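@comment{
  Datatracker export of revision 03 of a Work-in-Progress draft; the url
  pins that revision, since later revisions of the draft may differ.
  Fields are entered as a database record: surnames in "Last, First" form
  (the third author's surname is the two-word "Preuß Mattsson"), only the
  proper noun and the acronym braced in the title, and no presentation
  formatting in any field.
}
@techreport{mattsson-cfrg-aes-gcm-sst-03,
  author      = {Campagna, Matt and Maximov, Alexander and Preuß Mattsson, John},
  title       = {{Galois} Counter Mode with Secure Short Tags ({GCM-SST})},
  type        = {Internet-Draft},
  number      = {draft-mattsson-cfrg-aes-gcm-sst-03},
  institution = {Internet Engineering Task Force},
  publisher   = {Internet Engineering Task Force},
  pagetotal   = 18,
  year        = 2024,
  month       = mar,
  day         = 16,
  note        = {Work in Progress},
  url         = {https://datatracker.ietf.org/doc/draft-mattsson-cfrg-aes-gcm-sst/03/},
  abstract    = {This document defines the Galois Counter Mode with Secure Short Tags (GCM-SST) Authenticated Encryption with Associated Data (AEAD) algorithm. GCM-SST can be used with any keystream generator, not just a block cipher. The main differences compared to GCM {[}GCM{]} is that GCM-SST uses an additional subkey Q, that fresh subkeys H and Q are derived for each nonce, and that the POLYVAL function from AES-GCM-SIV is used instead of GHASH. This enables short tags with forgery probabilities close to ideal. This document also registers several instances of Advanced Encryption Standard (AES) with Galois Counter Mode with Secure Short Tags (AES-GCM-SST). This document is the product of the Crypto Forum Research Group.},
}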