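@techreport{mattsson-cfrg-aes-gcm-sst-18,
  author        = {Campagna, Matt and Maximov, Alexander and Mattsson, John Preuß},
  title         = {{Galois Counter Mode} with Strong Secure Tags ({GCM-SST})},
  type          = {Internet-Draft},
  number        = {draft-mattsson-cfrg-aes-gcm-sst-18},
  institution   = {Internet Engineering Task Force},
  publisher     = {Internet Engineering Task Force},
  date          = {2025-02-19},
  pagetotal     = {34},
  url           = {https://datatracker.ietf.org/doc/draft-mattsson-cfrg-aes-gcm-sst/18/},
  note          = {Work in Progress},
  abstract      = {This document defines the Galois Counter Mode with Strong Secure Tags (GCM-SST) Authenticated Encryption with Associated Data (AEAD) algorithm. GCM-SST can be used with any keystream generator, not just 128-bit block ciphers. The main differences from GCM are the use of an additional subkey H\_2, the derivation of fresh subkeys H and H\_2 for each nonce, and the replacement of the GHASH function with the POLYVAL function from AES-GCM-SIV. This enables truncated tags with near-ideal forgery probabilities, even against multiple forgery attacks, which are significant security improvements over GCM. GCM-SST is designed for security protocols with replay protection and addresses the strong industry demand for fast encryption with minimal overhead and high security. This document registers several instances of GCM-SST using Advanced Encryption Standard (AES) and Rijndael-256.},
  internal-note = {Entry targets biblatex/Biber: the biblatex-only fields pagetotal and date replace the original year/month/day triple (day is not a recognised field in either toolchain); classic BibTeX users need year and month instead. Title is no longer double-braced so styles can recase it; only the proper name and the acronym are protected. The number and url pin revision 18 of a Work-in-Progress draft, so the forgery-bound and truncated-tag claims quoted in the abstract are those of that revision only; confirm against the current datatracker revision (or the eventual RFC) before relying on them. urldate was not recorded at export time and has not been invented here.},
}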