AES-GCM-SIV

  • Better nonce-reuse resistance

AES-GCM-SIV derives two distinct keys from the nonce and key, then uses POLYVAL (which is related to [GHASH](/Crypto/Hash Functions/GHASH)) over the AAD and message with the first key to generate the tag. The tag is then used to derive a series of AES counter blocks that, when encrypted with the second key, are XORed with the blocks of the message (basically counter mode). This is MAC-then-encrypt: the keystream depends on the tag, and the tag depends on the whole message, so reusing a nonce only reveals whether two messages were identical.

https://www.imperialviolet.org/2017/05/14/aesgcmsiv.html
https://news.ycombinator.com/item?id=19693434

It is very similar to [AES](/Crypto/Symmetric Encryption/AES)-[SIV](/Crypto/Symmetric Encryption/Block Ciphers/SIV), but instead of CMAC it uses a [GCM](/Crypto/Symmetric Encryption/Block Ciphers/GCM)-style polynomial MAC (POLYVAL) to compute the synthetic IV.

Implementation

```python
# Assumed: `aes` (with ecb_encryption/ctr_encryption) and `GMAC` are helper objects
# from elsewhere in these notes; they are not defined in this snippet.
message = b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
# Generate the GCM key by encrypting a null block with the encryption key
auth_key = aes.ecb_encryption(b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
gmac = GMAC(auth_key)
# IV is 96 bits (12 bytes)
iv = bytes.fromhex("000000000000000000000000")
# Encrypt plaintext in counter mode
ciphertext = aes.ctr_encryption(iv, message)
# Use the IV as additional authenticated data (AAD),
# so if the IV changes then the tag changes
tag_iv = gmac.digest(iv, ciphertext)  # original passed b"" as AAD, contradicting the comment above
# Then encrypt the new data with the
tag = aes.ctr_encryption(tag_iv, tag_iv)  # original used `tag` here before it was assigned
print(f"auth_key: {auth_key.hex()}, tag_iv: {tag_iv.hex()}, iv: {iv.hex()}, ciphertext: {ciphertext.hex()}, tag: {tag.hex()}")
# Output recorded by the author from the original (unfixed) snippet:
# auth_key: aa1908ba6ab97a18ea6349b72eb1ba15, tag_iv: 00000000000000000000000000000000, iv: 000000000000000000000000, ciphertext: aa1908ba6ab97a18ea6349b72eb1ba15, tag: d387e6b9293ead8758976e85dd9e064b
```