538b5f139fa9dc622e
   Encryption_Key=                 40163363796658e1400b1aaa02aad8a6

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   40163363796658e1400b1aaa02aad8a6
                                   ed77171494114ff5d41a555fd6b08df9
                                   082a8ee29c3bc117482194489e9119b1
                                   8dfe46e911c587fe59e413b6c7750a07
                                   1899832f095c04d150b8176797cd1d60
                                   b53d53a7bc615776ecd940117b145d71
                                   6f71f086d310a7f03fc9e7e144ddba90
                                   ee85909d3d95376d025cd08c46816a1c
                                   62870cc75f123baa5d4eeb261bcf813a
                                   f38b8c68ac99b7c2f1d75ce4ea18ddde
                                   684a91efc4d3262d35047ac9df1ca717

   CTRBLKS (with MSbit set to 1)

                                   26c0c0d146d38787ca0fcbc3f91157fa
                                   27c0c0d146d38787ca0fcbc3f91157fa



Gueron, et al.            Expires March 2, 2017                [Page 23]


Internet-Draft                 aes-gcm-siv                   August 2016


                                   28c0c0d146d38787ca0fcbc3f91157fa



   --------------------- TWO_KEYS     (AAD = 1, MSG = 64)---------

   AAD_byte_len = 1
   AAD_bit_len  = 8
   MSG_byte_len = 64
   MSG_bit_len  = 512
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 64
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 4
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K =                             01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   Record_Hash_Key =               57d4b7aec8de993e30a6861b61e6ce4e
   AAD =                           01
   MSG =                           02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
                                   05000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
                                   05000000000000000000000000000000
   LENBLK =                        08000000000000000002000000000000

   Computing POLYVAL on a
   buffer of 5 blocks + LENBLK.
   POLYVAL =                       d14991cbe3496e3e55c40714ffbd7987
   with MSBit cleared =            d14991cbe3496e3e55c40714ffbd7907
   TAG =                           a60986309b99431a35dd8c5ebeef8375
   AAD =                           01
   CT  =                           c56be9d61ecf6a31a6289cddc9b91aaf
                                   84cdb53a3913b825d6eb5e157906dfb0
                                   a308c6b0b095d6fd1a5b761ca7fa0e39
                                   ca92f38ae206eec844c0c4ab0c1c165e
   Encryption_Key=                 40163363796658e1400b1aaa02aad8a6

   ***************************
            APPENDIX
   ***************************



Gueron, et al.            Expires March 2, 2017                [Page 24]


Internet-Draft                 aes-gcm-siv                   August 2016


   KEY_SCHEDULE (Encryption_Key)   40163363796658e1400b1aaa02aad8a6
                                   ed77171494114ff5d41a555fd6b08df9
                                   082a8ee29c3bc117482194489e9119b1
                                   8dfe46e911c587fe59e413b6c7750a07
                                   1899832f095c04d150b8176797cd1d60
                                   b53d53a7bc615776ecd940117b145d71
                                   6f71f086d310a7f03fc9e7e144ddba90
                                   ee85909d3d95376d025cd08c46816a1c
                                   62870cc75f123baa5d4eeb261bcf813a
                                   f38b8c68ac99b7c2f1d75ce4ea18ddde
                                   684a91efc4d3262d35047ac9df1ca717

   CTRBLKS (with MSbit set to 1)

                                   a60986309b99431a35dd8c5ebeef83f5
                                   a70986309b99431a35dd8c5ebeef83f5
                                   a80986309b99431a35dd8c5ebeef83f5
                                   a90986309b99431a35dd8c5ebeef83f5



   --------------------- TWO_KEYS     (AAD = 12, MSG = 4)---------

   AAD_byte_len = 12
   AAD_bit_len  = 96
   MSG_byte_len = 4
   MSG_bit_len  = 32
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K =                             01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   Record_Hash_Key =               57d4b7aec8de993e30a6861b61e6ce4e
   AAD =                           010000000000000000000000
   MSG =                           02000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
   LENBLK =                        60000000000000002000000000000000

   Computing POLYVAL on a
   buffer of 2 blocks + LENBLK.
   POLYVAL =                       23a9b9e4499ffa27d007e1246ad3ada5
   with MSBit cleared =            23a9b9e4499ffa27d007e1246ad3ad25



Gueron, et al.            Expires March 2, 2017                [Page 25]


Internet-Draft                 aes-gcm-siv                   August 2016


   TAG =                           16b668094202cadde992e0c16205793c
   AAD =                           010000000000000000000000
   CT  =                           47995b96
   Encryption_Key=                 40163363796658e1400b1aaa02aad8a6

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   40163363796658e1400b1aaa02aad8a6
                                   ed77171494114ff5d41a555fd6b08df9
                                   082a8ee29c3bc117482194489e9119b1
                                   8dfe46e911c587fe59e413b6c7750a07
                                   1899832f095c04d150b8176797cd1d60
                                   b53d53a7bc615776ecd940117b145d71
                                   6f71f086d310a7f03fc9e7e144ddba90
                                   ee85909d3d95376d025cd08c46816a1c
                                   62870cc75f123baa5d4eeb261bcf813a
                                   f38b8c68ac99b7c2f1d75ce4ea18ddde
                                   684a91efc4d3262d35047ac9df1ca717

   CTRBLKS (with MSbit set to 1)

                                   16b668094202cadde992e0c1620579bc



   --------------------- TWO_KEYS     (AAD = 18, MSG = 20)---------

   AAD_byte_len = 18
   AAD_bit_len  = 144
   MSG_byte_len = 20
   MSG_bit_len  = 160
   padded_AAD_byte_len = 32
   padded_MSG_byte_len = 32
   L1 blocks AAD(padded)  = 2
   L2 blocks MSG(padded)  = 2
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K =                             01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   Record_Hash_Key =               57d4b7aec8de993e30a6861b61e6ce4e
   AAD =                           01000000000000000000000000000000
                                   0200
   MSG =                           03000000000000000000000000000000
                                   04000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000



Gueron, et al.            Expires March 2, 2017                [Page 26]


Internet-Draft                 aes-gcm-siv                   August 2016


                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
   LENBLK =                        9000000000000000a000000000000000

   Computing POLYVAL on a
   buffer of 4 blocks + LENBLK.
   POLYVAL =                       69b74ef721d791245b6544756a68af73
   with MSBit cleared =            69b74ef721d791245b6544756a68af73
   TAG =                           89ca91ebc560709432fe9496746404cc
   AAD =                           01000000000000000000000000000000
                                   0200
   CT  =                           8fe25de75089e9f849150e57ab7f7810
                                   981cd319
   Encryption_Key=                 40163363796658e1400b1aaa02aad8a6

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   40163363796658e1400b1aaa02aad8a6
                                   ed77171494114ff5d41a555fd6b08df9
                                   082a8ee29c3bc117482194489e9119b1
                                   8dfe46e911c587fe59e413b6c7750a07
                                   1899832f095c04d150b8176797cd1d60
                                   b53d53a7bc615776ecd940117b145d71
                                   6f71f086d310a7f03fc9e7e144ddba90
                                   ee85909d3d95376d025cd08c46816a1c
                                   62870cc75f123baa5d4eeb261bcf813a
                                   f38b8c68ac99b7c2f1d75ce4ea18ddde
                                   684a91efc4d3262d35047ac9df1ca717

   CTRBLKS (with MSbit set to 1)

                                   89ca91ebc560709432fe9496746404cc
                                   8aca91ebc560709432fe9496746404cc



   --------------------- TWO_KEYS     (AAD = 20, MSG = 18)---------

   AAD_byte_len = 20
   AAD_bit_len  = 160
   MSG_byte_len = 18
   MSG_bit_len  = 144
   padded_AAD_byte_len = 32
   padded_MSG_byte_len = 32
   L1 blocks AAD(padded)  = 2
   L2 blocks MSG(padded)  = 2



Gueron, et al.            Expires March 2, 2017                [Page 27]


Internet-Draft                 aes-gcm-siv                   August 2016


                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K =                             01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   Record_Hash_Key =               57d4b7aec8de993e30a6861b61e6ce4e
   AAD =                           01000000000000000000000000000000
                                   02000000
   MSG =                           03000000000000000000000000000000
                                   0400
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
   LENBLK =                        a0000000000000009000000000000000

   Computing POLYVAL on a
   buffer of 4 blocks + LENBLK.
   POLYVAL =                       43c6ae6d4f938a10f892455cc5b64b40
   with MSBit cleared =            43c6ae6d4f938a10f892455cc5b64b40
   TAG =                           13b7c01d08dd6969d51d1bf0fbbdc4d2
   AAD =                           01000000000000000000000000000000
                                   02000000
   CT  =                           b26d43ae158316ac37f41579ccf1d461
                                   274e
   Encryption_Key=                 40163363796658e1400b1aaa02aad8a6

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   40163363796658e1400b1aaa02aad8a6
                                   ed77171494114ff5d41a555fd6b08df9
                                   082a8ee29c3bc117482194489e9119b1
                                   8dfe46e911c587fe59e413b6c7750a07
                                   1899832f095c04d150b8176797cd1d60
                                   b53d53a7bc615776ecd940117b145d71
                                   6f71f086d310a7f03fc9e7e144ddba90
                                   ee85909d3d95376d025cd08c46816a1c
                                   62870cc75f123baa5d4eeb261bcf813a
                                   f38b8c68ac99b7c2f1d75ce4ea18ddde
                                   684a91efc4d3262d35047ac9df1ca717

   CTRBLKS (with MSbit set to 1)

                                   13b7c01d08dd6969d51d1bf0fbbdc4d2
                                   14b7c01d08dd6969d51d1bf0fbbdc4d2




Gueron, et al.            Expires March 2, 2017                [Page 28]


Internet-Draft                 aes-gcm-siv                   August 2016


   --------------------- TWO_KEYS     (AAD = 0, MSG = 0)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 0
   MSG_bit_len  = 0
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 0
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 0
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K =                             01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   Record_Hash_Key =               57d4b7aec8de993e30a6861b61e6ce4e
   AAD =
   MSG =
   PADDED_AAD_and_MSG =
   LENBLK =                        00000000000000000000000000000000

   Computing POLYVAL on a
   buffer of 0 blocks + LENBLK.
   POLYVAL =                       00000000000000000000000000000000
   with MSBit cleared =            00000000000000000000000000000000
   TAG =                           cb52de357fad226ae428d0ed5a575496
   AAD =
   CT  =
   Encryption_Key=                 40163363796658e1400b1aaa02aad8a6

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   40163363796658e1400b1aaa02aad8a6
                                   ed77171494114ff5d41a555fd6b08df9
                                   082a8ee29c3bc117482194489e9119b1
                                   8dfe46e911c587fe59e413b6c7750a07
                                   1899832f095c04d150b8176797cd1d60
                                   b53d53a7bc615776ecd940117b145d71
                                   6f71f086d310a7f03fc9e7e144ddba90
                                   ee85909d3d95376d025cd08c46816a1c
                                   62870cc75f123baa5d4eeb261bcf813a
                                   f38b8c68ac99b7c2f1d75ce4ea18ddde
                                   684a91efc4d3262d35047ac9df1ca717

   CTRBLKS (with MSbit set to 1)




Gueron, et al.            Expires March 2, 2017                [Page 29]


Internet-Draft                 aes-gcm-siv                   August 2016


   --------------------- TWO_KEYS     (AAD = 0, MSG = 8)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 8
   MSG_bit_len  = 64
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K =                             01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   Record_Hash_Key =               57d4b7aec8de993e30a6861b61e6ce4e
   AAD =
   MSG =                           0100000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
   LENBLK =                        00000000000000004000000000000000

   Computing POLYVAL on a
   buffer of 1 blocks + LENBLK.
   POLYVAL =                       c4f22afa8da308e044478b114f0441ae
   with MSBit cleared =            c4f22afa8da308e044478b114f04412e
   TAG =                           715835541f2136f03b6dc80ae0a8ac46
   AAD =
   CT  =                           7e139f58002d68ee
   Encryption_Key=                 40163363796658e1400b1aaa02aad8a6

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   40163363796658e1400b1aaa02aad8a6
                                   ed77171494114ff5d41a555fd6b08df9
                                   082a8ee29c3bc117482194489e9119b1
                                   8dfe46e911c587fe59e413b6c7750a07
                                   1899832f095c04d150b8176797cd1d60
                                   b53d53a7bc615776ecd940117b145d71
                                   6f71f086d310a7f03fc9e7e144ddba90
                                   ee85909d3d95376d025cd08c46816a1c
                                   62870cc75f123baa5d4eeb261bcf813a
                                   f38b8c68ac99b7c2f1d75ce4ea18ddde
                                   684a91efc4d3262d35047ac9df1ca717

   CTRBLKS (with MSbit set to 1)




Gueron, et al.            Expires March 2, 2017                [Page 30]


Internet-Draft                 aes-gcm-siv                   August 2016


                                   715835541f2136f03b6dc80ae0a8acc6



   --------------------- TWO_KEYS     (AAD = 0, MSG = 12)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 12
   MSG_bit_len  = 96
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K =                             01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   Record_Hash_Key =               57d4b7aec8de993e30a6861b61e6ce4e
   AAD =
   MSG =                           010000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
   LENBLK =                        00000000000000006000000000000000

   Computing POLYVAL on a
   buffer of 1 blocks + LENBLK.
   POLYVAL =                       c334fe8aae6fd4f970df1f7227b08f21
   with MSBit cleared =            c334fe8aae6fd4f970df1f7227b08f21
   TAG =                           4dff905e48d512e9c34ae8f3be66ec43
   AAD =
   CT  =                           4a87f0cd26e5d5086e90da02
   Encryption_Key=                 40163363796658e1400b1aaa02aad8a6

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   40163363796658e1400b1aaa02aad8a6
                                   ed77171494114ff5d41a555fd6b08df9
                                   082a8ee29c3bc117482194489e9119b1
                                   8dfe46e911c587fe59e413b6c7750a07
                                   1899832f095c04d150b8176797cd1d60
                                   b53d53a7bc615776ecd940117b145d71
                                   6f71f086d310a7f03fc9e7e144ddba90
                                   ee85909d3d95376d025cd08c46816a1c
                                   62870cc75f123baa5d4eeb261bcf813a
                                   f38b8c68ac99b7c2f1d75ce4ea18ddde



Gueron, et al.            Expires March 2, 2017                [Page 31]


Internet-Draft                 aes-gcm-siv                   August 2016


                                   684a91efc4d3262d35047ac9df1ca717

   CTRBLKS (with MSbit set to 1)

                                   4dff905e48d512e9c34ae8f3be66ecc3



   --------------------- TWO_KEYS     (AAD = 0, MSG = 16)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 16
   MSG_bit_len  = 128
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K =                             01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   Record_Hash_Key =               57d4b7aec8de993e30a6861b61e6ce4e
   AAD =
   MSG =                           01000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
   LENBLK =                        00000000000000008000000000000000

   Computing POLYVAL on a
   buffer of 1 blocks + LENBLK.
   POLYVAL =                       d466d0d8460bc2b4fc17f0583ebde60a
   with MSBit cleared =            d466d0d8460bc2b4fc17f0583ebde60a
   TAG =                           971da9aa385283522c4f67a9aedb37e5
   AAD =
   CT  =                           048ca58c46d2368ce00132389f40b511
   Encryption_Key=                 40163363796658e1400b1aaa02aad8a6

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   40163363796658e1400b1aaa02aad8a6
                                   ed77171494114ff5d41a555fd6b08df9
                                   082a8ee29c3bc117482194489e9119b1
                                   8dfe46e911c587fe59e413b6c7750a07
                                   1899832f095c04d150b8176797cd1d60
                                   b53d53a7bc615776ecd940117b145d71



Gueron, et al.            Expires March 2, 2017                [Page 32]


Internet-Draft                 aes-gcm-siv                   August 2016


                                   6f71f086d310a7f03fc9e7e144ddba90
                                   ee85909d3d95376d025cd08c46816a1c
                                   62870cc75f123baa5d4eeb261bcf813a
                                   f38b8c68ac99b7c2f1d75ce4ea18ddde
                                   684a91efc4d3262d35047ac9df1ca717

   CTRBLKS (with MSbit set to 1)

                                   971da9aa385283522c4f67a9aedb37e5



   --------------------- TWO_KEYS     (AAD = 0, MSG = 32)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 32
   MSG_bit_len  = 256
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 32
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 2
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K =                             01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   Record_Hash_Key =               57d4b7aec8de993e30a6861b61e6ce4e
   AAD =
   MSG =                           01000000000000000000000000000000
                                   02000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
   LENBLK =                        00000000000000000001000000000000

   Computing POLYVAL on a
   buffer of 2 blocks + LENBLK.
   POLYVAL =                       46f776b6c9ee93b25e196fada7a58ced
   with MSBit cleared =            46f776b6c9ee93b25e196fada7a58c6d
   TAG =                           1071338b8c2930d3ec4c17cecbefa4b4
   AAD =
   CT  =                           e1cf1cf545d2743ec005b26bd2c836ac
                                   1a4233d646c195ffa401f28063127baa
   Encryption_Key=                 40163363796658e1400b1aaa02aad8a6

   ***************************
            APPENDIX



Gueron, et al.            Expires March 2, 2017                [Page 33]


Internet-Draft                 aes-gcm-siv                   August 2016


   ***************************
   KEY_SCHEDULE (Encryption_Key)   40163363796658e1400b1aaa02aad8a6
                                   ed77171494114ff5d41a555fd6b08df9
                                   082a8ee29c3bc117482194489e9119b1
                                   8dfe46e911c587fe59e413b6c7750a07
                                   1899832f095c04d150b8176797cd1d60
                                   b53d53a7bc615776ecd940117b145d71
                                   6f71f086d310a7f03fc9e7e144ddba90
                                   ee85909d3d95376d025cd08c46816a1c
                                   62870cc75f123baa5d4eeb261bcf813a
                                   f38b8c68ac99b7c2f1d75ce4ea18ddde
                                   684a91efc4d3262d35047ac9df1ca717

   CTRBLKS (with MSbit set to 1)

                                   1071338b8c2930d3ec4c17cecbefa4b4
                                   1171338b8c2930d3ec4c17cecbefa4b4



   --------------------- TWO_KEYS     (AAD = 0, MSG = 48)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 48
   MSG_bit_len  = 384
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 48
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 3
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K =                             01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   Record_Hash_Key =               57d4b7aec8de993e30a6861b61e6ce4e
   AAD =
   MSG =                           01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
   LENBLK =                        00000000000000008001000000000000

   Computing POLYVAL on a
   buffer of 3 blocks + LENBLK.



Gueron, et al.            Expires March 2, 2017                [Page 34]


Internet-Draft                 aes-gcm-siv                   August 2016


   POLYVAL =                       87e3ea7ce9e6b09a3d5cba677c428ae6
   with MSBit cleared =            87e3ea7ce9e6b09a3d5cba677c428a66
   TAG =                           04b1b8a9c1630ff028b14d2e57bca429
   AAD =
   CT  =                           2e7e6881a02d57b877794b2fbfbfef54
                                   84f1cf74f4ad53a751b2582c0e698466
                                   bd9a49dcab53806d8e31d864c4632d00
   Encryption_Key=                 40163363796658e1400b1aaa02aad8a6

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   40163363796658e1400b1aaa02aad8a6
                                   ed77171494114ff5d41a555fd6b08df9
                                   082a8ee29c3bc117482194489e9119b1
                                   8dfe46e911c587fe59e413b6c7750a07
                                   1899832f095c04d150b8176797cd1d60
                                   b53d53a7bc615776ecd940117b145d71
                                   6f71f086d310a7f03fc9e7e144ddba90
                                   ee85909d3d95376d025cd08c46816a1c
                                   62870cc75f123baa5d4eeb261bcf813a
                                   f38b8c68ac99b7c2f1d75ce4ea18ddde
                                   684a91efc4d3262d35047ac9df1ca717

   CTRBLKS (with MSbit set to 1)

                                   04b1b8a9c1630ff028b14d2e57bca4a9
                                   05b1b8a9c1630ff028b14d2e57bca4a9
                                   06b1b8a9c1630ff028b14d2e57bca4a9



   --------------------- TWO_KEYS     (AAD = 0, MSG = 64)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 64
   MSG_bit_len  = 512
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 64
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 4
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K =                             01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000



Gueron, et al.            Expires March 2, 2017                [Page 35]


Internet-Draft                 aes-gcm-siv                   August 2016


   Record_Hash_Key =               57d4b7aec8de993e30a6861b61e6ce4e
   AAD =
   MSG =                           01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
   LENBLK =                        00000000000000000002000000000000

   Computing POLYVAL on a
   buffer of 4 blocks + LENBLK.
   POLYVAL =                       c6251df62d622f205df456c1fdd9d3e7
   with MSBit cleared =            c6251df62d622f205df456c1fdd9d367
   TAG =                           860b73a1ed8a5b9acd925c3f3f49c5c5
   AAD =
   CT  =                           0ac5be860726209d9218de3e9d533743
                                   e1efe1595bc58f93f00e9bb9a7558dc1
                                   e1b14a9c0d49eb5064c7efa79842f9c7
                                   cfdd77614709f0b545d3227498e774d5
   Encryption_Key=                 40163363796658e1400b1aaa02aad8a6

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   40163363796658e1400b1aaa02aad8a6
                                   ed77171494114ff5d41a555fd6b08df9
                                   082a8ee29c3bc117482194489e9119b1
                                   8dfe46e911c587fe59e413b6c7750a07
                                   1899832f095c04d150b8176797cd1d60
                                   b53d53a7bc615776ecd940117b145d71
                                   6f71f086d310a7f03fc9e7e144ddba90
                                   ee85909d3d95376d025cd08c46816a1c
                                   62870cc75f123baa5d4eeb261bcf813a
                                   f38b8c68ac99b7c2f1d75ce4ea18ddde
                                   684a91efc4d3262d35047ac9df1ca717

   CTRBLKS (with MSbit set to 1)

                                   860b73a1ed8a5b9acd925c3f3f49c5c5
                                   870b73a1ed8a5b9acd925c3f3f49c5c5
                                   880b73a1ed8a5b9acd925c3f3f49c5c5
                                   890b73a1ed8a5b9acd925c3f3f49c5c5






Gueron, et al.            Expires March 2, 2017                [Page 36]


Internet-Draft                 aes-gcm-siv                   August 2016


   --------------------- TWO_KEYS     (AAD = 1, MSG = 8)---------

   AAD_byte_len = 1
   AAD_bit_len  = 8
   MSG_byte_len = 8
   MSG_bit_len  = 64
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K =                             01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   Record_Hash_Key =               57d4b7aec8de993e30a6861b61e6ce4e
   AAD =                           01
   MSG =                           0200000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
   LENBLK =                        08000000000000004000000000000000

   Computing POLYVAL on a
   buffer of 2 blocks + LENBLK.
   POLYVAL =                       7a6d9cc98ebabf3fd46778e21ce6b9c6
   with MSBit cleared =            7a6d9cc98ebabf3fd46778e21ce6b946
   TAG =                           1433a5c0284c911163888dbd128e6874
   AAD =                           01
   CT  =                           4919e29e9890e452
   Encryption_Key=                 40163363796658e1400b1aaa02aad8a6

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   40163363796658e1400b1aaa02aad8a6
                                   ed77171494114ff5d41a555fd6b08df9
                                   082a8ee29c3bc117482194489e9119b1
                                   8dfe46e911c587fe59e413b6c7750a07
                                   1899832f095c04d150b8176797cd1d60
                                   b53d53a7bc615776ecd940117b145d71
                                   6f71f086d310a7f03fc9e7e144ddba90
                                   ee85909d3d95376d025cd08c46816a1c
                                   62870cc75f123baa5d4eeb261bcf813a
                                   f38b8c68ac99b7c2f1d75ce4ea18ddde
                                   684a91efc4d3262d35047ac9df1ca717

   CTRBLKS (with MSbit set to 1)



Gueron, et al.            Expires March 2, 2017                [Page 37]


Internet-Draft                 aes-gcm-siv                   August 2016


                                   1433a5c0284c911163888dbd128e68f4



   --------------------- TWO_KEYS     (AAD = 1, MSG = 12)---------

   AAD_byte_len = 1
   AAD_bit_len  = 8
   MSG_byte_len = 12
   MSG_bit_len  = 96
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K =                             01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   Record_Hash_Key =               57d4b7aec8de993e30a6861b61e6ce4e
   AAD =                           01
   MSG =                           020000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
   LENBLK =                        08000000000000006000000000000000

   Computing POLYVAL on a
   buffer of 2 blocks + LENBLK.
   POLYVAL =                       7dab48b9ad766326e0ffec8174527749
   with MSBit cleared =            7dab48b9ad766326e0ffec8174527749
   TAG =                           5a8ab948ccd205a70c78e8fdf954693b
   AAD =                           01
   CT  =                           db55d6da719fe0473538294e
   Encryption_Key=                 40163363796658e1400b1aaa02aad8a6

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   40163363796658e1400b1aaa02aad8a6
                                   ed77171494114ff5d41a555fd6b08df9
                                   082a8ee29c3bc117482194489e9119b1
                                   8dfe46e911c587fe59e413b6c7750a07
                                   1899832f095c04d150b8176797cd1d60
                                   b53d53a7bc615776ecd940117b145d71
                                   6f71f086d310a7f03fc9e7e144ddba90
                                   ee85909d3d95376d025cd08c46816a1c
                                   62870cc75f123baa5d4eeb261bcf813a



Gueron, et al.            Expires March 2, 2017                [Page 38]


Internet-Draft                 aes-gcm-siv                   August 2016


                                   f38b8c68ac99b7c2f1d75ce4ea18ddde
                                   684a91efc4d3262d35047ac9df1ca717

   CTRBLKS (with MSbit set to 1)

                                   5a8ab948ccd205a70c78e8fdf95469bb



   --------------------- TWO_KEYS     (AAD = 1, MSG = 16)---------

   AAD_byte_len = 1
   AAD_bit_len  = 8
   MSG_byte_len = 16
   MSG_bit_len  = 128
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K =                             01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   Record_Hash_Key =               57d4b7aec8de993e30a6861b61e6ce4e
   AAD =                           01
   MSG =                           02000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
   LENBLK =                        08000000000000008000000000000000

   Computing POLYVAL on a
   buffer of 2 blocks + LENBLK.
   POLYVAL =                       6af966eb4512756b6c3703ab6d5f1e62
   with MSBit cleared =            6af966eb4512756b6c3703ab6d5f1e62
   TAG =                           da10d98bfe23784cfdfd0af97b6d5b78
   AAD =                           01
   CT  =                           aea3c54272abc1b58ed34a536743f4da
   Encryption_Key=                 40163363796658e1400b1aaa02aad8a6

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   40163363796658e1400b1aaa02aad8a6
                                   ed77171494114ff5d41a555fd6b08df9
                                   082a8ee29c3bc117482194489e9119b1
                                   8dfe46e911c587fe59e413b6c7750a07



Gueron, et al.            Expires March 2, 2017                [Page 39]


Internet-Draft                 aes-gcm-siv                   August 2016


                                   1899832f095c04d150b8176797cd1d60
                                   b53d53a7bc615776ecd940117b145d71
                                   6f71f086d310a7f03fc9e7e144ddba90
                                   ee85909d3d95376d025cd08c46816a1c
                                   62870cc75f123baa5d4eeb261bcf813a
                                   f38b8c68ac99b7c2f1d75ce4ea18ddde
                                   684a91efc4d3262d35047ac9df1ca717

   CTRBLKS (with MSbit set to 1)

                                   da10d98bfe23784cfdfd0af97b6d5bf8



   --------------------- TWO_KEYS     (AAD = 1, MSG = 32)---------

   AAD_byte_len = 1
   AAD_bit_len  = 8
   MSG_byte_len = 32
   MSG_bit_len  = 256
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 32
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 2
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K =                             01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   Record_Hash_Key =               57d4b7aec8de993e30a6861b61e6ce4e
   AAD =                           01
   MSG =                           02000000000000000000000000000000
                                   03000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
   LENBLK =                        08000000000000000001000000000000

   Computing POLYVAL on a
   buffer of 3 blocks + LENBLK.
   POLYVAL =                       95dd5ca77e7bb08dafb3727df51b6d9b
   with MSBit cleared =            95dd5ca77e7bb08dafb3727df51b6d1b
   TAG =                           778c5b68356a1a6a6f3c14a8f96c35ca
   AAD =                           01
   CT  =                           aa694c0cfe148100cb5c6e27a77a7ff7
                                   b4233d6af251d9faa3d84f7c0d1113f1
   Encryption_Key=                 40163363796658e1400b1aaa02aad8a6



Gueron, et al.            Expires March 2, 2017                [Page 40]


Internet-Draft                 aes-gcm-siv                   August 2016


   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   40163363796658e1400b1aaa02aad8a6
                                   ed77171494114ff5d41a555fd6b08df9
                                   082a8ee29c3bc117482194489e9119b1
                                   8dfe46e911c587fe59e413b6c7750a07
                                   1899832f095c04d150b8176797cd1d60
                                   b53d53a7bc615776ecd940117b145d71
                                   6f71f086d310a7f03fc9e7e144ddba90
                                   ee85909d3d95376d025cd08c46816a1c
                                   62870cc75f123baa5d4eeb261bcf813a
                                   f38b8c68ac99b7c2f1d75ce4ea18ddde
                                   684a91efc4d3262d35047ac9df1ca717

   CTRBLKS (with MSbit set to 1)

                                   778c5b68356a1a6a6f3c14a8f96c35ca
                                   788c5b68356a1a6a6f3c14a8f96c35ca



   --------------------- TWO_KEYS     (AAD = 1, MSG = 48)---------

   AAD_byte_len = 1
   AAD_bit_len  = 8
   MSG_byte_len = 48
   MSG_bit_len  = 384
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 48
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 3
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K =                             01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   Record_Hash_Key =               57d4b7aec8de993e30a6861b61e6ce4e
   AAD =                           01
   MSG =                           02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
   LENBLK =                        08000000000000008001000000000000



Gueron, et al.            Expires March 2, 2017                [Page 41]


Internet-Draft                 aes-gcm-siv                   August 2016


   Computing POLYVAL on a
   buffer of 4 blocks + LENBLK.
   POLYVAL =                       974b41a6965c05642e5973feb165aa4e
   with MSBit cleared =            974b41a6965c05642e5973feb165aa4e
   TAG =                           26c0c0d146d38787ca0fcbc3f911577a
   AAD =                           01
   CT  =                           9ac909928bcde79c2afa885df9c035c8
                                   5a9eab136f6f6ea11034456bd306ea3c
                                   5dd542f706fffe538b5f139fa9dc622e
   Encryption_Key=                 40163363796658e1400b1aaa02aad8a6

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   40163363796658e1400b1aaa02aad8a6
                                   ed77171494114ff5d41a555fd6b08df9
                                   082a8ee29c3bc117482194489e9119b1
                                   8dfe46e911c587fe59e413b6c7750a07
                                   1899832f095c04d150b8176797cd1d60
                                   b53d53a7bc615776ecd940117b145d71
                                   6f71f086d310a7f03fc9e7e144ddba90
                                   ee85909d3d95376d025cd08c46816a1c
                                   62870cc75f123baa5d4eeb261bcf813a
                                   f38b8c68ac99b7c2f1d75ce4ea18ddde
                                   684a91efc4d3262d35047ac9df1ca717

   CTRBLKS (with MSbit set to 1)

                                   26c0c0d146d38787ca0fcbc3f91157fa
                                   27c0c0d146d38787ca0fcbc3f91157fa
                                   28c0c0d146d38787ca0fcbc3f91157fa



   --------------------- TWO_KEYS     (AAD = 1, MSG = 64)---------

   AAD_byte_len = 1
   AAD_bit_len  = 8
   MSG_byte_len = 64
   MSG_bit_len  = 512
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 64
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 4
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------



Gueron, et al.            Expires March 2, 2017                [Page 42]


Internet-Draft                 aes-gcm-siv                   August 2016


   K =                             01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   Record_Hash_Key =               57d4b7aec8de993e30a6861b61e6ce4e
   AAD =                           01
   MSG =                           02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
                                   05000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
                                   05000000000000000000000000000000
   LENBLK =                        08000000000000000002000000000000

   Computing POLYVAL on a
   buffer of 5 blocks + LENBLK.
   POLYVAL =                       d14991cbe3496e3e55c40714ffbd7987
   with MSBit cleared =            d14991cbe3496e3e55c40714ffbd7907
   TAG =                           a60986309b99431a35dd8c5ebeef8375
   AAD =                           01
   CT  =                           c56be9d61ecf6a31a6289cddc9b91aaf
                                   84cdb53a3913b825d6eb5e157906dfb0
                                   a308c6b0b095d6fd1a5b761ca7fa0e39
                                   ca92f38ae206eec844c0c4ab0c1c165e
   Encryption_Key=                 40163363796658e1400b1aaa02aad8a6

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   40163363796658e1400b1aaa02aad8a6
                                   ed77171494114ff5d41a555fd6b08df9
                                   082a8ee29c3bc117482194489e9119b1
                                   8dfe46e911c587fe59e413b6c7750a07
                                   1899832f095c04d150b8176797cd1d60
                                   b53d53a7bc615776ecd940117b145d71
                                   6f71f086d310a7f03fc9e7e144ddba90
                                   ee85909d3d95376d025cd08c46816a1c
                                   62870cc75f123baa5d4eeb261bcf813a
                                   f38b8c68ac99b7c2f1d75ce4ea18ddde
                                   684a91efc4d3262d35047ac9df1ca717

   CTRBLKS (with MSbit set to 1)

                                   a60986309b99431a35dd8c5ebeef83f5
                                   a70986309b99431a35dd8c5ebeef83f5
                                   a80986309b99431a35dd8c5ebeef83f5
                                   a90986309b99431a35dd8c5ebeef83f5



Gueron, et al.            Expires March 2, 2017                [Page 43]


Internet-Draft                 aes-gcm-siv                   August 2016


   --------------------- TWO_KEYS     (AAD = 12, MSG = 4)---------

   AAD_byte_len = 12
   AAD_bit_len  = 96
   MSG_byte_len = 4
   MSG_bit_len  = 32
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K =                             01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   Record_Hash_Key =               57d4b7aec8de993e30a6861b61e6ce4e
   AAD =                           010000000000000000000000
   MSG =                           02000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
   LENBLK =                        60000000000000002000000000000000

   Computing POLYVAL on a
   buffer of 2 blocks + LENBLK.
   POLYVAL =                       23a9b9e4499ffa27d007e1246ad3ada5
   with MSBit cleared =            23a9b9e4499ffa27d007e1246ad3ad25
   TAG =                           16b668094202cadde992e0c16205793c
   AAD =                           010000000000000000000000
   CT  =                           47995b96
   Encryption_Key=                 40163363796658e1400b1aaa02aad8a6

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   40163363796658e1400b1aaa02aad8a6
                                   ed77171494114ff5d41a555fd6b08df9
                                   082a8ee29c3bc117482194489e9119b1
                                   8dfe46e911c587fe59e413b6c7750a07
                                   1899832f095c04d150b8176797cd1d60
                                   b53d53a7bc615776ecd940117b145d71
                                   6f71f086d310a7f03fc9e7e144ddba90
                                   ee85909d3d95376d025cd08c46816a1c
                                   62870cc75f123baa5d4eeb261bcf813a
                                   f38b8c68ac99b7c2f1d75ce4ea18ddde
                                   684a91efc4d3262d35047ac9df1ca717

   CTRBLKS (with MSbit set to 1)



Gueron, et al.            Expires March 2, 2017                [Page 44]


Internet-Draft                 aes-gcm-siv                   August 2016


                                   16b668094202cadde992e0c1620579bc



   --------------------- TWO_KEYS     (AAD = 18, MSG = 20)---------

   AAD_byte_len = 18
   AAD_bit_len  = 144
   MSG_byte_len = 20
   MSG_bit_len  = 160
   padded_AAD_byte_len = 32
   padded_MSG_byte_len = 32
   L1 blocks AAD(padded)  = 2
   L2 blocks MSG(padded)  = 2
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K =                             01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   Record_Hash_Key =               57d4b7aec8de993e30a6861b61e6ce4e
   AAD =                           01000000000000000000000000000000
                                   0200
   MSG =                           03000000000000000000000000000000
                                   04000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
   LENBLK =                        9000000000000000a000000000000000

   Computing POLYVAL on a
   buffer of 4 blocks + LENBLK.
   POLYVAL =                       69b74ef721d791245b6544756a68af73
   with MSBit cleared =            69b74ef721d791245b6544756a68af73
   TAG =                           89ca91ebc560709432fe9496746404cc
   AAD =                           01000000000000000000000000000000
                                   0200
   CT  =                           8fe25de75089e9f849150e57ab7f7810
                                   981cd319
   Encryption_Key=                 40163363796658e1400b1aaa02aad8a6

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   40163363796658e1400b1aaa02aad8a6
                                   ed77171494114ff5d41a555fd6b08df9
                                   082a8ee29c3bc117482194489e9119b1



Gueron, et al.            Expires March 2, 2017                [Page 45]


Internet-Draft                 aes-gcm-siv                   August 2016


                                   8dfe46e911c587fe59e413b6c7750a07
                                   1899832f095c04d150b8176797cd1d60
                                   b53d53a7bc615776ecd940117b145d71
                                   6f71f086d310a7f03fc9e7e144ddba90
                                   ee85909d3d95376d025cd08c46816a1c
                                   62870cc75f123baa5d4eeb261bcf813a
                                   f38b8c68ac99b7c2f1d75ce4ea18ddde
                                   684a91efc4d3262d35047ac9df1ca717

   CTRBLKS (with MSbit set to 1)

                                   89ca91ebc560709432fe9496746404cc
                                   8aca91ebc560709432fe9496746404cc



   --------------------- TWO_KEYS     (AAD = 20, MSG = 18)---------

   AAD_byte_len = 20
   AAD_bit_len  = 160
   MSG_byte_len = 18
   MSG_bit_len  = 144
   padded_AAD_byte_len = 32
   padded_MSG_byte_len = 32
   L1 blocks AAD(padded)  = 2
   L2 blocks MSG(padded)  = 2
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K =                             01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   Record_Hash_Key =               57d4b7aec8de993e30a6861b61e6ce4e
   AAD =                           01000000000000000000000000000000
                                   02000000
   MSG =                           03000000000000000000000000000000
                                   0400
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
   LENBLK =                        a0000000000000009000000000000000

   Computing POLYVAL on a
   buffer of 4 blocks + LENBLK.
   POLYVAL =                       43c6ae6d4f938a10f892455cc5b64b40
   with MSBit cleared =            43c6ae6d4f938a10f892455cc5b64b40
   TAG =                           13b7c01d08dd6969d51d1bf0fbbdc4d2



Gueron, et al.            Expires March 2, 2017                [Page 46]


Internet-Draft                 aes-gcm-siv                   August 2016


   AAD =                           01000000000000000000000000000000
                                   02000000
   CT  =                           b26d43ae158316ac37f41579ccf1d461
                                   274e
   Encryption_Key=                 40163363796658e1400b1aaa02aad8a6

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   40163363796658e1400b1aaa02aad8a6
                                   ed77171494114ff5d41a555fd6b08df9
                                   082a8ee29c3bc117482194489e9119b1
                                   8dfe46e911c587fe59e413b6c7750a07
                                   1899832f095c04d150b8176797cd1d60
                                   b53d53a7bc615776ecd940117b145d71
                                   6f71f086d310a7f03fc9e7e144ddba90
                                   ee85909d3d95376d025cd08c46816a1c
                                   62870cc75f123baa5d4eeb261bcf813a
                                   f38b8c68ac99b7c2f1d75ce4ea18ddde
                                   684a91efc4d3262d35047ac9df1ca717

   CTRBLKS (with MSbit set to 1)

                                   13b7c01d08dd6969d51d1bf0fbbdc4d2
                                   14b7c01d08dd6969d51d1bf0fbbdc4d2

B.2.  AEAD_AES_256_GCM_SIV

   --------------------- TWO_KEYS     (AAD = 0, MSG = 0)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 0
   MSG_bit_len  = 0
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 0
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 0
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   Record_Hash_Key                 c88735cffb99fd5cd4c805dcf487f5ae
   NONCE =                         03000000000000000000000000000000
   AAD =
   MSG =



Gueron, et al.            Expires March 2, 2017                [Page 47]


Internet-Draft                 aes-gcm-siv                   August 2016


   PADDED_AAD_and_MSG =
   LENBLK =                        00000000000000000000000000000000

   Computing POLYVAL on a
   buffer of 0 blocks + LENBLK.
   POLYVAL =                       00000000000000000000000000000000
   with MSBit cleared =            00000000000000000000000000000000
   TAG =                           eb7ccf36eeff369241379c87cc08e4f0
   AAD =
   CT  =
   Encryption_Key =                d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be
                                   89652df6cf6760123507aac65573e48d
                                   a3b8104978bd7dacec005e1c1c7028a2
                                   da51176a153677782031ddbe75423933
                                   3e94028a46297f26aa29213ab6590998
                                   155051240066265c2057fbe25515c2d1
                                   c2cd27b484e458922ecd79a898947030
                                   3f0155623f67733e1f3088dc4a254a0d
                                   14f2f1639016a9f1bedbd059264fa069
                                   abe1ac959486dfab8bb65777c1931d7a
                                   6c2e55b9fc38fc4842e32c1164ac8c78
                                   1a8510d68e03cf7d05b5980ac4268570
                                   70d9c2e88ce13ea0ce0212b1aaae9ec9
                                   be8ecd7a308d020735389a0df11e1f7d

   CTRBLKS (with MSbit set to 1)




   --------------------- TWO_KEYS     (AAD = 0, MSG = 8)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 8
   MSG_bit_len  = 64
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER



Gueron, et al.            Expires March 2, 2017                [Page 48]


Internet-Draft                 aes-gcm-siv                   August 2016


                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   Record_Hash_Key                 c88735cffb99fd5cd4c805dcf487f5ae
   NONCE =                         03000000000000000000000000000000
   AAD =
   MSG =                           0100000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
   LENBLK =                        00000000000000004000000000000000

   Computing POLYVAL on a
   buffer of 1 blocks + LENBLK.
   POLYVAL =                       6889f69f7a083ff47c24c9fdadd08205
   with MSBit cleared =            6889f69f7a083ff47c24c9fdadd08205
   TAG =                           a0a69e07b73281f5cdfd034f646cfa08
   AAD =
   CT  =                           ab3f382a6f0fb4c3
   Encryption_Key =                d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be
                                   89652df6cf6760123507aac65573e48d
                                   a3b8104978bd7dacec005e1c1c7028a2
                                   da51176a153677782031ddbe75423933
                                   3e94028a46297f26aa29213ab6590998
                                   155051240066265c2057fbe25515c2d1
                                   c2cd27b484e458922ecd79a898947030
                                   3f0155623f67733e1f3088dc4a254a0d
                                   14f2f1639016a9f1bedbd059264fa069
                                   abe1ac959486dfab8bb65777c1931d7a
                                   6c2e55b9fc38fc4842e32c1164ac8c78
                                   1a8510d68e03cf7d05b5980ac4268570
                                   70d9c2e88ce13ea0ce0212b1aaae9ec9
                                   be8ecd7a308d020735389a0df11e1f7d

   CTRBLKS (with MSbit set to 1)

                                   a0a69e07b73281f5cdfd034f646cfa88



   --------------------- TWO_KEYS     (AAD = 0, MSG = 12)---------



Gueron, et al.            Expires March 2, 2017                [Page 49]


Internet-Draft                 aes-gcm-siv                   August 2016


   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 12
   MSG_bit_len  = 96
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   Record_Hash_Key                 c88735cffb99fd5cd4c805dcf487f5ae
   NONCE =                         03000000000000000000000000000000
   AAD =
   MSG =                           010000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
   LENBLK =                        00000000000000006000000000000000

   Computing POLYVAL on a
   buffer of 1 blocks + LENBLK.
   POLYVAL =                       e3934f1fe1f68f2a5bfe4062c8d93bf3
   with MSBit cleared =            e3934f1fe1f68f2a5bfe4062c8d93b73
   TAG =                           cdf3ba70da9c7cbd45f5140ba0cca9f1
   AAD =
   CT  =                           be8d81f033ca23b953da2197
   Encryption_Key =                d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be
                                   89652df6cf6760123507aac65573e48d
                                   a3b8104978bd7dacec005e1c1c7028a2
                                   da51176a153677782031ddbe75423933
                                   3e94028a46297f26aa29213ab6590998
                                   155051240066265c2057fbe25515c2d1
                                   c2cd27b484e458922ecd79a898947030
                                   3f0155623f67733e1f3088dc4a254a0d
                                   14f2f1639016a9f1bedbd059264fa069
                                   abe1ac959486dfab8bb65777c1931d7a
                                   6c2e55b9fc38fc4842e32c1164ac8c78
                                   1a8510d68e03cf7d05b5980ac4268570
                                   70d9c2e88ce13ea0ce0212b1aaae9ec9



Gueron, et al.            Expires March 2, 2017                [Page 50]


Internet-Draft                 aes-gcm-siv                   August 2016


                                   be8ecd7a308d020735389a0df11e1f7d

   CTRBLKS (with MSbit set to 1)

                                   cdf3ba70da9c7cbd45f5140ba0cca9f1



   --------------------- TWO_KEYS     (AAD = 0, MSG = 16)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 16
   MSG_bit_len  = 128
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   Record_Hash_Key                 c88735cffb99fd5cd4c805dcf487f5ae
   NONCE =                         03000000000000000000000000000000
   AAD =
   MSG =                           01000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
   LENBLK =                        00000000000000008000000000000000

   Computing POLYVAL on a
   buffer of 1 blocks + LENBLK.
   POLYVAL =                       51d6609c230f9d33acf8fdbcf0e71474
   with MSBit cleared =            51d6609c230f9d33acf8fdbcf0e71474
   TAG =                           be19d78991c62130cf97f628c37c3eaa
   AAD =
   CT  =                           46e05b7116dbe27aaeffe99892194072
   Encryption_Key =                d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be
                                   89652df6cf6760123507aac65573e48d
                                   a3b8104978bd7dacec005e1c1c7028a2



Gueron, et al.            Expires March 2, 2017                [Page 51]


Internet-Draft                 aes-gcm-siv                   August 2016


                                   da51176a153677782031ddbe75423933
                                   3e94028a46297f26aa29213ab6590998
                                   155051240066265c2057fbe25515c2d1
                                   c2cd27b484e458922ecd79a898947030
                                   3f0155623f67733e1f3088dc4a254a0d
                                   14f2f1639016a9f1bedbd059264fa069
                                   abe1ac959486dfab8bb65777c1931d7a
                                   6c2e55b9fc38fc4842e32c1164ac8c78
                                   1a8510d68e03cf7d05b5980ac4268570
                                   70d9c2e88ce13ea0ce0212b1aaae9ec9
                                   be8ecd7a308d020735389a0df11e1f7d

   CTRBLKS (with MSbit set to 1)

                                   be19d78991c62130cf97f628c37c3eaa



   --------------------- TWO_KEYS     (AAD = 0, MSG = 32)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 32
   MSG_bit_len  = 256
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 32
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 2
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   Record_Hash_Key                 c88735cffb99fd5cd4c805dcf487f5ae
   NONCE =                         03000000000000000000000000000000
   AAD =
   MSG =                           01000000000000000000000000000000
                                   02000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
   LENBLK =                        00000000000000000001000000000000

   Computing POLYVAL on a
   buffer of 2 blocks + LENBLK.
   POLYVAL =                       6ff9b451b1034e07bc8f4c6050e36abe
   with MSBit cleared =            6ff9b451b1034e07bc8f4c6050e36a3e
   TAG =                           16c5944034050657af7c0fec7efbc40f



Gueron, et al.            Expires March 2, 2017                [Page 52]


Internet-Draft                 aes-gcm-siv                   August 2016


   AAD =
   CT  =                           23ddbe9ef342b03003f56d6b4a2e8aff
                                   035c7d7cfd705e1ab4502904254bb67a
   Encryption_Key =                d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be
                                   89652df6cf6760123507aac65573e48d
                                   a3b8104978bd7dacec005e1c1c7028a2
                                   da51176a153677782031ddbe75423933
                                   3e94028a46297f26aa29213ab6590998
                                   155051240066265c2057fbe25515c2d1
                                   c2cd27b484e458922ecd79a898947030
                                   3f0155623f67733e1f3088dc4a254a0d
                                   14f2f1639016a9f1bedbd059264fa069
                                   abe1ac959486dfab8bb65777c1931d7a
                                   6c2e55b9fc38fc4842e32c1164ac8c78
                                   1a8510d68e03cf7d05b5980ac4268570
                                   70d9c2e88ce13ea0ce0212b1aaae9ec9
                                   be8ecd7a308d020735389a0df11e1f7d

   CTRBLKS (with MSbit set to 1)

                                   16c5944034050657af7c0fec7efbc48f
                                   17c5944034050657af7c0fec7efbc48f



   --------------------- TWO_KEYS     (AAD = 0, MSG = 48)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 48
   MSG_bit_len  = 384
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 48
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 3
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000



Gueron, et al.            Expires March 2, 2017                [Page 53]


Internet-Draft                 aes-gcm-siv                   August 2016


   Record_Hash_Key                 c88735cffb99fd5cd4c805dcf487f5ae
   NONCE =                         03000000000000000000000000000000
   AAD =
   MSG =                           01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
   LENBLK =                        00000000000000008001000000000000

   Computing POLYVAL on a
   buffer of 3 blocks + LENBLK.
   POLYVAL =                       50a69c018ba7ffe0b48f515a328d40fe
   with MSBit cleared =            50a69c018ba7ffe0b48f515a328d407e
   TAG =                           abedb4841c20f3b05e61e0fd1fcaf3d0
   AAD =
   CT  =                           b104c8945f280e75b52c05c45a63d187
                                   2c7f0552b1501968d9913d71207d0433
                                   f978f1a3eecdf782016b77e8c9d3ff53
   Encryption_Key =                d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be
                                   89652df6cf6760123507aac65573e48d
                                   a3b8104978bd7dacec005e1c1c7028a2
                                   da51176a153677782031ddbe75423933
                                   3e94028a46297f26aa29213ab6590998
                                   155051240066265c2057fbe25515c2d1
                                   c2cd27b484e458922ecd79a898947030
                                   3f0155623f67733e1f3088dc4a254a0d
                                   14f2f1639016a9f1bedbd059264fa069
                                   abe1ac959486dfab8bb65777c1931d7a
                                   6c2e55b9fc38fc4842e32c1164ac8c78
                                   1a8510d68e03cf7d05b5980ac4268570
                                   70d9c2e88ce13ea0ce0212b1aaae9ec9
                                   be8ecd7a308d020735389a0df11e1f7d

   CTRBLKS (with MSbit set to 1)

                                   abedb4841c20f3b05e61e0fd1fcaf3d0
                                   acedb4841c20f3b05e61e0fd1fcaf3d0
                                   adedb4841c20f3b05e61e0fd1fcaf3d0




Gueron, et al.            Expires March 2, 2017                [Page 54]


Internet-Draft                 aes-gcm-siv                   August 2016


   --------------------- TWO_KEYS     (AAD = 0, MSG = 64)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 64
   MSG_bit_len  = 512
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 64
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 4
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   Record_Hash_Key                 c88735cffb99fd5cd4c805dcf487f5ae
   NONCE =                         03000000000000000000000000000000
   AAD =
   MSG =                           01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
   LENBLK =                        00000000000000000002000000000000

   Computing POLYVAL on a
   buffer of 4 blocks + LENBLK.
   POLYVAL =                       4c05a571416b080b089958ede5b4f698
   with MSBit cleared =            4c05a571416b080b089958ede5b4f618
   TAG =                           3ced67f5e03bb476a738c1343926dc19
   AAD =
   CT  =                           e3f2bd14f4c80c9cea4c90c81f0e4d7e
                                   edb87eb19a7c0cf5a5a95cd3e441a710
                                   83b1191d115e9a9ff008b93feeb5a86d
                                   012a3e0adb89de2d1e3225479022292f
   Encryption_Key =                d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be
                                   89652df6cf6760123507aac65573e48d



Gueron, et al.            Expires March 2, 2017                [Page 55]


Internet-Draft                 aes-gcm-siv                   August 2016


                                   a3b8104978bd7dacec005e1c1c7028a2
                                   da51176a153677782031ddbe75423933
                                   3e94028a46297f26aa29213ab6590998
                                   155051240066265c2057fbe25515c2d1
                                   c2cd27b484e458922ecd79a898947030
                                   3f0155623f67733e1f3088dc4a254a0d
                                   14f2f1639016a9f1bedbd059264fa069
                                   abe1ac959486dfab8bb65777c1931d7a
                                   6c2e55b9fc38fc4842e32c1164ac8c78
                                   1a8510d68e03cf7d05b5980ac4268570
                                   70d9c2e88ce13ea0ce0212b1aaae9ec9
                                   be8ecd7a308d020735389a0df11e1f7d

   CTRBLKS (with MSbit set to 1)

                                   3ced67f5e03bb476a738c1343926dc99
                                   3ded67f5e03bb476a738c1343926dc99
                                   3eed67f5e03bb476a738c1343926dc99
                                   3fed67f5e03bb476a738c1343926dc99



   --------------------- TWO_KEYS     (AAD = 1, MSG = 8)---------

   AAD_byte_len = 1
   AAD_bit_len  = 8
   MSG_byte_len = 8
   MSG_bit_len  = 64
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   Record_Hash_Key                 c88735cffb99fd5cd4c805dcf487f5ae
   NONCE =                         03000000000000000000000000000000
   AAD =                           01
   MSG =                           0200000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
   LENBLK =                        08000000000000004000000000000000

   Computing POLYVAL on a
   buffer of 2 blocks + LENBLK.



Gueron, et al.            Expires March 2, 2017                [Page 56]


Internet-Draft                 aes-gcm-siv                   August 2016


   POLYVAL =                       ad6eec32034886271b42e3c654cdae9c
   with MSBit cleared =            ad6eec32034886271b42e3c654cdae1c
   TAG =                           ac9b952c76a6f8b5df315f88126daa1c
   AAD =                           01
   CT  =                           4dca2c16c3b0413c
   Encryption_Key =                d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be
                                   89652df6cf6760123507aac65573e48d
                                   a3b8104978bd7dacec005e1c1c7028a2
                                   da51176a153677782031ddbe75423933
                                   3e94028a46297f26aa29213ab6590998
                                   155051240066265c2057fbe25515c2d1
                                   c2cd27b484e458922ecd79a898947030
                                   3f0155623f67733e1f3088dc4a254a0d
                                   14f2f1639016a9f1bedbd059264fa069
                                   abe1ac959486dfab8bb65777c1931d7a
                                   6c2e55b9fc38fc4842e32c1164ac8c78
                                   1a8510d68e03cf7d05b5980ac4268570
                                   70d9c2e88ce13ea0ce0212b1aaae9ec9
                                   be8ecd7a308d020735389a0df11e1f7d

   CTRBLKS (with MSbit set to 1)

                                   ac9b952c76a6f8b5df315f88126daa9c



   --------------------- TWO_KEYS     (AAD = 1, MSG = 12)---------

   AAD_byte_len = 1
   AAD_bit_len  = 8
   MSG_byte_len = 12
   MSG_bit_len  = 96
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = K =                        01000000000000000000000000000000



Gueron, et al.            Expires March 2, 2017                [Page 57]


Internet-Draft                 aes-gcm-siv                   August 2016


                                   00000000000000000000000000000000
   Record_Hash_Key                 c88735cffb99fd5cd4c805dcf487f5ae
   NONCE =                         03000000000000000000000000000000
   AAD =                           01
   MSG =                           020000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
   LENBLK =                        08000000000000006000000000000000

   Computing POLYVAL on a
   buffer of 2 blocks + LENBLK.
   POLYVAL =                       267455b298b636f93c986a5931c4176a
   with MSBit cleared =            267455b298b636f93c986a5931c4176a
   TAG =                           756d6155927271077d790a05390ecb71
   AAD =                           01
   CT  =                           ee0ca9068b5b85dfe115a660
   Encryption_Key =                d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be
                                   89652df6cf6760123507aac65573e48d
                                   a3b8104978bd7dacec005e1c1c7028a2
                                   da51176a153677782031ddbe75423933
                                   3e94028a46297f26aa29213ab6590998
                                   155051240066265c2057fbe25515c2d1
                                   c2cd27b484e458922ecd79a898947030
                                   3f0155623f67733e1f3088dc4a254a0d
                                   14f2f1639016a9f1bedbd059264fa069
                                   abe1ac959486dfab8bb65777c1931d7a
                                   6c2e55b9fc38fc4842e32c1164ac8c78
                                   1a8510d68e03cf7d05b5980ac4268570
                                   70d9c2e88ce13ea0ce0212b1aaae9ec9
                                   be8ecd7a308d020735389a0df11e1f7d

   CTRBLKS (with MSbit set to 1)

                                   756d6155927271077d790a05390ecbf1



   --------------------- TWO_KEYS     (AAD = 1, MSG = 16)---------

   AAD_byte_len = 1
   AAD_bit_len  = 8



Gueron, et al.            Expires March 2, 2017                [Page 58]


Internet-Draft                 aes-gcm-siv                   August 2016


   MSG_byte_len = 16
   MSG_bit_len  = 128
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   Record_Hash_Key                 c88735cffb99fd5cd4c805dcf487f5ae
   NONCE =                         03000000000000000000000000000000
   AAD =                           01
   MSG =                           02000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
   LENBLK =                        08000000000000008000000000000000

   Computing POLYVAL on a
   buffer of 2 blocks + LENBLK.
   POLYVAL =                       94317a315a4f24e0cb9ed78709fa38ed
   with MSBit cleared =            94317a315a4f24e0cb9ed78709fa386d
   TAG =                           ac2c8f711c86dbecc8c7b663c5fbc1ea
   AAD =                           01
   CT  =                           590edb785c0cb89d19f031fa7e7d4f91
   Encryption_Key =                d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be
                                   89652df6cf6760123507aac65573e48d
                                   a3b8104978bd7dacec005e1c1c7028a2
                                   da51176a153677782031ddbe75423933
                                   3e94028a46297f26aa29213ab6590998
                                   155051240066265c2057fbe25515c2d1
                                   c2cd27b484e458922ecd79a898947030
                                   3f0155623f67733e1f3088dc4a254a0d
                                   14f2f1639016a9f1bedbd059264fa069
                                   abe1ac959486dfab8bb65777c1931d7a
                                   6c2e55b9fc38fc4842e32c1164ac8c78
                                   1a8510d68e03cf7d05b5980ac4268570
                                   70d9c2e88ce13ea0ce0212b1aaae9ec9
                                   be8ecd7a308d020735389a0df11e1f7d



Gueron, et al.            Expires March 2, 2017                [Page 59]


Internet-Draft                 aes-gcm-siv                   August 2016


   CTRBLKS (with MSbit set to 1)

                                   ac2c8f711c86dbecc8c7b663c5fbc1ea



   --------------------- TWO_KEYS     (AAD = 1, MSG = 32)---------

   AAD_byte_len = 1
   AAD_bit_len  = 8
   MSG_byte_len = 32
   MSG_bit_len  = 256
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 32
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 2
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   Record_Hash_Key                 c88735cffb99fd5cd4c805dcf487f5ae
   NONCE =                         03000000000000000000000000000000
   AAD =                           01
   MSG =                           02000000000000000000000000000000
                                   03000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
   LENBLK =                        08000000000000000001000000000000

   Computing POLYVAL on a
   buffer of 3 blocks + LENBLK.
   POLYVAL =                       f7ba9a64bc1f12f2fd4f844147dfda10
   with MSBit cleared =            f7ba9a64bc1f12f2fd4f844147dfda10
   TAG =                           a9b406643e190e602fb104fbb842a1ac
   AAD =                           01
   CT  =                           dcf2024f5f98d463b82a8673c47dd821
                                   59748cac8bcc7c76b8cfa26029cb333c
   Encryption_Key =                d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be



Gueron, et al.            Expires March 2, 2017                [Page 60]


Internet-Draft                 aes-gcm-siv                   August 2016


                                   89652df6cf6760123507aac65573e48d
                                   a3b8104978bd7dacec005e1c1c7028a2
                                   da51176a153677782031ddbe75423933
                                   3e94028a46297f26aa29213ab6590998
                                   155051240066265c2057fbe25515c2d1
                                   c2cd27b484e458922ecd79a898947030
                                   3f0155623f67733e1f3088dc4a254a0d
                                   14f2f1639016a9f1bedbd059264fa069
                                   abe1ac959486dfab8bb65777c1931d7a
                                   6c2e55b9fc38fc4842e32c1164ac8c78
                                   1a8510d68e03cf7d05b5980ac4268570
                                   70d9c2e88ce13ea0ce0212b1aaae9ec9
                                   be8ecd7a308d020735389a0df11e1f7d

   CTRBLKS (with MSbit set to 1)

                                   a9b406643e190e602fb104fbb842a1ac
                                   aab406643e190e602fb104fbb842a1ac



   --------------------- TWO_KEYS     (AAD = 1, MSG = 48)---------

   AAD_byte_len = 1
   AAD_bit_len  = 8
   MSG_byte_len = 48
   MSG_bit_len  = 384
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 48
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 3
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   Record_Hash_Key                 c88735cffb99fd5cd4c805dcf487f5ae
   NONCE =                         03000000000000000000000000000000
   AAD =                           01
   MSG =                           02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
   LENBLK =                        08000000000000008001000000000000



Gueron, et al.            Expires March 2, 2017                [Page 61]


Internet-Draft                 aes-gcm-siv                   August 2016


   Computing POLYVAL on a
   buffer of 4 blocks + LENBLK.
   POLYVAL =                       0e65fa1a12ce6d07022a5ef2e53b3472
   with MSBit cleared =            0e65fa1a12ce6d07022a5ef2e53b3472
   TAG =                           3ddfe9ad2c350980942638d3f954ac6d
   AAD =                           01
   CT  =                           79216506b1ddadfe16366e4ec886d10d
                                   c9400b995259f74c0091f9b5a6add568
                                   0a612130f6c31ab833aa76d9b2be86de
   Encryption_Key =                d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be
                                   89652df6cf6760123507aac65573e48d
                                   a3b8104978bd7dacec005e1c1c7028a2
                                   da51176a153677782031ddbe75423933
                                   3e94028a46297f26aa29213ab6590998
                                   155051240066265c2057fbe25515c2d1
                                   c2cd27b484e458922ecd79a898947030
                                   3f0155623f67733e1f3088dc4a254a0d
                                   14f2f1639016a9f1bedbd059264fa069
                                   abe1ac959486dfab8bb65777c1931d7a
                                   6c2e55b9fc38fc4842e32c1164ac8c78
                                   1a8510d68e03cf7d05b5980ac4268570
                                   70d9c2e88ce13ea0ce0212b1aaae9ec9
                                   be8ecd7a308d020735389a0df11e1f7d

   CTRBLKS (with MSbit set to 1)

                                   3ddfe9ad2c350980942638d3f954aced
                                   3edfe9ad2c350980942638d3f954aced
                                   3fdfe9ad2c350980942638d3f954aced



   --------------------- TWO_KEYS     (AAD = 1, MSG = 64)---------

   AAD_byte_len = 1
   AAD_bit_len  = 8
   MSG_byte_len = 64
   MSG_bit_len  = 512
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 64
   L1 blocks AAD(padded)  = 1



Gueron, et al.            Expires March 2, 2017                [Page 62]


Internet-Draft                 aes-gcm-siv                   August 2016


   L2 blocks MSG(padded)  = 4
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   Record_Hash_Key                 c88735cffb99fd5cd4c805dcf487f5ae
   NONCE =                         03000000000000000000000000000000
   AAD =                           01
   MSG =                           02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
                                   05000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
                                   05000000000000000000000000000000
   LENBLK =                        08000000000000000002000000000000

   Computing POLYVAL on a
   buffer of 5 blocks + LENBLK.
   POLYVAL =                       aabda7609b016f65b95ad45c247f1ec9
   with MSBit cleared =            aabda7609b016f65b95ad45c247f1e49
   TAG =                           abcb59ee31d25ee8889b70d7c36f9a41
   AAD =                           01
   CT  =                           9535eb67240c49f30a0de5a90670813f
                                   a615e71fcb4c522ca79d9a33459a22f8
                                   c6a56d650bf0b15eecdd706e7689cf65
                                   10a281724613fea76b5366b40574b1b9
   Encryption_Key =                d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be
                                   89652df6cf6760123507aac65573e48d
                                   a3b8104978bd7dacec005e1c1c7028a2
                                   da51176a153677782031ddbe75423933
                                   3e94028a46297f26aa29213ab6590998
                                   155051240066265c2057fbe25515c2d1
                                   c2cd27b484e458922ecd79a898947030
                                   3f0155623f67733e1f3088dc4a254a0d
                                   14f2f1639016a9f1bedbd059264fa069
                                   abe1ac959486dfab8bb65777c1931d7a



Gueron, et al.            Expires March 2, 2017                [Page 63]


Internet-Draft                 aes-gcm-siv                   August 2016


                                   6c2e55b9fc38fc4842e32c1164ac8c78
                                   1a8510d68e03cf7d05b5980ac4268570
                                   70d9c2e88ce13ea0ce0212b1aaae9ec9
                                   be8ecd7a308d020735389a0df11e1f7d

   CTRBLKS (with MSbit set to 1)

                                   abcb59ee31d25ee8889b70d7c36f9ac1
                                   accb59ee31d25ee8889b70d7c36f9ac1
                                   adcb59ee31d25ee8889b70d7c36f9ac1
                                   aecb59ee31d25ee8889b70d7c36f9ac1



   --------------------- TWO_KEYS     (AAD = 12, MSG = 4)---------

   AAD_byte_len = 12
   AAD_bit_len  = 96
   MSG_byte_len = 4
   MSG_bit_len  = 32
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   Record_Hash_Key                 c88735cffb99fd5cd4c805dcf487f5ae
   NONCE =                         03000000000000000000000000000000
   AAD =                           010000000000000000000000
   MSG =                           02000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
   LENBLK =                        60000000000000002000000000000000

   Computing POLYVAL on a
   buffer of 2 blocks + LENBLK.
   POLYVAL =                       d0595f745812b2cd4f61d4bb8fc111bf
   with MSBit cleared =            d0595f745812b2cd4f61d4bb8fc1113f
   TAG =                           53daf2bc5916f7a6750f2432068dabee
   AAD =                           010000000000000000000000
   CT  =                           9611baa0
   Encryption_Key =                d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be




Gueron, et al.            Expires March 2, 2017                [Page 64]


Internet-Draft                 aes-gcm-siv                   August 2016


   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be
                                   89652df6cf6760123507aac65573e48d
                                   a3b8104978bd7dacec005e1c1c7028a2
                                   da51176a153677782031ddbe75423933
                                   3e94028a46297f26aa29213ab6590998
                                   155051240066265c2057fbe25515c2d1
                                   c2cd27b484e458922ecd79a898947030
                                   3f0155623f67733e1f3088dc4a254a0d
                                   14f2f1639016a9f1bedbd059264fa069
                                   abe1ac959486dfab8bb65777c1931d7a
                                   6c2e55b9fc38fc4842e32c1164ac8c78
                                   1a8510d68e03cf7d05b5980ac4268570
                                   70d9c2e88ce13ea0ce0212b1aaae9ec9
                                   be8ecd7a308d020735389a0df11e1f7d

   CTRBLKS (with MSbit set to 1)

                                   53daf2bc5916f7a6750f2432068dabee



   --------------------- TWO_KEYS     (AAD = 18, MSG = 20)---------

   AAD_byte_len = 18
   AAD_bit_len  = 144
   MSG_byte_len = 20
   MSG_bit_len  = 160
   padded_AAD_byte_len = 32
   padded_MSG_byte_len = 32
   L1 blocks AAD(padded)  = 2
   L2 blocks MSG(padded)  = 2
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   Record_Hash_Key                 c88735cffb99fd5cd4c805dcf487f5ae
   NONCE =                         03000000000000000000000000000000
   AAD =                           01000000000000000000000000000000
                                   0200
   MSG =                           03000000000000000000000000000000
                                   04000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000



Gueron, et al.            Expires March 2, 2017                [Page 65]


Internet-Draft                 aes-gcm-siv                   August 2016


                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
   LENBLK =                        9000000000000000a000000000000000

   Computing POLYVAL on a
   buffer of 4 blocks + LENBLK.
   POLYVAL =                       dc588a492827cc160755a460bf9f2072
   with MSBit cleared =            dc588a492827cc160755a460bf9f2072
   TAG =                           f65187d8c28adba364d659b627b16431
   AAD =                           01000000000000000000000000000000
                                   0200
   CT  =                           78e3a1b54daa6547f775f30c38a45e88
                                   7aea5c87
   Encryption_Key =                d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be
                                   89652df6cf6760123507aac65573e48d
                                   a3b8104978bd7dacec005e1c1c7028a2
                                   da51176a153677782031ddbe75423933
                                   3e94028a46297f26aa29213ab6590998
                                   155051240066265c2057fbe25515c2d1
                                   c2cd27b484e458922ecd79a898947030
                                   3f0155623f67733e1f3088dc4a254a0d
                                   14f2f1639016a9f1bedbd059264fa069
                                   abe1ac959486dfab8bb65777c1931d7a
                                   6c2e55b9fc38fc4842e32c1164ac8c78
                                   1a8510d68e03cf7d05b5980ac4268570
                                   70d9c2e88ce13ea0ce0212b1aaae9ec9
                                   be8ecd7a308d020735389a0df11e1f7d

   CTRBLKS (with MSbit set to 1)

                                   f65187d8c28adba364d659b627b164b1
                                   f75187d8c28adba364d659b627b164b1



   --------------------- TWO_KEYS     (AAD = 20, MSG = 18)---------

   AAD_byte_len = 20
   AAD_bit_len  = 160
   MSG_byte_len = 18



Gueron, et al.            Expires March 2, 2017                [Page 66]


Internet-Draft                 aes-gcm-siv                   August 2016


   MSG_bit_len  = 144
   padded_AAD_byte_len = 32
   padded_MSG_byte_len = 32
   L1 blocks AAD(padded)  = 2
   L2 blocks MSG(padded)  = 2
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   Record_Hash_Key                 c88735cffb99fd5cd4c805dcf487f5ae
   NONCE =                         03000000000000000000000000000000
   AAD =                           01000000000000000000000000000000
                                   02000000
   MSG =                           03000000000000000000000000000000
                                   0400
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
   LENBLK =                        a0000000000000009000000000000000

   Computing POLYVAL on a
   buffer of 4 blocks + LENBLK.
   POLYVAL =                       26f82259292bc157c690c66c2322c03b
   with MSBit cleared =            26f82259292bc157c690c66c2322c03b
   TAG =                           6ac0135a4379dbc67967ff55fd4d1f2f
   AAD =                           01000000000000000000000000000000
                                   02000000
   CT  =                           c6d3d28704bf20067d62e1a3872d40dd
                                   a44b
   Encryption_Key =                d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be
                                   89652df6cf6760123507aac65573e48d
                                   a3b8104978bd7dacec005e1c1c7028a2
                                   da51176a153677782031ddbe75423933
                                   3e94028a46297f26aa29213ab6590998
                                   155051240066265c2057fbe25515c2d1
                                   c2cd27b484e458922ecd79a898947030
                                   3f0155623f67733e1f3088dc4a254a0d
                                   14f2f1639016a9f1bedbd059264fa069



Gueron, et al.            Expires March 2, 2017                [Page 67]


Internet-Draft                 aes-gcm-siv                   August 2016


                                   abe1ac959486dfab8bb65777c1931d7a
                                   6c2e55b9fc38fc4842e32c1164ac8c78
                                   1a8510d68e03cf7d05b5980ac4268570
                                   70d9c2e88ce13ea0ce0212b1aaae9ec9
                                   be8ecd7a308d020735389a0df11e1f7d

   CTRBLKS (with MSbit set to 1)

                                   6ac0135a4379dbc67967ff55fd4d1faf
                                   6bc0135a4379dbc67967ff55fd4d1faf



   --------------------- TWO_KEYS     (AAD = 0, MSG = 0)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 0
   MSG_bit_len  = 0
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 0
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 0
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   Record_Hash_Key                 c88735cffb99fd5cd4c805dcf487f5ae
   NONCE =                         03000000000000000000000000000000
   AAD =
   MSG =
   PADDED_AAD_and_MSG =
   LENBLK =                        00000000000000000000000000000000

   Computing POLYVAL on a
   buffer of 0 blocks + LENBLK.
   POLYVAL =                       00000000000000000000000000000000
   with MSBit cleared =            00000000000000000000000000000000
   TAG =                           eb7ccf36eeff369241379c87cc08e4f0
   AAD =
   CT  =
   Encryption_Key =                d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be

   ***************************
            APPENDIX



Gueron, et al.            Expires March 2, 2017                [Page 68]


Internet-Draft                 aes-gcm-siv                   August 2016


   ***************************
   KEY_SCHEDULE (Encryption_Key)   d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be
                                   89652df6cf6760123507aac65573e48d
                                   a3b8104978bd7dacec005e1c1c7028a2
                                   da51176a153677782031ddbe75423933
                                   3e94028a46297f26aa29213ab6590998
                                   155051240066265c2057fbe25515c2d1
                                   c2cd27b484e458922ecd79a898947030
                                   3f0155623f67733e1f3088dc4a254a0d
                                   14f2f1639016a9f1bedbd059264fa069
                                   abe1ac959486dfab8bb65777c1931d7a
                                   6c2e55b9fc38fc4842e32c1164ac8c78
                                   1a8510d68e03cf7d05b5980ac4268570
                                   70d9c2e88ce13ea0ce0212b1aaae9ec9
                                   be8ecd7a308d020735389a0df11e1f7d

   CTRBLKS (with MSbit set to 1)




   --------------------- TWO_KEYS     (AAD = 0, MSG = 8)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 8
   MSG_bit_len  = 64
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   Record_Hash_Key                 c88735cffb99fd5cd4c805dcf487f5ae
   NONCE =                         03000000000000000000000000000000
   AAD =
   MSG =                           0100000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
   LENBLK =                        00000000000000004000000000000000

   Computing POLYVAL on a
   buffer of 1 blocks + LENBLK.
   POLYVAL =                       6889f69f7a083ff47c24c9fdadd08205



Gueron, et al.            Expires March 2, 2017                [Page 69]


Internet-Draft                 aes-gcm-siv                   August 2016


   with MSBit cleared =            6889f69f7a083ff47c24c9fdadd08205
   TAG =                           a0a69e07b73281f5cdfd034f646cfa08
   AAD =
   CT  =                           ab3f382a6f0fb4c3
   Encryption_Key =                d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be
                                   89652df6cf6760123507aac65573e48d
                                   a3b8104978bd7dacec005e1c1c7028a2
                                   da51176a153677782031ddbe75423933
                                   3e94028a46297f26aa29213ab6590998
                                   155051240066265c2057fbe25515c2d1
                                   c2cd27b484e458922ecd79a898947030
                                   3f0155623f67733e1f3088dc4a254a0d
                                   14f2f1639016a9f1bedbd059264fa069
                                   abe1ac959486dfab8bb65777c1931d7a
                                   6c2e55b9fc38fc4842e32c1164ac8c78
                                   1a8510d68e03cf7d05b5980ac4268570
                                   70d9c2e88ce13ea0ce0212b1aaae9ec9
                                   be8ecd7a308d020735389a0df11e1f7d

   CTRBLKS (with MSbit set to 1)

                                   a0a69e07b73281f5cdfd034f646cfa88



   --------------------- TWO_KEYS     (AAD = 0, MSG = 12)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 12
   MSG_bit_len  = 96
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000



Gueron, et al.            Expires March 2, 2017                [Page 70]


Internet-Draft                 aes-gcm-siv                   August 2016


   Record_Hash_Key                 c88735cffb99fd5cd4c805dcf487f5ae
   NONCE =                         03000000000000000000000000000000
   AAD =
   MSG =                           010000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
   LENBLK =                        00000000000000006000000000000000

   Computing POLYVAL on a
   buffer of 1 blocks + LENBLK.
   POLYVAL =                       e3934f1fe1f68f2a5bfe4062c8d93bf3
   with MSBit cleared =            e3934f1fe1f68f2a5bfe4062c8d93b73
   TAG =                           cdf3ba70da9c7cbd45f5140ba0cca9f1
   AAD =
   CT  =                           be8d81f033ca23b953da2197
   Encryption_Key =                d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be
                                   89652df6cf6760123507aac65573e48d
                                   a3b8104978bd7dacec005e1c1c7028a2
                                   da51176a153677782031ddbe75423933
                                   3e94028a46297f26aa29213ab6590998
                                   155051240066265c2057fbe25515c2d1
                                   c2cd27b484e458922ecd79a898947030
                                   3f0155623f67733e1f3088dc4a254a0d
                                   14f2f1639016a9f1bedbd059264fa069
                                   abe1ac959486dfab8bb65777c1931d7a
                                   6c2e55b9fc38fc4842e32c1164ac8c78
                                   1a8510d68e03cf7d05b5980ac4268570
                                   70d9c2e88ce13ea0ce0212b1aaae9ec9
                                   be8ecd7a308d020735389a0df11e1f7d

   CTRBLKS (with MSbit set to 1)

                                   cdf3ba70da9c7cbd45f5140ba0cca9f1



   --------------------- TWO_KEYS     (AAD = 0, MSG = 16)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 16
   MSG_bit_len  = 128



Gueron, et al.            Expires March 2, 2017                [Page 71]


Internet-Draft                 aes-gcm-siv                   August 2016


   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   Record_Hash_Key                 c88735cffb99fd5cd4c805dcf487f5ae
   NONCE =                         03000000000000000000000000000000
   AAD =
   MSG =                           01000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
   LENBLK =                        00000000000000008000000000000000

   Computing POLYVAL on a
   buffer of 1 blocks + LENBLK.
   POLYVAL =                       51d6609c230f9d33acf8fdbcf0e71474
   with MSBit cleared =            51d6609c230f9d33acf8fdbcf0e71474
   TAG =                           be19d78991c62130cf97f628c37c3eaa
   AAD =
   CT  =                           46e05b7116dbe27aaeffe99892194072
   Encryption_Key =                d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be
                                   89652df6cf6760123507aac65573e48d
                                   a3b8104978bd7dacec005e1c1c7028a2
                                   da51176a153677782031ddbe75423933
                                   3e94028a46297f26aa29213ab6590998
                                   155051240066265c2057fbe25515c2d1
                                   c2cd27b484e458922ecd79a898947030
                                   3f0155623f67733e1f3088dc4a254a0d
                                   14f2f1639016a9f1bedbd059264fa069
                                   abe1ac959486dfab8bb65777c1931d7a
                                   6c2e55b9fc38fc4842e32c1164ac8c78
                                   1a8510d68e03cf7d05b5980ac4268570
                                   70d9c2e88ce13ea0ce0212b1aaae9ec9
                                   be8ecd7a308d020735389a0df11e1f7d

   CTRBLKS (with MSbit set to 1)




Gueron, et al.            Expires March 2, 2017                [Page 72]


Internet-Draft                 aes-gcm-siv                   August 2016


                                   be19d78991c62130cf97f628c37c3eaa



   --------------------- TWO_KEYS     (AAD = 0, MSG = 32)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 32
   MSG_bit_len  = 256
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 32
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 2
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   Record_Hash_Key                 c88735cffb99fd5cd4c805dcf487f5ae
   NONCE =                         03000000000000000000000000000000
   AAD =
   MSG =                           01000000000000000000000000000000
                                   02000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
   LENBLK =                        00000000000000000001000000000000

   Computing POLYVAL on a
   buffer of 2 blocks + LENBLK.
   POLYVAL =                       6ff9b451b1034e07bc8f4c6050e36abe
   with MSBit cleared =            6ff9b451b1034e07bc8f4c6050e36a3e
   TAG =                           16c5944034050657af7c0fec7efbc40f
   AAD =
   CT  =                           23ddbe9ef342b03003f56d6b4a2e8aff
                                   035c7d7cfd705e1ab4502904254bb67a
   Encryption_Key =                d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be
                                   89652df6cf6760123507aac65573e48d
                                   a3b8104978bd7dacec005e1c1c7028a2
                                   da51176a153677782031ddbe75423933



Gueron, et al.            Expires March 2, 2017                [Page 73]


Internet-Draft                 aes-gcm-siv                   August 2016


                                   3e94028a46297f26aa29213ab6590998
                                   155051240066265c2057fbe25515c2d1
                                   c2cd27b484e458922ecd79a898947030
                                   3f0155623f67733e1f3088dc4a254a0d
                                   14f2f1639016a9f1bedbd059264fa069
                                   abe1ac959486dfab8bb65777c1931d7a
                                   6c2e55b9fc38fc4842e32c1164ac8c78
                                   1a8510d68e03cf7d05b5980ac4268570
                                   70d9c2e88ce13ea0ce0212b1aaae9ec9
                                   be8ecd7a308d020735389a0df11e1f7d

   CTRBLKS (with MSbit set to 1)

                                   16c5944034050657af7c0fec7efbc48f
                                   17c5944034050657af7c0fec7efbc48f



   --------------------- TWO_KEYS     (AAD = 0, MSG = 48)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 48
   MSG_bit_len  = 384
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 48
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 3
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   Record_Hash_Key                 c88735cffb99fd5cd4c805dcf487f5ae
   NONCE =                         03000000000000000000000000000000
   AAD =
   MSG =                           01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
   LENBLK =                        00000000000000008001000000000000

   Computing POLYVAL on a
   buffer of 3 blocks + LENBLK.
   POLYVAL =                       50a69c018ba7ffe0b48f515a328d40fe



Gueron, et al.            Expires March 2, 2017                [Page 74]


Internet-Draft                 aes-gcm-siv                   August 2016


   with MSBit cleared =            50a69c018ba7ffe0b48f515a328d407e
   TAG =                           abedb4841c20f3b05e61e0fd1fcaf3d0
   AAD =
   CT  =                           b104c8945f280e75b52c05c45a63d187
                                   2c7f0552b1501968d9913d71207d0433
                                   f978f1a3eecdf782016b77e8c9d3ff53
   Encryption_Key =                d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be
                                   89652df6cf6760123507aac65573e48d
                                   a3b8104978bd7dacec005e1c1c7028a2
                                   da51176a153677782031ddbe75423933
                                   3e94028a46297f26aa29213ab6590998
                                   155051240066265c2057fbe25515c2d1
                                   c2cd27b484e458922ecd79a898947030
                                   3f0155623f67733e1f3088dc4a254a0d
                                   14f2f1639016a9f1bedbd059264fa069
                                   abe1ac959486dfab8bb65777c1931d7a
                                   6c2e55b9fc38fc4842e32c1164ac8c78
                                   1a8510d68e03cf7d05b5980ac4268570
                                   70d9c2e88ce13ea0ce0212b1aaae9ec9
                                   be8ecd7a308d020735389a0df11e1f7d

   CTRBLKS (with MSbit set to 1)

                                   abedb4841c20f3b05e61e0fd1fcaf3d0
                                   acedb4841c20f3b05e61e0fd1fcaf3d0
                                   adedb4841c20f3b05e61e0fd1fcaf3d0



   --------------------- TWO_KEYS     (AAD = 0, MSG = 64)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 64
   MSG_bit_len  = 512
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 64
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 4
                                               BYTES ORDER
                                   LSB--------------------------MSB



Gueron, et al.            Expires March 2, 2017                [Page 75]


Internet-Draft                 aes-gcm-siv                   August 2016


                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   Record_Hash_Key                 c88735cffb99fd5cd4c805dcf487f5ae
   NONCE =                         03000000000000000000000000000000
   AAD =
   MSG =                           01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
   LENBLK =                        00000000000000000002000000000000

   Computing POLYVAL on a
   buffer of 4 blocks + LENBLK.
   POLYVAL =                       4c05a571416b080b089958ede5b4f698
   with MSBit cleared =            4c05a571416b080b089958ede5b4f618
   TAG =                           3ced67f5e03bb476a738c1343926dc19
   AAD =
   CT  =                           e3f2bd14f4c80c9cea4c90c81f0e4d7e
                                   edb87eb19a7c0cf5a5a95cd3e441a710
                                   83b1191d115e9a9ff008b93feeb5a86d
                                   012a3e0adb89de2d1e3225479022292f
   Encryption_Key =                d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be
                                   89652df6cf6760123507aac65573e48d
                                   a3b8104978bd7dacec005e1c1c7028a2
                                   da51176a153677782031ddbe75423933
                                   3e94028a46297f26aa29213ab6590998
                                   155051240066265c2057fbe25515c2d1
                                   c2cd27b484e458922ecd79a898947030
                                   3f0155623f67733e1f3088dc4a254a0d
                                   14f2f1639016a9f1bedbd059264fa069
                                   abe1ac959486dfab8bb65777c1931d7a
                                   6c2e55b9fc38fc4842e32c1164ac8c78
                                   1a8510d68e03cf7d05b5980ac4268570
                                   70d9c2e88ce13ea0ce0212b1aaae9ec9
                                   be8ecd7a308d020735389a0df11e1f7d



Gueron, et al.            Expires March 2, 2017                [Page 76]


Internet-Draft                 aes-gcm-siv                   August 2016


   CTRBLKS (with MSbit set to 1)

                                   3ced67f5e03bb476a738c1343926dc99
                                   3ded67f5e03bb476a738c1343926dc99
                                   3eed67f5e03bb476a738c1343926dc99
                                   3fed67f5e03bb476a738c1343926dc99



   --------------------- TWO_KEYS     (AAD = 1, MSG = 8)---------

   AAD_byte_len = 1
   AAD_bit_len  = 8
   MSG_byte_len = 8
   MSG_bit_len  = 64
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   Record_Hash_Key                 c88735cffb99fd5cd4c805dcf487f5ae
   NONCE =                         03000000000000000000000000000000
   AAD =                           01
   MSG =                           0200000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
   LENBLK =                        08000000000000004000000000000000

   Computing POLYVAL on a
   buffer of 2 blocks + LENBLK.
   POLYVAL =                       ad6eec32034886271b42e3c654cdae9c
   with MSBit cleared =            ad6eec32034886271b42e3c654cdae1c
   TAG =                           ac9b952c76a6f8b5df315f88126daa1c
   AAD =                           01
   CT  =                           4dca2c16c3b0413c
   Encryption_Key =                d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be



Gueron, et al.            Expires March 2, 2017                [Page 77]


Internet-Draft                 aes-gcm-siv                   August 2016


                                   89652df6cf6760123507aac65573e48d
                                   a3b8104978bd7dacec005e1c1c7028a2
                                   da51176a153677782031ddbe75423933
                                   3e94028a46297f26aa29213ab6590998
                                   155051240066265c2057fbe25515c2d1
                                   c2cd27b484e458922ecd79a898947030
                                   3f0155623f67733e1f3088dc4a254a0d
                                   14f2f1639016a9f1bedbd059264fa069
                                   abe1ac959486dfab8bb65777c1931d7a
                                   6c2e55b9fc38fc4842e32c1164ac8c78
                                   1a8510d68e03cf7d05b5980ac4268570
                                   70d9c2e88ce13ea0ce0212b1aaae9ec9
                                   be8ecd7a308d020735389a0df11e1f7d

   CTRBLKS (with MSbit set to 1)

                                   ac9b952c76a6f8b5df315f88126daa9c



   --------------------- TWO_KEYS     (AAD = 1, MSG = 12)---------

   AAD_byte_len = 1
   AAD_bit_len  = 8
   MSG_byte_len = 12
   MSG_bit_len  = 96
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   Record_Hash_Key                 c88735cffb99fd5cd4c805dcf487f5ae
   NONCE =                         03000000000000000000000000000000
   AAD =                           01
   MSG =                           020000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
   LENBLK =                        08000000000000006000000000000000

   Computing POLYVAL on a
   buffer of 2 blocks + LENBLK.
   POLYVAL =                       267455b298b636f93c986a5931c4176a
   with MSBit cleared =            267455b298b636f93c986a5931c4176a



Gueron, et al.            Expires March 2, 2017                [Page 78]


Internet-Draft                 aes-gcm-siv                   August 2016


   TAG =                           756d6155927271077d790a05390ecb71
   AAD =                           01
   CT  =                           ee0ca9068b5b85dfe115a660
   Encryption_Key =                d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be
                                   89652df6cf6760123507aac65573e48d
                                   a3b8104978bd7dacec005e1c1c7028a2
                                   da51176a153677782031ddbe75423933
                                   3e94028a46297f26aa29213ab6590998
                                   155051240066265c2057fbe25515c2d1
                                   c2cd27b484e458922ecd79a898947030
                                   3f0155623f67733e1f3088dc4a254a0d
                                   14f2f1639016a9f1bedbd059264fa069
                                   abe1ac959486dfab8bb65777c1931d7a
                                   6c2e55b9fc38fc4842e32c1164ac8c78
                                   1a8510d68e03cf7d05b5980ac4268570
                                   70d9c2e88ce13ea0ce0212b1aaae9ec9
                                   be8ecd7a308d020735389a0df11e1f7d

   CTRBLKS (with MSbit set to 1)

                                   756d6155927271077d790a05390ecbf1



   --------------------- TWO_KEYS     (AAD = 1, MSG = 16)---------

   AAD_byte_len = 1
   AAD_bit_len  = 8
   MSG_byte_len = 16
   MSG_bit_len  = 128
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   Record_Hash_Key                 c88735cffb99fd5cd4c805dcf487f5ae



Gueron, et al.            Expires March 2, 2017                [Page 79]


Internet-Draft                 aes-gcm-siv                   August 2016


   NONCE =                         03000000000000000000000000000000
   AAD =                           01
   MSG =                           02000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
   LENBLK =                        08000000000000008000000000000000

   Computing POLYVAL on a
   buffer of 2 blocks + LENBLK.
   POLYVAL =                       94317a315a4f24e0cb9ed78709fa38ed
   with MSBit cleared =            94317a315a4f24e0cb9ed78709fa386d
   TAG =                           ac2c8f711c86dbecc8c7b663c5fbc1ea
   AAD =                           01
   CT  =                           590edb785c0cb89d19f031fa7e7d4f91
   Encryption_Key =                d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be
                                   89652df6cf6760123507aac65573e48d
                                   a3b8104978bd7dacec005e1c1c7028a2
                                   da51176a153677782031ddbe75423933
                                   3e94028a46297f26aa29213ab6590998
                                   155051240066265c2057fbe25515c2d1
                                   c2cd27b484e458922ecd79a898947030
                                   3f0155623f67733e1f3088dc4a254a0d
                                   14f2f1639016a9f1bedbd059264fa069
                                   abe1ac959486dfab8bb65777c1931d7a
                                   6c2e55b9fc38fc4842e32c1164ac8c78
                                   1a8510d68e03cf7d05b5980ac4268570
                                   70d9c2e88ce13ea0ce0212b1aaae9ec9
                                   be8ecd7a308d020735389a0df11e1f7d

   CTRBLKS (with MSbit set to 1)

                                   ac2c8f711c86dbecc8c7b663c5fbc1ea



   --------------------- TWO_KEYS     (AAD = 1, MSG = 32)---------

   AAD_byte_len = 1
   AAD_bit_len  = 8
   MSG_byte_len = 32
   MSG_bit_len  = 256



Gueron, et al.            Expires March 2, 2017                [Page 80]


Internet-Draft                 aes-gcm-siv                   August 2016


   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 32
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 2
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   Record_Hash_Key                 c88735cffb99fd5cd4c805dcf487f5ae
   NONCE =                         03000000000000000000000000000000
   AAD =                           01
   MSG =                           02000000000000000000000000000000
                                   03000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
   LENBLK =                        08000000000000000001000000000000

   Computing POLYVAL on a
   buffer of 3 blocks + LENBLK.
   POLYVAL =                       f7ba9a64bc1f12f2fd4f844147dfda10
   with MSBit cleared =            f7ba9a64bc1f12f2fd4f844147dfda10
   TAG =                           a9b406643e190e602fb104fbb842a1ac
   AAD =                           01
   CT  =                           dcf2024f5f98d463b82a8673c47dd821
                                   59748cac8bcc7c76b8cfa26029cb333c
   Encryption_Key =                d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be
                                   89652df6cf6760123507aac65573e48d
                                   a3b8104978bd7dacec005e1c1c7028a2
                                   da51176a153677782031ddbe75423933
                                   3e94028a46297f26aa29213ab6590998
                                   155051240066265c2057fbe25515c2d1
                                   c2cd27b484e458922ecd79a898947030
                                   3f0155623f67733e1f3088dc4a254a0d
                                   14f2f1639016a9f1bedbd059264fa069
                                   abe1ac959486dfab8bb65777c1931d7a
                                   6c2e55b9fc38fc4842e32c1164ac8c78
                                   1a8510d68e03cf7d05b5980ac4268570
                                   70d9c2e88ce13ea0ce0212b1aaae9ec9



Gueron, et al.            Expires March 2, 2017                [Page 81]


Internet-Draft                 aes-gcm-siv                   August 2016


                                   be8ecd7a308d020735389a0df11e1f7d

   CTRBLKS (with MSbit set to 1)

                                   a9b406643e190e602fb104fbb842a1ac
                                   aab406643e190e602fb104fbb842a1ac



   --------------------- TWO_KEYS     (AAD = 1, MSG = 48)---------

   AAD_byte_len = 1
   AAD_bit_len  = 8
   MSG_byte_len = 48
   MSG_bit_len  = 384
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 48
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 3
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   Record_Hash_Key                 c88735cffb99fd5cd4c805dcf487f5ae
   NONCE =                         03000000000000000000000000000000
   AAD =                           01
   MSG =                           02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
   LENBLK =                        08000000000000008001000000000000

   Computing POLYVAL on a
   buffer of 4 blocks + LENBLK.
   POLYVAL =                       0e65fa1a12ce6d07022a5ef2e53b3472
   with MSBit cleared =            0e65fa1a12ce6d07022a5ef2e53b3472
   TAG =                           3ddfe9ad2c350980942638d3f954ac6d
   AAD =                           01
   CT  =                           79216506b1ddadfe16366e4ec886d10d
                                   c9400b995259f74c0091f9b5a6add568
                                   0a612130f6c31ab833aa76d9b2be86de
   Encryption_Key =                d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be



Gueron, et al.            Expires March 2, 2017                [Page 82]


Internet-Draft                 aes-gcm-siv                   August 2016


   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be
                                   89652df6cf6760123507aac65573e48d
                                   a3b8104978bd7dacec005e1c1c7028a2
                                   da51176a153677782031ddbe75423933
                                   3e94028a46297f26aa29213ab6590998
                                   155051240066265c2057fbe25515c2d1
                                   c2cd27b484e458922ecd79a898947030
                                   3f0155623f67733e1f3088dc4a254a0d
                                   14f2f1639016a9f1bedbd059264fa069
                                   abe1ac959486dfab8bb65777c1931d7a
                                   6c2e55b9fc38fc4842e32c1164ac8c78
                                   1a8510d68e03cf7d05b5980ac4268570
                                   70d9c2e88ce13ea0ce0212b1aaae9ec9
                                   be8ecd7a308d020735389a0df11e1f7d

   CTRBLKS (with MSbit set to 1)

                                   3ddfe9ad2c350980942638d3f954aced
                                   3edfe9ad2c350980942638d3f954aced
                                   3fdfe9ad2c350980942638d3f954aced



   --------------------- TWO_KEYS     (AAD = 1, MSG = 64)---------

   AAD_byte_len = 1
   AAD_bit_len  = 8
   MSG_byte_len = 64
   MSG_bit_len  = 512
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 64
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 4
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   Record_Hash_Key                 c88735cffb99fd5cd4c805dcf487f5ae
   NONCE =                         03000000000000000000000000000000
   AAD =                           01
   MSG =                           02000000000000000000000000000000
                                   03000000000000000000000000000000



Gueron, et al.            Expires March 2, 2017                [Page 83]


Internet-Draft                 aes-gcm-siv                   August 2016


                                   04000000000000000000000000000000
                                   05000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
                                   05000000000000000000000000000000
   LENBLK =                        08000000000000000002000000000000

   Computing POLYVAL on a
   buffer of 5 blocks + LENBLK.
   POLYVAL =                       aabda7609b016f65b95ad45c247f1ec9
   with MSBit cleared =            aabda7609b016f65b95ad45c247f1e49
   TAG =                           abcb59ee31d25ee8889b70d7c36f9a41
   AAD =                           01
   CT  =                           9535eb67240c49f30a0de5a90670813f
                                   a615e71fcb4c522ca79d9a33459a22f8
                                   c6a56d650bf0b15eecdd706e7689cf65
                                   10a281724613fea76b5366b40574b1b9
   Encryption_Key =                d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be
                                   89652df6cf6760123507aac65573e48d
                                   a3b8104978bd7dacec005e1c1c7028a2
                                   da51176a153677782031ddbe75423933
                                   3e94028a46297f26aa29213ab6590998
                                   155051240066265c2057fbe25515c2d1
                                   c2cd27b484e458922ecd79a898947030
                                   3f0155623f67733e1f3088dc4a254a0d
                                   14f2f1639016a9f1bedbd059264fa069
                                   abe1ac959486dfab8bb65777c1931d7a
                                   6c2e55b9fc38fc4842e32c1164ac8c78
                                   1a8510d68e03cf7d05b5980ac4268570
                                   70d9c2e88ce13ea0ce0212b1aaae9ec9
                                   be8ecd7a308d020735389a0df11e1f7d

   CTRBLKS (with MSbit set to 1)

                                   abcb59ee31d25ee8889b70d7c36f9ac1
                                   accb59ee31d25ee8889b70d7c36f9ac1
                                   adcb59ee31d25ee8889b70d7c36f9ac1
                                   aecb59ee31d25ee8889b70d7c36f9ac1




Gueron, et al.            Expires March 2, 2017                [Page 84]


Internet-Draft                 aes-gcm-siv                   August 2016


   --------------------- TWO_KEYS     (AAD = 12, MSG = 4)---------

   AAD_byte_len = 12
   AAD_bit_len  = 96
   MSG_byte_len = 4
   MSG_bit_len  = 32
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   Record_Hash_Key                 c88735cffb99fd5cd4c805dcf487f5ae
   NONCE =                         03000000000000000000000000000000
   AAD =                           010000000000000000000000
   MSG =                           02000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
   LENBLK =                        60000000000000002000000000000000

   Computing POLYVAL on a
   buffer of 2 blocks + LENBLK.
   POLYVAL =                       d0595f745812b2cd4f61d4bb8fc111bf
   with MSBit cleared =            d0595f745812b2cd4f61d4bb8fc1113f
   TAG =                           53daf2bc5916f7a6750f2432068dabee
   AAD =                           010000000000000000000000
   CT  =                           9611baa0
   Encryption_Key =                d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be
                                   89652df6cf6760123507aac65573e48d
                                   a3b8104978bd7dacec005e1c1c7028a2
                                   da51176a153677782031ddbe75423933
                                   3e94028a46297f26aa29213ab6590998
                                   155051240066265c2057fbe25515c2d1
                                   c2cd27b484e458922ecd79a898947030
                                   3f0155623f67733e1f3088dc4a254a0d
                                   14f2f1639016a9f1bedbd059264fa069
                                   abe1ac959486dfab8bb65777c1931d7a



Gueron, et al.            Expires March 2, 2017                [Page 85]


Internet-Draft                 aes-gcm-siv                   August 2016


                                   6c2e55b9fc38fc4842e32c1164ac8c78
                                   1a8510d68e03cf7d05b5980ac4268570
                                   70d9c2e88ce13ea0ce0212b1aaae9ec9
                                   be8ecd7a308d020735389a0df11e1f7d

   CTRBLKS (with MSbit set to 1)

                                   53daf2bc5916f7a6750f2432068dabee



   --------------------- TWO_KEYS     (AAD = 18, MSG = 20)---------

   AAD_byte_len = 18
   AAD_bit_len  = 144
   MSG_byte_len = 20
   MSG_bit_len  = 160
   padded_AAD_byte_len = 32
   padded_MSG_byte_len = 32
   L1 blocks AAD(padded)  = 2
   L2 blocks MSG(padded)  = 2
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   Record_Hash_Key                 c88735cffb99fd5cd4c805dcf487f5ae
   NONCE =                         03000000000000000000000000000000
   AAD =                           01000000000000000000000000000000
                                   0200
   MSG =                           03000000000000000000000000000000
                                   04000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
   LENBLK =                        9000000000000000a000000000000000

   Computing POLYVAL on a
   buffer of 4 blocks + LENBLK.
   POLYVAL =                       dc588a492827cc160755a460bf9f2072
   with MSBit cleared =            dc588a492827cc160755a460bf9f2072
   TAG =                           f65187d8c28adba364d659b627b16431
   AAD =                           01000000000000000000000000000000
                                   0200
   CT  =                           78e3a1b54daa6547f775f30c38a45e88
                                   7aea5c87



Gueron, et al.            Expires March 2, 2017                [Page 86]


Internet-Draft                 aes-gcm-siv                   August 2016


   Encryption_Key =                d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be
                                   89652df6cf6760123507aac65573e48d
                                   a3b8104978bd7dacec005e1c1c7028a2
                                   da51176a153677782031ddbe75423933
                                   3e94028a46297f26aa29213ab6590998
                                   155051240066265c2057fbe25515c2d1
                                   c2cd27b484e458922ecd79a898947030
                                   3f0155623f67733e1f3088dc4a254a0d
                                   14f2f1639016a9f1bedbd059264fa069
                                   abe1ac959486dfab8bb65777c1931d7a
                                   6c2e55b9fc38fc4842e32c1164ac8c78
                                   1a8510d68e03cf7d05b5980ac4268570
                                   70d9c2e88ce13ea0ce0212b1aaae9ec9
                                   be8ecd7a308d020735389a0df11e1f7d

   CTRBLKS (with MSbit set to 1)

                                   f65187d8c28adba364d659b627b164b1
                                   f75187d8c28adba364d659b627b164b1



   --------------------- TWO_KEYS     (AAD = 20, MSG = 18)---------

   AAD_byte_len = 20
   AAD_bit_len  = 160
   MSG_byte_len = 18
   MSG_bit_len  = 144
   padded_AAD_byte_len = 32
   padded_MSG_byte_len = 32
   L1 blocks AAD(padded)  = 2
   L2 blocks MSG(padded)  = 2
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   Record_Hash_Key                 c88735cffb99fd5cd4c805dcf487f5ae
   NONCE =                         03000000000000000000000000000000
   AAD =                           01000000000000000000000000000000



Gueron, et al.            Expires March 2, 2017                [Page 87]


Internet-Draft                 aes-gcm-siv                   August 2016


                                   02000000
   MSG =                           03000000000000000000000000000000
                                   0400
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
   LENBLK =                        a0000000000000009000000000000000

   Computing POLYVAL on a
   buffer of 4 blocks + LENBLK.
   POLYVAL =                       26f82259292bc157c690c66c2322c03b
   with MSBit cleared =            26f82259292bc157c690c66c2322c03b
   TAG =                           6ac0135a4379dbc67967ff55fd4d1f2f
   AAD =                           01000000000000000000000000000000
                                   02000000
   CT  =                           c6d3d28704bf20067d62e1a3872d40dd
                                   a44b
   Encryption_Key =                d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d95d837a46024de4fa60cad460744e4b
                                   5f377914db056de594bd23b0f07076be
                                   89652df6cf6760123507aac65573e48d
                                   a3b8104978bd7dacec005e1c1c7028a2
                                   da51176a153677782031ddbe75423933
                                   3e94028a46297f26aa29213ab6590998
                                   155051240066265c2057fbe25515c2d1
                                   c2cd27b484e458922ecd79a898947030
                                   3f0155623f67733e1f3088dc4a254a0d
                                   14f2f1639016a9f1bedbd059264fa069
                                   abe1ac959486dfab8bb65777c1931d7a
                                   6c2e55b9fc38fc4842e32c1164ac8c78
                                   1a8510d68e03cf7d05b5980ac4268570
                                   70d9c2e88ce13ea0ce0212b1aaae9ec9
                                   be8ecd7a308d020735389a0df11e1f7d

   CTRBLKS (with MSbit set to 1)

                                   6ac0135a4379dbc67967ff55fd4d1faf
                                   6bc0135a4379dbc67967ff55fd4d1faf







Gueron, et al.            Expires March 2, 2017                [Page 88]


Internet-Draft                 aes-gcm-siv                   August 2016


Authors' Addresses

   Shay Gueron
   University of Haifa and Intel Corporation
   Abba Khoushy Ave 199
   Haifa  3498838
   Israel

   Email: shay@math.haifa.ac.il


   Adam Langley
   Google
   345 Spear St
   San Francisco, CA  94105
   US

   Email: agl@google.com


   Yehuda Lindell
   Bar Ilan University
   Bar Ilan University
   Ramat Gan  5290002
   Israel

   Email: Yehuda.Lindell@biu.ac.il
























Gueron, et al.            Expires March 2, 2017                [Page 89]


Html markup produced by rfcmarkup 1.129d, available from https://tools.ietf.org/tools/rfcmarkup/