Internet-Draft GCM-SST July 2026
Campagna, et al. Expires 4 January 2027 [Page]
Workgroup:
Crypto Forum
Internet-Draft:
draft-mattsson-cfrg-aes-gcm-sst-latest
Published:
Intended Status:
Informational
Expires:
Authors:
M. Campagna
Amazon Web Services
A. Maximov
Ericsson
J. Preuß Mattsson
Ericsson

Galois Counter Mode with Strong Secure Tags (GCM-SST)

Abstract

This document defines Galois Counter Mode with Strong Secure Tags (GCM-SST), an Authenticated Encryption with Associated Data (AEAD) algorithm that addresses several weaknesses of GCM. GCM-SST can be used with any keystream generator, not only 128-bit block ciphers. Main differences from GCM are the introduction of a second authentication subkey H2, per-nonce derivation of both H and H2, and stricter usage limits. Together, these changes yield authentication tags with near-ideal forgery probabilities, including reforgeability resistance. All registered instances have an expected number of forgeries E(F) ≈ v / 2t, a property that GCM is far from providing. GCM-SST is designed for security protocols with replay protection such as TLS, QUIC, SRTP, and PDCP, and provides hardware and software performance comparable to GCM. This document registers nine AEAD algorithm instances using AES and Rijndael-256 in counter mode, with tag lengths of 48, 96, and 112 bits. GCM-SST has been standardized by 3GPP for use with SNOW 5G, AES-256, and ZUC-256.

About This Document

This note is to be removed before publishing as an RFC.

The latest revision of this draft can be found at https://emanjon.github.io/draft-mattsson-cfrg-aes-gcm-sst/draft-mattsson-cfrg-aes-gcm-sst.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-mattsson-cfrg-aes-gcm-sst/.

Discussion of this document takes place on the Crypto Forum Research Group mailing list (mailto:cfrg@irtf.org), which is archived at https://mailarchive.ietf.org/arch/browse/cfrg. Subscribe at https://www.ietf.org/mailman/listinfo/cfrg/.

Source for this draft and an issue tracker can be found at https://github.com/emanjon/draft-mattsson-cfrg-aes-gcm-sst.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 4 January 2027.

Table of Contents

1. Introduction

1.1. Background and Motivation

AES in Galois Counter Mode (AES-GCM) [GCM] is a widely deployed Authenticated Encryption with Associated Data (AEAD) algorithm [RFC5116], valued for its performance in hardware and software, and its provable security. During NIST standardization, Ferguson identified two weaknesses in GCM's authentication function [Ferguson]. The first significantly increases the forgery probability. The second allows recovery of the authentication subkey H upon a successful forgery, enabling arbitrary subsequent forgeries, a property known as reforgeability failure. Both weaknesses affect all tag lengths, but are especially damaging with short tags.

Nyberg et al. [Nyberg] showed that small, theoretically grounded changes would mitigate these weaknesses, but NIST instead imposed ad hoc restrictions for short tags. Mattsson et al. [Mattsson] later showed that attackers can nearly always observe whether a forgery succeeded, contradicting NIST's assumptions. NIST is now planning to remove support for tags shorter than 96 bits [Revise], but has not addressed the underlying authentication weaknesses. A third weakness is that GCM does not impose sufficiently strict limits on the number of invocations and the lengths of plaintext and associated data. Even with 96-bit tags, AES-GCM [GCM] offers only a forgery probability of 2-39, and with 128-bit tags in QUIC [RFC9001], the expected number of forgeries, E(F), is worse than that of an ideal 65-bit MAC. Reforgeability resistance is a core design criterion in modern AEAD schemes [Reforge][AEZ].

Short tags are widely used: 32-bit tags are standard in most radio link layers including 5G [Sec5G], 64-bit tags are very common in IoT transport and application layers, and 32-, 64-, and 80-bit tags appear frequently in media encryption. Audio packets are small, numerous, and ephemeral, making them highly sensitive to cryptographic overhead; since each packet typically encodes only 20 ms of audio, forgery of individual packets is and barely noticeable. Due to its weaknesses, GCM is typically not used with short tags, forcing a choice between the overhead of unnecessarily long tags [I-D.ietf-moq-transport] and much slower constructions such as AES-CTR with HMAC [RFC3711][RFC9605]. Short tags are also useful in packets whose payloads are secured at higher layers, in protocols where security is given by the sum of tag lengths, and in constrained radio networks where low bandwidth limits forgery attempts. For all these applications, it is essential that the MAC behaves ideally: the forgery probability should be ≈ 1 / 2t, where t is the tag length in bits, even after many encryptions, many forgery attempts, and a successful forgery. CCM [RFC5116] achieves near-ideal probabilities with short tags but at a performance penalty relative to GCM.

1.2. Galois Counter Mode with Strong Secure Tags (GCM-SST)

This document defines GCM with Strong Secure Tags (GCM-SST), an AEAD algorithm that addresses these weaknesses. GCM-SST can be used with any keystream generator, not only 128-bit block ciphers. The differences from GCM [GCM] are: the introduction of a second authentication subkey H2, per-nonce derivation of H and H2, stricter usage limits, fixed-length deterministic nonces, and the replacement of GHASH with POLYVAL [RFC8452]. Together, these changes yield truncated tags with near-ideal forgery probabilities, even against multiple forgery attacks, and provide nonce-misuse resilience. GCM-SST is designed for use in security protocols with replay protection such as TLS [RFC8446], QUIC [RFC9000], SRTP [RFC3711], and PDCP [PDCP]. In unicast settings with replay protection, GCM-SST's authentication tag behaves as an ideal MAC with full reforgeability resistance. Compared to Poly1305 [RFC8439] and GCM [RFC5116], GCM-SST achieves stronger integrity with less overhead. Its hardware and software performance is comparable to GCM; in software, the two additional AES invocations are offset by POLYVAL's advantage over GHASH on little-endian architectures. GCM-SST preserves GCM's additive encryption structure, enabling efficient implementations on modern processors [GCM-Update][Gueron].

This document also registers GCM-SST instances using AES [AES] and Rijndael with 256-bit keys and blocks (Rijndael-256) [Rijndael] in counter mode, with tag lengths of 48, 96, and 112 bits. These instances address the strong industry demand for fast authenticated encryption with minimal overhead and strong security. All registered instances achieve an expected number of forgeries E(F) ≈ v / 2t, where v is the number of forgery attempts, matching the behavior of an ideal MAC. This is a property expected of a modern AEAD but one that GCM does not provide. Rijndael-256 is already standardized by 3GPP for authentication and key generation [Milenage-256] and is planned for NIST standardization [AES-WIDE]. On modern x86 platforms with AES-NI and VAES instructions, Rijndael-256 performs efficiently [Drucker]. Compared to AEGIS [I-D.irtf-cfrg-aegis-aead], AES-GCM-SST offers substantially higher throughput in dedicated hardware while retaining the advantage of being a mode of operation for AES.

GCM-SST was originally developed by ETSI SAGE and subsequently standardized by 3GPP for use with SNOW 5G [NCA4], AES-256 [NCA5], and ZUC-256 [NCA6] in 3GPP TS 35.240–35.248. Security proofs for GCM-SST in single- and multi-key settings are provided by Inoue et al. [Inoue] and Naito et al. [Naito].

Section 3 specifies GCM-SST, Section 4 registers AEAD algorithms using AES and Rijndael-256, and Section 5 discusses security considerations.

2. Conventions and Definitions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

The following notation is used in the document:

3. Galois Counter Mode with Strong Secure Tags (GCM-SST)

This section defines the GCM-SST AEAD algorithm following the recommendations of Nyberg et al. [Nyberg]. GCM-SST is defined with a general interface so that it can be used with any keystream generator, not only a 128-bit block cipher.

GCM-SST adheres to the AEAD interface defined in [RFC5116]. The encryption function takes four variable-length byte string parameters: a secret key K, a nonce N, associated data A, and a plaintext P. The keystream generator is instantiated with K and N. The keystream MAY depend on P and A. The minimum and maximum lengths of all parameters depend on the keystream generator.

The keystream generator produces a keystream Z consisting of 128-bit chunks. The first three chunks Z[0], Z[1], and Z[2] are used as authentication subkeys H and H2, and masking subkey M, respectively. The subsequent chunks Z[3], Z[4], ..., Z[n + 2] are used to encrypt the plaintext.

In place of GHASH [GCM], GCM-SST uses the POLYVAL function from AES-GCM-SIV [RFC8452], which yields more efficient software implementations on little-endian architectures. GHASH and POLYVAL can be defined in terms of one another, as shown in [RFC8452]. The subkeys H and H2 are field elements used as inputs to POLYVAL, while the subkey M is used for the final masking of the tag.

Both the encryption and decryption functions are defined only on inputs comprising a whole number of bytes. Figures illustrating the GCM-SST encryption and decryption functions can be found in [Campagna].

For every computational procedure specified in this document, a conforming implementation MAY replace the given steps with any mathematically equivalent steps, provided the output is correct for every valid input.

3.1. Authenticated Encryption Function

The encryption function Encrypt(K, N, A, P) encrypts a plaintext and returns the ciphertext together with an authentication tag that verifies the authenticity of both the plaintext and associated data, if provided.

Prerequisites and security requirements:

  • The key MUST be chosen uniformly at random.

  • For a given key, each nonce MUST be unique; random nonces MUST NOT be used.

  • Each key MUST be restricted to a single tag length t.

  • Supported input and output lengths MUST be defined.

Inputs:

  • Key K (variable-length byte string)

  • Nonce N (variable-length byte string)

  • Associated data A (variable-length byte string)

  • Plaintext P (variable-length byte string)

Outputs:

  • Ciphertext ct (variable-length byte string)

  • tag (a byte string of length t / 8)

Steps:

  1. If the lengths of K, N, A, P are not supported, return an error and abort

  2. Instantiate the keystream generator with K and N

  3. Let H = Z[0], H2 = Z[1], M = Z[2]

  4. Let ct = P ⊕ truncate(Z[3:n + 2], len(P))

  5. Let S = zeropad(A) || zeropad(ct)

  6. Let L = LE64(len(ct)) || LE64(len(A))

  7. Let X = POLYVAL(H, S[0], S[1], ...)

  8. Let full_tag = POLYVAL(H2, X ⊕ L) ⊕ M

  9. Let tag = truncate(full_tag, t)

  10. Return (ct, tag)

The encoding of L aligns with existing implementations of GCM.

3.2. Authenticated Decryption Function

The decryption function Decrypt(K, N, A, ct, tag) decrypts a ciphertext, verifies that the authentication tag is correct, and returns the plaintext on success or an error otherwise.

Prerequisites and security requirements:

  • The calculation of the plaintext P (step 10) MAY be done in parallel with tag verification (steps 3–9). If tag verification fails, the plaintext P MUST NOT be given as output.

  • Each key MUST be restricted to a single tag length t.

  • Supported input and output lengths MUST be defined.

Inputs:

  • Key K (variable-length byte string)

  • Nonce N (variable-length byte string)

  • Associated data A (variable-length byte string)

  • Ciphertext ct (variable-length byte string)

  • tag (a byte string of length t / 8)

Outputs:

  • Plaintext P (variable-length byte string), or an error indicating that the authentication tag is invalid for the given inputs.

Steps:

  1. If the lengths of K, N, A, or ct are not supported, or if len(tag) ≠ t, return an error and abort

  2. Instantiate the keystream generator with K and N

  3. Let H = Z[0], H2 = Z[1], M = Z[2]

  4. Let S = zeropad(A) || zeropad(ct)

  5. Let L = LE64(len(ct)) || LE64(len(A))

  6. Let X = POLYVAL(H, S[0], S[1], ...)

  7. Let full_tag = POLYVAL(H2, X ⊕ L) ⊕ M

  8. Let expected_tag = truncate(full_tag, t)

  9. If tag ≠ expected_tag, return an error and abort

  10. Let P = ct ⊕ truncate(Z[3:n + 2], len(ct))

  11. If N fails replay protection, return an error and abort

  12. Return P

The comparison of tag and expected_tag in step 9 MUST be performed in constant time to prevent information leakage about the position of the first mismatched byte. For a given key, a plaintext MUST NOT be returned unless it is certain that no plaintext has previously been returned for the same nonce. Replay protection MAY be performed either before step 1 or during step 11. Protocols with nonce-hiding mechanisms [Bellare19], such as QUIC [RFC9001], implement replay protection after decryption to mitigate timing side-channel attacks. If tag validation or replay protection fails, intermediate values such as H, H2, M, Z, P, X, full_tag, and expected_tag MUST be destroyed (zeroized).

3.3. Encoding (ct, tag) Tuples

Applications MAY store the ciphertext and the authentication tag in separate structures or encode both as a single byte string C. In the latter case, the tag MUST immediately follow the ciphertext ct:

  • C = ct || tag .

3.4. Usage Limits

Assuming a sufficiently large key size such that brute-force key-recovery attacks can be neglected, a strong integrity mechanism should satisfy

  • E(F) ≈ v / 2t ,

for all permitted invocation counts, plaintext lengths, associated data lengths, and tag lengths. This is how users expect MAC algorithms to behave, i.e., the behavior of an ideal MAC. Usage limits for a GCM-SST instance MUST be chosen to achieve this property in unicast settings with replay protection, and are therefore more restrictive than the corresponding limits for GCM [RFC5116].

To ensure that v / 2t dominates the integrity advantage [Inoue] for all permitted plaintext and associated data lengths, an instance MUST ensure:

  • ℓ ≪ 2128 - t .

This ensures that the term v ⋅ ℓ / 2128 is negligible. If the keystream generator is a Pseudo-Random Function (PRF), this condition is sufficient to satisfy E(F) ≈ v / 2t. If the keystream generator is a Pseudo-Random Permutation (PRP) in counter mode, it is sufficient to satisfy E(F) ≈ δ ⋅ v / 2t, where δ is the Bernstein bound factor [Bernstein][Iwata].

Instances using a block cipher in counter mode MUST ensure:

  • Q_MAX ⋅ P_MAX ≤ 2b/2-5 ⋅ b / 8 .

This aligns with the European [ACM] recommendation of limiting the number of block-cipher invocations to 2b/2-5. In addition to ensuring δ ≈ 1, the requirement establishes a minimum complexity for distinguishing attacks and an upper bound on the fraction of plaintext bits recoverable by an attacker. This ensures that an attacker cannot recover more than ≈ 0.0007 bits across all plaintexts [Entropy] and that δ ⪅ 1.0005.

To align with zero-trust principles and minimize the impact of key compromise, protocols using GCM-SST SHOULD enforce rekeying well before reaching the cryptographic limits. Modern guidance recommends rekeying via ephemeral key exchange providing Forward Secrecy (FS) and Post-Compromise Security (PCS) after 1 hour or 230–237 bytes [RFC4253][ANSSI].

4. AES and Rijndael-256 in GCM-SST

This section defines instantiations of GCM-SST using AES and Rijndael-256.

4.1. AES-GCM-SST

When GCM-SST is instantiated with AES (AES-GCM-SST), the keystream generator is AES in counter mode

  • Z[i] = ENC(K, N || BE32(i)) ,

where ENC is the AES Cipher function [AES]. The use of big-endian counters aligns with existing AES counter mode implementations.

4.2. Rijndael-GCM-SST

When GCM-SST is instantiated with Rijndael-256 (Rijndael-GCM-SST), the keystream generator is Rijndael-256 in counter mode

  • Z[2i] = ENC(K, N || BE32(i))[0] ,

  • Z[2i+1] = ENC(K, N || BE32(i))[1] ,

where ENC is the Rijndael-256 Cipher function [Rijndael].

4.3. AEAD Instances and Constraints

Nine AEAD algorithm instances are defined below, following the format of [RFC5116]. These instances use AES-GCM-SST or Rijndael-GCM-SST with tag lengths of 48, 96, or 112 bits.

Table 1: AEAD Algorithm Instances for AES-GCM-SST and Rijndael-GCM-SST
Name K_LEN (bytes) P_MAX = A_MAX (bytes) Tag length t (bits)
AEAD_AES_128_GCM_SST_6 16 236 - 48 48
AEAD_AES_128_GCM_SST_12 16 232 96
AEAD_AES_128_GCM_SST_14 16 216 112
AEAD_AES_256_GCM_SST_6 32 236 - 48 48
AEAD_AES_256_GCM_SST_12 32 232 96
AEAD_AES_256_GCM_SST_14 32 216 112
AEAD_RIJNDAEL_GCM_SST_6 32 237 - 48 48
AEAD_RIJNDAEL_GCM_SST_12 32 232 96
AEAD_RIJNDAEL_GCM_SST_14 32 216 112

The following parameters apply to all the instances:

  • N_MIN = N_MAX (minimum and maximum nonce length) is 12 bytes for AES-GCM-SST and 28 bytes for Rijndael-GCM-SST.

  • C_MAX (maximum ciphertext length, including the tag) is P_MAX + t / 8 bytes.

  • Q_MAX (maximum number of encryption function invocations) is 232 for AES-GCM-SST and 264 for Rijndael-GCM-SST.

  • V_MAX (maximum number of decryption function invocations) is 254 for AES-GCM-SST and 2118 for Rijndael-GCM-SST.

Assuming a sufficiently large key size such that brute-force key-recovery attacks can be neglected, a strong integrity mechanism should satisfy

  • E(F) ≈ v / 2t ,

for all permitted invocation counts, plaintext lengths, associated data lengths, and tag lengths. This is how users expect MAC algorithms to behave, i.e., the behavior of an ideal MAC. The limits specified for AES-GCM-SST and Rijndael-GCM-SST are chosen to achieve this property in unicast settings with replay protection and are therefore more restrictive than the corresponding limits for GCM in [RFC5116].

To ensure that v / 2t is the dominant term in the integrity advantage [Inoue] for all permitted plaintext and associated data lengths, this document sets:

  • P_MAX = A_MAX = min(2128 - t, 232 ⋅ b / 8 - 48) ,

where b is the block size in bits. This ensures that the integrity advantage is ≈ δ ⋅ v / 2t.

For AES, the 128-bit block size implies that achieving δ ≈ 1 requires balancing the constraints on Q_MAX and P_MAX. To ensure that the Bernstein bound factor [Bernstein][Iwata] satisfies δ ≈ 1, protocols using AES-GCM-SST MUST enforce stricter limits on Q_MAX and/or P_MAX such that:

  • Q_MAX ⋅ P_MAX / 16 ⪅ 259 .

For Rijndael-256, the 256-bit block size already guarantees δ ≈ 1. Protocols employing Rijndael-GCM-SST MAY impose stricter limits on P_MAX, A_MAX, Q_MAX, and V_MAX.

In addition to bounding δ, the Q_MAX and P_MAX constraints establish a minimum complexity for distinguishing attacks and an upper bound on the fraction of plaintext bits recoverable by an attacker. This aligns with the European [ACM] recommendation of limiting the number of block-cipher invocations to 2b/2-5. This ensures that an attacker cannot recover more than ≈ 0.0007 bits across all plaintexts [Entropy] and that δ ⪅ 1.0005.

To align with zero-trust principles and minimize the impact of key compromise, protocols using GCM-SST SHOULD enforce rekeying well before reaching the cryptographic limits. Modern guidance recommends rekeying via ephemeral key exchange providing Forward Secrecy (FS) and Post-Compromise Security (PCS) after 1 hour or 230–237 bytes [RFC4253][ANSSI].

5. Security Considerations

GCM-SST introduces a second authentication subkey H2, alongside the subkey H. The inclusion of H2 enables truncated tags with forgery probabilities close to ideal. Both H and H2 are derived for each nonce, which significantly decreases the probability of multiple successful forgeries. These changes are based on proven theoretical constructions and follow the recommendations in [Nyberg]. Inoue et al. [Inoue] prove that GCM-SST achieves its v / 2t design goal in the single-key setting, and that it provides nonce-misuse resilience [NMRL]. Because the subkeys in GCM-SST are derived independently per nonce, any confidentiality or integrity advantage an adversary gains against one nonce, whether through nonce misuse or a successful forgery attempt, does not carry over to a different, fresh nonce: GCM-SST recovers its full security as soon as such a nonce is no longer in use. Naito et al. [Naito] derive a tighter single-key bound and further prove that GCM-SST achieves its v / 2t design goal in the multi-key setting, including when combined with nonce randomization and nonce-based key derivation.

GCM-SST is designed for use in security protocols with replay protection. Each key MUST be chosen uniformly at random. GCM-SST MUST be used in a nonce-respecting setting: for a given key, a nonce MUST be used at most once in the encryption function and at most once in a successful decryption function call. The nonce MAY be public or predictable. It can be a counter, the output of a permutation, or a generator with a long period. The reuse of nonces in successful encryption and decryption function calls enables universal forgery, as demonstrated by [Joux], [Lindell], and [Inoue], and so GCM-SST MUST be used with replay protection. Additionally, GCM-SST MUST NOT be used with random nonces: besides reducing the efficiency of replay protection, they introduce a nonce-collision probability that degrades security bounds. Implementations SHOULD add randomness to the nonce by XORing a unique number such as a sequence number with a per-key random secret salt of the same length as the nonce. This significantly improves security against precomputation and multi-key attacks [Bellare17] and is implemented, for example, in SRTP [RFC3711], TLS 1.3 [RFC8446], OSCORE [RFC8613], and [Ascon]. By increasing the nonce length from 96 bits to 224 bits, Rijndael-GCM-SST can offer significantly greater security against precomputation and multi-key attacks compared to AES-GCM-SST. GCM-SST does not aim for full nonce-misuse resistance [NMR]. Like GCM, it derives its keystream in a single pass, avoiding the two-pass, non-online structure that nonce-misuse-resistant algorithms require. NIST is addressing nonce-misuse resistance through the planned Accordions [Accordions].

Unless otherwise specified, formulas for the expected number of forgeries apply to unicast scenarios.

5.1. Integrity

The GCM-SST tag length t SHOULD NOT be smaller than 32 bits and cannot be larger than 128 bits. Let ℓ = (P_MAX + A_MAX) / 16 + 1. When ℓ ≪ 2128 - t, the forgery probability is ≈ 1 / 2t [Nyberg][Inoue]. The tags in the AEAD algorithms listed in Section 4.3 therefore achieve near-ideal forgery probabilities. This is a significant improvement over GCM [GCM], where the forgery probability is bounded by ⪅ δ ⋅ ℓ / 2t [GCM][Iwata]. For a graph of the forgery probability assuming δ ≈ 1, see Fig. 3 in [Inoue]. For 128-bit tags and long messages, the forgery probability of GCM-SST is no longer ideal and becomes comparable to that of GCM. In GCM-SST, the full_tag is independent of t unless the application explicitly incorporates t into the keystream or the nonce.

The expected number of forgeries depends on the keystream generator. For block ciphers in counter mode, it is governed by the birthday bound, with AES-based ciphers particularly constrained by their narrow 128-bit block size. Assuming a sufficiently large key size such that brute-force key-recovery attacks can be neglected, a strong integrity mechanism should satisfy

  • E(F) ≈ v / 2t ,

where v is the number of forgery attempts. Following the constraints in Section 4.3, AES-GCM-SST and Rijndael-GCM-SST achieve this ideal. AES-GCM-SST significantly outperforms AES-GCM [GCM], for which the expected number of forgeries (assuming deterministic 96-bit nonces) is bounded by:

  • E(F) ⪅ δ ⋅ v2 ⋅ ℓ / 2t+1 .

For further details on the integrity advantages and expected number of forgeries for GCM and GCM-SST, see [Iwata], [Niwa], [Inoue], [Naito], and [Multiple]. BSI states that an ideal MAC with a 96-bit tag length is considered acceptable for most applications [BSI], a requirement that GCM-SST with 96-bit tags satisfies when ℓ ⪅ 232 and δ ≈ 1. Achieving a comparable level of security with GCM, CCM, or Poly1305 is nearly impossible.

5.2. Confidentiality

The confidentiality offered by GCM-SST against passive attackers depends on the keystream generator. For block ciphers in counter mode, it is governed by the birthday bound, with AES-based ciphers particularly constrained by their narrow 128-bit block size. For AES-GCM-SST, the confidentiality is equal to AES-GCM [GCM]. Regardless of key length, an attacker can mount a distinguishing attack with a complexity of approximately 2129 / σ, where σ ⪅ P_MAX ⋅ Q_MAX / 16 is the total plaintext length measured in 128-bit chunks. In contrast, the confidentiality offered by Rijndael-GCM-SST against passive attackers is significantly higher. The complexity of distinguishing attacks for Rijndael-GCM-SST is approximately 2258 / σ. McGrew [Impossible] and Leurent and Sibleyras [Difference] demonstrate that for block ciphers in counter mode, an attacker with partial knowledge of the plaintext can execute plaintext-recovery attacks against counter mode with roughly the same complexity (up to logarithmic factors) as distinguishing attacks. However, Preuß Mattsson [Entropy] demonstrated that an attacker cannot recover more than ≈ σ2 / 2b bits of the plaintext. Given the constraints outlined in Section 4.3, an attacker cannot recover more than 0.0007 bits of AES-GCM-SST plaintexts.

While Rijndael-256 in counter mode can provide high confidentiality for plaintexts much larger than 237 bytes, GHASH and POLYVAL do not offer adequate integrity for long plaintexts. To ensure robust integrity for long plaintexts, an AEAD mode would need to replace POLYVAL with a MAC that has better security properties, such as a Carter-Wegman MAC in a larger field [Maximov][Degabriele] or other alternatives such as [SMAC].

The confidentiality offered by GCM-SST against active attackers is directly linked to the forgery probability. Depending on the protocol and application, forgeries can significantly compromise privacy, in addition to affecting integrity and authenticity. It MUST be assumed that attackers always receive feedback on the success or failure of their forgery attempts. Therefore, attacks on integrity, authenticity, and confidentiality MUST all be carefully evaluated when selecting an appropriate tag length.

5.3. Weak Keys

In general, there is a very small possibility in GCM-SST that either or both of the subkeys H and H2 are zero, so-called weak keys. If H is zero, the authentication tag depends only on the length of P and A and not on their content. If H2 is zero, the authentication tag does not depend on P and A. Due to the masking with M, there are no obvious ways to detect this condition for an attacker, and the specification admits this possibility rather than complicating implementations with additional checks and regeneration of values. In AES-GCM-SST, H and H2 are generated with a permutation on different inputs, so H and H2 cannot both be zero.

5.4. Replay Protection

The details of the replay protection mechanism are determined by the security protocol utilizing GCM-SST. If the nonce includes a sequence number, it can be used for replay protection. Alternatively, a separate sequence number can be used, provided there is a one-to-one mapping between sequence numbers and nonces. The choice of a replay protection mechanism depends on factors such as the expected degree of packet reordering, as well as protocol and implementation details. For examples of replay protection mechanisms, see [RFC4303] and [RFC6479]. Implementing replay protection by requiring ciphertexts to arrive in order and terminating the connection if a single decryption fails is NOT RECOMMENDED, as this approach reduces robustness and availability and exposes the system to denial-of-service attacks [Robust].

5.5. Comparison with ChaCha20-Poly1305 and AES-GCM

Table 2 compares the integrity of GCM-SST, ChaCha20-Poly1305 [RFC8439], and AES-GCM [RFC5116] in unicast security protocols with replay protection. In both Poly1305 and GCM, the forgery probability depends on ℓ; in GCM, it additionally involves the Bernstein bound factor δ. GCM-SST requires δ ≈ 1, a property that GCM does not mandate. Furthermore, GCM provides no reforgeability resistance, which substantially increases the expected number of forgeries. See [Procter], [Iwata], and [Multiple] for further details.

Table 2: Comparison of integrity among GCM-SST, ChaCha20-Poly1305, and AES-GCM in unicast security protocols with replay protection. v is the number of forgery attempts, ℓ is the maximum length of plaintext and associated data, measured in 128-bit chunks. The GCM values assume δ ≈ 1; when this condition does not hold, the GCM values are worse than those shown.
Name Tag length (bytes) Forgery probability before first forgery Forgery probability after first forgery Expected number of forgeries
GCM_SST_14 14 1 / 2112 1 / 2112 v / 2112
GCM_SST_12 12 1 / 296 1 / 296 v / 296
POLY1305 16 ℓ / 2103 ℓ / 2103 v ⋅ ℓ / 2103
GCM 16 ℓ / 2128 1 v2 ⋅ ℓ / 2129

Table 3 compares the integrity of GCM-SST, ChaCha20-Poly1305 [RFC8439], and AES-GCM [RFC5116] in unicast QUIC [RFC9000][RFC9001], a security protocol with mandatory replay protection, and where the combined size of plaintext and associated data is less than ≈ 216 bytes (ℓ ≈ 212). GCM_SST_14 and GCM_SST_12 provide better integrity than ChaCha20-Poly1305 [RFC8439] and AES-GCM [RFC5116], while also reducing overhead by 2–4 bytes. For GCM-SST and ChaCha20-Poly1305, the expected number of forgeries is linear in v when replay protection is employed. ChaCha20-Poly1305 achieves a security level equivalent to that of an ideal MAC with a length of 91 bits. For AES-GCM, replay protection does not mitigate reforgeries, the expected number of forgeries grows quadratically with v, and GCM provides significantly worse integrity than GCM-SST and ChaCha20-Poly1305 unless v is kept very small. With v = 252 as allowed for AES-GCM in QUIC [RFC9001], the expected number of forgeries for AES-GCM exceeds that of an ideal 65-bit MAC.

Table 3: Comparison of integrity among GCM-SST, ChaCha20-Poly1305, and AES-GCM in unicast QUIC, where the maximum packet size is 65536 bytes. The GCM values assume δ ≈ 1; when this condition does not hold, the GCM values are worse than those shown.
Name Tag length (bytes) Forgery probability before first forgery Forgery probability after first forgery Expected number of forgeries
GCM_SST_14 14 1 / 2112 1 / 2112 v / 2112
GCM_SST_12 12 1 / 296 1 / 296 v / 296
POLY1305 16 1 / 291 1 / 291 v / 291
GCM 16 1 / 2116 1 v2 / 2117

Table 4 compares the confidentiality of Rijndael-GCM-SST, AES-256-GCM-SST, SNOW 5G-GCM-SST, and ChaCha20-Poly1305 [RFC8439], all of which use 256-bit keys, against passive attackers. The confidentiality of block ciphers in counter mode is governed by the birthday bound, with AES-based ciphers particularly constrained by their narrow 128-bit block size. While plaintext-recovery attacks on block ciphers in counter mode have a complexity similar to distinguishing attacks, the attacker cannot recover more than ≈ σ2 / 2b bits of the plaintexts [Entropy].

Table 4: Comparison of confidentiality against passive attackers among Rijndael-GCM-SST, SNOW 5G-GCM-SST, ChaCha20-Poly1305, and AES-256-GCM-SST. σ is the total plaintext length measured in 128-bit chunks.
Name Key size (bits) Complexity of distinguishing attacks
CHACHA20_POLY1305 256 2256
SNOW_5G_GCM_SST 256 2256
RIJNDAEL_GCM_SST 256 ≈ 2258 / σ
AES_256_GCM_SST 256 ≈ 2129 / σ

5.6. Multicast and Broadcast

While GCM-SST offers stronger security properties than GCM for a given tag length in multicast or broadcast contexts, it does not behave exactly like an ideal MAC. With an ideal MAC, a successful forgery against one recipient allows the attacker to reuse the same forgery against all other recipients. In contrast, with GCM, a successful forgery against one recipient enables the attacker to generate an unlimited number of new forgeries for all recipients.

With GCM-SST, a few successful forgeries against a few recipients allow the attacker to create one new forgery for all other recipients. While the total number of forgeries in GCM-SST matches that of an ideal MAC, the diversity of these forgeries is higher. To achieve one distinct forgery per recipient with an ideal MAC, the attacker would need to send on average 2t forgery attempts to each recipient. In one-to-many scenarios with replay protection and r recipients, the expected number of distinct forgeries is ≈ v ⋅ r / 2t.

6. IANA Considerations

IANA is requested to assign the algorithm names listed in the first column of Table 1 to the "AEAD Algorithms" registry under the registry group "Authenticated Encryption with Associated Data (AEAD) Parameters", with this document as the reference.

7. References

7.1. Normative References

[AES]
"Advanced Encryption Standard (AES)", NIST Federal Information Processing Standards Publication 197, , <https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197-upd1.pdf>.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/rfc/rfc2119>.
[RFC5116]
McGrew, D., "An Interface and Algorithms for Authenticated Encryption", RFC 5116, DOI 10.17487/RFC5116, , <https://www.rfc-editor.org/rfc/rfc5116>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/rfc/rfc8174>.
[RFC8452]
Gueron, S., Langley, A., and Y. Lindell, "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption", RFC 8452, DOI 10.17487/RFC8452, , <https://www.rfc-editor.org/rfc/rfc8452>.
[Rijndael]
Joan Daemen and Vincent Rijmen, "AES Proposal: Rijndael", , <https://csrc.nist.gov/csrc/media/projects/cryptographic-standards-and-guidelines/documents/aes-development/rijndael-ammended.pdf>.

7.2. Informative References

[Accordions]
NIST, "NIST Launches Development of Cryptographic Accordions", , <https://csrc.nist.gov/pubs/sp/800/197/a/iprd>.
[ACM]
"Agreed Cryptographic Mechanisms", , <https://certification.enisa.europa.eu/document/download/a845662b-aee0-484e-9191-890c4cfa7aaa_en>.
[AES-WIDE]
NIST, "NIST Proposes to Standardize a Wider Variant of AES", , <https://csrc.nist.gov/pubs/sp/800/197/iprd>.
[AEZ]
Viet Tung Hoang, Ted Krovetz, and Phillip Rogaway, "Robust Authenticated-Encryption: AEZ and the Problem that it Solves", , <https://eprint.iacr.org/2014/793.pdf>.
[ANSSI]
"Recommendations for securing networks with IPsec", , <https://messervices.cyber.gouv.fr/documents-guides/NT_IPsec_EN.pdf>.
[Ascon]
Meltem Sönmez Turan, Kerry A McKay, Donghoon Chang, Jinkeon Kang, and John Kelsey, "Ascon-Based Lightweight Cryptography Standards for Constrained Devices", NIST Special Publication 800-232 Initial Public Draft, , <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-232.ipd.pdf>.
[Bellare17]
Bellare, M. and B. Tackmann, "The Multi-User Security of Authenticated Encryption: AES-GCM in TLS 1.3", , <https://eprint.iacr.org/2016/564.pdf>.
[Bellare19]
Mihir Bellare, Ruth Ng, and Björn Tackmann, "Nonces are Noticed: AEAD Revisited", , <https://eprint.iacr.org/2019/624.pdf>.
[Bernstein]
Daniel J Bernstein, "Stronger Security Bounds for Permutations", , <https://cr.yp.to/antiforgery/permutations-20050323.pdf>.
[BSI]
"Cryptographic Mechanisms Recommendations and Key Lengths", BSI Technical Guideline TR-02102-1, , <https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.html>.
[Campagna]
Campagna, M., Maximov, A., and J. Preuß Mattsson, "Galois Counter Mode with Strong Secure Tags (GCM-SST)", , <https://csrc.nist.gov/csrc/media/Events/2023/third-workshop-on-block-cipher-modes-of-operation/documents/accepted-papers/Galois%20Counter%20Mode%20with%20Secure%20Short%20Tags.pdf>.
[Degabriele]
Degabriele, J., Gilcher, J., Govinden, J., and K. Paterson, "SoK: Efficient Design and Implementation of Polynomial Hash Functions over Prime Fields", , <https://doi.org/10.3929/ethz-b-000654260>.
[Difference]
Gaëtan Leurent and Ferdinand Sibleyras, "The Missing Difference Problem, and Its Applications to Counter Mode Encryption", , <https://link.springer.com/chapter/10.1007/978-3-319-78375-8_24>.
[Drucker]
Nir Drucker and Shay Gueron, "Software Optimization of Rijndael for Modern x86-64 Platforms", , <https://rd.springer.com/chapter/10.1007/978-3-030-97652-1_18>.
[EIA3]
ETSI SAGE, "128-EEA3 and 128-EIA3 Specification", , <https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2019/05/EEA3_EIA3_specification_v1_8.pdf>.
[Entropy]
Preuß Mattsson, J., "Collision-Based Attacks on Block Cipher Modes - Exploiting Collisions and Their Absence", , <https://eprint.iacr.org/2024/1111.pdf>.
[Ferguson]
Ferguson, N., "Authentication weaknesses in GCM", , <https://csrc.nist.gov/CSRC/media/Projects/Block-Cipher-Techniques/documents/BCM/Comments/CWC-GCM/Ferguson2.pdf>.
[GCM]
Dworkin, M., "Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC", NIST Special Publication 800-38D, , <https://doi.org/10.6028/NIST.SP.800-38D>.
[GCM-Update]
McGrew, D. and J. Viega, "GCM Update", , <https://csrc.nist.gov/csrc/media/projects/block-cipher-techniques/documents/bcm/comments/cwc-gcm/gcm-update.pdf>.
[Gueron]
Gueron, S., "Constructions based on the AES Round and Polynomial Multiplication that are Efficient on Modern Processor Architectures", , <https://csrc.nist.gov/csrc/media/Presentations/2023/constructions-based-on-the-aes-round/images-media/sess-5-gueron-bcm-workshop-2023.pdf>.
[I-D.ietf-moq-transport]
Nandakumar, S., Vasiliev, V., Swett, I., and A. Frindell, "Media over QUIC Transport", Work in Progress, Internet-Draft, draft-ietf-moq-transport-18, , <https://datatracker.ietf.org/doc/html/draft-ietf-moq-transport-18>.
[I-D.irtf-cfrg-aegis-aead]
Denis, F. and S. Lucas, "The AEGIS Family of Authenticated Encryption Algorithms", Work in Progress, Internet-Draft, draft-irtf-cfrg-aegis-aead-18, , <https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-aegis-aead-18>.
[Impossible]
David McGrew, "Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block cipher modes", , <https://eprint.iacr.org/2012/623.pdf>.
[Inoue]
Akiko Inoue, Ashwin Jha, Bart Mennink, and Kazuhiko Minematsu, "Generic Security of GCM-SST", , <https://eprint.iacr.org/2024/1928.pdf>.
[Iwata]
Tetsu Iwata, Keisuke Ohashi, and Kazuhiko Minematsu, "Breaking and Repairing GCM Security Proofs", , <https://eprint.iacr.org/2012/438.pdf>.
[Joux]
Joux, A., "Authentication Failures in NIST version of GCM", , <https://csrc.nist.gov/csrc/media/projects/block-cipher-techniques/documents/bcm/comments/800-38-series-drafts/gcm/joux_comments.pdf>.
[Lindell]
Lindell, Y., "Comment on AES-GCM-SST", , <https://mailarchive.ietf.org/arch/browse/cfrg/?gbt=1&index=cWpv0QgX2ltkWhtd3R9pEW7E1CA>.
[Mattsson]
Mattsson, J. and M. Westerlund, "Authentication Key Recovery on Galois/Counter Mode (GCM)", , <https://eprint.iacr.org/2015/477.pdf>.
[Maximov]
Maximov, A. and H. Sjöberg, "On Fast Multiplication in Binary Finite Fields and Optimal Primitive Polynomials over GF(2)", , <https://eprint.iacr.org/2017/889.pdf>.
[Milenage-256]
3GPP, "Specification of the MILENAGE-256 algorithm set", , <https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=4244>.
[Multiple]
David McGrew and Scott Fluhrer, "Multiple Forgery Attacks Against Message Authentication Codes", , <https://csrc.nist.gov/csrc/media/projects/block-cipher-techniques/documents/bcm/comments/cwc-gcm/multi-forge-01.pdf>.
[Naito]
Yusuke Naito, Yu Sasaki, and Takeshi Sugawara, "The Multi-user Security of GCM-SST and Further Enhancements", , <https://doi.org/10.1007/978-3-032-08124-7_3>.
[NCA4]
3GPP, "Specification of the Snow 5G based 256-bits algorithm set", , <https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=4220>.
[NCA5]
3GPP, "Specification of the AES based 256-bits algorithm set", , <https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=4221>.
[NCA6]
3GPP, "Specification of the ZUC based 256-bits algorithm set", , <https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=4224>.
[Niwa]
Yuichi Niwa, Keisuke Ohashi, Kazuhiko Minematsu, and Tetsu Iwata, "GCM Security Bounds Reconsidered", , <https://eprint.iacr.org/2015/214.pdf>.
[NMR]
Rogaway, P. and T. Shrimpton, "Deterministic Authenticated-Encryption: A Provable-Security Treatment of the Key-Wrap Problem", , <https://eprint.iacr.org/2006/221.pdf>.
[NMRL]
Ashur, T., Dunkelman, O., and A. Luykx, "Boosting Authenticated Encryption Robustness with Minimal Modifications", , <https://doi.org/10.1007/978-3-319-63697-9_1>.
[Nyberg]
Nyberg, K., Gilbert, H., and M. Robshaw, "Galois MAC with forgery probability close to ideal", , <https://csrc.nist.gov/CSRC/media/Projects/Block-Cipher-Techniques/documents/BCM/Comments/general-comments/papers/Nyberg_Gilbert_and_Robshaw.pdf>.
[PDCP]
3GPP TS 38 323, "NR; Packet Data Convergence Protocol (PDCP) specification", , <https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3196>.
[Procter]
Gordon Procter, "A Security Analysis of the Composition of ChaCha20 and Poly1305", , <https://eprint.iacr.org/2014/613.pdf>.
[Reforge]
Christian Forler, Eik List, Stefan Lucks, and Jakob Wenzel, "Reforgeability of Authenticated Encryption Schemes", , <https://eprint.iacr.org/2017/332.pdf>.
[Revise]
NIST, "Announcement of Proposal to Revise SP 800-38D", , <https://csrc.nist.gov/news/2023/proposal-to-revise-sp-800-38d>.
[RFC3711]
Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. Norrman, "The Secure Real-time Transport Protocol (SRTP)", RFC 3711, DOI 10.17487/RFC3711, , <https://www.rfc-editor.org/rfc/rfc3711>.
[RFC4253]
Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) Transport Layer Protocol", RFC 4253, DOI 10.17487/RFC4253, , <https://www.rfc-editor.org/rfc/rfc4253>.
[RFC4303]
Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 4303, DOI 10.17487/RFC4303, , <https://www.rfc-editor.org/rfc/rfc4303>.
[RFC6479]
Zhang, X. and T. Tsou, "IPsec Anti-Replay Algorithm without Bit Shifting", RFC 6479, DOI 10.17487/RFC6479, , <https://www.rfc-editor.org/rfc/rfc6479>.
[RFC8439]
Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF Protocols", RFC 8439, DOI 10.17487/RFC8439, , <https://www.rfc-editor.org/rfc/rfc8439>.
[RFC8446]
Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", RFC 8446, DOI 10.17487/RFC8446, , <https://www.rfc-editor.org/rfc/rfc8446>.
[RFC8613]
Selander, G., Mattsson, J., Palombini, F., and L. Seitz, "Object Security for Constrained RESTful Environments (OSCORE)", RFC 8613, DOI 10.17487/RFC8613, , <https://www.rfc-editor.org/rfc/rfc8613>.
[RFC9000]
Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based Multiplexed and Secure Transport", RFC 9000, DOI 10.17487/RFC9000, , <https://www.rfc-editor.org/rfc/rfc9000>.
[RFC9001]
Thomson, M., Ed. and S. Turner, Ed., "Using TLS to Secure QUIC", RFC 9001, DOI 10.17487/RFC9001, , <https://www.rfc-editor.org/rfc/rfc9001>.
[RFC9605]
Omara, E., Uberti, J., Murillo, S. G., Barnes, R., Ed., and Y. Fablet, "Secure Frame (SFrame): Lightweight Authenticated Encryption for Real-Time Media", RFC 9605, DOI 10.17487/RFC9605, , <https://www.rfc-editor.org/rfc/rfc9605>.
[Robust]
Fischlin, M., Günther, F., and C. Janson, "Robust Channels: Handling Unreliable Networks in the Record Layers of QUIC and DTLS 1.3", , <https://link.springer.com/article/10.1007/s00145-023-09489-9>.
[Sec5G]
3GPP TS 33 501, "Security architecture and procedures for 5G System", , <https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3169>.
[SMAC]
Wang, D., Maximov, A., Ekdahl, P., and T. Johansson, "A new stand-alone MAC construct called SMAC", , <https://eprint.iacr.org/2024/819>.
[SNOW-Axn]
Wang, D., Maximov, A., Ekdahl, P., and T. Johansson, "Pushing to the limits: SNOW-Axn – a fast AEAD stream cipher in aggregated mode", , <https://cic.iacr.org/p/3/1/31/pdf>.
[SNOW-Vi]
Ekdahl, P., Johansson, T., Maximov, A., and J. Yang, "SNOW-Vi: an extreme performance variant of SNOW-V for lower grade CPUs", , <https://eprint.iacr.org/2021/236>.
[UIA2]
ETSI SAGE, "UEA2 and UIA2 Specification", , <https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2019/05/uea2uia2d1v21.pdf>.

Appendix A. AES-GCM-SST Test Vectors

A.1. AES-GCM-SST Test #1 (128-bit key)

         K = { 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f }
         N = { 30 31 32 33 34 35 36 37 38 39 3a 3b }
         H = { 22 ce 92 da cb 50 77 4b ab 0d 18 29 3d 6e ae 7f }
       H_2 = { 03 13 63 96 74 be fa 86 4d fa fb 80 36 b7 a0 3c }
         M = { 9b 1d 49 ea 42 b0 0a ec b0 bc eb 8d d0 ef c2 b9 }

Case #1a

         A = { }
         P = { }
         L = { 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
  full_tag = { 9b 1d 49 ea 42 b0 0a ec b0 bc eb 8d d0 ef c2 b9 }
       tag = { 9b 1d 49 ea 42 b0 0a ec b0 bc eb 8d }
        ct = { }

Case #1b

         A = { 40 41 42 43 44 }
         P = { }
         L = { 00 00 00 00 00 00 00 00 28 00 00 00 00 00 00 00 }
  full_tag = { 7f f3 cb a4 d5 f3 08 a5 70 4e 2f d5 f2 3a e8 f9 }
       tag = { 7f f3 cb a4 d5 f3 08 a5 70 4e 2f d5 }
        ct = { }

Case #1c

         A = { }
         P = { 60 61 62 63 64 65 66 67 68 69 6a 6b }
         L = { 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
  full_tag = { f8 de 17 85 fd 1a 90 d9 81 8f cb 7b 44 69 8a 8b }
       tag = { f8 de 17 85 fd 1a 90 d9 81 8f cb 7b }
        ct = { 64 f0 5b ae 1e d2 40 3a 71 25 5e dd }

Case #1d

         A = { 40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f }
         P = { 60 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f
               70 71 72 73 74 75 76 77 78 79 7a 7b 7c 7d 7e }
         L = { f8 00 00 00 00 00 00 00 80 00 00 00 00 00 00 00 }
  full_tag = { 93 43 56 14 0b 84 48 2c d0 14 c7 40 7e e9 cc b6 }
       tag = { 93 43 56 14 0b 84 48 2c d0 14 c7 40 }
        ct = { 64 f0 5b ae 1e d2 40 3a 71 25 5e dd 53 49 5c e1
               7d c0 cb c7 85 a7 a9 20 db 42 28 ff 63 32 10 }

Case #1e

         A = { 40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e }
         P = { 60 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f
               70 }
         L = { 88 00 00 00 00 00 00 00 78 00 00 00 00 00 00 00 }
  full_tag = { f8 50 b7 97 11 43 ab e9 31 5a d7 eb 3b 0a 16 81 }
       tag = { f8 50 b7 97 11 43 ab e9 31 5a d7 eb }
        ct = { 64 f0 5b ae 1e d2 40 3a 71 25 5e dd 53 49 5c e1
               7d }

A.2. AES-GCM-SST Test #2 (128-bit key)

         K = { 29 23 be 84 e1 6c d6 ae 52 90 49 f1 f1 bb e9 eb }
         N = { 9a 50 ee 40 78 36 fd 12 49 32 f6 9e }
         A = { 1f 03 5a 7d 09 38 25 1f 5d d4 cb fc 96 f5 45 3b
               13 0d }
         P = { ad 4f 14 f2 44 40 66 d0 6b c4 30 b7 32 3b a1 22
               f6 22 91 9d }
         H = { 2d 6d 7f 1c 52 a7 a0 6b f2 bc bd 23 75 47 03 88 }
       H_2 = { 3b fd 00 96 25 84 2a 86 65 71 a4 66 e5 62 05 92 }
         M = { 9e 6c 98 3e e0 6c 1a ab c8 99 b7 8d 57 32 0a f5 }
         L = { a0 00 00 00 00 00 00 00 90 00 00 00 00 00 00 00 }
  full_tag = { 45 03 bf b0 96 82 39 b3 67 e9 70 c3 83 c5 10 6f }
       tag = { 45 03 bf b0 96 82 }
        ct = { b8 65 d5 16 07 83 11 73 21 f5 6c b0 75 45 16 b3
               da 9d b8 09 }

A.3. AES-GCM-SST Test #3 (256-bit key)

         K = { 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
               10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f }
         N = { 30 31 32 33 34 35 36 37 38 39 3a 3b }
         H = { 3b d9 9f 8d 38 f0 2e a1 80 96 a4 b0 b1 d9 3b 1b }
       H_2 = { af 7f 54 00 16 aa b8 bc 91 56 d9 d1 83 59 cc e5 }
         M = { b3 35 31 c0 e9 6f 4a 03 2a 33 8e ec 12 99 3e 68 }

Case #3a

         A = { }
         P = { }
         L = { 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
  full_tag = { b3 35 31 c0 e9 6f 4a 03 2a 33 8e ec 12 99 3e 68 }
       tag = { b3 35 31 c0 e9 6f 4a 03 2a 33 8e ec }
        ct = { }

Case #3b

         A = { 40 41 42 43 44 }
         P = { }
         L = { 00 00 00 00 00 00 00 00 28 00 00 00 00 00 00 00 }
  full_tag = { 63 ac ca 4d 20 9f b3 90 28 ff c3 17 04 01 67 61 }
       tag = { 63 ac ca 4d 20 9f b3 90 28 ff c3 17 }
        ct = { }

Case #3c

         A = { }
         P = { 60 61 62 63 64 65 66 67 68 69 6a 6b }
         L = { 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
  full_tag = { e1 de bf fd 5f 3a 85 e3 48 bd 6f cc 6e 62 10 90 }
       tag = { e1 de bf fd 5f 3a 85 e3 48 bd 6f cc }
        ct = { fc 46 2d 34 a7 5b 22 62 4f d7 3b 27 }

Case #3d

         A = { 40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f }
         P = { 60 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f
               70 71 72 73 74 75 76 77 78 79 7a 7b 7c 7d 7e }
         L = { f8 00 00 00 00 00 00 00 80 00 00 00 00 00 00 00 }
  full_tag = { c3 5e d7 83 9f 21 f7 bb a5 a8 a2 8e 1f 49 ed 04 }
       tag = { c3 5e d7 83 9f 21 f7 bb a5 a8 a2 8e }
        ct = { fc 46 2d 34 a7 5b 22 62 4f d7 3b 27 84 de 10 51
               33 11 7e 17 58 b5 ed d0 d6 5d 68 32 06 bb ad }

Case #3e

         A = { 40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e }
         P = { 60 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f
               70 }
         L = { 88 00 00 00 00 00 00 00 78 00 00 00 00 00 00 00 }
  full_tag = { 49 7c 14 77 67 a5 3d 57 64 ce fd 03 26 fe e7 b5 }
       tag = { 49 7c 14 77 67 a5 3d 57 64 ce fd 03 }
        ct = { fc 46 2d 34 a7 5b 22 62 4f d7 3b 27 84 de 10 51
               33 }

A.4. AES-GCM-SST Test #4 (256-bit key)

         K = { 29 23 be 84 e1 6c d6 ae 52 90 49 f1 f1 bb e9 eb
               b3 a6 db 3c 87 0c 3e 99 24 5e 0d 1c 06 b7 b3 12 }
         N = { 9a 50 ee 40 78 36 fd 12 49 32 f6 9e }
         A = { 1f 03 5a 7d 09 38 25 1f 5d d4 cb fc 96 f5 45 3b
               13 0d }
         P = { ad 4f 14 f2 44 40 66 d0 6b c4 30 b7 32 3b a1 22
               f6 22 91 9d }
         H = { 13 53 4b f7 8a 91 38 fd f5 41 65 7f c2 39 55 23 }
       H_2 = { 32 69 75 a3 3a ff ae ac af a8 fb d1 bd 62 66 95 }
         M = { 59 48 44 80 b6 cd 59 06 69 27 5e 7d 81 4a d1 74 }
         L = { a0 00 00 00 00 00 00 00 90 00 00 00 00 00 00 00 }
  full_tag = { c4 a1 ca 9a 38 c6 73 af bf 9c 73 49 bf 3c d5 4d }
       tag = { c4 a1 ca 9a 38 c6 73 af bf 9c 73 49 bf 3c }
        ct = { b5 c2 a4 07 f3 3e 99 88 de c1 2f 10 64 7b 3d 4f
               eb 8f f7 cc }

Appendix B. Compatibility with 3GPP Algorithms

The integrity part of GCM-SST was originally developed by ETSI SAGE, under the name Mac5G, following a request from 3GPP. Mac5G follows the same structural approach as the integrity algorithms used for SNOW 3G [UIA2] and ZUC [EIA3].

3GPP has standardized GCM-SST for use with SNOW 5G [NCA4], AES-256 [NCA5], and ZUC-256 [NCA6] in 3GPP TS 35.240–35.248. These AEAD algorithms are designated as NCA4, NCA5, and NCA6, respectively. GCM-SST, as specified in this document, is fully compatible with the SNOW 5G-based NCA4 and the ZUC-256-based NCA6. The AES-based NCA5 differs only in its subkey generation but is otherwise identical. The NCA algorithms support bit-aligned associated data and plaintext inputs, whereas this specification is restricted to byte-aligned inputs. They also provide more detailed specifications for nonce construction based on 3GPP protocol requirements. SNOW 5G is functionally equivalent to SNOW-Vi [SNOW-Vi], except that the finite-state machine (FSM) adders have been changed from 32-bit to 16-bit operations to increase the complexity of correlation attacks while also improving implementation efficiency [SNOW-Axn].

The version of GCM-SST specified in this document imposes stricter security considerations and constraints than the ETSI SAGE specifications for the NCA algorithms. This document recommends that 3GPP adopt the additional security measures described herein.

Change Log

This section is to be removed before publishing as an RFC.

Changes from -18 to -19:

Acknowledgments

The authors thank Richard Barnes, Thomas Bellebaum, Patrik Ekdahl, Scott Fluhrer, Russ Housley, Eric Lagergren, Yehuda Lindell, Kazuhiko Minematsu, Santeri Paavolainen, Sini Ruohomaa, Erik Thormarker, and Magnus Westerlund for their valuable comments and feedback. Some of the formatting and text follow the conventions of [I-D.irtf-cfrg-aegis-aead].

Authors' Addresses

Matthew Campagna
Amazon Web Services
Canada
Alexander Maximov
Ericsson
Sweden
John Preuß Mattsson
Ericsson
Sweden