Skip to main content

AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption
draft-irtf-cfrg-gcmsiv-00

The information below is for an old version of the document.
Document Type
This is an older version of an Internet-Draft that was ultimately published as RFC 8452.
Authors Shay Gueron , Adam Langley , Yehuda Lindell
Last updated 2016-04-19
Replaces draft-gueron-gcmsiv
RFC stream Internet Research Task Force (IRTF)
Formats
IETF conflict review conflict-review-irtf-cfrg-gcmsiv, conflict-review-irtf-cfrg-gcmsiv, conflict-review-irtf-cfrg-gcmsiv, conflict-review-irtf-cfrg-gcmsiv, conflict-review-irtf-cfrg-gcmsiv, conflict-review-irtf-cfrg-gcmsiv, conflict-review-irtf-cfrg-gcmsiv
Additional resources Mailing list discussion
Stream IRTF state (None)
Consensus boilerplate Unknown
Document shepherd (None)
IESG IESG state Became RFC 8452 (Informational)
Telechat date (None)
Responsible AD (None)
Send notices to (None)
draft-irtf-cfrg-gcmsiv-00
CFRG                                                           S. Gueron
Internet-Draft                 University of Haifa and Intel Corporation
Intended status: Informational                                A. Langley
Expires: October 21, 2016                                         Google
                                                              Y. Lindell
                                                     Bar Ilan University
                                                          April 19, 2016

      AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption
                       draft-irtf-cfrg-gcmsiv-00

Abstract

   This memo specifies two authenticated encryption algorithms that are
   nonce misuse-resistant - that is that they do not fail
   catastrophically if a nonce is repeated.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 21, 2016.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of

Gueron, et al.          Expires October 21, 2016                [Page 1]
Internet-Draft                 aes-gcm-siv                    April 2016

   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Requirements Language . . . . . . . . . . . . . . . . . . . .   3
   3.  POLYVAL . . . . . . . . . . . . . . . . . . . . . . . . . . .   3
   4.  Encryption  . . . . . . . . . . . . . . . . . . . . . . . . .   4
   5.  Decryption  . . . . . . . . . . . . . . . . . . . . . . . . .   4
   6.  AEADs . . . . . . . . . . . . . . . . . . . . . . . . . . . .   5
   7.  Field operation examples  . . . . . . . . . . . . . . . . . .   5
   8.  Worked example  . . . . . . . . . . . . . . . . . . . . . . .   6
   9.  Security Considerations . . . . . . . . . . . . . . . . . . .   7
   10. IANA Considerations . . . . . . . . . . . . . . . . . . . . .   7
   11. Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   7
   12. References  . . . . . . . . . . . . . . . . . . . . . . . . .   7
     12.1.  Normative References . . . . . . . . . . . . . . . . . .   7
     12.2.  Informative References . . . . . . . . . . . . . . . . .   8
   Appendix A.  Test vectors . . . . . . . . . . . . . . . . . . . .   8
     A.1.  AEAD_AES_128_GCM_SIV  . . . . . . . . . . . . . . . . . .   8
     A.2.  AEAD_AES_256_GCM_SIV  . . . . . . . . . . . . . . . . . .  46
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  88

1.  Introduction

   The concept of "Authenticated encryption with additional data" (AEAD
   [RFC5116]) couples confidentiality and integrity in a single
   operation that is easier for practitioners to use correctly.  The
   most popular AEAD, AES-GCM [GCM], is seeing widespread use due to its
   attractive performance.

   However, most AEADs suffer catastrophic failures of confidentiality
   and/or integrity when two distinct messages are encrypted with the
   same nonce.  While the requirements for AEADs specify that the pair
   of (key, nonce) shall only ever be used once, and thus prohibit this,
   in practice this is a worry.

   Nonce misuse-resistant AEADs do not suffer from this problem.  For
   this class of AEADs, encrypting two messages with the same nonce only
   discloses whether the messages were equal or not.  This is the
   minimum amount of information that a deterministic algorithm can leak
   in this situation.

   This memo specifies two nonce misuse-resistant AEADs:
   "AEAD_AES_128_GCM_SIV" and "AEAD_AES_256_GCM_SIV".  These AEADs are
   designed to be able to take advantage of existing hardware support
   for AES-GCM and can run within 5% of the speed of AES-GCM.

Gueron, et al.          Expires October 21, 2016                [Page 2]
Internet-Draft                 aes-gcm-siv                    April 2016

   We suggest that these AEADs be considered in any situation where
   there is the slightest doubt about nonce uniqueness.

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

3.  POLYVAL

   The GCM-SIV construction is similar to GCM: the block cipher is used
   in counter mode to encrypt the plaintext and a polynomial
   authenticator is used to provide integrity.  The authenticator in
   GCM-SIV is called POLYVAL.

   POLYVAL, like GHASH, operates in a binary field of size 2^128.  The
   field is defined by the irreducible polynomial x^128 + x^127 + x^126
   + x^121 + 1.  The sum of any two elements in the field is the result
   of XORing them.  The product of any two elements is calculated using
   standard polynomial multiplication followed by reduction by the
   irreducible polynomial.

   We define another binary operation on elements of the field: dot(a,
   b), where dot(a, b) = a * b * x^-128.  The value x^-128 is equal to
   x^127 + x^124 + x^121 + x^114 + 1.  Since the result of
   multiplications in the field is defined to be reduced, the result of
   dot(a, b) is another field element.

   Polynomials in this field are converted to and from 128-bit strings
   by taking the least-significant bit of the first byte to be the
   coefficient of x^0, the most-significant bit of the first byte to the
   the coefficient of x^7 and so on, until the most-significant bit of
   the last byte is the coefficient of x^127.

   POLYVAL takes a field element, H, and a series of field elements X_1,
   ..., X_s.  Its result is S_s, where S is defined by the iteration S_0
   = 0; S_j = dot(S_{j-1} + X_j, H).

   We note that POLYVAL(H, X_1, X_2, ...) is equal to
   ByteSwap(GHASH(x*H, ByteSwap(X_1), ByteSwap(X_2), ...)), where
   ByteSwap is a function that converts a field element to a 128-bit
   string, reverses the order of the bytes, and interprets the result as
   a field element again.

Gueron, et al.          Expires October 21, 2016                [Page 3]
Internet-Draft                 aes-gcm-siv                    April 2016

4.  Encryption

   AES-GCM-SIV encryption takes a 16-byte authentication key, a 16- or
   32-byte AES key, a 128-bit nonce, and arbitrary-length plaintext and
   additional data inputs.  It outputs an authenticated ciphertext that
   will be 16 bytes longer than the plaintext.

   If the AES key is 16 bytes long then AES-128 is used throughout and
   the _record-encryption key_ is defined as the encryption of the nonce
   using the AES key.

   Alternatively, if the AES key is 32 bytes long then AES-256 is used
   throughout.  Simply encrypting the nonce (as done in the case of a 16
   bytes key) is now insufficient, because 256 bits of key material are
   needed.  Therefore, AES-256 is used as a Pseudo Random Function to
   produce the 256 bits record-encryption key.  This record-encryption
   key is defined as the concatenation of the result of encrypting,
   using the AES key, the nonce with the least-significant bit of the
   first byte set to zero and then to one.

   Define the _length block_ as a 16-byte value that is the
   concatenation of the 64-bit, little-endian encodings of
   len(additional_length)*8 and len(plaintext)*8.  Pad the plaintext and
   additional data with zeros until they are each a multiple of 16
   bytes, the AES block size.  Then X_1, X_2, etc (the series of field
   elements that are inputs to POLYVAL) are the concatenation of the
   padded additional data, the padded plaintext and the length block.

   Calculate S_s = POLYVAL(authentication_key, X_1, X_2, ...), XOR it
   with the nonce and then set the most-significant bit of the last byte
   to zero.  Encrypt the result with AES using the record-encryption key
   to produce the tag.

   The ciphertext is produced by using AES in counter mode on the
   unpadded plaintext.  The initial counter is the tag with the most-
   significant bit of the last byte set to one and the first 32 bits set
   to zero.  The counter advances by incrementing the first 32 bits
   interpreted as an unsigned, little-endian integer.  The result of the
   encryption is the resulting ciphertext followed by the tag.

5.  Decryption

   Decryption takes a 16-byte authentication key, a 16- or 32-byte AES
   key, a 128-bit nonce, and arbitrary-length ciphertext and additional
   data inputs.  It either fails, or outputs a plaintext that is 16
   bytes shorter than the ciphertext.

Gueron, et al.          Expires October 21, 2016                [Page 4]
Internet-Draft                 aes-gcm-siv                    April 2016

   Firstly, the record-encryption key is derived in the same manner as
   when encrypting.

   If the ciphertext is less than 16 bytes or more than 2^36 + 16 bytes,
   then fail.  Otherwise split the input into the encrypted plaintext
   and a 16-byte tag.  Decrypt the encrypted plaintext with the record-
   encryption key in counter mode, where the initial counter is the tag
   with the most-significant bit of the last byte set to one and the
   first 32 bits set to zero.  The counter advances in the same way as
   for encryption.

   Pad the additional data and plaintext with zeros until they are each
   a multiple of 16 bytes, the AES block size.  Calculate length_block
   and X_1, X_2, etc as above and compute S_s =
   POLYVAL(authentication_key, X_1, X_2, ...).  Compute the expected tag
   by XORing S_s and the nonce, setting the most-significant byte of the
   last byte to zero and encrypting with the record-encryption key.
   Compare the provided and expected tag values in constant time.  If
   they do not match, fail.  Otherwise return the plaintext.

6.  AEADs

   We define two AEADs, in the format of RFC 5116, that use AES-GCM-SIV:
   AEAD_AES_128_GCM_SIV and AEAD_AES_256_GCM_SIV.  They differ only in
   the size of the AES key used.

   Since the definition of an AEAD requires that the key be a single
   value we define AEAD_AES_128_GCM_SIV to take a 32-byte key: the first
   16 bytes of which are used as the authentication key and the
   remaining 16 bytes are used as the AES key.  Likewise
   AEAD_AES_256_GCM_SIV takes an 48-byte key: the first 16 bytes are
   again the authentication key and the remaining 32 bytes is the AES
   key.

   The parameters for AEAD_AES_128_GCM_SIV are then: K_LEN is 32, P_MAX
   is 2^36, A_MAX is 2^61 - 1, N_MIN and N_MAX are 16 and C_MAX is 2^36
   + 16.

   The parameters for AEAD_AES_256_GCM_SIV differ only in the key size:
   K_LEN is 48, P_MAX is 2^36, A_MAX is 2^61 - 1, N_MIN and N_MAX are 16
   and C_MAX is 2^36 + 16.

7.  Field operation examples

   Polynomials in this document will be written as 16-byte values.  For
   example, the sixteen bytes 01000000000000000000000000000492 would
   represent the polynomial x^127 + x^124 + x^121 + x^114 + 1, which is
   also the value of x^-128 in this field.

Gueron, et al.          Expires October 21, 2016                [Page 5]
Internet-Draft                 aes-gcm-siv                    April 2016

   If a = 66e94bd4ef8a2c3b884cfa59ca342b2e and b =
   ff000000000000000000000000000000 then a+b =
   99e94bd4ef8a2c3b884cfa59ca342b2e, a*b =
   37856175e9dc9df26ebc6d6171aa0ae9 and dot(a, b) =
   ebe563401e7e91ea3ad6426b8140c394.

8.  Worked example

   Consider the encryption of the plaintext "Hello world" with the
   additional data "example" under key
   4f2229294acbdf99c4584ec0e6e23638fab3a110b8ae672eba07d91ba52d6cea
   using AEAD_AES_128_GCM_SIV.  The random nonce that we'll use for this
   example is 752abad3e0afb5f434dc4310f71f3d21.

   The record encryption key will be AES(key =
   fab3a110b8ae672eba07d91ba52d6cea, data =
   752abad3e0afb5f434dc4310f71f3d21) = b55e60e9e8886006db16db23e1e0e103.

   The length block contains the encoding of the bit-lengths of the
   additional data and plaintext, respectively, which are and 56 and 88.
   Thus length_block is 38000000000000005800000000000000.

   The input to POLYVAL is the padded additional data, padded plaintext
   and then the length block.  This is 6578616d706c650000000000000000004
   8656c6c6f20776f726c64000000000058000000000000003800000000000000.

   The POLYVAL key will be the first 16 bytes of the AEAD key, namely
   4f2229294acbdf99c4584ec0e6e23638.  Calling POLYVAL with that key and
   the input above results in S_s = 0b9ae2c5bd7fe4dcd17a007d11ac280e.
   XORing this with the nonce gives 7eb058165dd05128e5a6436de6b3152f.

   Before encrypting the most-significant bit of the last byte is
   cleared.  This again gives 7eb058165dd05128e5a6436de6b3152f because
   that bit happened to be zero already.  Encrypting with the record key
   gives the tag, which is 8e2d69ed54c0997cae05d8b2be1d963e.

   In order to form the initial counter block, the most-significant bit
   of the last byte of the tag is set to one and a 32-bit, little-endian
   counter is written to the first four bytes.  This gives
   0000000054c0997cae05d8b2be1d96be.  Encrypting this with the record
   key gives the first block of the keystream:
   b30b19ed9ba05d29b6aecc0146b7fb19.

   The final ciphertext is the result of XORing the plaintext with the
   keystream and appending the tag.  That gives
   fb6e7581f4802a46c4c2a88e2d69ed54c0997cae05d8b2be1d963e.

Gueron, et al.          Expires October 21, 2016                [Page 6]
Internet-Draft                 aes-gcm-siv                    April 2016

9.  Security Considerations

   The AEADs defined in this document calculate fresh AES keys for each
   nonce.  This allows a larger number of plaintexts to be encrypted
   under a given key.  Without this step, each SIV encryption would be
   like a standard GCM encryption with a random nonce.  Since the nonce
   size for GCM is only 12 bytes, NIST set a limit [GCM] of 2^32
   encryptions before the probability of duplicate nonces becomes too
   high.

   The authors felt that, while large, 2^32 wasn't so large that this
   limit could be safely ignored.  For example, consider encrypting the
   contents of a hard disk where the AEAD record size is 512 bytes, to
   match the traditional size of a disk sector.  This process would have
   encrypted 2^32 records after processing 2TB, yet hard drives of
   multiple terabytes are now common.

   Deriving fresh AES keys for each nonce eliminates this problem.

   If the nonce is fixed then AES-GCM-SIV acts like AES-GCM with a
   random nonce, with the caveat that identical plaintexts will produce
   identical ciphertexts.  Thus, with a fixed nonce, the 2^32 limit
   still applies as the number of distinct messages that can be
   encrypted under a given key.  Nonces should be unique and the misuse-
   resistance of these AEADs should not be depended on to the extent
   that 2^32 duplicates may occur.  (Or 2^31 duplicates in the case of
   AEAD_AES_256_GCM_SIV.)

   The construction of the record-encryption key in AEAD_AES_256_GCM_SIV
   cannot result in the first and second halves of the key having the
   same value.  Thus 2^128 of the 2^256 keys cannot occur.  We consider
   this to be insignificant.

   A security analysis of a similar scheme appears in [GCM-SIV].

10.  IANA Considerations

   This document has no actions for IANA.

11.  Acknowledgements

12.  References

12.1.  Normative References

Gueron, et al.          Expires October 21, 2016                [Page 7]
Internet-Draft                 aes-gcm-siv                    April 2016

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <http://www.rfc-editor.org/info/rfc2119>.

12.2.  Informative References

   [GCM]      Dworkin, M., "Recommendation for Block Cipher Modes of
              Operation: Galois/Counter Mode (GCM) and GMAC", NIST SP-
              800-38D, November 2007,
              <http://csrc.nist.gov/publications/nistpubs/800-38D/
              SP-800-38D.pdf>.

   [GCM-SIV]  Gueron, S. and Y. Lindell, "GCM-SIV: Full Nonce Misuse-
              Resistant Authenticated Encryption at Under One Cycle Per
              Byte", Proceedings of the 22nd ACM SIGSAC Conference on
              Computer and Communications Security , 2015,
              <http://doi.acm.org/10.1145/2810103.2813613>.

   [RFC5116]  McGrew, D., "An Interface and Algorithms for Authenticated
              Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008,
              <http://www.rfc-editor.org/info/rfc5116>.

Appendix A.  Test vectors

A.1.  AEAD_AES_128_GCM_SIV

   --------------------- TWO_KEYS     (AAD = 0, MSG = 0)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 0
   MSG_bit_len  = 0
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 0
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 0
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =
   MSG =
   PADDED_AAD_and_MSG =
   LENBLK =                        00000000000000000000000000000000

Gueron, et al.          Expires October 21, 2016                [Page 8]
Internet-Draft                 aes-gcm-siv                    April 2016

   Computing POLYVAL on a
   buffer of 0 blocks + LENBLK.
   POLYVAL =                       00000000000000000000000000000000
   POLYVAL_xor_NONCE  =            03000000000000000000000000000000
   with MSBit cleared =            03000000000000000000000000000000
   TAG =                           fabfd7964630aa6128ee6269f061f08b
   AAD =
   CT  =
   Encryption_Key=                 57d4b7aec8de993e30a6861b61e6ce4e

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   57d4b7aec8de993e30a6861b61e6ce4e
                                   d85f98411081017f2027876441c1492a
                                   a2647dc2b2e57cbd92c2fbd9d303b2f3
                                   dd5370a46fb60c19fd74f7c02e774533
                                   203db3954f8bbf8cb2ff484c9c880d7f
                                   f4ea614bbb61dec7099e968b95169bf4
                                   93fede61289f00a62101962db4170dd9
                                   2329ebec0bb6eb4a2ab77d679ea070be
                                   437845e748ceaead6279d3cafcd9a374
                                   6d72d75725bc79fa47c5aa30bb1c0944
                                   c773ccbde2cfb547a50a1f771e161633

   CTRBLKS (with MSbit set to 1)

   --------------------- TWO_KEYS     (AAD = 0, MSG = 8)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 8
   MSG_bit_len  = 64
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =

Gueron, et al.          Expires October 21, 2016                [Page 9]
Internet-Draft                 aes-gcm-siv                    April 2016

   MSG =                           0100000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
   LENBLK =                        00000000000000004000000000000000

   Computing POLYVAL on a
   buffer of 1 blocks + LENBLK.
   POLYVAL =                       04000000000000809100000000283b1c
   POLYVAL_xor_NONCE  =            07000000000000809100000000283b1c
   with MSBit cleared =            07000000000000809100000000283b1c
   TAG =                           5537355b0a4f4cb05ce77d1b815d7299
   AAD =
   CT  =                           3b0f5baabe526e9f
   Encryption_Key=                 57d4b7aec8de993e30a6861b61e6ce4e

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   57d4b7aec8de993e30a6861b61e6ce4e
                                   d85f98411081017f2027876441c1492a
                                   a2647dc2b2e57cbd92c2fbd9d303b2f3
                                   dd5370a46fb60c19fd74f7c02e774533
                                   203db3954f8bbf8cb2ff484c9c880d7f
                                   f4ea614bbb61dec7099e968b95169bf4
                                   93fede61289f00a62101962db4170dd9
                                   2329ebec0bb6eb4a2ab77d679ea070be
                                   437845e748ceaead6279d3cafcd9a374
                                   6d72d75725bc79fa47c5aa30bb1c0944
                                   c773ccbde2cfb547a50a1f771e161633

   CTRBLKS (with MSbit set to 1)

                                   000000000a4f4cb05ce77d1b815d7299

   --------------------- TWO_KEYS     (AAD = 0, MSG = 12)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 12
   MSG_bit_len  = 96
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415

Gueron, et al.          Expires October 21, 2016               [Page 10]
Internet-Draft                 aes-gcm-siv                    April 2016

                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =
   MSG =                           010000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
   LENBLK =                        00000000000000006000000000000000

   Computing POLYVAL on a
   buffer of 1 blocks + LENBLK.
   POLYVAL =                       0400000000000040d900000000283b1c
   POLYVAL_xor_NONCE  =            0700000000000040d900000000283b1c
   with MSBit cleared =            0700000000000040d900000000283b1c
   TAG =                           dd55830c690eadd7fd2155b3615470bd
   AAD =
   CT  =                           9391b4122fccfecb60ec40ab
   Encryption_Key=                 57d4b7aec8de993e30a6861b61e6ce4e

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   57d4b7aec8de993e30a6861b61e6ce4e
                                   d85f98411081017f2027876441c1492a
                                   a2647dc2b2e57cbd92c2fbd9d303b2f3
                                   dd5370a46fb60c19fd74f7c02e774533
                                   203db3954f8bbf8cb2ff484c9c880d7f
                                   f4ea614bbb61dec7099e968b95169bf4
                                   93fede61289f00a62101962db4170dd9
                                   2329ebec0bb6eb4a2ab77d679ea070be
                                   437845e748ceaead6279d3cafcd9a374
                                   6d72d75725bc79fa47c5aa30bb1c0944
                                   c773ccbde2cfb547a50a1f771e161633

   CTRBLKS (with MSbit set to 1)

                                   00000000690eadd7fd2155b3615470bd

   --------------------- TWO_KEYS     (AAD = 0, MSG = 16)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 16
   MSG_bit_len  = 128
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 16

Gueron, et al.          Expires October 21, 2016               [Page 11]
Internet-Draft                 aes-gcm-siv                    April 2016

   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =
   MSG =                           01000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
   LENBLK =                        00000000000000008000000000000000

   Computing POLYVAL on a
   buffer of 1 blocks + LENBLK.
   POLYVAL =                       04000000000000002301000000283b1c
   POLYVAL_xor_NONCE  =            07000000000000002301000000283b1c
   with MSBit cleared =            07000000000000002301000000283b1c
   TAG =                           147650d36f064f6b5dbbe8f04077d903
   AAD =
   CT  =                           565e4a931280ecdece8620abcf90b65e
   Encryption_Key=                 57d4b7aec8de993e30a6861b61e6ce4e

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   57d4b7aec8de993e30a6861b61e6ce4e
                                   d85f98411081017f2027876441c1492a
                                   a2647dc2b2e57cbd92c2fbd9d303b2f3
                                   dd5370a46fb60c19fd74f7c02e774533
                                   203db3954f8bbf8cb2ff484c9c880d7f
                                   f4ea614bbb61dec7099e968b95169bf4
                                   93fede61289f00a62101962db4170dd9
                                   2329ebec0bb6eb4a2ab77d679ea070be
                                   437845e748ceaead6279d3cafcd9a374
                                   6d72d75725bc79fa47c5aa30bb1c0944
                                   c773ccbde2cfb547a50a1f771e161633

   CTRBLKS (with MSbit set to 1)

                                   000000006f064f6b5dbbe8f04077d983

   --------------------- TWO_KEYS     (AAD = 0, MSG = 32)---------

   AAD_byte_len = 0

Gueron, et al.          Expires October 21, 2016               [Page 12]
Internet-Draft                 aes-gcm-siv                    April 2016

   AAD_bit_len  = 0
   MSG_byte_len = 32
   MSG_bit_len  = 256
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 32
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 2
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =
   MSG =                           01000000000000000000000000000000
                                   02000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
   LENBLK =                        00000000000000000001000000000000

   Computing POLYVAL on a
   buffer of 2 blocks + LENBLK.
   POLYVAL =                       010000000000000046020000f0507615
   POLYVAL_xor_NONCE  =            020000000000000046020000f0507615
   with MSBit cleared =            020000000000000046020000f0507615
   TAG =                           78a50cb3f901ee38c588f6662d785a24
   AAD =
   CT  =                           9b1d2ba7d2d3a02efeecc18d03be2b56
                                   1753b147ae642183f2c4bbd72e4ed8e1
   Encryption_Key=                 57d4b7aec8de993e30a6861b61e6ce4e

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   57d4b7aec8de993e30a6861b61e6ce4e
                                   d85f98411081017f2027876441c1492a
                                   a2647dc2b2e57cbd92c2fbd9d303b2f3
                                   dd5370a46fb60c19fd74f7c02e774533
                                   203db3954f8bbf8cb2ff484c9c880d7f
                                   f4ea614bbb61dec7099e968b95169bf4
                                   93fede61289f00a62101962db4170dd9
                                   2329ebec0bb6eb4a2ab77d679ea070be
                                   437845e748ceaead6279d3cafcd9a374
                                   6d72d75725bc79fa47c5aa30bb1c0944
                                   c773ccbde2cfb547a50a1f771e161633

   CTRBLKS (with MSbit set to 1)

Gueron, et al.          Expires October 21, 2016               [Page 13]
Internet-Draft                 aes-gcm-siv                    April 2016

                                   00000000f901ee38c588f6662d785aa4
                                   01000000f901ee38c588f6662d785aa4

   --------------------- TWO_KEYS     (AAD = 0, MSG = 48)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 48
   MSG_bit_len  = 384
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 48
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 3
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =
   MSG =                           01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
   LENBLK =                        00000000000000008001000000000000

   Computing POLYVAL on a
   buffer of 3 blocks + LENBLK.
   POLYVAL =                       0e00000000000000650300203e788f7f
   POLYVAL_xor_NONCE  =            0d00000000000000650300203e788f7f
   with MSBit cleared =            0d00000000000000650300203e788f7f
   TAG =                           a75aa62b704e826d984a72184e370598
   AAD =
   CT  =                           dcc8d2f2c0e30b565f5d3ef58bf6638f
                                   f50e8909ced008e0515b79f7c8c3d1f5
                                   8ec1bb09177133b4cd1b375911d81579
   Encryption_Key=                 57d4b7aec8de993e30a6861b61e6ce4e

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   57d4b7aec8de993e30a6861b61e6ce4e
                                   d85f98411081017f2027876441c1492a

Gueron, et al.          Expires October 21, 2016               [Page 14]
Internet-Draft                 aes-gcm-siv                    April 2016

                                   a2647dc2b2e57cbd92c2fbd9d303b2f3
                                   dd5370a46fb60c19fd74f7c02e774533
                                   203db3954f8bbf8cb2ff484c9c880d7f
                                   f4ea614bbb61dec7099e968b95169bf4
                                   93fede61289f00a62101962db4170dd9
                                   2329ebec0bb6eb4a2ab77d679ea070be
                                   437845e748ceaead6279d3cafcd9a374
                                   6d72d75725bc79fa47c5aa30bb1c0944
                                   c773ccbde2cfb547a50a1f771e161633

   CTRBLKS (with MSbit set to 1)

                                   00000000704e826d984a72184e370598
                                   01000000704e826d984a72184e370598
                                   02000000704e826d984a72184e370598

   --------------------- TWO_KEYS     (AAD = 0, MSG = 64)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 64
   MSG_bit_len  = 512
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 64
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 4
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =
   MSG =                           01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
   LENBLK =                        00000000000000000002000000000000

   Computing POLYVAL on a
   buffer of 4 blocks + LENBLK.

Gueron, et al.          Expires October 21, 2016               [Page 15]
Internet-Draft                 aes-gcm-siv                    April 2016

   POLYVAL =                       0f000000000000008c04c04c63ad584f
   POLYVAL_xor_NONCE  =            0c000000000000008c04c04c63ad584f
   with MSBit cleared =            0c000000000000008c04c04c63ad584f
   TAG =                           d7f4efe2f6c72e3b8df168cab6b790ab
   AAD =
   CT  =                           472d6309563c74b6d5497145e929725a
                                   ab08979e6c4fc72c30c2e3a1ce568b94
                                   92e1b0351167937ee2faae79d40af93e
                                   24eee045fdab1b2040440632f1a34433
   Encryption_Key=                 57d4b7aec8de993e30a6861b61e6ce4e

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   57d4b7aec8de993e30a6861b61e6ce4e
                                   d85f98411081017f2027876441c1492a
                                   a2647dc2b2e57cbd92c2fbd9d303b2f3
                                   dd5370a46fb60c19fd74f7c02e774533
                                   203db3954f8bbf8cb2ff484c9c880d7f
                                   f4ea614bbb61dec7099e968b95169bf4
                                   93fede61289f00a62101962db4170dd9
                                   2329ebec0bb6eb4a2ab77d679ea070be
                                   437845e748ceaead6279d3cafcd9a374
                                   6d72d75725bc79fa47c5aa30bb1c0944
                                   c773ccbde2cfb547a50a1f771e161633

   CTRBLKS (with MSbit set to 1)

                                   00000000f6c72e3b8df168cab6b790ab
                                   01000000f6c72e3b8df168cab6b790ab
                                   02000000f6c72e3b8df168cab6b790ab
                                   03000000f6c72e3b8df168cab6b790ab

   --------------------- TWO_KEYS     (AAD = 1, MSG = 8)---------

   AAD_byte_len = 1
   AAD_bit_len  = 8
   MSG_byte_len = 8
   MSG_bit_len  = 64
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415

Gueron, et al.          Expires October 21, 2016               [Page 16]
Internet-Draft                 aes-gcm-siv                    April 2016

                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =                           01
   MSG =                           0200000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
   LENBLK =                        08000000000000004000000000000000

   Computing POLYVAL on a
   buffer of 2 blocks + LENBLK.
   POLYVAL =                       130000000000008091000000f0501631
   POLYVAL_xor_NONCE  =            100000000000008091000000f0501631
   with MSBit cleared =            100000000000008091000000f0501631
   TAG =                           633c11b2eee1f65be0e3f1e0c824c5e0
   AAD =                           01
   CT  =                           5adcda74026afb99
   Encryption_Key=                 57d4b7aec8de993e30a6861b61e6ce4e

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   57d4b7aec8de993e30a6861b61e6ce4e
                                   d85f98411081017f2027876441c1492a
                                   a2647dc2b2e57cbd92c2fbd9d303b2f3
                                   dd5370a46fb60c19fd74f7c02e774533
                                   203db3954f8bbf8cb2ff484c9c880d7f
                                   f4ea614bbb61dec7099e968b95169bf4
                                   93fede61289f00a62101962db4170dd9
                                   2329ebec0bb6eb4a2ab77d679ea070be
                                   437845e748ceaead6279d3cafcd9a374
                                   6d72d75725bc79fa47c5aa30bb1c0944
                                   c773ccbde2cfb547a50a1f771e161633

   CTRBLKS (with MSbit set to 1)

                                   00000000eee1f65be0e3f1e0c824c5e0

   --------------------- TWO_KEYS     (AAD = 1, MSG = 12)---------

   AAD_byte_len = 1
   AAD_bit_len  = 8
   MSG_byte_len = 12
   MSG_bit_len  = 96
   padded_AAD_byte_len = 16

Gueron, et al.          Expires October 21, 2016               [Page 17]
Internet-Draft                 aes-gcm-siv                    April 2016

   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =                           01
   MSG =                           020000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
   LENBLK =                        08000000000000006000000000000000

   Computing POLYVAL on a
   buffer of 2 blocks + LENBLK.
   POLYVAL =                       1300000000000040d9000000f0501631
   POLYVAL_xor_NONCE  =            1000000000000040d9000000f0501631
   with MSBit cleared =            1000000000000040d9000000f0501631
   TAG =                           f229e75b2c4c3048fc70f163c9aefe0d
   AAD =                           01
   CT  =                           b4fabbadb27257bbe8b807d5
   Encryption_Key=                 57d4b7aec8de993e30a6861b61e6ce4e

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   57d4b7aec8de993e30a6861b61e6ce4e
                                   d85f98411081017f2027876441c1492a
                                   a2647dc2b2e57cbd92c2fbd9d303b2f3
                                   dd5370a46fb60c19fd74f7c02e774533
                                   203db3954f8bbf8cb2ff484c9c880d7f
                                   f4ea614bbb61dec7099e968b95169bf4
                                   93fede61289f00a62101962db4170dd9
                                   2329ebec0bb6eb4a2ab77d679ea070be
                                   437845e748ceaead6279d3cafcd9a374
                                   6d72d75725bc79fa47c5aa30bb1c0944
                                   c773ccbde2cfb547a50a1f771e161633

   CTRBLKS (with MSbit set to 1)

                                   000000002c4c3048fc70f163c9aefe8d

   --------------------- TWO_KEYS     (AAD = 1, MSG = 16)---------

Gueron, et al.          Expires October 21, 2016               [Page 18]
Internet-Draft                 aes-gcm-siv                    April 2016

   AAD_byte_len = 1
   AAD_bit_len  = 8
   MSG_byte_len = 16
   MSG_bit_len  = 128
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =                           01
   MSG =                           02000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
   LENBLK =                        08000000000000008000000000000000

   Computing POLYVAL on a
   buffer of 2 blocks + LENBLK.
   POLYVAL =                       130000000000000023010000f0501631
   POLYVAL_xor_NONCE  =            100000000000000023010000f0501631
   with MSBit cleared =            100000000000000023010000f0501631
   TAG =                           cfb5aa16cdd9d39acc5d99b6eee2c6fc
   AAD =                           01
   CT  =                           dce7c7cd4d1060fdc663b9fe8de25385
   Encryption_Key=                 57d4b7aec8de993e30a6861b61e6ce4e

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   57d4b7aec8de993e30a6861b61e6ce4e
                                   d85f98411081017f2027876441c1492a
                                   a2647dc2b2e57cbd92c2fbd9d303b2f3
                                   dd5370a46fb60c19fd74f7c02e774533
                                   203db3954f8bbf8cb2ff484c9c880d7f
                                   f4ea614bbb61dec7099e968b95169bf4
                                   93fede61289f00a62101962db4170dd9
                                   2329ebec0bb6eb4a2ab77d679ea070be
                                   437845e748ceaead6279d3cafcd9a374
                                   6d72d75725bc79fa47c5aa30bb1c0944
                                   c773ccbde2cfb547a50a1f771e161633

   CTRBLKS (with MSbit set to 1)

Gueron, et al.          Expires October 21, 2016               [Page 19]
Internet-Draft                 aes-gcm-siv                    April 2016

                                   00000000cdd9d39acc5d99b6eee2c6fc

   --------------------- TWO_KEYS     (AAD = 1, MSG = 32)---------

   AAD_byte_len = 1
   AAD_bit_len  = 8
   MSG_byte_len = 32
   MSG_bit_len  = 256
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 32
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 2
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =                           01
   MSG =                           02000000000000000000000000000000
                                   03000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
   LENBLK =                        08000000000000000001000000000000

   Computing POLYVAL on a
   buffer of 3 blocks + LENBLK.
   POLYVAL =                       1c00000000000000460200203e78ef5b
   POLYVAL_xor_NONCE  =            1f00000000000000460200203e78ef5b
   with MSBit cleared =            1f00000000000000460200203e78ef5b
   TAG =                           8df5606f057468e4b38e89736255ad2d
   AAD =                           01
   CT  =                           c6d3098e12ac653520764cbccdb90655
                                   b3d91bf034f7549d5f775fca5d6ad34f
   Encryption_Key=                 57d4b7aec8de993e30a6861b61e6ce4e

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   57d4b7aec8de993e30a6861b61e6ce4e
                                   d85f98411081017f2027876441c1492a
                                   a2647dc2b2e57cbd92c2fbd9d303b2f3
                                   dd5370a46fb60c19fd74f7c02e774533
                                   203db3954f8bbf8cb2ff484c9c880d7f

Gueron, et al.          Expires October 21, 2016               [Page 20]
Internet-Draft                 aes-gcm-siv                    April 2016

                                   f4ea614bbb61dec7099e968b95169bf4
                                   93fede61289f00a62101962db4170dd9
                                   2329ebec0bb6eb4a2ab77d679ea070be
                                   437845e748ceaead6279d3cafcd9a374
                                   6d72d75725bc79fa47c5aa30bb1c0944
                                   c773ccbde2cfb547a50a1f771e161633

   CTRBLKS (with MSbit set to 1)

                                   00000000057468e4b38e89736255adad
                                   01000000057468e4b38e89736255adad

   --------------------- TWO_KEYS     (AAD = 1, MSG = 48)---------

   AAD_byte_len = 1
   AAD_bit_len  = 8
   MSG_byte_len = 48
   MSG_bit_len  = 384
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 48
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 3
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =                           01
   MSG =                           02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
   LENBLK =                        08000000000000008001000000000000

   Computing POLYVAL on a
   buffer of 4 blocks + LENBLK.
   POLYVAL =                       1d000000000000006503c04c63ad386b
   POLYVAL_xor_NONCE  =            1e000000000000006503c04c63ad386b
   with MSBit cleared =            1e000000000000006503c04c63ad386b
   TAG =                           b52274e14d6111c74edf5d95855256a2
   AAD =                           01

Gueron, et al.          Expires October 21, 2016               [Page 21]
Internet-Draft                 aes-gcm-siv                    April 2016

   CT  =                           186abbbe486294281b1514c11c240e6a
                                   4d959a1ac6da46e5b83bbe2d3d37de44
                                   ab009bb885b5c0bf83db80b651c06e74
   Encryption_Key=                 57d4b7aec8de993e30a6861b61e6ce4e

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   57d4b7aec8de993e30a6861b61e6ce4e
                                   d85f98411081017f2027876441c1492a
                                   a2647dc2b2e57cbd92c2fbd9d303b2f3
                                   dd5370a46fb60c19fd74f7c02e774533
                                   203db3954f8bbf8cb2ff484c9c880d7f
                                   f4ea614bbb61dec7099e968b95169bf4
                                   93fede61289f00a62101962db4170dd9
                                   2329ebec0bb6eb4a2ab77d679ea070be
                                   437845e748ceaead6279d3cafcd9a374
                                   6d72d75725bc79fa47c5aa30bb1c0944
                                   c773ccbde2cfb547a50a1f771e161633

   CTRBLKS (with MSbit set to 1)

                                   000000004d6111c74edf5d95855256a2
                                   010000004d6111c74edf5d95855256a2
                                   020000004d6111c74edf5d95855256a2

   --------------------- TWO_KEYS     (AAD = 1, MSG = 64)---------

   AAD_byte_len = 1
   AAD_bit_len  = 8
   MSG_byte_len = 64
   MSG_bit_len  = 512
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 64
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 4
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =                           01
   MSG =                           02000000000000000000000000000000
                                   03000000000000000000000000000000

Gueron, et al.          Expires October 21, 2016               [Page 22]
Internet-Draft                 aes-gcm-siv                    April 2016

                                   04000000000000000000000000000000
                                   05000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
                                   05000000000000000000000000000000
   LENBLK =                        08000000000000000002000000000000

   Computing POLYVAL on a
   buffer of 5 blocks + LENBLK.
   POLYVAL =                       1b000000000000008c841a01712a376e
   POLYVAL_xor_NONCE  =            18000000000000008c841a01712a376e
   with MSBit cleared =            18000000000000008c841a01712a376e
   TAG =                           668fc00b6b40b4bb0c8d6cdb9730358d
   AAD =                           01
   CT  =                           499ec09c83c2b79cf6b219e6b79ec81c
                                   7c7b572c8a04b322094ec011e7003ded
                                   388627f831ee79bd3df5db27f648125a
                                   fbfe2774388c34bb652b866ca84bdcd8
   Encryption_Key=                 57d4b7aec8de993e30a6861b61e6ce4e

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   57d4b7aec8de993e30a6861b61e6ce4e
                                   d85f98411081017f2027876441c1492a
                                   a2647dc2b2e57cbd92c2fbd9d303b2f3
                                   dd5370a46fb60c19fd74f7c02e774533
                                   203db3954f8bbf8cb2ff484c9c880d7f
                                   f4ea614bbb61dec7099e968b95169bf4
                                   93fede61289f00a62101962db4170dd9
                                   2329ebec0bb6eb4a2ab77d679ea070be
                                   437845e748ceaead6279d3cafcd9a374
                                   6d72d75725bc79fa47c5aa30bb1c0944
                                   c773ccbde2cfb547a50a1f771e161633

   CTRBLKS (with MSbit set to 1)

                                   000000006b40b4bb0c8d6cdb9730358d
                                   010000006b40b4bb0c8d6cdb9730358d
                                   020000006b40b4bb0c8d6cdb9730358d
                                   030000006b40b4bb0c8d6cdb9730358d

   --------------------- TWO_KEYS     (AAD = 12, MSG = 4)---------

Gueron, et al.          Expires October 21, 2016               [Page 23]
Internet-Draft                 aes-gcm-siv                    April 2016

   AAD_byte_len = 12
   AAD_bit_len  = 96
   MSG_byte_len = 4
   MSG_bit_len  = 32
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =                           010000000000000000000000
   MSG =                           02000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
   LENBLK =                        60000000000000002000000000000000

   Computing POLYVAL on a
   buffer of 2 blocks + LENBLK.
   POLYVAL =                       d8000000000000c048000000f050f665
   POLYVAL_xor_NONCE  =            db000000000000c048000000f050f665
   with MSBit cleared =            db000000000000c048000000f050f665
   TAG =                           488346eaebe2d64ffa58e0fa82f8cd43
   AAD =                           010000000000000000000000
   CT  =                           7d5240be
   Encryption_Key=                 57d4b7aec8de993e30a6861b61e6ce4e

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   57d4b7aec8de993e30a6861b61e6ce4e
                                   d85f98411081017f2027876441c1492a
                                   a2647dc2b2e57cbd92c2fbd9d303b2f3
                                   dd5370a46fb60c19fd74f7c02e774533
                                   203db3954f8bbf8cb2ff484c9c880d7f
                                   f4ea614bbb61dec7099e968b95169bf4
                                   93fede61289f00a62101962db4170dd9
                                   2329ebec0bb6eb4a2ab77d679ea070be
                                   437845e748ceaead6279d3cafcd9a374
                                   6d72d75725bc79fa47c5aa30bb1c0944
                                   c773ccbde2cfb547a50a1f771e161633

   CTRBLKS (with MSbit set to 1)

Gueron, et al.          Expires October 21, 2016               [Page 24]
Internet-Draft                 aes-gcm-siv                    April 2016

                                   00000000ebe2d64ffa58e0fa82f8cdc3

   --------------------- TWO_KEYS     (AAD = 18, MSG = 20)---------

   AAD_byte_len = 18
   AAD_bit_len  = 144
   MSG_byte_len = 20
   MSG_bit_len  = 160
   padded_AAD_byte_len = 32
   padded_MSG_byte_len = 32
   L1 blocks AAD(padded)  = 2
   L2 blocks MSG(padded)  = 2
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =                           01000000000000000000000000000000
                                   0200
   MSG =                           03000000000000000000000000000000
                                   04000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
   LENBLK =                        9000000000000000a000000000000000

   Computing POLYVAL on a
   buffer of 4 blocks + LENBLK.
   POLYVAL =                       08010000000000c06b01c04c63ad9807
   POLYVAL_xor_NONCE  =            0b010000000000c06b01c04c63ad9807
   with MSBit cleared =            0b010000000000c06b01c04c63ad9807
   TAG =                           d010794cfdbbc65ef641b8ccb9c2dda3
   AAD =                           01000000000000000000000000000000
                                   0200
   CT  =                           6d98c309d4f472480c5b1389e83569e5
                                   217ddb9c
   Encryption_Key=                 57d4b7aec8de993e30a6861b61e6ce4e

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   57d4b7aec8de993e30a6861b61e6ce4e
                                   d85f98411081017f2027876441c1492a

Gueron, et al.          Expires October 21, 2016               [Page 25]
Internet-Draft                 aes-gcm-siv                    April 2016

                                   a2647dc2b2e57cbd92c2fbd9d303b2f3
                                   dd5370a46fb60c19fd74f7c02e774533
                                   203db3954f8bbf8cb2ff484c9c880d7f
                                   f4ea614bbb61dec7099e968b95169bf4
                                   93fede61289f00a62101962db4170dd9
                                   2329ebec0bb6eb4a2ab77d679ea070be
                                   437845e748ceaead6279d3cafcd9a374
                                   6d72d75725bc79fa47c5aa30bb1c0944
                                   c773ccbde2cfb547a50a1f771e161633

   CTRBLKS (with MSbit set to 1)

                                   00000000fdbbc65ef641b8ccb9c2dda3
                                   01000000fdbbc65ef641b8ccb9c2dda3

   --------------------- TWO_KEYS     (AAD = 20, MSG = 18)---------

   AAD_byte_len = 20
   AAD_bit_len  = 160
   MSG_byte_len = 18
   MSG_bit_len  = 144
   padded_AAD_byte_len = 32
   padded_MSG_byte_len = 32
   L1 blocks AAD(padded)  = 2
   L2 blocks MSG(padded)  = 2
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =                           01000000000000000000000000000000
                                   02000000
   MSG =                           03000000000000000000000000000000
                                   0400
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
   LENBLK =                        a0000000000000009000000000000000

   Computing POLYVAL on a
   buffer of 4 blocks + LENBLK.
   POLYVAL =                       64010000000000600701c04c63add8de
   POLYVAL_xor_NONCE  =            67010000000000600701c04c63add8de

Gueron, et al.          Expires October 21, 2016               [Page 26]
Internet-Draft                 aes-gcm-siv                    April 2016

   with MSBit cleared =            67010000000000600701c04c63add85e
   TAG =                           98e16515942fb8ff9ef108e7ce53a963
   AAD =                           01000000000000000000000000000000
                                   02000000
   CT  =                           4649087685b01b476bd3420f36ca67d3
                                   b18b
   Encryption_Key=                 57d4b7aec8de993e30a6861b61e6ce4e

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   57d4b7aec8de993e30a6861b61e6ce4e
                                   d85f98411081017f2027876441c1492a
                                   a2647dc2b2e57cbd92c2fbd9d303b2f3
                                   dd5370a46fb60c19fd74f7c02e774533
                                   203db3954f8bbf8cb2ff484c9c880d7f
                                   f4ea614bbb61dec7099e968b95169bf4
                                   93fede61289f00a62101962db4170dd9
                                   2329ebec0bb6eb4a2ab77d679ea070be
                                   437845e748ceaead6279d3cafcd9a374
                                   6d72d75725bc79fa47c5aa30bb1c0944
                                   c773ccbde2cfb547a50a1f771e161633

   CTRBLKS (with MSbit set to 1)

                                   00000000942fb8ff9ef108e7ce53a9e3
                                   01000000942fb8ff9ef108e7ce53a9e3

   --------------------- TWO_KEYS     (AAD = 0, MSG = 0)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 0
   MSG_bit_len  = 0
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 0
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 0
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =

Gueron, et al.          Expires October 21, 2016               [Page 27]
Internet-Draft                 aes-gcm-siv                    April 2016

   MSG =
   PADDED_AAD_and_MSG =
   LENBLK =                        00000000000000000000000000000000

   Computing POLYVAL on a
   buffer of 0 blocks + LENBLK.
   POLYVAL =                       00000000000000000000000000000000
   POLYVAL_xor_NONCE  =            03000000000000000000000000000000
   with MSBit cleared =            03000000000000000000000000000000
   TAG =                           fabfd7964630aa6128ee6269f061f08b
   AAD =
   CT  =
   Encryption_Key=                 57d4b7aec8de993e30a6861b61e6ce4e

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   57d4b7aec8de993e30a6861b61e6ce4e
                                   d85f98411081017f2027876441c1492a
                                   a2647dc2b2e57cbd92c2fbd9d303b2f3
                                   dd5370a46fb60c19fd74f7c02e774533
                                   203db3954f8bbf8cb2ff484c9c880d7f
                                   f4ea614bbb61dec7099e968b95169bf4
                                   93fede61289f00a62101962db4170dd9
                                   2329ebec0bb6eb4a2ab77d679ea070be
                                   437845e748ceaead6279d3cafcd9a374
                                   6d72d75725bc79fa47c5aa30bb1c0944
                                   c773ccbde2cfb547a50a1f771e161633

   CTRBLKS (with MSbit set to 1)

   --------------------- TWO_KEYS     (AAD = 0, MSG = 8)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 8
   MSG_bit_len  = 64
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------

Gueron, et al.          Expires October 21, 2016               [Page 28]
Internet-Draft                 aes-gcm-siv                    April 2016

   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =
   MSG =                           0100000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
   LENBLK =                        00000000000000004000000000000000

   Computing POLYVAL on a
   buffer of 1 blocks + LENBLK.
   POLYVAL =                       04000000000000809100000000283b1c
   POLYVAL_xor_NONCE  =            07000000000000809100000000283b1c
   with MSBit cleared =            07000000000000809100000000283b1c
   TAG =                           5537355b0a4f4cb05ce77d1b815d7299
   AAD =
   CT  =                           3b0f5baabe526e9f
   Encryption_Key=                 57d4b7aec8de993e30a6861b61e6ce4e

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   57d4b7aec8de993e30a6861b61e6ce4e
                                   d85f98411081017f2027876441c1492a
                                   a2647dc2b2e57cbd92c2fbd9d303b2f3
                                   dd5370a46fb60c19fd74f7c02e774533
                                   203db3954f8bbf8cb2ff484c9c880d7f
                                   f4ea614bbb61dec7099e968b95169bf4
                                   93fede61289f00a62101962db4170dd9
                                   2329ebec0bb6eb4a2ab77d679ea070be
                                   437845e748ceaead6279d3cafcd9a374
                                   6d72d75725bc79fa47c5aa30bb1c0944
                                   c773ccbde2cfb547a50a1f771e161633

   CTRBLKS (with MSbit set to 1)

                                   000000000a4f4cb05ce77d1b815d7299

   --------------------- TWO_KEYS     (AAD = 0, MSG = 12)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 12
   MSG_bit_len  = 96
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 0

Gueron, et al.          Expires October 21, 2016               [Page 29]
Internet-Draft                 aes-gcm-siv                    April 2016

   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =
   MSG =                           010000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
   LENBLK =                        00000000000000006000000000000000

   Computing POLYVAL on a
   buffer of 1 blocks + LENBLK.
   POLYVAL =                       0400000000000040d900000000283b1c
   POLYVAL_xor_NONCE  =            0700000000000040d900000000283b1c
   with MSBit cleared =            0700000000000040d900000000283b1c
   TAG =                           dd55830c690eadd7fd2155b3615470bd
   AAD =
   CT  =                           9391b4122fccfecb60ec40ab
   Encryption_Key=                 57d4b7aec8de993e30a6861b61e6ce4e

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   57d4b7aec8de993e30a6861b61e6ce4e
                                   d85f98411081017f2027876441c1492a
                                   a2647dc2b2e57cbd92c2fbd9d303b2f3
                                   dd5370a46fb60c19fd74f7c02e774533
                                   203db3954f8bbf8cb2ff484c9c880d7f
                                   f4ea614bbb61dec7099e968b95169bf4
                                   93fede61289f00a62101962db4170dd9
                                   2329ebec0bb6eb4a2ab77d679ea070be
                                   437845e748ceaead6279d3cafcd9a374
                                   6d72d75725bc79fa47c5aa30bb1c0944
                                   c773ccbde2cfb547a50a1f771e161633

   CTRBLKS (with MSbit set to 1)

                                   00000000690eadd7fd2155b3615470bd

   --------------------- TWO_KEYS     (AAD = 0, MSG = 16)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0

Gueron, et al.          Expires October 21, 2016               [Page 30]
Internet-Draft                 aes-gcm-siv                    April 2016

   MSG_byte_len = 16
   MSG_bit_len  = 128
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =
   MSG =                           01000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
   LENBLK =                        00000000000000008000000000000000

   Computing POLYVAL on a
   buffer of 1 blocks + LENBLK.
   POLYVAL =                       04000000000000002301000000283b1c
   POLYVAL_xor_NONCE  =            07000000000000002301000000283b1c
   with MSBit cleared =            07000000000000002301000000283b1c
   TAG =                           147650d36f064f6b5dbbe8f04077d903
   AAD =
   CT  =                           565e4a931280ecdece8620abcf90b65e
   Encryption_Key=                 57d4b7aec8de993e30a6861b61e6ce4e

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   57d4b7aec8de993e30a6861b61e6ce4e
                                   d85f98411081017f2027876441c1492a
                                   a2647dc2b2e57cbd92c2fbd9d303b2f3
                                   dd5370a46fb60c19fd74f7c02e774533
                                   203db3954f8bbf8cb2ff484c9c880d7f
                                   f4ea614bbb61dec7099e968b95169bf4
                                   93fede61289f00a62101962db4170dd9
                                   2329ebec0bb6eb4a2ab77d679ea070be
                                   437845e748ceaead6279d3cafcd9a374
                                   6d72d75725bc79fa47c5aa30bb1c0944
                                   c773ccbde2cfb547a50a1f771e161633

   CTRBLKS (with MSbit set to 1)

                                   000000006f064f6b5dbbe8f04077d983

Gueron, et al.          Expires October 21, 2016               [Page 31]
Internet-Draft                 aes-gcm-siv                    April 2016

   --------------------- TWO_KEYS     (AAD = 0, MSG = 32)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 32
   MSG_bit_len  = 256
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 32
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 2
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =
   MSG =                           01000000000000000000000000000000
                                   02000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
   LENBLK =                        00000000000000000001000000000000

   Computing POLYVAL on a
   buffer of 2 blocks + LENBLK.
   POLYVAL =                       010000000000000046020000f0507615
   POLYVAL_xor_NONCE  =            020000000000000046020000f0507615
   with MSBit cleared =            020000000000000046020000f0507615
   TAG =                           78a50cb3f901ee38c588f6662d785a24
   AAD =
   CT  =                           9b1d2ba7d2d3a02efeecc18d03be2b56
                                   1753b147ae642183f2c4bbd72e4ed8e1
   Encryption_Key=                 57d4b7aec8de993e30a6861b61e6ce4e

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   57d4b7aec8de993e30a6861b61e6ce4e
                                   d85f98411081017f2027876441c1492a
                                   a2647dc2b2e57cbd92c2fbd9d303b2f3
                                   dd5370a46fb60c19fd74f7c02e774533
                                   203db3954f8bbf8cb2ff484c9c880d7f
                                   f4ea614bbb61dec7099e968b95169bf4
                                   93fede61289f00a62101962db4170dd9
                                   2329ebec0bb6eb4a2ab77d679ea070be
                                   437845e748ceaead6279d3cafcd9a374
                                   6d72d75725bc79fa47c5aa30bb1c0944

Gueron, et al.          Expires October 21, 2016               [Page 32]
Internet-Draft                 aes-gcm-siv                    April 2016

                                   c773ccbde2cfb547a50a1f771e161633

   CTRBLKS (with MSbit set to 1)

                                   00000000f901ee38c588f6662d785aa4
                                   01000000f901ee38c588f6662d785aa4

   --------------------- TWO_KEYS     (AAD = 0, MSG = 48)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 48
   MSG_bit_len  = 384
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 48
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 3
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =
   MSG =                           01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
   LENBLK =                        00000000000000008001000000000000

   Computing POLYVAL on a
   buffer of 3 blocks + LENBLK.
   POLYVAL =                       0e00000000000000650300203e788f7f
   POLYVAL_xor_NONCE  =            0d00000000000000650300203e788f7f
   with MSBit cleared =            0d00000000000000650300203e788f7f
   TAG =                           a75aa62b704e826d984a72184e370598
   AAD =
   CT  =                           dcc8d2f2c0e30b565f5d3ef58bf6638f
                                   f50e8909ced008e0515b79f7c8c3d1f5
                                   8ec1bb09177133b4cd1b375911d81579
   Encryption_Key=                 57d4b7aec8de993e30a6861b61e6ce4e

   ***************************

Gueron, et al.          Expires October 21, 2016               [Page 33]
Internet-Draft                 aes-gcm-siv                    April 2016

            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   57d4b7aec8de993e30a6861b61e6ce4e
                                   d85f98411081017f2027876441c1492a
                                   a2647dc2b2e57cbd92c2fbd9d303b2f3
                                   dd5370a46fb60c19fd74f7c02e774533
                                   203db3954f8bbf8cb2ff484c9c880d7f
                                   f4ea614bbb61dec7099e968b95169bf4
                                   93fede61289f00a62101962db4170dd9
                                   2329ebec0bb6eb4a2ab77d679ea070be
                                   437845e748ceaead6279d3cafcd9a374
                                   6d72d75725bc79fa47c5aa30bb1c0944
                                   c773ccbde2cfb547a50a1f771e161633

   CTRBLKS (with MSbit set to 1)

                                   00000000704e826d984a72184e370598
                                   01000000704e826d984a72184e370598
                                   02000000704e826d984a72184e370598

   --------------------- TWO_KEYS     (AAD = 0, MSG = 64)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 64
   MSG_bit_len  = 512
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 64
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 4
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =
   MSG =                           01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000

Gueron, et al.          Expires October 21, 2016               [Page 34]
Internet-Draft                 aes-gcm-siv                    April 2016

   LENBLK =                        00000000000000000002000000000000

   Computing POLYVAL on a
   buffer of 4 blocks + LENBLK.
   POLYVAL =                       0f000000000000008c04c04c63ad584f
   POLYVAL_xor_NONCE  =            0c000000000000008c04c04c63ad584f
   with MSBit cleared =            0c000000000000008c04c04c63ad584f
   TAG =                           d7f4efe2f6c72e3b8df168cab6b790ab
   AAD =
   CT  =                           472d6309563c74b6d5497145e929725a
                                   ab08979e6c4fc72c30c2e3a1ce568b94
                                   92e1b0351167937ee2faae79d40af93e
                                   24eee045fdab1b2040440632f1a34433
   Encryption_Key=                 57d4b7aec8de993e30a6861b61e6ce4e

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   57d4b7aec8de993e30a6861b61e6ce4e
                                   d85f98411081017f2027876441c1492a
                                   a2647dc2b2e57cbd92c2fbd9d303b2f3
                                   dd5370a46fb60c19fd74f7c02e774533
                                   203db3954f8bbf8cb2ff484c9c880d7f
                                   f4ea614bbb61dec7099e968b95169bf4
                                   93fede61289f00a62101962db4170dd9
                                   2329ebec0bb6eb4a2ab77d679ea070be
                                   437845e748ceaead6279d3cafcd9a374
                                   6d72d75725bc79fa47c5aa30bb1c0944
                                   c773ccbde2cfb547a50a1f771e161633

   CTRBLKS (with MSbit set to 1)

                                   00000000f6c72e3b8df168cab6b790ab
                                   01000000f6c72e3b8df168cab6b790ab
                                   02000000f6c72e3b8df168cab6b790ab
                                   03000000f6c72e3b8df168cab6b790ab

   --------------------- TWO_KEYS     (AAD = 1, MSG = 8)---------

   AAD_byte_len = 1
   AAD_bit_len  = 8
   MSG_byte_len = 8
   MSG_bit_len  = 64
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 1

Gueron, et al.          Expires October 21, 2016               [Page 35]
Internet-Draft                 aes-gcm-siv                    April 2016

   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =                           01
   MSG =                           0200000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
   LENBLK =                        08000000000000004000000000000000

   Computing POLYVAL on a
   buffer of 2 blocks + LENBLK.
   POLYVAL =                       130000000000008091000000f0501631
   POLYVAL_xor_NONCE  =            100000000000008091000000f0501631
   with MSBit cleared =            100000000000008091000000f0501631
   TAG =                           633c11b2eee1f65be0e3f1e0c824c5e0
   AAD =                           01
   CT  =                           5adcda74026afb99
   Encryption_Key=                 57d4b7aec8de993e30a6861b61e6ce4e

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   57d4b7aec8de993e30a6861b61e6ce4e
                                   d85f98411081017f2027876441c1492a
                                   a2647dc2b2e57cbd92c2fbd9d303b2f3
                                   dd5370a46fb60c19fd74f7c02e774533
                                   203db3954f8bbf8cb2ff484c9c880d7f
                                   f4ea614bbb61dec7099e968b95169bf4
                                   93fede61289f00a62101962db4170dd9
                                   2329ebec0bb6eb4a2ab77d679ea070be
                                   437845e748ceaead6279d3cafcd9a374
                                   6d72d75725bc79fa47c5aa30bb1c0944
                                   c773ccbde2cfb547a50a1f771e161633

   CTRBLKS (with MSbit set to 1)

                                   00000000eee1f65be0e3f1e0c824c5e0

   --------------------- TWO_KEYS     (AAD = 1, MSG = 12)---------

   AAD_byte_len = 1

Gueron, et al.          Expires October 21, 2016               [Page 36]
Internet-Draft                 aes-gcm-siv                    April 2016

   AAD_bit_len  = 8
   MSG_byte_len = 12
   MSG_bit_len  = 96
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =                           01
   MSG =                           020000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
   LENBLK =                        08000000000000006000000000000000

   Computing POLYVAL on a
   buffer of 2 blocks + LENBLK.
   POLYVAL =                       1300000000000040d9000000f0501631
   POLYVAL_xor_NONCE  =            1000000000000040d9000000f0501631
   with MSBit cleared =            1000000000000040d9000000f0501631
   TAG =                           f229e75b2c4c3048fc70f163c9aefe0d
   AAD =                           01
   CT  =                           b4fabbadb27257bbe8b807d5
   Encryption_Key=                 57d4b7aec8de993e30a6861b61e6ce4e

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   57d4b7aec8de993e30a6861b61e6ce4e
                                   d85f98411081017f2027876441c1492a
                                   a2647dc2b2e57cbd92c2fbd9d303b2f3
                                   dd5370a46fb60c19fd74f7c02e774533
                                   203db3954f8bbf8cb2ff484c9c880d7f
                                   f4ea614bbb61dec7099e968b95169bf4
                                   93fede61289f00a62101962db4170dd9
                                   2329ebec0bb6eb4a2ab77d679ea070be
                                   437845e748ceaead6279d3cafcd9a374
                                   6d72d75725bc79fa47c5aa30bb1c0944
                                   c773ccbde2cfb547a50a1f771e161633

   CTRBLKS (with MSbit set to 1)

                                   000000002c4c3048fc70f163c9aefe8d

Gueron, et al.          Expires October 21, 2016               [Page 37]
Internet-Draft                 aes-gcm-siv                    April 2016

   --------------------- TWO_KEYS     (AAD = 1, MSG = 16)---------

   AAD_byte_len = 1
   AAD_bit_len  = 8
   MSG_byte_len = 16
   MSG_bit_len  = 128
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =                           01
   MSG =                           02000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
   LENBLK =                        08000000000000008000000000000000

   Computing POLYVAL on a
   buffer of 2 blocks + LENBLK.
   POLYVAL =                       130000000000000023010000f0501631
   POLYVAL_xor_NONCE  =            100000000000000023010000f0501631
   with MSBit cleared =            100000000000000023010000f0501631
   TAG =                           cfb5aa16cdd9d39acc5d99b6eee2c6fc
   AAD =                           01
   CT  =                           dce7c7cd4d1060fdc663b9fe8de25385
   Encryption_Key=                 57d4b7aec8de993e30a6861b61e6ce4e

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   57d4b7aec8de993e30a6861b61e6ce4e
                                   d85f98411081017f2027876441c1492a
                                   a2647dc2b2e57cbd92c2fbd9d303b2f3
                                   dd5370a46fb60c19fd74f7c02e774533
                                   203db3954f8bbf8cb2ff484c9c880d7f
                                   f4ea614bbb61dec7099e968b95169bf4
                                   93fede61289f00a62101962db4170dd9
                                   2329ebec0bb6eb4a2ab77d679ea070be
                                   437845e748ceaead6279d3cafcd9a374
                                   6d72d75725bc79fa47c5aa30bb1c0944
                                   c773ccbde2cfb547a50a1f771e161633

Gueron, et al.          Expires October 21, 2016               [Page 38]
Internet-Draft                 aes-gcm-siv                    April 2016

   CTRBLKS (with MSbit set to 1)

                                   00000000cdd9d39acc5d99b6eee2c6fc

   --------------------- TWO_KEYS     (AAD = 1, MSG = 32)---------

   AAD_byte_len = 1
   AAD_bit_len  = 8
   MSG_byte_len = 32
   MSG_bit_len  = 256
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 32
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 2
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =                           01
   MSG =                           02000000000000000000000000000000
                                   03000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
   LENBLK =                        08000000000000000001000000000000

   Computing POLYVAL on a
   buffer of 3 blocks + LENBLK.
   POLYVAL =                       1c00000000000000460200203e78ef5b
   POLYVAL_xor_NONCE  =            1f00000000000000460200203e78ef5b
   with MSBit cleared =            1f00000000000000460200203e78ef5b
   TAG =                           8df5606f057468e4b38e89736255ad2d
   AAD =                           01
   CT  =                           c6d3098e12ac653520764cbccdb90655
                                   b3d91bf034f7549d5f775fca5d6ad34f
   Encryption_Key=                 57d4b7aec8de993e30a6861b61e6ce4e

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   57d4b7aec8de993e30a6861b61e6ce4e
                                   d85f98411081017f2027876441c1492a
                                   a2647dc2b2e57cbd92c2fbd9d303b2f3

Gueron, et al.          Expires October 21, 2016               [Page 39]
Internet-Draft                 aes-gcm-siv                    April 2016

                                   dd5370a46fb60c19fd74f7c02e774533
                                   203db3954f8bbf8cb2ff484c9c880d7f
                                   f4ea614bbb61dec7099e968b95169bf4
                                   93fede61289f00a62101962db4170dd9
                                   2329ebec0bb6eb4a2ab77d679ea070be
                                   437845e748ceaead6279d3cafcd9a374
                                   6d72d75725bc79fa47c5aa30bb1c0944
                                   c773ccbde2cfb547a50a1f771e161633

   CTRBLKS (with MSbit set to 1)

                                   00000000057468e4b38e89736255adad
                                   01000000057468e4b38e89736255adad

   --------------------- TWO_KEYS     (AAD = 1, MSG = 48)---------

   AAD_byte_len = 1
   AAD_bit_len  = 8
   MSG_byte_len = 48
   MSG_bit_len  = 384
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 48
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 3
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =                           01
   MSG =                           02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
   LENBLK =                        08000000000000008001000000000000

   Computing POLYVAL on a
   buffer of 4 blocks + LENBLK.
   POLYVAL =                       1d000000000000006503c04c63ad386b
   POLYVAL_xor_NONCE  =            1e000000000000006503c04c63ad386b
   with MSBit cleared =            1e000000000000006503c04c63ad386b

Gueron, et al.          Expires October 21, 2016               [Page 40]
Internet-Draft                 aes-gcm-siv                    April 2016

   TAG =                           b52274e14d6111c74edf5d95855256a2
   AAD =                           01
   CT  =                           186abbbe486294281b1514c11c240e6a
                                   4d959a1ac6da46e5b83bbe2d3d37de44
                                   ab009bb885b5c0bf83db80b651c06e74
   Encryption_Key=                 57d4b7aec8de993e30a6861b61e6ce4e

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   57d4b7aec8de993e30a6861b61e6ce4e
                                   d85f98411081017f2027876441c1492a
                                   a2647dc2b2e57cbd92c2fbd9d303b2f3
                                   dd5370a46fb60c19fd74f7c02e774533
                                   203db3954f8bbf8cb2ff484c9c880d7f
                                   f4ea614bbb61dec7099e968b95169bf4
                                   93fede61289f00a62101962db4170dd9
                                   2329ebec0bb6eb4a2ab77d679ea070be
                                   437845e748ceaead6279d3cafcd9a374
                                   6d72d75725bc79fa47c5aa30bb1c0944
                                   c773ccbde2cfb547a50a1f771e161633

   CTRBLKS (with MSbit set to 1)

                                   000000004d6111c74edf5d95855256a2
                                   010000004d6111c74edf5d95855256a2
                                   020000004d6111c74edf5d95855256a2

   --------------------- TWO_KEYS     (AAD = 1, MSG = 64)---------

   AAD_byte_len = 1
   AAD_bit_len  = 8
   MSG_byte_len = 64
   MSG_bit_len  = 512
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 64
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 4
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =                           01

Gueron, et al.          Expires October 21, 2016               [Page 41]
Internet-Draft                 aes-gcm-siv                    April 2016

   MSG =                           02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
                                   05000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
                                   05000000000000000000000000000000
   LENBLK =                        08000000000000000002000000000000

   Computing POLYVAL on a
   buffer of 5 blocks + LENBLK.
   POLYVAL =                       1b000000000000008c841a01712a376e
   POLYVAL_xor_NONCE  =            18000000000000008c841a01712a376e
   with MSBit cleared =            18000000000000008c841a01712a376e
   TAG =                           668fc00b6b40b4bb0c8d6cdb9730358d
   AAD =                           01
   CT  =                           499ec09c83c2b79cf6b219e6b79ec81c
                                   7c7b572c8a04b322094ec011e7003ded
                                   388627f831ee79bd3df5db27f648125a
                                   fbfe2774388c34bb652b866ca84bdcd8
   Encryption_Key=                 57d4b7aec8de993e30a6861b61e6ce4e

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   57d4b7aec8de993e30a6861b61e6ce4e
                                   d85f98411081017f2027876441c1492a
                                   a2647dc2b2e57cbd92c2fbd9d303b2f3
                                   dd5370a46fb60c19fd74f7c02e774533
                                   203db3954f8bbf8cb2ff484c9c880d7f
                                   f4ea614bbb61dec7099e968b95169bf4
                                   93fede61289f00a62101962db4170dd9
                                   2329ebec0bb6eb4a2ab77d679ea070be
                                   437845e748ceaead6279d3cafcd9a374
                                   6d72d75725bc79fa47c5aa30bb1c0944
                                   c773ccbde2cfb547a50a1f771e161633

   CTRBLKS (with MSbit set to 1)

                                   000000006b40b4bb0c8d6cdb9730358d
                                   010000006b40b4bb0c8d6cdb9730358d
                                   020000006b40b4bb0c8d6cdb9730358d
                                   030000006b40b4bb0c8d6cdb9730358d

Gueron, et al.          Expires October 21, 2016               [Page 42]
Internet-Draft                 aes-gcm-siv                    April 2016

   --------------------- TWO_KEYS     (AAD = 12, MSG = 4)---------

   AAD_byte_len = 12
   AAD_bit_len  = 96
   MSG_byte_len = 4
   MSG_bit_len  = 32
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =                           010000000000000000000000
   MSG =                           02000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
   LENBLK =                        60000000000000002000000000000000

   Computing POLYVAL on a
   buffer of 2 blocks + LENBLK.
   POLYVAL =                       d8000000000000c048000000f050f665
   POLYVAL_xor_NONCE  =            db000000000000c048000000f050f665
   with MSBit cleared =            db000000000000c048000000f050f665
   TAG =                           488346eaebe2d64ffa58e0fa82f8cd43
   AAD =                           010000000000000000000000
   CT  =                           7d5240be
   Encryption_Key=                 57d4b7aec8de993e30a6861b61e6ce4e

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   57d4b7aec8de993e30a6861b61e6ce4e
                                   d85f98411081017f2027876441c1492a
                                   a2647dc2b2e57cbd92c2fbd9d303b2f3
                                   dd5370a46fb60c19fd74f7c02e774533
                                   203db3954f8bbf8cb2ff484c9c880d7f
                                   f4ea614bbb61dec7099e968b95169bf4
                                   93fede61289f00a62101962db4170dd9
                                   2329ebec0bb6eb4a2ab77d679ea070be
                                   437845e748ceaead6279d3cafcd9a374
                                   6d72d75725bc79fa47c5aa30bb1c0944
                                   c773ccbde2cfb547a50a1f771e161633

Gueron, et al.          Expires October 21, 2016               [Page 43]
Internet-Draft                 aes-gcm-siv                    April 2016

   CTRBLKS (with MSbit set to 1)

                                   00000000ebe2d64ffa58e0fa82f8cdc3

   --------------------- TWO_KEYS     (AAD = 18, MSG = 20)---------

   AAD_byte_len = 18
   AAD_bit_len  = 144
   MSG_byte_len = 20
   MSG_bit_len  = 160
   padded_AAD_byte_len = 32
   padded_MSG_byte_len = 32
   L1 blocks AAD(padded)  = 2
   L2 blocks MSG(padded)  = 2
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =                           01000000000000000000000000000000
                                   0200
   MSG =                           03000000000000000000000000000000
                                   04000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
   LENBLK =                        9000000000000000a000000000000000

   Computing POLYVAL on a
   buffer of 4 blocks + LENBLK.
   POLYVAL =                       08010000000000c06b01c04c63ad9807
   POLYVAL_xor_NONCE  =            0b010000000000c06b01c04c63ad9807
   with MSBit cleared =            0b010000000000c06b01c04c63ad9807
   TAG =                           d010794cfdbbc65ef641b8ccb9c2dda3
   AAD =                           01000000000000000000000000000000
                                   0200
   CT  =                           6d98c309d4f472480c5b1389e83569e5
                                   217ddb9c
   Encryption_Key=                 57d4b7aec8de993e30a6861b61e6ce4e

   ***************************
            APPENDIX
   ***************************

Gueron, et al.          Expires October 21, 2016               [Page 44]
Internet-Draft                 aes-gcm-siv                    April 2016

   KEY_SCHEDULE (Encryption_Key)   57d4b7aec8de993e30a6861b61e6ce4e
                                   d85f98411081017f2027876441c1492a
                                   a2647dc2b2e57cbd92c2fbd9d303b2f3
                                   dd5370a46fb60c19fd74f7c02e774533
                                   203db3954f8bbf8cb2ff484c9c880d7f
                                   f4ea614bbb61dec7099e968b95169bf4
                                   93fede61289f00a62101962db4170dd9
                                   2329ebec0bb6eb4a2ab77d679ea070be
                                   437845e748ceaead6279d3cafcd9a374
                                   6d72d75725bc79fa47c5aa30bb1c0944
                                   c773ccbde2cfb547a50a1f771e161633

   CTRBLKS (with MSbit set to 1)

                                   00000000fdbbc65ef641b8ccb9c2dda3
                                   01000000fdbbc65ef641b8ccb9c2dda3

   --------------------- TWO_KEYS     (AAD = 20, MSG = 18)---------

   AAD_byte_len = 20
   AAD_bit_len  = 160
   MSG_byte_len = 18
   MSG_bit_len  = 144
   padded_AAD_byte_len = 32
   padded_MSG_byte_len = 32
   L1 blocks AAD(padded)  = 2
   L2 blocks MSG(padded)  = 2
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =                           01000000000000000000000000000000
                                   02000000
   MSG =                           03000000000000000000000000000000
                                   0400
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
   LENBLK =                        a0000000000000009000000000000000

   Computing POLYVAL on a
   buffer of 4 blocks + LENBLK.

Gueron, et al.          Expires October 21, 2016               [Page 45]
Internet-Draft                 aes-gcm-siv                    April 2016

   POLYVAL =                       64010000000000600701c04c63add8de
   POLYVAL_xor_NONCE  =            67010000000000600701c04c63add8de
   with MSBit cleared =            67010000000000600701c04c63add85e
   TAG =                           98e16515942fb8ff9ef108e7ce53a963
   AAD =                           01000000000000000000000000000000
                                   02000000
   CT  =                           4649087685b01b476bd3420f36ca67d3
                                   b18b
   Encryption_Key=                 57d4b7aec8de993e30a6861b61e6ce4e

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   57d4b7aec8de993e30a6861b61e6ce4e
                                   d85f98411081017f2027876441c1492a
                                   a2647dc2b2e57cbd92c2fbd9d303b2f3
                                   dd5370a46fb60c19fd74f7c02e774533
                                   203db3954f8bbf8cb2ff484c9c880d7f
                                   f4ea614bbb61dec7099e968b95169bf4
                                   93fede61289f00a62101962db4170dd9
                                   2329ebec0bb6eb4a2ab77d679ea070be
                                   437845e748ceaead6279d3cafcd9a374
                                   6d72d75725bc79fa47c5aa30bb1c0944
                                   c773ccbde2cfb547a50a1f771e161633

   CTRBLKS (with MSbit set to 1)

                                   00000000942fb8ff9ef108e7ce53a9e3
                                   01000000942fb8ff9ef108e7ce53a9e3

A.2.  AEAD_AES_256_GCM_SIV

   --------------------- TWO_KEYS     (AAD = 0, MSG = 0)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 0
   MSG_bit_len  = 0
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 0
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 0
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000

Gueron, et al.          Expires October 21, 2016               [Page 46]
Internet-Draft                 aes-gcm-siv                    April 2016

                                   00000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =
   MSG =
   PADDED_AAD_and_MSG =
   LENBLK =                        00000000000000000000000000000000

   Computing POLYVAL on a
   buffer of 0 blocks + LENBLK.
   POLYVAL =                       00000000000000000000000000000000
   POLYVAL_xor_NONCE  =            03000000000000000000000000000000
   with MSBit cleared =            03000000000000000000000000000000
   TAG =                           de1a5fcd85a5217d91d8b349ab9cd224
   AAD =
   CT  =
   Encryption_Key =                d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae
                                   c19a3fba65980e6f4b5fe1545a05a30d
                                   76ec3f188d75c24459bdc798ad3a3236
                                   43b93a2f262134406d7ed514377b7619
                                   eccd07cc61b8c58838050210953f3026
                                   32bdcd05149cf94579e22c514e995a48
                                   c323b99ea29b7c169a9e7e060fa14e20
                                   08927a731c0e833665ecaf672b75f52f
                                   32be5f8b9025239d0abb5d9b051a13bb
                                   baef9018a6e1132ec30dbc49e8784966
                                   a90264b839274725339c1abe36860905
                                   deeefb1d780fe833bb02547a537a1d1c
                                   44d8c0247dff87014e639dbf78e594ba
                                   47cc0fa13fc3e79284c1b3e8d7bbaef4

   CTRBLKS (with MSbit set to 1)

   --------------------- TWO_KEYS     (AAD = 0, MSG = 8)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 8
   MSG_bit_len  = 64

Gueron, et al.          Expires October 21, 2016               [Page 47]
Internet-Draft                 aes-gcm-siv                    April 2016

   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =
   MSG =                           0100000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
   LENBLK =                        00000000000000004000000000000000

   Computing POLYVAL on a
   buffer of 1 blocks + LENBLK.
   POLYVAL =                       04000000000000809100000000283b1c
   POLYVAL_xor_NONCE  =            07000000000000809100000000283b1c
   with MSBit cleared =            07000000000000809100000000283b1c
   TAG =                           90d1e4ad87f53fbf3eb26c066193fdf3
   AAD =
   CT  =                           4b0619edd74c6a09
   Encryption_Key =                d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae
                                   c19a3fba65980e6f4b5fe1545a05a30d
                                   76ec3f188d75c24459bdc798ad3a3236
                                   43b93a2f262134406d7ed514377b7619
                                   eccd07cc61b8c58838050210953f3026
                                   32bdcd05149cf94579e22c514e995a48
                                   c323b99ea29b7c169a9e7e060fa14e20
                                   08927a731c0e833665ecaf672b75f52f
                                   32be5f8b9025239d0abb5d9b051a13bb
                                   baef9018a6e1132ec30dbc49e8784966
                                   a90264b839274725339c1abe36860905
                                   deeefb1d780fe833bb02547a537a1d1c
                                   44d8c0247dff87014e639dbf78e594ba
                                   47cc0fa13fc3e79284c1b3e8d7bbaef4

   CTRBLKS (with MSbit set to 1)

Gueron, et al.          Expires October 21, 2016               [Page 48]
Internet-Draft                 aes-gcm-siv                    April 2016

                                   0000000087f53fbf3eb26c066193fdf3

   --------------------- TWO_KEYS     (AAD = 0, MSG = 12)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 12
   MSG_bit_len  = 96
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =
   MSG =                           010000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
   LENBLK =                        00000000000000006000000000000000

   Computing POLYVAL on a
   buffer of 1 blocks + LENBLK.
   POLYVAL =                       0400000000000040d900000000283b1c
   POLYVAL_xor_NONCE  =            0700000000000040d900000000283b1c
   with MSBit cleared =            0700000000000040d900000000283b1c
   TAG =                           a42c36bcd7dd95273c5ded5a5ab0a8fc
   AAD =
   CT  =                           ea410b6727fe50357dc2c9f9
   Encryption_Key =                d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae
                                   c19a3fba65980e6f4b5fe1545a05a30d
                                   76ec3f188d75c24459bdc798ad3a3236
                                   43b93a2f262134406d7ed514377b7619
                                   eccd07cc61b8c58838050210953f3026
                                   32bdcd05149cf94579e22c514e995a48

Gueron, et al.          Expires October 21, 2016               [Page 49]
Internet-Draft                 aes-gcm-siv                    April 2016

                                   c323b99ea29b7c169a9e7e060fa14e20
                                   08927a731c0e833665ecaf672b75f52f
                                   32be5f8b9025239d0abb5d9b051a13bb
                                   baef9018a6e1132ec30dbc49e8784966
                                   a90264b839274725339c1abe36860905
                                   deeefb1d780fe833bb02547a537a1d1c
                                   44d8c0247dff87014e639dbf78e594ba
                                   47cc0fa13fc3e79284c1b3e8d7bbaef4

   CTRBLKS (with MSbit set to 1)

                                   00000000d7dd95273c5ded5a5ab0a8fc

   --------------------- TWO_KEYS     (AAD = 0, MSG = 16)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 16
   MSG_bit_len  = 128
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =
   MSG =                           01000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
   LENBLK =                        00000000000000008000000000000000

   Computing POLYVAL on a
   buffer of 1 blocks + LENBLK.
   POLYVAL =                       04000000000000002301000000283b1c
   POLYVAL_xor_NONCE  =            07000000000000002301000000283b1c
   with MSBit cleared =            07000000000000002301000000283b1c
   TAG =                           a86f26245dea30d23ec045223ef5851e
   AAD =
   CT  =                           d5d6c0782d45de97a027156334229387
   Encryption_Key =                d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae

Gueron, et al.          Expires October 21, 2016               [Page 50]
Internet-Draft                 aes-gcm-siv                    April 2016

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae
                                   c19a3fba65980e6f4b5fe1545a05a30d
                                   76ec3f188d75c24459bdc798ad3a3236
                                   43b93a2f262134406d7ed514377b7619
                                   eccd07cc61b8c58838050210953f3026
                                   32bdcd05149cf94579e22c514e995a48
                                   c323b99ea29b7c169a9e7e060fa14e20
                                   08927a731c0e833665ecaf672b75f52f
                                   32be5f8b9025239d0abb5d9b051a13bb
                                   baef9018a6e1132ec30dbc49e8784966
                                   a90264b839274725339c1abe36860905
                                   deeefb1d780fe833bb02547a537a1d1c
                                   44d8c0247dff87014e639dbf78e594ba
                                   47cc0fa13fc3e79284c1b3e8d7bbaef4

   CTRBLKS (with MSbit set to 1)

                                   000000005dea30d23ec045223ef5859e

   --------------------- TWO_KEYS     (AAD = 0, MSG = 32)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 32
   MSG_bit_len  = 256
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 32
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 2
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =
   MSG =                           01000000000000000000000000000000
                                   02000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000

Gueron, et al.          Expires October 21, 2016               [Page 51]
Internet-Draft                 aes-gcm-siv                    April 2016

   LENBLK =                        00000000000000000001000000000000

   Computing POLYVAL on a
   buffer of 2 blocks + LENBLK.
   POLYVAL =                       010000000000000046020000f0507615
   POLYVAL_xor_NONCE  =            020000000000000046020000f0507615
   with MSBit cleared =            020000000000000046020000f0507615
   TAG =                           ac78c482d3499b26ae97bf353c2c1bdb
   AAD =
   CT  =                           cac82890d7f5a8330fa2f0f03701901a
                                   ed8a98666b42f74cc1887bd18964cf37
   Encryption_Key =                d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae
                                   c19a3fba65980e6f4b5fe1545a05a30d
                                   76ec3f188d75c24459bdc798ad3a3236
                                   43b93a2f262134406d7ed514377b7619
                                   eccd07cc61b8c58838050210953f3026
                                   32bdcd05149cf94579e22c514e995a48
                                   c323b99ea29b7c169a9e7e060fa14e20
                                   08927a731c0e833665ecaf672b75f52f
                                   32be5f8b9025239d0abb5d9b051a13bb
                                   baef9018a6e1132ec30dbc49e8784966
                                   a90264b839274725339c1abe36860905
                                   deeefb1d780fe833bb02547a537a1d1c
                                   44d8c0247dff87014e639dbf78e594ba
                                   47cc0fa13fc3e79284c1b3e8d7bbaef4

   CTRBLKS (with MSbit set to 1)

                                   00000000d3499b26ae97bf353c2c1bdb
                                   01000000d3499b26ae97bf353c2c1bdb

   --------------------- TWO_KEYS     (AAD = 0, MSG = 48)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 48
   MSG_bit_len  = 384
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 48

Gueron, et al.          Expires October 21, 2016               [Page 52]
Internet-Draft                 aes-gcm-siv                    April 2016

   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 3
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =
   MSG =                           01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
   LENBLK =                        00000000000000008001000000000000

   Computing POLYVAL on a
   buffer of 3 blocks + LENBLK.
   POLYVAL =                       0e00000000000000650300203e788f7f
   POLYVAL_xor_NONCE  =            0d00000000000000650300203e788f7f
   with MSBit cleared =            0d00000000000000650300203e788f7f
   TAG =                           d47a0a762c2dea133c87aea50fb1c1b3
   AAD =
   CT  =                           bd562c8f8bbde467149c17a3f316fd2c
                                   8859c748760332d3296a5b233c4059e3
                                   e70a042dfc2b1812f484801a184b23ae
   Encryption_Key =                d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae
                                   c19a3fba65980e6f4b5fe1545a05a30d
                                   76ec3f188d75c24459bdc798ad3a3236
                                   43b93a2f262134406d7ed514377b7619
                                   eccd07cc61b8c58838050210953f3026
                                   32bdcd05149cf94579e22c514e995a48
                                   c323b99ea29b7c169a9e7e060fa14e20
                                   08927a731c0e833665ecaf672b75f52f
                                   32be5f8b9025239d0abb5d9b051a13bb
                                   baef9018a6e1132ec30dbc49e8784966
                                   a90264b839274725339c1abe36860905
                                   deeefb1d780fe833bb02547a537a1d1c

Gueron, et al.          Expires October 21, 2016               [Page 53]
Internet-Draft                 aes-gcm-siv                    April 2016

                                   44d8c0247dff87014e639dbf78e594ba
                                   47cc0fa13fc3e79284c1b3e8d7bbaef4

   CTRBLKS (with MSbit set to 1)

                                   000000002c2dea133c87aea50fb1c1b3
                                   010000002c2dea133c87aea50fb1c1b3
                                   020000002c2dea133c87aea50fb1c1b3

   --------------------- TWO_KEYS     (AAD = 0, MSG = 64)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 64
   MSG_bit_len  = 512
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 64
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 4
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =
   MSG =                           01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
   LENBLK =                        00000000000000000002000000000000

   Computing POLYVAL on a
   buffer of 4 blocks + LENBLK.
   POLYVAL =                       0f000000000000008c04c04c63ad584f
   POLYVAL_xor_NONCE  =            0c000000000000008c04c04c63ad584f
   with MSBit cleared =            0c000000000000008c04c04c63ad584f
   TAG =                           15e4bd316b19caa3a3493a81a3e4153c
   AAD =
   CT  =                           d53e727defb0fe560c87f405ab19b1a2

Gueron, et al.          Expires October 21, 2016               [Page 54]
Internet-Draft                 aes-gcm-siv                    April 2016

                                   6fd85249324b974564c477b2eb4d4162
                                   943fa821946537d507e0713dcc556075
                                   220130acb5f3daa8dd46ee9af3b36642
   Encryption_Key =                d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae
                                   c19a3fba65980e6f4b5fe1545a05a30d
                                   76ec3f188d75c24459bdc798ad3a3236
                                   43b93a2f262134406d7ed514377b7619
                                   eccd07cc61b8c58838050210953f3026
                                   32bdcd05149cf94579e22c514e995a48
                                   c323b99ea29b7c169a9e7e060fa14e20
                                   08927a731c0e833665ecaf672b75f52f
                                   32be5f8b9025239d0abb5d9b051a13bb
                                   baef9018a6e1132ec30dbc49e8784966
                                   a90264b839274725339c1abe36860905
                                   deeefb1d780fe833bb02547a537a1d1c
                                   44d8c0247dff87014e639dbf78e594ba
                                   47cc0fa13fc3e79284c1b3e8d7bbaef4

   CTRBLKS (with MSbit set to 1)

                                   000000006b19caa3a3493a81a3e415bc
                                   010000006b19caa3a3493a81a3e415bc
                                   020000006b19caa3a3493a81a3e415bc
                                   030000006b19caa3a3493a81a3e415bc

   --------------------- TWO_KEYS     (AAD = 1, MSG = 8)---------

   AAD_byte_len = 1
   AAD_bit_len  = 8
   MSG_byte_len = 8
   MSG_bit_len  = 64
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------

Gueron, et al.          Expires October 21, 2016               [Page 55]
Internet-Draft                 aes-gcm-siv                    April 2016

   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =                           01
   MSG =                           0200000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
   LENBLK =                        08000000000000004000000000000000

   Computing POLYVAL on a
   buffer of 2 blocks + LENBLK.
   POLYVAL =                       130000000000008091000000f0501631
   POLYVAL_xor_NONCE  =            100000000000008091000000f0501631
   with MSBit cleared =            100000000000008091000000f0501631
   TAG =                           4cac1deb89734986b5f0546c661932e9
   AAD =                           01
   CT  =                           8e5a22875d5d692e
   Encryption_Key =                d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae
                                   c19a3fba65980e6f4b5fe1545a05a30d
                                   76ec3f188d75c24459bdc798ad3a3236
                                   43b93a2f262134406d7ed514377b7619
                                   eccd07cc61b8c58838050210953f3026
                                   32bdcd05149cf94579e22c514e995a48
                                   c323b99ea29b7c169a9e7e060fa14e20
                                   08927a731c0e833665ecaf672b75f52f
                                   32be5f8b9025239d0abb5d9b051a13bb
                                   baef9018a6e1132ec30dbc49e8784966
                                   a90264b839274725339c1abe36860905
                                   deeefb1d780fe833bb02547a537a1d1c
                                   44d8c0247dff87014e639dbf78e594ba
                                   47cc0fa13fc3e79284c1b3e8d7bbaef4

   CTRBLKS (with MSbit set to 1)

                                   0000000089734986b5f0546c661932e9

   --------------------- TWO_KEYS     (AAD = 1, MSG = 12)---------

Gueron, et al.          Expires October 21, 2016               [Page 56]
Internet-Draft                 aes-gcm-siv                    April 2016

   AAD_byte_len = 1
   AAD_bit_len  = 8
   MSG_byte_len = 12
   MSG_bit_len  = 96
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =                           01
   MSG =                           020000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
   LENBLK =                        08000000000000006000000000000000

   Computing POLYVAL on a
   buffer of 2 blocks + LENBLK.
   POLYVAL =                       1300000000000040d9000000f0501631
   POLYVAL_xor_NONCE  =            1000000000000040d9000000f0501631
   with MSBit cleared =            1000000000000040d9000000f0501631
   TAG =                           42794bd56cd0b78ebdad8dc2c2c11720
   AAD =                           01
   CT  =                           ed921994f8d27aad941bfb6f
   Encryption_Key =                d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae
                                   c19a3fba65980e6f4b5fe1545a05a30d
                                   76ec3f188d75c24459bdc798ad3a3236
                                   43b93a2f262134406d7ed514377b7619
                                   eccd07cc61b8c58838050210953f3026
                                   32bdcd05149cf94579e22c514e995a48
                                   c323b99ea29b7c169a9e7e060fa14e20
                                   08927a731c0e833665ecaf672b75f52f
                                   32be5f8b9025239d0abb5d9b051a13bb
                                   baef9018a6e1132ec30dbc49e8784966
                                   a90264b839274725339c1abe36860905

Gueron, et al.          Expires October 21, 2016               [Page 57]
Internet-Draft                 aes-gcm-siv                    April 2016

                                   deeefb1d780fe833bb02547a537a1d1c
                                   44d8c0247dff87014e639dbf78e594ba
                                   47cc0fa13fc3e79284c1b3e8d7bbaef4

   CTRBLKS (with MSbit set to 1)

                                   000000006cd0b78ebdad8dc2c2c117a0

   --------------------- TWO_KEYS     (AAD = 1, MSG = 16)---------

   AAD_byte_len = 1
   AAD_bit_len  = 8
   MSG_byte_len = 16
   MSG_bit_len  = 128
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =                           01
   MSG =                           02000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
   LENBLK =                        08000000000000008000000000000000

   Computing POLYVAL on a
   buffer of 2 blocks + LENBLK.
   POLYVAL =                       130000000000000023010000f0501631
   POLYVAL_xor_NONCE  =            100000000000000023010000f0501631
   with MSBit cleared =            100000000000000023010000f0501631
   TAG =                           1e1fb157ee961567ee5a686a3ac66e74
   AAD =                           01
   CT  =                           295cb156a7ccc66c9026829a26b08a92
   Encryption_Key =                d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae

   ***************************
            APPENDIX
   ***************************

Gueron, et al.          Expires October 21, 2016               [Page 58]
Internet-Draft                 aes-gcm-siv                    April 2016

   KEY_SCHEDULE (Encryption_Key)   d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae
                                   c19a3fba65980e6f4b5fe1545a05a30d
                                   76ec3f188d75c24459bdc798ad3a3236
                                   43b93a2f262134406d7ed514377b7619
                                   eccd07cc61b8c58838050210953f3026
                                   32bdcd05149cf94579e22c514e995a48
                                   c323b99ea29b7c169a9e7e060fa14e20
                                   08927a731c0e833665ecaf672b75f52f
                                   32be5f8b9025239d0abb5d9b051a13bb
                                   baef9018a6e1132ec30dbc49e8784966
                                   a90264b839274725339c1abe36860905
                                   deeefb1d780fe833bb02547a537a1d1c
                                   44d8c0247dff87014e639dbf78e594ba
                                   47cc0fa13fc3e79284c1b3e8d7bbaef4

   CTRBLKS (with MSbit set to 1)

                                   00000000ee961567ee5a686a3ac66ef4

   --------------------- TWO_KEYS     (AAD = 1, MSG = 32)---------

   AAD_byte_len = 1
   AAD_bit_len  = 8
   MSG_byte_len = 32
   MSG_bit_len  = 256
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 32
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 2
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =                           01
   MSG =                           02000000000000000000000000000000
                                   03000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
   LENBLK =                        08000000000000000001000000000000

Gueron, et al.          Expires October 21, 2016               [Page 59]
Internet-Draft                 aes-gcm-siv                    April 2016

   Computing POLYVAL on a
   buffer of 3 blocks + LENBLK.
   POLYVAL =                       1c00000000000000460200203e78ef5b
   POLYVAL_xor_NONCE  =            1f00000000000000460200203e78ef5b
   with MSBit cleared =            1f00000000000000460200203e78ef5b
   TAG =                           c5558db375fc7fb253b477d990435e79
   AAD =                           01
   CT  =                           b1403a920a945105017054ccd7754e54
                                   7f471b9e42bd847f9ff2a6d5e1f72b92
   Encryption_Key =                d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae
                                   c19a3fba65980e6f4b5fe1545a05a30d
                                   76ec3f188d75c24459bdc798ad3a3236
                                   43b93a2f262134406d7ed514377b7619
                                   eccd07cc61b8c58838050210953f3026
                                   32bdcd05149cf94579e22c514e995a48
                                   c323b99ea29b7c169a9e7e060fa14e20
                                   08927a731c0e833665ecaf672b75f52f
                                   32be5f8b9025239d0abb5d9b051a13bb
                                   baef9018a6e1132ec30dbc49e8784966
                                   a90264b839274725339c1abe36860905
                                   deeefb1d780fe833bb02547a537a1d1c
                                   44d8c0247dff87014e639dbf78e594ba
                                   47cc0fa13fc3e79284c1b3e8d7bbaef4

   CTRBLKS (with MSbit set to 1)

                                   0000000075fc7fb253b477d990435ef9
                                   0100000075fc7fb253b477d990435ef9

   --------------------- TWO_KEYS     (AAD = 1, MSG = 48)---------

   AAD_byte_len = 1
   AAD_bit_len  = 8
   MSG_byte_len = 48
   MSG_bit_len  = 384
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 48
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 3

Gueron, et al.          Expires October 21, 2016               [Page 60]
Internet-Draft                 aes-gcm-siv                    April 2016

                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =                           01
   MSG =                           02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
   LENBLK =                        08000000000000008001000000000000

   Computing POLYVAL on a
   buffer of 4 blocks + LENBLK.
   POLYVAL =                       1d000000000000006503c04c63ad386b
   POLYVAL_xor_NONCE  =            1e000000000000006503c04c63ad386b
   with MSBit cleared =            1e000000000000006503c04c63ad386b
   TAG =                           54538b4b90c4877f29632ec9441d9809
   AAD =                           01
   CT  =                           687c9c5846e8fde28bc1bde37dd15b80
                                   7ab731537d765e93f0d74bcac390ffbd
                                   b71ddb1af7505791ca74e87c697120b8
   Encryption_Key =                d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae
                                   c19a3fba65980e6f4b5fe1545a05a30d
                                   76ec3f188d75c24459bdc798ad3a3236
                                   43b93a2f262134406d7ed514377b7619
                                   eccd07cc61b8c58838050210953f3026
                                   32bdcd05149cf94579e22c514e995a48
                                   c323b99ea29b7c169a9e7e060fa14e20
                                   08927a731c0e833665ecaf672b75f52f
                                   32be5f8b9025239d0abb5d9b051a13bb
                                   baef9018a6e1132ec30dbc49e8784966
                                   a90264b839274725339c1abe36860905
                                   deeefb1d780fe833bb02547a537a1d1c
                                   44d8c0247dff87014e639dbf78e594ba

Gueron, et al.          Expires October 21, 2016               [Page 61]
Internet-Draft                 aes-gcm-siv                    April 2016

                                   47cc0fa13fc3e79284c1b3e8d7bbaef4

   CTRBLKS (with MSbit set to 1)

                                   0000000090c4877f29632ec9441d9889
                                   0100000090c4877f29632ec9441d9889
                                   0200000090c4877f29632ec9441d9889

   --------------------- TWO_KEYS     (AAD = 1, MSG = 64)---------

   AAD_byte_len = 1
   AAD_bit_len  = 8
   MSG_byte_len = 64
   MSG_bit_len  = 512
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 64
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 4
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =                           01
   MSG =                           02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
                                   05000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
                                   05000000000000000000000000000000
   LENBLK =                        08000000000000000002000000000000

   Computing POLYVAL on a
   buffer of 5 blocks + LENBLK.
   POLYVAL =                       1b000000000000008c841a01712a376e
   POLYVAL_xor_NONCE  =            18000000000000008c841a01712a376e
   with MSBit cleared =            18000000000000008c841a01712a376e
   TAG =                           49650717f842d3d193e3cc498e80f2c7
   AAD =                           01
   CT  =                           c17abb9e321814304f3844af4c90cb8e

Gueron, et al.          Expires October 21, 2016               [Page 62]
Internet-Draft                 aes-gcm-siv                    April 2016

                                   a89be09bd7a43a05021266c59a31609a
                                   3a2e7edf107c4c83d8370b36e52caca9
                                   de04c10dfd7eac3008852914cd9e900d
   Encryption_Key =                d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae
                                   c19a3fba65980e6f4b5fe1545a05a30d
                                   76ec3f188d75c24459bdc798ad3a3236
                                   43b93a2f262134406d7ed514377b7619
                                   eccd07cc61b8c58838050210953f3026
                                   32bdcd05149cf94579e22c514e995a48
                                   c323b99ea29b7c169a9e7e060fa14e20
                                   08927a731c0e833665ecaf672b75f52f
                                   32be5f8b9025239d0abb5d9b051a13bb
                                   baef9018a6e1132ec30dbc49e8784966
                                   a90264b839274725339c1abe36860905
                                   deeefb1d780fe833bb02547a537a1d1c
                                   44d8c0247dff87014e639dbf78e594ba
                                   47cc0fa13fc3e79284c1b3e8d7bbaef4

   CTRBLKS (with MSbit set to 1)

                                   00000000f842d3d193e3cc498e80f2c7
                                   01000000f842d3d193e3cc498e80f2c7
                                   02000000f842d3d193e3cc498e80f2c7
                                   03000000f842d3d193e3cc498e80f2c7

   --------------------- TWO_KEYS     (AAD = 12, MSG = 4)---------

   AAD_byte_len = 12
   AAD_bit_len  = 96
   MSG_byte_len = 4
   MSG_bit_len  = 32
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------

Gueron, et al.          Expires October 21, 2016               [Page 63]
Internet-Draft                 aes-gcm-siv                    April 2016

   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =                           010000000000000000000000
   MSG =                           02000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
   LENBLK =                        60000000000000002000000000000000

   Computing POLYVAL on a
   buffer of 2 blocks + LENBLK.
   POLYVAL =                       d8000000000000c048000000f050f665
   POLYVAL_xor_NONCE  =            db000000000000c048000000f050f665
   with MSBit cleared =            db000000000000c048000000f050f665
   TAG =                           0ee2162b829d1b8087a61dec79c2b4dd
   AAD =                           010000000000000000000000
   CT  =                           7f25e1eb
   Encryption_Key =                d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae
                                   c19a3fba65980e6f4b5fe1545a05a30d
                                   76ec3f188d75c24459bdc798ad3a3236
                                   43b93a2f262134406d7ed514377b7619
                                   eccd07cc61b8c58838050210953f3026
                                   32bdcd05149cf94579e22c514e995a48
                                   c323b99ea29b7c169a9e7e060fa14e20
                                   08927a731c0e833665ecaf672b75f52f
                                   32be5f8b9025239d0abb5d9b051a13bb
                                   baef9018a6e1132ec30dbc49e8784966
                                   a90264b839274725339c1abe36860905
                                   deeefb1d780fe833bb02547a537a1d1c
                                   44d8c0247dff87014e639dbf78e594ba
                                   47cc0fa13fc3e79284c1b3e8d7bbaef4

   CTRBLKS (with MSbit set to 1)

                                   00000000829d1b8087a61dec79c2b4dd

   --------------------- TWO_KEYS     (AAD = 18, MSG = 20)---------

Gueron, et al.          Expires October 21, 2016               [Page 64]
Internet-Draft                 aes-gcm-siv                    April 2016

   AAD_byte_len = 18
   AAD_bit_len  = 144
   MSG_byte_len = 20
   MSG_bit_len  = 160
   padded_AAD_byte_len = 32
   padded_MSG_byte_len = 32
   L1 blocks AAD(padded)  = 2
   L2 blocks MSG(padded)  = 2
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =                           01000000000000000000000000000000
                                   0200
   MSG =                           03000000000000000000000000000000
                                   04000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
   LENBLK =                        9000000000000000a000000000000000

   Computing POLYVAL on a
   buffer of 4 blocks + LENBLK.
   POLYVAL =                       08010000000000c06b01c04c63ad9807
   POLYVAL_xor_NONCE  =            0b010000000000c06b01c04c63ad9807
   with MSBit cleared =            0b010000000000c06b01c04c63ad9807
   TAG =                           07e3ed3f0c192bb05b8de76bba7901aa
   AAD =                           01000000000000000000000000000000
                                   0200
   CT  =                           4f39b03d1cf9f45d74e756ff1a382004
                                   54b94c28
   Encryption_Key =                d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae
                                   c19a3fba65980e6f4b5fe1545a05a30d
                                   76ec3f188d75c24459bdc798ad3a3236
                                   43b93a2f262134406d7ed514377b7619
                                   eccd07cc61b8c58838050210953f3026

Gueron, et al.          Expires October 21, 2016               [Page 65]
Internet-Draft                 aes-gcm-siv                    April 2016

                                   32bdcd05149cf94579e22c514e995a48
                                   c323b99ea29b7c169a9e7e060fa14e20
                                   08927a731c0e833665ecaf672b75f52f
                                   32be5f8b9025239d0abb5d9b051a13bb
                                   baef9018a6e1132ec30dbc49e8784966
                                   a90264b839274725339c1abe36860905
                                   deeefb1d780fe833bb02547a537a1d1c
                                   44d8c0247dff87014e639dbf78e594ba
                                   47cc0fa13fc3e79284c1b3e8d7bbaef4

   CTRBLKS (with MSbit set to 1)

                                   000000000c192bb05b8de76bba7901aa
                                   010000000c192bb05b8de76bba7901aa

   --------------------- TWO_KEYS     (AAD = 20, MSG = 18)---------

   AAD_byte_len = 20
   AAD_bit_len  = 160
   MSG_byte_len = 18
   MSG_bit_len  = 144
   padded_AAD_byte_len = 32
   padded_MSG_byte_len = 32
   L1 blocks AAD(padded)  = 2
   L2 blocks MSG(padded)  = 2
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =                           01000000000000000000000000000000
                                   02000000
   MSG =                           03000000000000000000000000000000
                                   0400
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
   LENBLK =                        a0000000000000009000000000000000

   Computing POLYVAL on a
   buffer of 4 blocks + LENBLK.
   POLYVAL =                       64010000000000600701c04c63add8de

Gueron, et al.          Expires October 21, 2016               [Page 66]
Internet-Draft                 aes-gcm-siv                    April 2016

   POLYVAL_xor_NONCE  =            67010000000000600701c04c63add8de
   with MSBit cleared =            67010000000000600701c04c63add85e
   TAG =                           33f0e38bd6fb197ed4f7eaaea861d60b
   AAD =                           01000000000000000000000000000000
                                   02000000
   CT  =                           625534f47020a12f11754fbc86ed46cf
                                   41d0
   Encryption_Key =                d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae
                                   c19a3fba65980e6f4b5fe1545a05a30d
                                   76ec3f188d75c24459bdc798ad3a3236
                                   43b93a2f262134406d7ed514377b7619
                                   eccd07cc61b8c58838050210953f3026
                                   32bdcd05149cf94579e22c514e995a48
                                   c323b99ea29b7c169a9e7e060fa14e20
                                   08927a731c0e833665ecaf672b75f52f
                                   32be5f8b9025239d0abb5d9b051a13bb
                                   baef9018a6e1132ec30dbc49e8784966
                                   a90264b839274725339c1abe36860905
                                   deeefb1d780fe833bb02547a537a1d1c
                                   44d8c0247dff87014e639dbf78e594ba
                                   47cc0fa13fc3e79284c1b3e8d7bbaef4

   CTRBLKS (with MSbit set to 1)

                                   00000000d6fb197ed4f7eaaea861d68b
                                   01000000d6fb197ed4f7eaaea861d68b

   --------------------- TWO_KEYS     (AAD = 0, MSG = 0)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 0
   MSG_bit_len  = 0
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 0
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 0
                                               BYTES ORDER
                                   LSB--------------------------MSB

Gueron, et al.          Expires October 21, 2016               [Page 67]
Internet-Draft                 aes-gcm-siv                    April 2016

                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =
   MSG =
   PADDED_AAD_and_MSG =
   LENBLK =                        00000000000000000000000000000000

   Computing POLYVAL on a
   buffer of 0 blocks + LENBLK.
   POLYVAL =                       00000000000000000000000000000000
   POLYVAL_xor_NONCE  =            03000000000000000000000000000000
   with MSBit cleared =            03000000000000000000000000000000
   TAG =                           de1a5fcd85a5217d91d8b349ab9cd224
   AAD =
   CT  =
   Encryption_Key =                d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae
                                   c19a3fba65980e6f4b5fe1545a05a30d
                                   76ec3f188d75c24459bdc798ad3a3236
                                   43b93a2f262134406d7ed514377b7619
                                   eccd07cc61b8c58838050210953f3026
                                   32bdcd05149cf94579e22c514e995a48
                                   c323b99ea29b7c169a9e7e060fa14e20
                                   08927a731c0e833665ecaf672b75f52f
                                   32be5f8b9025239d0abb5d9b051a13bb
                                   baef9018a6e1132ec30dbc49e8784966
                                   a90264b839274725339c1abe36860905
                                   deeefb1d780fe833bb02547a537a1d1c
                                   44d8c0247dff87014e639dbf78e594ba
                                   47cc0fa13fc3e79284c1b3e8d7bbaef4

   CTRBLKS (with MSbit set to 1)

   --------------------- TWO_KEYS     (AAD = 0, MSG = 8)---------

Gueron, et al.          Expires October 21, 2016               [Page 68]
Internet-Draft                 aes-gcm-siv                    April 2016

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 8
   MSG_bit_len  = 64
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =
   MSG =                           0100000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
   LENBLK =                        00000000000000004000000000000000

   Computing POLYVAL on a
   buffer of 1 blocks + LENBLK.
   POLYVAL =                       04000000000000809100000000283b1c
   POLYVAL_xor_NONCE  =            07000000000000809100000000283b1c
   with MSBit cleared =            07000000000000809100000000283b1c
   TAG =                           90d1e4ad87f53fbf3eb26c066193fdf3
   AAD =
   CT  =                           4b0619edd74c6a09
   Encryption_Key =                d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae
                                   c19a3fba65980e6f4b5fe1545a05a30d
                                   76ec3f188d75c24459bdc798ad3a3236
                                   43b93a2f262134406d7ed514377b7619
                                   eccd07cc61b8c58838050210953f3026
                                   32bdcd05149cf94579e22c514e995a48
                                   c323b99ea29b7c169a9e7e060fa14e20
                                   08927a731c0e833665ecaf672b75f52f
                                   32be5f8b9025239d0abb5d9b051a13bb
                                   baef9018a6e1132ec30dbc49e8784966
                                   a90264b839274725339c1abe36860905
                                   deeefb1d780fe833bb02547a537a1d1c

Gueron, et al.          Expires October 21, 2016               [Page 69]
Internet-Draft                 aes-gcm-siv                    April 2016

                                   44d8c0247dff87014e639dbf78e594ba
                                   47cc0fa13fc3e79284c1b3e8d7bbaef4

   CTRBLKS (with MSbit set to 1)

                                   0000000087f53fbf3eb26c066193fdf3

   --------------------- TWO_KEYS     (AAD = 0, MSG = 12)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 12
   MSG_bit_len  = 96
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =
   MSG =                           010000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
   LENBLK =                        00000000000000006000000000000000

   Computing POLYVAL on a
   buffer of 1 blocks + LENBLK.
   POLYVAL =                       0400000000000040d900000000283b1c
   POLYVAL_xor_NONCE  =            0700000000000040d900000000283b1c
   with MSBit cleared =            0700000000000040d900000000283b1c
   TAG =                           a42c36bcd7dd95273c5ded5a5ab0a8fc
   AAD =
   CT  =                           ea410b6727fe50357dc2c9f9
   Encryption_Key =                d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae

Gueron, et al.          Expires October 21, 2016               [Page 70]
Internet-Draft                 aes-gcm-siv                    April 2016

                                   c19a3fba65980e6f4b5fe1545a05a30d
                                   76ec3f188d75c24459bdc798ad3a3236
                                   43b93a2f262134406d7ed514377b7619
                                   eccd07cc61b8c58838050210953f3026
                                   32bdcd05149cf94579e22c514e995a48
                                   c323b99ea29b7c169a9e7e060fa14e20
                                   08927a731c0e833665ecaf672b75f52f
                                   32be5f8b9025239d0abb5d9b051a13bb
                                   baef9018a6e1132ec30dbc49e8784966
                                   a90264b839274725339c1abe36860905
                                   deeefb1d780fe833bb02547a537a1d1c
                                   44d8c0247dff87014e639dbf78e594ba
                                   47cc0fa13fc3e79284c1b3e8d7bbaef4

   CTRBLKS (with MSbit set to 1)

                                   00000000d7dd95273c5ded5a5ab0a8fc

   --------------------- TWO_KEYS     (AAD = 0, MSG = 16)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 16
   MSG_bit_len  = 128
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =
   MSG =                           01000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
   LENBLK =                        00000000000000008000000000000000

   Computing POLYVAL on a
   buffer of 1 blocks + LENBLK.
   POLYVAL =                       04000000000000002301000000283b1c
   POLYVAL_xor_NONCE  =            07000000000000002301000000283b1c
   with MSBit cleared =            07000000000000002301000000283b1c

Gueron, et al.          Expires October 21, 2016               [Page 71]
Internet-Draft                 aes-gcm-siv                    April 2016

   TAG =                           a86f26245dea30d23ec045223ef5851e
   AAD =
   CT  =                           d5d6c0782d45de97a027156334229387
   Encryption_Key =                d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae
                                   c19a3fba65980e6f4b5fe1545a05a30d
                                   76ec3f188d75c24459bdc798ad3a3236
                                   43b93a2f262134406d7ed514377b7619
                                   eccd07cc61b8c58838050210953f3026
                                   32bdcd05149cf94579e22c514e995a48
                                   c323b99ea29b7c169a9e7e060fa14e20
                                   08927a731c0e833665ecaf672b75f52f
                                   32be5f8b9025239d0abb5d9b051a13bb
                                   baef9018a6e1132ec30dbc49e8784966
                                   a90264b839274725339c1abe36860905
                                   deeefb1d780fe833bb02547a537a1d1c
                                   44d8c0247dff87014e639dbf78e594ba
                                   47cc0fa13fc3e79284c1b3e8d7bbaef4

   CTRBLKS (with MSbit set to 1)

                                   000000005dea30d23ec045223ef5859e

   --------------------- TWO_KEYS     (AAD = 0, MSG = 32)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 32
   MSG_bit_len  = 256
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 32
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 2
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000

Gueron, et al.          Expires October 21, 2016               [Page 72]
Internet-Draft                 aes-gcm-siv                    April 2016

   NONCE =                         03000000000000000000000000000000
   AAD =
   MSG =                           01000000000000000000000000000000
                                   02000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
   LENBLK =                        00000000000000000001000000000000

   Computing POLYVAL on a
   buffer of 2 blocks + LENBLK.
   POLYVAL =                       010000000000000046020000f0507615
   POLYVAL_xor_NONCE  =            020000000000000046020000f0507615
   with MSBit cleared =            020000000000000046020000f0507615
   TAG =                           ac78c482d3499b26ae97bf353c2c1bdb
   AAD =
   CT  =                           cac82890d7f5a8330fa2f0f03701901a
                                   ed8a98666b42f74cc1887bd18964cf37
   Encryption_Key =                d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae
                                   c19a3fba65980e6f4b5fe1545a05a30d
                                   76ec3f188d75c24459bdc798ad3a3236
                                   43b93a2f262134406d7ed514377b7619
                                   eccd07cc61b8c58838050210953f3026
                                   32bdcd05149cf94579e22c514e995a48
                                   c323b99ea29b7c169a9e7e060fa14e20
                                   08927a731c0e833665ecaf672b75f52f
                                   32be5f8b9025239d0abb5d9b051a13bb
                                   baef9018a6e1132ec30dbc49e8784966
                                   a90264b839274725339c1abe36860905
                                   deeefb1d780fe833bb02547a537a1d1c
                                   44d8c0247dff87014e639dbf78e594ba
                                   47cc0fa13fc3e79284c1b3e8d7bbaef4

   CTRBLKS (with MSbit set to 1)

                                   00000000d3499b26ae97bf353c2c1bdb
                                   01000000d3499b26ae97bf353c2c1bdb

   --------------------- TWO_KEYS     (AAD = 0, MSG = 48)---------

Gueron, et al.          Expires October 21, 2016               [Page 73]
Internet-Draft                 aes-gcm-siv                    April 2016

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 48
   MSG_bit_len  = 384
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 48
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 3
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =
   MSG =                           01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
   LENBLK =                        00000000000000008001000000000000

   Computing POLYVAL on a
   buffer of 3 blocks + LENBLK.
   POLYVAL =                       0e00000000000000650300203e788f7f
   POLYVAL_xor_NONCE  =            0d00000000000000650300203e788f7f
   with MSBit cleared =            0d00000000000000650300203e788f7f
   TAG =                           d47a0a762c2dea133c87aea50fb1c1b3
   AAD =
   CT  =                           bd562c8f8bbde467149c17a3f316fd2c
                                   8859c748760332d3296a5b233c4059e3
                                   e70a042dfc2b1812f484801a184b23ae
   Encryption_Key =                d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae
                                   c19a3fba65980e6f4b5fe1545a05a30d
                                   76ec3f188d75c24459bdc798ad3a3236
                                   43b93a2f262134406d7ed514377b7619
                                   eccd07cc61b8c58838050210953f3026
                                   32bdcd05149cf94579e22c514e995a48

Gueron, et al.          Expires October 21, 2016               [Page 74]
Internet-Draft                 aes-gcm-siv                    April 2016

                                   c323b99ea29b7c169a9e7e060fa14e20
                                   08927a731c0e833665ecaf672b75f52f
                                   32be5f8b9025239d0abb5d9b051a13bb
                                   baef9018a6e1132ec30dbc49e8784966
                                   a90264b839274725339c1abe36860905
                                   deeefb1d780fe833bb02547a537a1d1c
                                   44d8c0247dff87014e639dbf78e594ba
                                   47cc0fa13fc3e79284c1b3e8d7bbaef4

   CTRBLKS (with MSbit set to 1)

                                   000000002c2dea133c87aea50fb1c1b3
                                   010000002c2dea133c87aea50fb1c1b3
                                   020000002c2dea133c87aea50fb1c1b3

   --------------------- TWO_KEYS     (AAD = 0, MSG = 64)---------

   AAD_byte_len = 0
   AAD_bit_len  = 0
   MSG_byte_len = 64
   MSG_bit_len  = 512
   padded_AAD_byte_len = 0
   padded_MSG_byte_len = 64
   L1 blocks AAD(padded)  = 0
   L2 blocks MSG(padded)  = 4
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =
   MSG =                           01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
   LENBLK =                        00000000000000000002000000000000

   Computing POLYVAL on a
   buffer of 4 blocks + LENBLK.

Gueron, et al.          Expires October 21, 2016               [Page 75]
Internet-Draft                 aes-gcm-siv                    April 2016

   POLYVAL =                       0f000000000000008c04c04c63ad584f
   POLYVAL_xor_NONCE  =            0c000000000000008c04c04c63ad584f
   with MSBit cleared =            0c000000000000008c04c04c63ad584f
   TAG =                           15e4bd316b19caa3a3493a81a3e4153c
   AAD =
   CT  =                           d53e727defb0fe560c87f405ab19b1a2
                                   6fd85249324b974564c477b2eb4d4162
                                   943fa821946537d507e0713dcc556075
                                   220130acb5f3daa8dd46ee9af3b36642
   Encryption_Key =                d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae
                                   c19a3fba65980e6f4b5fe1545a05a30d
                                   76ec3f188d75c24459bdc798ad3a3236
                                   43b93a2f262134406d7ed514377b7619
                                   eccd07cc61b8c58838050210953f3026
                                   32bdcd05149cf94579e22c514e995a48
                                   c323b99ea29b7c169a9e7e060fa14e20
                                   08927a731c0e833665ecaf672b75f52f
                                   32be5f8b9025239d0abb5d9b051a13bb
                                   baef9018a6e1132ec30dbc49e8784966
                                   a90264b839274725339c1abe36860905
                                   deeefb1d780fe833bb02547a537a1d1c
                                   44d8c0247dff87014e639dbf78e594ba
                                   47cc0fa13fc3e79284c1b3e8d7bbaef4

   CTRBLKS (with MSbit set to 1)

                                   000000006b19caa3a3493a81a3e415bc
                                   010000006b19caa3a3493a81a3e415bc
                                   020000006b19caa3a3493a81a3e415bc
                                   030000006b19caa3a3493a81a3e415bc

   --------------------- TWO_KEYS     (AAD = 1, MSG = 8)---------

   AAD_byte_len = 1
   AAD_bit_len  = 8
   MSG_byte_len = 8
   MSG_bit_len  = 64
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 16

Gueron, et al.          Expires October 21, 2016               [Page 76]
Internet-Draft                 aes-gcm-siv                    April 2016

   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =                           01
   MSG =                           0200000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
   LENBLK =                        08000000000000004000000000000000

   Computing POLYVAL on a
   buffer of 2 blocks + LENBLK.
   POLYVAL =                       130000000000008091000000f0501631
   POLYVAL_xor_NONCE  =            100000000000008091000000f0501631
   with MSBit cleared =            100000000000008091000000f0501631
   TAG =                           4cac1deb89734986b5f0546c661932e9
   AAD =                           01
   CT  =                           8e5a22875d5d692e
   Encryption_Key =                d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae
                                   c19a3fba65980e6f4b5fe1545a05a30d
                                   76ec3f188d75c24459bdc798ad3a3236
                                   43b93a2f262134406d7ed514377b7619
                                   eccd07cc61b8c58838050210953f3026
                                   32bdcd05149cf94579e22c514e995a48
                                   c323b99ea29b7c169a9e7e060fa14e20
                                   08927a731c0e833665ecaf672b75f52f
                                   32be5f8b9025239d0abb5d9b051a13bb
                                   baef9018a6e1132ec30dbc49e8784966
                                   a90264b839274725339c1abe36860905
                                   deeefb1d780fe833bb02547a537a1d1c
                                   44d8c0247dff87014e639dbf78e594ba
                                   47cc0fa13fc3e79284c1b3e8d7bbaef4

   CTRBLKS (with MSbit set to 1)

Gueron, et al.          Expires October 21, 2016               [Page 77]
Internet-Draft                 aes-gcm-siv                    April 2016

                                   0000000089734986b5f0546c661932e9

   --------------------- TWO_KEYS     (AAD = 1, MSG = 12)---------

   AAD_byte_len = 1
   AAD_bit_len  = 8
   MSG_byte_len = 12
   MSG_bit_len  = 96
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =                           01
   MSG =                           020000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
   LENBLK =                        08000000000000006000000000000000

   Computing POLYVAL on a
   buffer of 2 blocks + LENBLK.
   POLYVAL =                       1300000000000040d9000000f0501631
   POLYVAL_xor_NONCE  =            1000000000000040d9000000f0501631
   with MSBit cleared =            1000000000000040d9000000f0501631
   TAG =                           42794bd56cd0b78ebdad8dc2c2c11720
   AAD =                           01
   CT  =                           ed921994f8d27aad941bfb6f
   Encryption_Key =                d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae
                                   c19a3fba65980e6f4b5fe1545a05a30d
                                   76ec3f188d75c24459bdc798ad3a3236
                                   43b93a2f262134406d7ed514377b7619
                                   eccd07cc61b8c58838050210953f3026

Gueron, et al.          Expires October 21, 2016               [Page 78]
Internet-Draft                 aes-gcm-siv                    April 2016

                                   32bdcd05149cf94579e22c514e995a48
                                   c323b99ea29b7c169a9e7e060fa14e20
                                   08927a731c0e833665ecaf672b75f52f
                                   32be5f8b9025239d0abb5d9b051a13bb
                                   baef9018a6e1132ec30dbc49e8784966
                                   a90264b839274725339c1abe36860905
                                   deeefb1d780fe833bb02547a537a1d1c
                                   44d8c0247dff87014e639dbf78e594ba
                                   47cc0fa13fc3e79284c1b3e8d7bbaef4

   CTRBLKS (with MSbit set to 1)

                                   000000006cd0b78ebdad8dc2c2c117a0

   --------------------- TWO_KEYS     (AAD = 1, MSG = 16)---------

   AAD_byte_len = 1
   AAD_bit_len  = 8
   MSG_byte_len = 16
   MSG_bit_len  = 128
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 16
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =                           01
   MSG =                           02000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
   LENBLK =                        08000000000000008000000000000000

   Computing POLYVAL on a
   buffer of 2 blocks + LENBLK.
   POLYVAL =                       130000000000000023010000f0501631
   POLYVAL_xor_NONCE  =            100000000000000023010000f0501631
   with MSBit cleared =            100000000000000023010000f0501631
   TAG =                           1e1fb157ee961567ee5a686a3ac66e74
   AAD =                           01
   CT  =                           295cb156a7ccc66c9026829a26b08a92

Gueron, et al.          Expires October 21, 2016               [Page 79]
Internet-Draft                 aes-gcm-siv                    April 2016

   Encryption_Key =                d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae
                                   c19a3fba65980e6f4b5fe1545a05a30d
                                   76ec3f188d75c24459bdc798ad3a3236
                                   43b93a2f262134406d7ed514377b7619
                                   eccd07cc61b8c58838050210953f3026
                                   32bdcd05149cf94579e22c514e995a48
                                   c323b99ea29b7c169a9e7e060fa14e20
                                   08927a731c0e833665ecaf672b75f52f
                                   32be5f8b9025239d0abb5d9b051a13bb
                                   baef9018a6e1132ec30dbc49e8784966
                                   a90264b839274725339c1abe36860905
                                   deeefb1d780fe833bb02547a537a1d1c
                                   44d8c0247dff87014e639dbf78e594ba
                                   47cc0fa13fc3e79284c1b3e8d7bbaef4

   CTRBLKS (with MSbit set to 1)

                                   00000000ee961567ee5a686a3ac66ef4

   --------------------- TWO_KEYS     (AAD = 1, MSG = 32)---------

   AAD_byte_len = 1
   AAD_bit_len  = 8
   MSG_byte_len = 32
   MSG_bit_len  = 256
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 32
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 2
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =                           01
   MSG =                           02000000000000000000000000000000

Gueron, et al.          Expires October 21, 2016               [Page 80]
Internet-Draft                 aes-gcm-siv                    April 2016

                                   03000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
   LENBLK =                        08000000000000000001000000000000

   Computing POLYVAL on a
   buffer of 3 blocks + LENBLK.
   POLYVAL =                       1c00000000000000460200203e78ef5b
   POLYVAL_xor_NONCE  =            1f00000000000000460200203e78ef5b
   with MSBit cleared =            1f00000000000000460200203e78ef5b
   TAG =                           c5558db375fc7fb253b477d990435e79
   AAD =                           01
   CT  =                           b1403a920a945105017054ccd7754e54
                                   7f471b9e42bd847f9ff2a6d5e1f72b92
   Encryption_Key =                d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae
                                   c19a3fba65980e6f4b5fe1545a05a30d
                                   76ec3f188d75c24459bdc798ad3a3236
                                   43b93a2f262134406d7ed514377b7619
                                   eccd07cc61b8c58838050210953f3026
                                   32bdcd05149cf94579e22c514e995a48
                                   c323b99ea29b7c169a9e7e060fa14e20
                                   08927a731c0e833665ecaf672b75f52f
                                   32be5f8b9025239d0abb5d9b051a13bb
                                   baef9018a6e1132ec30dbc49e8784966
                                   a90264b839274725339c1abe36860905
                                   deeefb1d780fe833bb02547a537a1d1c
                                   44d8c0247dff87014e639dbf78e594ba
                                   47cc0fa13fc3e79284c1b3e8d7bbaef4

   CTRBLKS (with MSbit set to 1)

                                   0000000075fc7fb253b477d990435ef9
                                   0100000075fc7fb253b477d990435ef9

   --------------------- TWO_KEYS     (AAD = 1, MSG = 48)---------

   AAD_byte_len = 1
   AAD_bit_len  = 8

Gueron, et al.          Expires October 21, 2016               [Page 81]
Internet-Draft                 aes-gcm-siv                    April 2016

   MSG_byte_len = 48
   MSG_bit_len  = 384
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 48
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 3
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =                           01
   MSG =                           02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
   LENBLK =                        08000000000000008001000000000000

   Computing POLYVAL on a
   buffer of 4 blocks + LENBLK.
   POLYVAL =                       1d000000000000006503c04c63ad386b
   POLYVAL_xor_NONCE  =            1e000000000000006503c04c63ad386b
   with MSBit cleared =            1e000000000000006503c04c63ad386b
   TAG =                           54538b4b90c4877f29632ec9441d9809
   AAD =                           01
   CT  =                           687c9c5846e8fde28bc1bde37dd15b80
                                   7ab731537d765e93f0d74bcac390ffbd
                                   b71ddb1af7505791ca74e87c697120b8
   Encryption_Key =                d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae
                                   c19a3fba65980e6f4b5fe1545a05a30d
                                   76ec3f188d75c24459bdc798ad3a3236
                                   43b93a2f262134406d7ed514377b7619
                                   eccd07cc61b8c58838050210953f3026
                                   32bdcd05149cf94579e22c514e995a48
                                   c323b99ea29b7c169a9e7e060fa14e20

Gueron, et al.          Expires October 21, 2016               [Page 82]
Internet-Draft                 aes-gcm-siv                    April 2016

                                   08927a731c0e833665ecaf672b75f52f
                                   32be5f8b9025239d0abb5d9b051a13bb
                                   baef9018a6e1132ec30dbc49e8784966
                                   a90264b839274725339c1abe36860905
                                   deeefb1d780fe833bb02547a537a1d1c
                                   44d8c0247dff87014e639dbf78e594ba
                                   47cc0fa13fc3e79284c1b3e8d7bbaef4

   CTRBLKS (with MSbit set to 1)

                                   0000000090c4877f29632ec9441d9889
                                   0100000090c4877f29632ec9441d9889
                                   0200000090c4877f29632ec9441d9889

   --------------------- TWO_KEYS     (AAD = 1, MSG = 64)---------

   AAD_byte_len = 1
   AAD_bit_len  = 8
   MSG_byte_len = 64
   MSG_bit_len  = 512
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 64
   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 4
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =                           01
   MSG =                           02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
                                   05000000000000000000000000000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
                                   05000000000000000000000000000000
   LENBLK =                        08000000000000000002000000000000

   Computing POLYVAL on a
   buffer of 5 blocks + LENBLK.

Gueron, et al.          Expires October 21, 2016               [Page 83]
Internet-Draft                 aes-gcm-siv                    April 2016

   POLYVAL =                       1b000000000000008c841a01712a376e
   POLYVAL_xor_NONCE  =            18000000000000008c841a01712a376e
   with MSBit cleared =            18000000000000008c841a01712a376e
   TAG =                           49650717f842d3d193e3cc498e80f2c7
   AAD =                           01
   CT  =                           c17abb9e321814304f3844af4c90cb8e
                                   a89be09bd7a43a05021266c59a31609a
                                   3a2e7edf107c4c83d8370b36e52caca9
                                   de04c10dfd7eac3008852914cd9e900d
   Encryption_Key =                d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae
                                   c19a3fba65980e6f4b5fe1545a05a30d
                                   76ec3f188d75c24459bdc798ad3a3236
                                   43b93a2f262134406d7ed514377b7619
                                   eccd07cc61b8c58838050210953f3026
                                   32bdcd05149cf94579e22c514e995a48
                                   c323b99ea29b7c169a9e7e060fa14e20
                                   08927a731c0e833665ecaf672b75f52f
                                   32be5f8b9025239d0abb5d9b051a13bb
                                   baef9018a6e1132ec30dbc49e8784966
                                   a90264b839274725339c1abe36860905
                                   deeefb1d780fe833bb02547a537a1d1c
                                   44d8c0247dff87014e639dbf78e594ba
                                   47cc0fa13fc3e79284c1b3e8d7bbaef4

   CTRBLKS (with MSbit set to 1)

                                   00000000f842d3d193e3cc498e80f2c7
                                   01000000f842d3d193e3cc498e80f2c7
                                   02000000f842d3d193e3cc498e80f2c7
                                   03000000f842d3d193e3cc498e80f2c7

   --------------------- TWO_KEYS     (AAD = 12, MSG = 4)---------

   AAD_byte_len = 12
   AAD_bit_len  = 96
   MSG_byte_len = 4
   MSG_bit_len  = 32
   padded_AAD_byte_len = 16
   padded_MSG_byte_len = 16

Gueron, et al.          Expires October 21, 2016               [Page 84]
Internet-Draft                 aes-gcm-siv                    April 2016

   L1 blocks AAD(padded)  = 1
   L2 blocks MSG(padded)  = 1
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =                           010000000000000000000000
   MSG =                           02000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
   LENBLK =                        60000000000000002000000000000000

   Computing POLYVAL on a
   buffer of 2 blocks + LENBLK.
   POLYVAL =                       d8000000000000c048000000f050f665
   POLYVAL_xor_NONCE  =            db000000000000c048000000f050f665
   with MSBit cleared =            db000000000000c048000000f050f665
   TAG =                           0ee2162b829d1b8087a61dec79c2b4dd
   AAD =                           010000000000000000000000
   CT  =                           7f25e1eb
   Encryption_Key =                d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae
                                   c19a3fba65980e6f4b5fe1545a05a30d
                                   76ec3f188d75c24459bdc798ad3a3236
                                   43b93a2f262134406d7ed514377b7619
                                   eccd07cc61b8c58838050210953f3026
                                   32bdcd05149cf94579e22c514e995a48
                                   c323b99ea29b7c169a9e7e060fa14e20
                                   08927a731c0e833665ecaf672b75f52f
                                   32be5f8b9025239d0abb5d9b051a13bb
                                   baef9018a6e1132ec30dbc49e8784966
                                   a90264b839274725339c1abe36860905
                                   deeefb1d780fe833bb02547a537a1d1c
                                   44d8c0247dff87014e639dbf78e594ba
                                   47cc0fa13fc3e79284c1b3e8d7bbaef4

   CTRBLKS (with MSbit set to 1)

Gueron, et al.          Expires October 21, 2016               [Page 85]
Internet-Draft                 aes-gcm-siv                    April 2016

                                   00000000829d1b8087a61dec79c2b4dd

   --------------------- TWO_KEYS     (AAD = 18, MSG = 20)---------

   AAD_byte_len = 18
   AAD_bit_len  = 144
   MSG_byte_len = 20
   MSG_bit_len  = 160
   padded_AAD_byte_len = 32
   padded_MSG_byte_len = 32
   L1 blocks AAD(padded)  = 2
   L2 blocks MSG(padded)  = 2
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =                           01000000000000000000000000000000
                                   0200
   MSG =                           03000000000000000000000000000000
                                   04000000
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000
                                   04000000000000000000000000000000
   LENBLK =                        9000000000000000a000000000000000

   Computing POLYVAL on a
   buffer of 4 blocks + LENBLK.
   POLYVAL =                       08010000000000c06b01c04c63ad9807
   POLYVAL_xor_NONCE  =            0b010000000000c06b01c04c63ad9807
   with MSBit cleared =            0b010000000000c06b01c04c63ad9807
   TAG =                           07e3ed3f0c192bb05b8de76bba7901aa
   AAD =                           01000000000000000000000000000000
                                   0200
   CT  =                           4f39b03d1cf9f45d74e756ff1a382004
                                   54b94c28
   Encryption_Key =                d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae

   ***************************
            APPENDIX
   ***************************

Gueron, et al.          Expires October 21, 2016               [Page 86]
Internet-Draft                 aes-gcm-siv                    April 2016

   KEY_SCHEDULE (Encryption_Key)   d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae
                                   c19a3fba65980e6f4b5fe1545a05a30d
                                   76ec3f188d75c24459bdc798ad3a3236
                                   43b93a2f262134406d7ed514377b7619
                                   eccd07cc61b8c58838050210953f3026
                                   32bdcd05149cf94579e22c514e995a48
                                   c323b99ea29b7c169a9e7e060fa14e20
                                   08927a731c0e833665ecaf672b75f52f
                                   32be5f8b9025239d0abb5d9b051a13bb
                                   baef9018a6e1132ec30dbc49e8784966
                                   a90264b839274725339c1abe36860905
                                   deeefb1d780fe833bb02547a537a1d1c
                                   44d8c0247dff87014e639dbf78e594ba
                                   47cc0fa13fc3e79284c1b3e8d7bbaef4

   CTRBLKS (with MSbit set to 1)

                                   000000000c192bb05b8de76bba7901aa
                                   010000000c192bb05b8de76bba7901aa

   --------------------- TWO_KEYS     (AAD = 20, MSG = 18)---------

   AAD_byte_len = 20
   AAD_bit_len  = 160
   MSG_byte_len = 18
   MSG_bit_len  = 144
   padded_AAD_byte_len = 32
   padded_MSG_byte_len = 32
   L1 blocks AAD(padded)  = 2
   L2 blocks MSG(padded)  = 2
                                               BYTES ORDER
                                   LSB--------------------------MSB
                                   00010203040506070809101112131415
                                   --------------------------------
   K1 = H =                        03000000000000000000000000000000
   K2 = K =                        01000000000000000000000000000000
                                   00000000000000000000000000000000
   NONCE =                         03000000000000000000000000000000
   AAD =                           01000000000000000000000000000000
                                   02000000
   MSG =                           03000000000000000000000000000000
                                   0400
   PADDED_AAD_and_MSG =            01000000000000000000000000000000
                                   02000000000000000000000000000000
                                   03000000000000000000000000000000

Gueron, et al.          Expires October 21, 2016               [Page 87]
Internet-Draft                 aes-gcm-siv                    April 2016

                                   04000000000000000000000000000000
   LENBLK =                        a0000000000000009000000000000000

   Computing POLYVAL on a
   buffer of 4 blocks + LENBLK.
   POLYVAL =                       64010000000000600701c04c63add8de
   POLYVAL_xor_NONCE  =            67010000000000600701c04c63add8de
   with MSBit cleared =            67010000000000600701c04c63add85e
   TAG =                           33f0e38bd6fb197ed4f7eaaea861d60b
   AAD =                           01000000000000000000000000000000
                                   02000000
   CT  =                           625534f47020a12f11754fbc86ed46cf
                                   41d0
   Encryption_Key =                d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae

   ***************************
            APPENDIX
   ***************************
   KEY_SCHEDULE (Encryption_Key)   d77cdb05a40231d52ec7ef3b115a4259
                                   c88735cffb99fd5cd4c805dcf487f5ae
                                   c19a3fba65980e6f4b5fe1545a05a30d
                                   76ec3f188d75c24459bdc798ad3a3236
                                   43b93a2f262134406d7ed514377b7619
                                   eccd07cc61b8c58838050210953f3026
                                   32bdcd05149cf94579e22c514e995a48
                                   c323b99ea29b7c169a9e7e060fa14e20
                                   08927a731c0e833665ecaf672b75f52f
                                   32be5f8b9025239d0abb5d9b051a13bb
                                   baef9018a6e1132ec30dbc49e8784966
                                   a90264b839274725339c1abe36860905
                                   deeefb1d780fe833bb02547a537a1d1c
                                   44d8c0247dff87014e639dbf78e594ba
                                   47cc0fa13fc3e79284c1b3e8d7bbaef4

   CTRBLKS (with MSbit set to 1)

                                   00000000d6fb197ed4f7eaaea861d68b
                                   01000000d6fb197ed4f7eaaea861d68b

Authors' Addresses

Gueron, et al.          Expires October 21, 2016               [Page 88]
Internet-Draft                 aes-gcm-siv                    April 2016

   Shay Gueron
   University of Haifa and Intel Corporation
   Abba Khoushy Ave 199
   Haifa  3498838
   Israel

   Email: shay@math.haifa.ac.il

   Adam Langley
   Google
   345 Spear St
   San Francisco, CA  94105
   US

   Email: agl@google.com

   Yehuda Lindell
   Bar Ilan University
   Bar Ilan University
   Ramat Gan  5290002
   Israel

   Email: Yehuda.Lindell@biu.ac.il

Gueron, et al.          Expires October 21, 2016               [Page 89]