October 4, 2023
John Preuß Mattsson - Ericsson
This document defines the Galois Counter Mode with Secure Short Tags (GCM-SST) Authenticated Encryption with Associated Data (AEAD) algorithm. GCM-SST can be used with any keystream generator. Thus GCM-SST is a mode of operation of the Advanced Encryption Standard (AES). The main differences compared to GCM are that GCM-SST uses an additional subkey 𝑄, that fresh subkeys 𝐻 and 𝑄 are derived for each nonce, and that the POLYVAL function from AES-GCM-SIV is used instead of GHASH. This enables short tags with forgery probabilities close to ideal.
The Third NIST Workshop on Block Cipher Modes of Operation