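%% You should probably cite draft-mattsson-cfrg-aes-gcm-sst-16 instead of this revision.
%%
%% NOTE(review): the exported record carried three empty fields
%% (`year = ,`, `month = ,`, `day = ,`). An empty value after `=` is a
%% BibTeX syntax error that makes the parser skip the rest of the entry,
%% so those fields are removed here rather than filled with a guessed date.
%% `year` is required for this entry type: add the draft's publication
%% date (from the datatracker page in `url`) before citing.
%% Author names are in `Last, First` form; the title is braced only around
%% the acronym so the style can apply its own casing.
@techreport{mattsson-cfrg-aes-gcm-sst-07,
  author      = {Campagna, Matt and Maximov, Alexander and Mattsson, John Preuß},
  title       = {Galois Counter Mode with Secure Short Tags ({GCM-SST})},
  number      = {draft-mattsson-cfrg-aes-gcm-sst-07},
  type        = {Internet-Draft},
  institution = {Internet Engineering Task Force},
  publisher   = {Internet Engineering Task Force},
  pagetotal   = {23},
  note        = {Work in Progress},
  url         = {https://datatracker.ietf.org/doc/draft-mattsson-cfrg-aes-gcm-sst/07/},
  abstract    = {This document defines the Galois Counter Mode with Secure Short Tags (GCM-SST) Authenticated Encryption with Associated Data (AEAD) algorithm. GCM-SST can be used with any keystream generator, not just 128-bit block ciphers. The main differences from GCM are the use of an additional subkey Q, the derivation of fresh subkeys H and Q for each nonce, and the replacement of the GHASH function with the POLYVAL function from AES-GCM-SIV. This enables truncated tags with near-ideal forgery probabilities, even against multiple forgery attacks. GCM-SST is designed for unicast security protocols with replay protection and addresses the strong industry demand for fast encryption with secure short tags. This document registers several instances of GCM-SST using Advanced Encryption Standard (AES) and Rijndael-256-256.},
}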