Cryptography Forum                                               P. PhamInternet-Draft                                                 L. PrabelIntended status: Standards Track                                  S. SunExpires: 13 December 2025                                         Huawei                                                            11 June 2025            The Fast Software Authenticated Encryption HiAE                        draft-pham-cfrg-hiae-00Abstract   This document describes the high throughput authenticated encryption   algorithm HiAE designed for new wireless generation 6G and data   transimission applications.About This Document   This note is to be removed before publishing as an RFC.   The latest revision of this draft can be found at   https://example.com/LATEST.  Status information for this document may   be found at https://datatracker.ietf.org/doc/draft-pham-cfrg-hiae/.   Discussion of this document takes place on the Cryptography Forum   Working Group mailing list (mailto:jose@ietf.org), which is archived   at https://mailarchive.ietf.org/arch/browse/jose/.  Subscribe at   https://www.ietf.org/mailman/listinfo/jose/.   Source for this draft and an issue tracker can be found at   https://github.com/USER/REPO.Status of This Memo   This Internet-Draft is submitted in full conformance with the   provisions of BCP 78 and BCP 79.   Internet-Drafts are working documents of the Internet Engineering   Task Force (IETF).  Note that other groups may also distribute   working documents as Internet-Drafts.  The list of current Internet-   Drafts is at https://datatracker.ietf.org/drafts/current/.   Internet-Drafts are draft documents valid for a maximum of six months   and may be updated, replaced, or obsoleted by other documents at any   time.  It is inappropriate to use Internet-Drafts as reference   material or to cite them other than as "work in progress."   This Internet-Draft will expire on 13 December 2025.Pham, et al.            Expires 13 December 2025                [Page 1]Internet-Draft                    HiAE                         June 2025Copyright Notice   Copyright (c) 2025 IETF Trust and the persons identified as the   document authors.  All rights reserved.   This document is subject to BCP 78 and the IETF Trust's Legal   Provisions Relating to IETF Documents (https://trustee.ietf.org/   license-info) in effect on the date of publication of this document.   Please review these documents carefully, as they describe your rights   and restrictions with respect to this document.  Code Components   extracted from this document must include Revised BSD License text as   described in Section 4.e of the Trust Legal Provisions and are   provided without warranty as described in the Revised BSD License.Table of Contents   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3   2.  Conventions and Definitions . . . . . . . . . . . . . . . . .   3     2.1.  Notations . . . . . . . . . . . . . . . . . . . . . . . .   4     2.2.  The Round Function  . . . . . . . . . . . . . . . . . . .   4   3.  Algorithm Description . . . . . . . . . . . . . . . . . . . .   5     3.1.  Specification . . . . . . . . . . . . . . . . . . . . . .   5       3.1.1.  Initialization  . . . . . . . . . . . . . . . . . . .   6       3.1.2.  Processing the Associated Data  . . . . . . . . . . .   6       3.1.3.  Encryption  . . . . . . . . . . . . . . . . . . . . .   7       3.1.4.  Finalization  . . . . . . . . . . . . . . . . . . . .   7     3.2.  HiAE Algorithm  . . . . . . . . . . . . . . . . . . . . .   7   4.  Settings Specifications . . . . . . . . . . . . . . . . . . .   8     4.1.  Authenticated Encryption  . . . . . . . . . . . . . . . .   8     4.2.  Authenticated Decryption  . . . . . . . . . . . . . . . .   9   5.  Setting as a Stream Cipher  . . . . . . . . . . . . . . . . .  10   6.  Setting as a Message Authentication Code  . . . . . . . . . .  11   7.  Security Considerations . . . . . . . . . . . . . . . . . . .  12     7.1.  Classic Setting . . . . . . . . . . . . . . . . . . . . .  12     7.2.  Quantum Setting . . . . . . . . . . . . . . . . . . . . .  12     7.3.  Attacks Considerations  . . . . . . . . . . . . . . . . .  12   8.  Implementation Consideration  . . . . . . . . . . . . . . . .  13   9.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  13   10. Test Vectors  . . . . . . . . . . . . . . . . . . . . . . . .  13     10.1.  Test Vector 1  . . . . . . . . . . . . . . . . . . . . .  13     10.2.  Test Vector 2  . . . . . . . . . . . . . . . . . . . . .  14     10.3.  Test Vector 3  . . . . . . . . . . . . . . . . . . . . .  16     10.4.  Test Vector 4  . . . . . . . . . . . . . . . . . . . . .  16     10.5.  Test Vector 5  . . . . . . . . . . . . . . . . . . . . .  18     10.6.  Test Vector 6  . . . . . . . . . . . . . . . . . . . . .  19     10.7.  Test Vector 7  . . . . . . . . . . . . . . . . . . . . .  21     10.8.  Test Vector 8  . . . . . . . . . . . . . . . . . . . . .  22     10.9.  Test Vector 9  . . . . . . . . . . . . . . . . . . . . .  24Pham, et al.            Expires 13 December 2025                [Page 2]Internet-Draft                    HiAE                         June 2025     10.10. Test Vector 10 . . . . . . . . . . . . . . . . . . . . .  25   11. References  . . . . . . . . . . . . . . . . . . . . . . . . .  27     11.1.  Normative References . . . . . . . . . . . . . . . . . .  27     11.2.  Informative References . . . . . . . . . . . . . . . . .  27   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  281.  Introduction   Many recent cryptographic designs have utilized SIMD instructions to   achieve high performance, particularly on x86 platforms using AES-NI   [AES-NI].  AES-NI has become the foundation for many recent high-   speed (authenticated) encryption algorithms like AEGIS [AEGIS],   SNOW-V [SNOW-V], and Rocca-S [ROCCA-S], which are tailored to take   advantage of the parallelism and efficiency offered by these   instructions.  However, these designs often neglect the architectural   differences between x86 and ARM, where SIMD instructions are   implemented via NEON rather than AES-NI.  This oversight results in   inconsistent performance when deploying these algorithms on ARM-based   devices, which dominate mobile and embedded systems.  The transition   to 6G, with its demand for ultra-high data rates and reliance on   software-defined networks (SDN) or Cloud Radio Access Networks (Cloud   RAN), further emphasizes the need for cryptographic algorithms   optimized for diverse platforms.  While some existing designs achieve   remarkable performance on x86—reaching or exceeding 100 Gbps—these   same algorithms often perform suboptimally on ARM platforms due to   differences in SIMD instruction sets and hardware support for AES   round functions.  This gap highlights the pressing need for a unified   approach that ensures high and consistent performance across both   architectures.   Addressing this challenge requires rethinking cryptographic design to   leverage the unique capabilities of each platform while maintaining   compatibility and efficiency.  This motivates our work in developing   a cross-platform cryptographic HiAE that achieves competitive   performance on both x86 and ARM architectures, meeting the stringent   demands of 6G systems.2.  Conventions and Definitions   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and   "OPTIONAL" in this document are to be interpreted as described in   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all   capitals, as shown here.Pham, et al.            Expires 13 December 2025                [Page 3]Internet-Draft                    HiAE                         June 2025   The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”,   “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “NOT RECOMMENDED”, “MAY”, and   “OPTIONAL” in this document are to be interpreted as described in   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all   capitals, as shown here.2.1.  Notations   AESL(x): AESL(x) = MixColumns o SubBytes o ShiftRows(x), of AES   operations [FIPS-AES].   a ^ b: The bitwise exclusive OR operation between a and b.   S: The internal state, composed of 16 blocks, i.e. S = (S[0], S[1],   ..., S[15]), where S[i] (0 <= i <= 15) are blocks and S[0] is the   first block.  The i-th state block at round r is defined as S^r[i].   N: A 128-bit nonce.   AD_i: A 128-bit associated data block.   M_i: A 128-bit message block.   C_i: A 128-bit ciphertext block.   const_0: A 128-bit constant, represented in hexadecimal as   0x3243f6a8885a308d313198a2e0370734.   const_1: A 128-bit constant, represented in hexadecimal as   0x4a4093822299f31d0082efa98ec4e6c8.   X || 0^*: A 128-bit block string of the concatenation of X and the   complement of zeros.   |M|: the length in bit of the string M.   Truncate(x, l): Output the upper bits of x with length l.2.2.  The Round Function   The input of the round function UpdateFunction(S,X) of HiAE consists   of the state S and a data block X.  If denoting the output by Snew,   Snew:=UpdateFunction(S,X) can be defined as follows:Pham, et al.            Expires 13 December 2025                [Page 4]Internet-Draft                    HiAE                         June 2025   Snew[15] = AESL(S[0] ^ S[1]) ^ AESL(S[13]) ^ X,   Snew[14] = S[15],   Snew[13] = S[14],   Snew[12] = S[13] ^ X,   Snew[11] = S[12],   Snew[10] = S[11],   Snew[9] = S[10],   Snew[8] = S[9],   Snew[7] = S[8],   Snew[6] = S[7],   Snew[5] = S[6],   Snew[4] = S[5],   Snew[3] = S[4],   Snew[2] = S[3] ^ X,   Snew[1] = S[2],   Snew[0] = S[1]3.  Algorithm Description   In this section, we describe the specification of our design.3.1.  Specification   HiAE is structured into four phases: initialization, processing of   associated data, encryption, and finalization.  HiAE has a 2048-bit   state, made of sixteen 128-bit blocks S_0||S_1||...||S_{15}. The   parameters for this algorithm, that are consistent with the   definition in [RFC5116], Section 4, are defined as:   *  K_LEN (key length): 32 bytes (256 bits).   *  P_MAX (maximum length of the plaintext): 2^61 - 1 bytes (2^64 - 8      bits).   *  A_MAX (maximum length of the associated data): 2^61 - 1 bytes      (2^64 - 8 bits).   *  N_MIN (minimum nonce lentgh) = N_MAX (maximum nonce length) = 16      bytes (128 bits).   *  C_MAX (maximum ciphertext length) = P_MAX + tag length = (2^61 -      1) + 16 bytes (2^64 - 8 + 128 bits).Pham, et al.            Expires 13 December 2025                [Page 5]Internet-Draft                    HiAE                         June 2025   In more details, HiAE takes as input a 256-bit key K = K_0||K_1, a   128-bit nounce N, the associated data AD, and the message M.   The output includes the ciphertext C where |C| = |M| and a 128-bit   tag T.  Initially, AD and M are padded with 0 to ensure their lengths   are multiples of 128 as Pad(AD) = AD||0* = AD_0|| ... ||   AD_{|AD|/128-1} and Pad(M) = M||0* = M_0|| ... || M_{|M|/128-1}.   The encryption and authentication process are described below.3.1.1.  Initialization   First, the state is loaded with (N, K_0, K_1) as follow:     S[0] = const_0,     S[1] = K_1,     S[2] = N,     S[3] = const_0,     S[4] = ZERO(128),     S[5] = N ^ K_0,     S[6] = ZERO(128),     S[7] = const_1,     S[8] = N ^ K_1,     S[9] = ZERO(128),     S[10] = K_1,     S[11] = const_0,     S[12] = const_1,     S[13] = K_1,     S[14] = ZERO(128),     S[15] = const_0 ^ const_1.   Next, the state is updated with 32 UpdateFunction(S, const_0), then   XORed with the key one more:     S[9] = S[9] ^ K_0,     S[13] = S[13] ^ K_1.3.1.2.  Processing the Associated Data   Following initialization, the associated data AD is used to update   the state as:      for i = 0 to |AD|/128 - 1:         S = UpdateFunction(S, AD_i)      end for   This phase is skipped if the associated data is empty.Pham, et al.            Expires 13 December 2025                [Page 6]Internet-Draft                    HiAE                         June 20253.1.3.  Encryption   At each step of the encryption, a 128-bit message block is used to   update the state, and M_i is then encrypted to produce C_i following,   and skipped the phase if the message is empty.      for i = 0 to |M|/128 - 1:         C_i = AESL(S[0] ^ S[1]) ^ S[9] ^ M_i         S = UpdateFunction(S, M_i)      end for3.1.4.  Finalization   After encrypting all the message blocks, the state is updated again   with the lengths of associated data and message as:      for i = 0 to 31:         S = UpdateFunction(S, |AD||||M|)      end for   then the authentication tag is generated as:      T = S[0] ^ S[1] ^ ... ^ S[15].3.2.  HiAE Algorithm   A pseudo algorithm of HiAE is described in the following.   HiAE Algorithm. The internal structures of HiAE are:      procedure Initialization(N, K_0, K_1)         S[0] = const_0,         S[1] = K_1,         S[2] = N,         S[3] = const_0,         S[4] = ZERO(128),         S[5] = N ^ K_0,         S[6] = ZERO(128),         S[7] = const_1,         S[8] = N ^ K_1,         S[9] = ZERO(128),         S[10] = K_1,         S[11] = const_0,         S[12] = const_1,         S[13] = K_1,         S[14] = ZERO(128),         S[15] = const_0 ^ const_1.         for i = 0 to 31 doPham, et al.            Expires 13 December 2025                [Page 7]Internet-Draft                    HiAE                         June 2025            S <-- UpdateFunction(S, const_0)         end for         S[9] = S[9] ^ K_0,         S[13] = S[13] ^ K_1         return S      procedure ProcessAD(S, Pad(AD))         d = |AD|/128         for i = 0 to d - 1 do            S <-- UpdateFunction(S, AD_i)         end for         return S      procedure Encryption(S, Pad(M), C)         m = |M|/128         for i = 0 to m - 1 do            C_i <-- AESL(S[0] ^ S[1]) ^ S[9] ^ M_i            S <-- UpdateFunction(S, M_i)         end for         return S      procedure Decryption(S, Pad(C), M)         c = |C|/128         for i = 0 to c - 1 do            M_i <-- AESL(S[0] ^ S[1]) ^ S[9] ^ C_i            S <-- UpdateFunction(S, M_i)         end for         return S      procedure Finalization(S, |AD|, |M|)         for i = 0 to 31 do            S <-- UpdateFunction(S, |AD|, |M|)         end for         T = 0         for i = 0 to 15 do            T = T ^ S[i]         end for         return T4.  Settings Specifications4.1.  Authenticated Encryption   Encrypt(msg, ad, key, nonce)   The Encrypt function encrypts a message and returns the ciphertext   along with an authentication tag that confirms the integrity and   authenticity of both the message and any associated data, if present.Pham, et al.            Expires 13 December 2025                [Page 8]Internet-Draft                    HiAE                         June 2025   Security:   *  For a specific key, the nonce MUST NEVER be reused under any      circumstances, as doing so could enable an attacker to reconstruct      the internal state.   *  The key MUST be selected randomly from a uniform distribution.   Inputs:   *  msg: the message to be encrypted (its length MUST not exceed      P_MAX).   *  ad: the associated data to authenticate (its length MUST not      exceed A_MAX).   *  key: the encryption key (256 bits).   *  nonce: the public nonce.   Outputs:   *  ct: the ciphertext.   *  tag: the authentication tag.   Process:   K = K_1||K_2   S = 0   ct = {}   S = Initialization(nonce, K_1, K_2)   S = ProcessAD(S, Pad(AD))   S = Encryption(S, Pad(msg), ct)   ct = Truncate(ct, |msg|)   tag = Finalization(S, |ad|, |msg|)   return ct and tag4.2.  Authenticated Decryption   Decrypt(ct, tag, ad, key, nonce)   The Decrypt function decrypts the ciphertext, checks the validity of   the authentication tag, and returns the message if the tag is   verified successfully, or an error if the tag verification fails.   Security:Pham, et al.            Expires 13 December 2025                [Page 9]Internet-Draft                    HiAE                         June 2025   *  If tag verification fails, the scheme MUST NOT output the      decrypted ciphertext.   Inputs:   *  ct: the ciphertext to decrypt (its length MUST NOT exceed C_MAX).   *  tag: the authentication tag.   *  ad: the associated data to authenticate (its length MUST NOT      exceed A_MAX).   *  key: the encryption key.   *  nonce: the public nonce.   Outputs:   *  Either the decrypted message msg or an error indicating that the      authentication tag is invalid for the provided inputs.   Process:   K = K_1||K_2   S = 0   msg = {}   S = Initialization(nonce, K_1, K_2)   S = ProcessAD(S, Pad(AD))   S = Decryption(S, Pad(ct), msg)   expected_tag = Finalization(S, |ad|, |msg|)   If tag != expected_tag:      erase msg      erase expected_tag      return "verification failed" error   else:      msg = Truncate(msg, |ct|)      return msg5.  Setting as a Stream Cipher   Keystream(len, key, nonce)   The Stream function generates a keystream of variable length by   expanding a key and, optionally, a nonce.   Inputs:   *  len: Desired length of the keystream in bits.Pham, et al.            Expires 13 December 2025               [Page 10]Internet-Draft                    HiAE                         June 2025   *  key: The HiAE encryption key.   *  nonce: The HiAE nonce.  If not provided, it defaults to N_MAX      bytes of zeros.   Outputs:   *  keystream: The resulting keystream.   Process:   if len == 0:      return {}   else:      K = K_1||K_2      S = 0      keystream = {}      S = Initialization(nonce, K_1, K_2)      msg = Zero(len)      S = Encryption(S, Pad(msg), keystream)      return keystream   The process of generating the keystream is equivalent to encrypting a   zero-filled message of length len.6.  Setting as a Message Authentication Code   HiAE can also be used to construct a Message Authentication Code   (MAC), taking a key, nonce, and data as input, and producing a   128-bit authentication tag as output.   Mac(data, key, nonce)   Security:   *  This is the only function where reusing the same (key, nonce) pair      with different input data is permitted.   *  HiAE-based MACs MUST NOT be used as hash functions, as a known key      allows for easy construction of inputs that cause state      collisions.   *  Unlike MACs built on cryptographic hashes, HiAE-generated tags      MUST NOT be used for key derivation, since they are not guaranteed      to be uniformly random.   Inputs:Pham, et al.            Expires 13 December 2025               [Page 11]Internet-Draft                    HiAE                         June 2025   *  data: The data to be authenticated (MUST NOT exceed A_MAX in      length).   *  key: The secret key.   *  nonce: The public nonce.   Output:   *  tag: The resulting authentication tag.   Process:   K = K_1||K_2   S = 0   S = Initialization(nonce, K_1, K_2)   S = ProcessAD(S, Pad(data))   tag = Finalization(S, |data|, 0)   return tag7.  Security Considerations7.1.  Classic Setting   HiAE provides 256-bit security against key recovery and state   recovery attacks, along with 128-bit security for integrity against   forgery attempts.  It is important to note that the encryption   security assumes the attacker cannot successfully forge messages   through repeated trials.   Related to the keystream bias attacks, our analysis shows that at   least 150-bit security is guaranteed by HiAE.   Finally, we claim that HiAE is secure in the key-commiting attacks,   and we do not claim its security in the everything-commiting setting.7.2.  Quantum Setting   HiAE targets a secuirty strength of 128 bits against key recovery   attacks and forgery attacks in quantum setting.  We do not claim   security against online superposition queries to the cryptographic   oracle attacks, as such attacks are highly impractical in real-world   applications.7.3.  Attacks Considerations   HiAE is secure against the following attacks:Pham, et al.            Expires 13 December 2025               [Page 12]Internet-Draft                    HiAE                         June 2025  1. Key-Recovery Attack: 256-bit security against key-recovery attacks.  2. Differential Attack: 256-bit security against differential attacks in the initialization phase.  3. Forgery Attack: 128-bit security against forgery attacks.  4. Integral Attack: Secure against integral attacks.  5. State-recovery Attack:      * Guess-and-Determine Attack: The time complexity of the guess-and-determine attack cannot be lower than 2^{256}.      * Algebraic Attack: The system of equations to recover HiAE states cannot be solved with time complexity 2^{256}.  6. The Linear Bias: at least 150-bit security against a statistical attack.  7. Key-committing attacks: Secure in the FROB, CMT1, and CMT2 models.  8. Everything-committing attacks: We do not claim the security of HiAE in CMT3 model.   The details of the crytanalysis can be found in the paper [HiAE].8.  Implementation Consideration   HiAE is designed to balance the performance of XOR and AES-NI   instructions across both ARM and x86 architectures, while being   optimized to push performance to its limits.   A complete list of known implementations and integrations is   available at https://github.com/Concyclics/HiAE, including reference   implementations of HiAE as AEAD Encryption and Decryption, and HiAE-   MAC.  A comprehensive comparison of HiAE's performance with other   high-throughput authenticated encryption schemes on ARM and x86   architectures is also provided.9.  IANA Considerations   TBD.10.  Test Vectors10.1.  Test Vector 1Pham, et al.            Expires 13 December 2025               [Page 13]Internet-Draft                    HiAE                         June 2025   key =   90bbc6ec798423365146306759d6812e   37c3740df539834052bd1f46f57d5785   nonce =   381d72b1a195e7f3dc185a35eedb6326   associated data =   9fd7339411b6d56373f4a9697200eeaa   1d605cbff643b2d25b0c074ae76a7086   42a31b5359f0b6cde45f36566024017d   855d3c7ba0ee4dfcfa5446e2beb66800   598353b273097f5869b5aec9daaf465f   0c83daad7127a96c7bef4e39a5b63afe   plaintext =   3a8db0ad97300500e5b4c9bf630f1e70   92f81d041fc6709ab5bed45a740e58ae   9b085c323861321e15fbdd790bfce99d   f406a114cc11ae81cf82db449033f22c   3b4e5e74b09192c58c6f3e976b273560   2dd674f9e8227ab7a555fb3588ee61c4   3cc038ec51cab2dd39f075a518aa0545   80793f689bb920400f1b769709d75b46   ciphertext =   ff9fcccf03188954a27c74821b76332b   d2490761f9d3e3be14613e91ab0af720   cc63177cc72a63eea503bed4cb70b0c4   2d38551b47b7bbda52f23374a4feea06   b8b9c9d3c888935e4a78de02ec329bc8   66053c77fdabe930f273adc0175802ca   31b645d1958afc28806843a671347301   130d23a94f3adee985fb2e60f0d5d024   tag =   66346519818b4cb2919e61b5f6c28a9b10.2.  Test Vector 2   key =   90bbc6ec798423365146306759d6812e   37c3740df539834052bd1f46f57d5785   nonce =   381d72b1a195e7f3dc185a35eedb6326   associated data =Pham, et al.            Expires 13 December 2025               [Page 14]Internet-Draft                    HiAE                         June 2025   9fd7339411b6d56373f4a9697200eeaa   1d605cbff643b2d25b0c074ae76a7086   42a31b5359f0b6cde45f36566024017d   plaintext =   855d3c7ba0ee4dfcfa5446e2beb66800   598353b273097f5869b5aec9daaf465f   0c83daad7127a96c7bef4e39a5b63afe   3a8db0ad97300500e5b4c9bf630f1e70   92f81d041fc6709ab5bed45a740e58ae   9b085c323861321e15fbdd790bfce99d   f406a114cc11ae81cf82db449033f22c   3b4e5e74b09192c58c6f3e976b273560   2dd674f9e8227ab7a555fb3588ee61c4   3cc038ec51cab2dd39f075a518aa0545   80793f689bb920400f1b769709d75b46   979332e85de4c697d53b3cede5413265   ba71ce552bee963a090cd113e32d597b   c08b631e7029b54564f132493264afec   d67d41016bd73b74e30c87c739e042fa   6ca518dccfcd2133be537df0b72cdc8d   a91d8e14f5c988d8d6109f0ff0e1095c   87213856ee5989acac069c643278f1db   9680ef8b4978631f88032f78e438d56b   5a0dc148674bf513519177840a695fa0   e94f2b32c78e524f9181c776b99ce113   aaa35c11ee51243fe29cc3ec05238cee   72b72039467288d7f34f4dadec2fc096   d21ca7c06dcbff5067c33c6ce6c95a58   ciphertext =   17cd9eac8632514382d4cfc2d93954a2   e3464bd599563524543140c972f65260   453d8f2975609fc41960b20ac522fa73   ff9fcccf03188954a27c74821b76332b   d2490761f9d3e3be14613e91ab0af720   cc63177cc72a63eea503bed4cb70b0c4   2d38551b47b7bbda52f23374a4feea06   b8b9c9d3c888935e4a78de02ec329bc8   66053c77fdabe930f273adc0175802ca   31b645d1958afc28806843a671347301   130d23a94f3adee985fb2e60f0d5d024   dab94f8fd41ccfef27898e5581c4add2   05d3ac44b51df43854cb6a10292ea986   c9725ea6db27695f7ec1c31299e24f8b   e1d44953afb66707179cf873e94a273d   e5fb369ae0314013560e3c597fda5178   c254cf457d3dde55441267fda2145ad5Pham, et al.            Expires 13 December 2025               [Page 15]Internet-Draft                    HiAE                         June 2025   2a16fbb2d9fa63c6ce8f2175086e5a9d   da2089bc5890f2c7ed81d8049e491035   e0cff5abf178e1dfbbcd1ab7ec47ea8d   854419a04f9f8cdd1542c27da97c30e0   bea2f4a7710d72346e0c7369202692ba   5a43850d5a349d4410155f2bc700a655   d2aa57ab9cfa6dd2db0918c4a43a8628   tag =   6bcf434bcbf11824fb40e01ba502335810.3.  Test Vector 3   key =   90bbc6ec798423365146306759d6812e   37c3740df539834052bd1f46f57d5785   nonce =   381d72b1a195e7f3dc185a35eedb6326   associated data =   9fd7339411b6d56373f4a9697200eeaa   1d605cbff643b2d25b0c074ae76a7086   42a31b5359f0b6cde45f36566024017d   855d3c7ba0ee4dfcfa5446e2beb66800   598353b273097f5869b5aec9daaf465f   0c83daad7127a96c7bef4e39a5b63afe   3a8db0ad97300500e5b4c9bf630f1e70   92f81d041fc6709ab5bed45a740e58ae   9b085c323861321e15fbdd790bfce99d   f406a114cc11ae81cf82db449033f22c   3b4e5e74b09192c58c6f3e976b273560   plaintext =   2dd674f9e8227ab7a555fb3588ee61c4   ciphertext =   66053c77fdabe930f273adc0175802ca   tag =   153ba395e9a447f2b34a717dc1608d8a10.4.  Test Vector 4Pham, et al.            Expires 13 December 2025               [Page 16]Internet-Draft                    HiAE                         June 2025   key =   90bbc6ec798423365146306759d6812e   37c3740df539834052bd1f46f57d5785   nonce =   381d72b1a195e7f3dc185a35eedb6326   associated data =   plaintext =   9fd7339411b6d56373f4a9697200eeaa   1d605cbff643b2d25b0c074ae76a7086   42a31b5359f0b6cde45f36566024017d   855d3c7ba0ee4dfcfa5446e2beb66800   598353b273097f5869b5aec9daaf465f   0c83daad7127a96c7bef4e39a5b63afe   3a8db0ad97300500e5b4c9bf630f1e70   92f81d041fc6709ab5bed45a740e58ae   9b085c323861321e15fbdd790bfce99d   f406a114cc11ae81cf82db449033f22c   3b4e5e74b09192c58c6f3e976b273560   2dd674f9e8227ab7a555fb3588ee61c4   3cc038ec51cab2dd39f075a518aa0545   80793f689bb920400f1b769709d75b46   979332e85de4c697d53b3cede5413265   ba71ce552bee963a090cd113e32d597b   c08b631e7029b54564f132493264afec   d67d41016bd73b74e30c87c739e042fa   6ca518dccfcd2133be537df0b72cdc8d   a91d8e14f5c988d8d6109f0ff0e1095c   87213856ee5989acac069c643278f1db   9680ef8b4978631f88032f78e438d56b   5a0dc148674bf513519177840a695fa0   e94f2b32c78e524f9181c776b99ce113   aaa35c11ee51243fe29cc3ec05238cee   72b72039467288d7f34f4dadec2fc096   d21ca7c06dcbff5067c33c6ce6c95a58   807b91c6ed199ee168eb8e541a4eeaec   6b91acd85dac28c46f6531552e8badae   ciphertext =   d716f4983b0025a57cd4c3c3c94a146d   6cb665a4a5f33032ae3f86dc1a6caed0   5243a1cd70688710da9b9bf9b1e32092   17cd9eac8632514382d4cfc2d93954a2   e3464bd599563524543140c972f65260   453d8f2975609fc41960b20ac522fa73   ff9fcccf03188954a27c74821b76332bPham, et al.            Expires 13 December 2025               [Page 17]Internet-Draft                    HiAE                         June 2025   d2490761f9d3e3be14613e91ab0af720   cc63177cc72a63eea503bed4cb70b0c4   2d38551b47b7bbda52f23374a4feea06   b8b9c9d3c888935e4a78de02ec329bc8   66053c77fdabe930f273adc0175802ca   31b645d1958afc28806843a671347301   130d23a94f3adee985fb2e60f0d5d024   dab94f8fd41ccfef27898e5581c4add2   05d3ac44b51df43854cb6a10292ea986   c9725ea6db27695f7ec1c31299e24f8b   e1d44953afb66707179cf873e94a273d   e5fb369ae0314013560e3c597fda5178   c254cf457d3dde55441267fda2145ad5   2a16fbb2d9fa63c6ce8f2175086e5a9d   da2089bc5890f2c7ed81d8049e491035   e0cff5abf178e1dfbbcd1ab7ec47ea8d   854419a04f9f8cdd1542c27da97c30e0   bea2f4a7710d72346e0c7369202692ba   5a43850d5a349d4410155f2bc700a655   d2aa57ab9cfa6dd2db0918c4a43a8628   98f538a011f96f60e25662c66df7ccd1   73615cfed071632089825c791163fabe   tag =   250f1f5bdd8d05be98306b42474e7ee310.5.  Test Vector 5Pham, et al.            Expires 13 December 2025               [Page 18]Internet-Draft                    HiAE                         June 2025   key =   90bbc6ec798423365146306759d6812e   37c3740df539834052bd1f46f57d5785   nonce =   381d72b1a195e7f3dc185a35eedb6326   associated data =   9fd7339411b6d56373f4a9697200eeaa   1d605cbff643b2d25b0c074ae76a7086   42a31b5359f0b6cde45f36566024017d   855d3c7ba0ee4dfcfa5446e2beb66800   598353b273097f5869b5aec9daaf465f   0c83daad7127a96c7bef4e39a5b63afe   3a8db0ad97300500e5b4c9bf630f1e70   92f81d041fc6709ab5bed45a740e58ae   9b085c323861321e15fbdd790bfce99d   f406a114cc11ae81cf82db449033f22c   3b4e5e74b09192c58c6f3e976b273560   2dd674f9e8227ab7a555fb3588ee61c4   3cc038ec51cab2dd39f075a518aa0545   80793f689bb920400f1b769709d75b46   plaintext =   979332e85de4c697d53b3cede5413265   ba71ce552bee963a090cd113e32d597b   c08b631e7029b54564f132493264afec   d67d41016bd73b74e30c87c739e042fa   6ca518dccfcd2133be537df0b72cdc8d   a91d8e14f5c988d8d6109f0ff0e1095c   87213856ee5989acac069c643278f1db   ciphertext =   dab94f8fd41ccfef27898e5581c4add2   05d3ac44b51df43854cb6a10292ea986   c9725ea6db27695f7ec1c31299e24f8b   e1d44953afb66707179cf873e94a273d   e5fb369ae0314013560e3c597fda5178   c254cf457d3dde55441267fda2145ad5   2a16fbb2d9fa63c6ce8f2175086e5a9d   tag =   2e9d4b892ecf8d1c1726d6b2d00a7fb310.6.  Test Vector 6Pham, et al.            Expires 13 December 2025               [Page 19]Internet-Draft                    HiAE                         June 2025   key =   90bbc6ec798423365146306759d6812e   37c3740df539834052bd1f46f57d5785   nonce =   381d72b1a195e7f3dc185a35eedb6326   associated data =   plaintext =   9fd7339411b6d56373f4a9697200eeaa   1d605cbff643b2d25b0c074ae76a7086   42a31b5359f0b6cde45f36566024017d   855d3c7ba0ee4dfcfa5446e2beb66800   598353b273097f5869b5aec9daaf465f   0c83daad7127a96c7bef4e39a5b63afe   3a8db0ad97300500e5b4c9bf630f1e70   92f81d041fc6709ab5bed45a740e58ae   9b085c323861321e15fbdd790bfce99d   f406a114cc11ae81cf82db449033f22c   3b4e5e74b09192c58c6f3e976b273560   2dd674f9e8227ab7a555fb3588ee61c4   3cc038ec51cab2dd39f075a518aa0545   80793f689bb920400f1b769709d75b46   979332e85de4c697d53b3cede5413265   ba71ce552bee963a090cd113e32d597b   c08b631e7029b54564f132493264afec   d67d41016bd73b74e30c87c739e042fa   6ca518dccfcd2133be537df0b72cdc8d   a91d8e14f5c988d8d6109f0ff0e1095c   87213856ee5989acac069c643278f1db   9680ef8b4978631f88032f78e438d56b   5a0dc148674bf513519177840a695fa0   ciphertext =   d716f4983b0025a57cd4c3c3c94a146d   6cb665a4a5f33032ae3f86dc1a6caed0   5243a1cd70688710da9b9bf9b1e32092   17cd9eac8632514382d4cfc2d93954a2   e3464bd599563524543140c972f65260   453d8f2975609fc41960b20ac522fa73   ff9fcccf03188954a27c74821b76332b   d2490761f9d3e3be14613e91ab0af720   cc63177cc72a63eea503bed4cb70b0c4   2d38551b47b7bbda52f23374a4feea06   b8b9c9d3c888935e4a78de02ec329bc8   66053c77fdabe930f273adc0175802ca   31b645d1958afc28806843a671347301Pham, et al.            Expires 13 December 2025               [Page 20]Internet-Draft                    HiAE                         June 2025   130d23a94f3adee985fb2e60f0d5d024   dab94f8fd41ccfef27898e5581c4add2   05d3ac44b51df43854cb6a10292ea986   c9725ea6db27695f7ec1c31299e24f8b   e1d44953afb66707179cf873e94a273d   e5fb369ae0314013560e3c597fda5178   c254cf457d3dde55441267fda2145ad5   2a16fbb2d9fa63c6ce8f2175086e5a9d   da2089bc5890f2c7ed81d8049e491035   e0cff5abf178e1dfbbcd1ab7ec47ea8d   tag =   7f6026d8e7d0296dc37f52bad0aa964f10.7.  Test Vector 7Pham, et al.            Expires 13 December 2025               [Page 21]Internet-Draft                    HiAE                         June 2025   key =   90bbc6ec798423365146306759d6812e   37c3740df539834052bd1f46f57d5785   nonce =   381d72b1a195e7f3dc185a35eedb6326   associated data =   plaintext =   9fd7339411b6d56373f4a9697200eeaa   1d605cbff643b2d25b0c074ae76a7086   42a31b5359f0b6cde45f36566024017d   855d3c7ba0ee4dfcfa5446e2beb66800   598353b273097f5869b5aec9daaf465f   0c83daad7127a96c7bef4e39a5b63afe   3a8db0ad97300500e5b4c9bf630f1e70   92f81d041fc6709ab5bed45a740e58ae   9b085c323861321e15fbdd790bfce99d   f406a114cc11ae81cf82db449033f22c   ciphertext =   d716f4983b0025a57cd4c3c3c94a146d   6cb665a4a5f33032ae3f86dc1a6caed0   5243a1cd70688710da9b9bf9b1e32092   17cd9eac8632514382d4cfc2d93954a2   e3464bd599563524543140c972f65260   453d8f2975609fc41960b20ac522fa73   ff9fcccf03188954a27c74821b76332b   d2490761f9d3e3be14613e91ab0af720   cc63177cc72a63eea503bed4cb70b0c4   2d38551b47b7bbda52f23374a4feea06   tag =   2b84d89eac778e1f6e02938d6bbc644010.8.  Test Vector 8   key =   90bbc6ec798423365146306759d6812e   37c3740df539834052bd1f46f57d5785   nonce =   381d72b1a195e7f3dc185a35eedb6326   associated data =   9fd7339411b6d56373f4a9697200eeaa   1d605cbff643b2d25b0c074ae76a7086Pham, et al.            Expires 13 December 2025               [Page 22]Internet-Draft                    HiAE                         June 2025   42a31b5359f0b6cde45f36566024017d   855d3c7ba0ee4dfcfa5446e2beb66800   598353b273097f5869b5aec9daaf465f   0c83daad7127a96c7bef4e39a5b63afe   3a8db0ad97300500e5b4c9bf630f1e70   92f81d041fc6709ab5bed45a740e58ae   9b085c323861321e15fbdd790bfce99d   f406a114cc11ae81cf82db449033f22c   3b4e5e74b09192c58c6f3e976b273560   2dd674f9e8227ab7a555fb3588ee61c4   3cc038ec51cab2dd39f075a518aa0545   80793f689bb920400f1b769709d75b46   plaintext =   979332e85de4c697d53b3cede5413265   ba71ce552bee963a090cd113e32d597b   c08b631e7029b54564f132493264afec   d67d41016bd73b74e30c87c739e042fa   6ca518dccfcd2133be537df0b72cdc8d   a91d8e14f5c988d8d6109f0ff0e1095c   87213856ee5989acac069c643278f1db   9680ef8b4978631f88032f78e438d56b   5a0dc148674bf513519177840a695fa0   e94f2b32c78e524f9181c776b99ce113   aaa35c11ee51243fe29cc3ec05238cee   72b72039467288d7f34f4dadec2fc096   d21ca7c06dcbff5067c33c6ce6c95a58   807b91c6ed199ee168eb8e541a4eeaec   6b91acd85dac28c46f6531552e8badae   063e75f45713d5bffe631419b1fe051c   90b2f5ed5e1db1cd82e222b06ecf5f74   0dd46864e73d23e5a037fe5236046ec6   b663b3148164e1034703b4b5d21329df   e79243cecf66b3709eb2c2d4b6309a6c   944d8015b16118f864ccad36dfd715c6   69589438be48a85cfa6a30b09bca1c2f   179c44c9fd5cc161296f970846accfaf   0463e7c2ab901fa5fa4f55951a71c431   0d08fa0a65bc6b8e2b029671ae6520b2   c907757497941a92e36f27fde1ec2fee   f429f959e564e710677e8115e3a1c8ac   a93d2140d13bd2b4aafab28be6e17ada   ciphertext =   dab94f8fd41ccfef27898e5581c4add2   05d3ac44b51df43854cb6a10292ea986   c9725ea6db27695f7ec1c31299e24f8b   e1d44953afb66707179cf873e94a273dPham, et al.            Expires 13 December 2025               [Page 23]Internet-Draft                    HiAE                         June 2025   e5fb369ae0314013560e3c597fda5178   c254cf457d3dde55441267fda2145ad5   2a16fbb2d9fa63c6ce8f2175086e5a9d   da2089bc5890f2c7ed81d8049e491035   e0cff5abf178e1dfbbcd1ab7ec47ea8d   854419a04f9f8cdd1542c27da97c30e0   bea2f4a7710d72346e0c7369202692ba   5a43850d5a349d4410155f2bc700a655   d2aa57ab9cfa6dd2db0918c4a43a8628   98f538a011f96f60e25662c66df7ccd1   73615cfed071632089825c791163fabe   5d64c6912c9df6ab0a4ef97b5c848cf4   226172cb26dde45b1f5803b51dcabeb9   088430aafd7ef86f75d161db607b6eae   a93ceff57bee877b8035f081f17fbb0d   38b5258ed3c2a25dd7f1776207e7882d   8321b0f1fb6ef6360616c06945f42035   e069001b5d20b6a1d7573e53fe89cb61   b9dc3e6e4b5b17875550ff2f639fd370   e7b89d24db4613bc1dfdc4c06a62a515   f1c7df93c4ad8596e9016ba98137814d   0dcc3f39306d2a4743d05b429d2b669a   d09ac2f2320653fa84e24a3fc456bb65   2d74782e4d8e7b2412a0c2daeb48db4a   tag =   ed4dacb2fbaa31ca4633509cef1c92fb10.9.  Test Vector 9Pham, et al.            Expires 13 December 2025               [Page 24]Internet-Draft                    HiAE                         June 2025   key =   90bbc6ec798423365146306759d6812e   37c3740df539834052bd1f46f57d5785   nonce =   381d72b1a195e7f3dc185a35eedb6326   associated data =   9fd7339411b6d56373f4a9697200eeaa   1d605cbff643b2d25b0c074ae76a7086   42a31b5359f0b6cde45f36566024017d   plaintext =   855d3c7ba0ee4dfcfa5446e2beb66800   598353b273097f5869b5aec9daaf465f   0c83daad7127a96c7bef4e39a5b63afe   3a8db0ad97300500e5b4c9bf630f1e70   92f81d041fc6709ab5bed45a740e58ae   9b085c323861321e15fbdd790bfce99d   f406a114cc11ae81cf82db449033f22c   3b4e5e74b09192c58c6f3e976b273560   2dd674f9e8227ab7a555fb3588ee61c4   3cc038ec51cab2dd39f075a518aa0545   80793f689bb920400f1b769709d75b46   ciphertext =   17cd9eac8632514382d4cfc2d93954a2   e3464bd599563524543140c972f65260   453d8f2975609fc41960b20ac522fa73   ff9fcccf03188954a27c74821b76332b   d2490761f9d3e3be14613e91ab0af720   cc63177cc72a63eea503bed4cb70b0c4   2d38551b47b7bbda52f23374a4feea06   b8b9c9d3c888935e4a78de02ec329bc8   66053c77fdabe930f273adc0175802ca   31b645d1958afc28806843a671347301   130d23a94f3adee985fb2e60f0d5d024   tag =   a538e4a016862a323841ecbef9855b1d10.10.  Test Vector 10Pham, et al.            Expires 13 December 2025               [Page 25]Internet-Draft                    HiAE                         June 2025   key =   90bbc6ec798423365146306759d6812e   37c3740df539834052bd1f46f57d5785   nonce =   381d72b1a195e7f3dc185a35eedb6326   associated data =   9fd7339411b6d56373f4a9697200eeaa   1d605cbff643b2d25b0c074ae76a7086   42a31b5359f0b6cde45f36566024017d   plaintext =   855d3c7ba0ee4dfcfa5446e2beb66800   598353b273097f5869b5aec9daaf465f   0c83daad7127a96c7bef4e39a5b63afe   3a8db0ad97300500e5b4c9bf630f1e70   92f81d041fc6709ab5bed45a740e58ae   9b085c323861321e15fbdd790bfce99d   f406a114cc11ae81cf82db449033f22c   3b4e5e74b09192c58c6f3e976b273560   2dd674f9e8227ab7a555fb3588ee61c4   3cc038ec51cab2dd39f075a518aa0545   80793f689bb920400f1b769709d75b46   979332e85de4c697d53b3cede5413265   ba71ce552bee963a090cd113e32d597b   c08b631e7029b54564f132493264afec   d67d41016bd73b74e30c87c739e042fa   6ca518dccfcd2133be537df0b72cdc8d   a91d8e14f5c988d8d6109f0ff0e1095c   87213856ee5989acac069c643278f1db   9680ef8b4978631f88032f78e438d56b   5a0dc148674bf513519177840a695fa0   e94f2b32c78e524f9181c776b99ce113   aaa35c11ee51243fe29cc3ec05238cee   72b72039467288d7f34f4dadec2fc096   d21ca7c06dcbff5067c33c6ce6c95a58   ciphertext =   17cd9eac8632514382d4cfc2d93954a2   e3464bd599563524543140c972f65260   453d8f2975609fc41960b20ac522fa73   ff9fcccf03188954a27c74821b76332b   d2490761f9d3e3be14613e91ab0af720   cc63177cc72a63eea503bed4cb70b0c4   2d38551b47b7bbda52f23374a4feea06   b8b9c9d3c888935e4a78de02ec329bc8   66053c77fdabe930f273adc0175802caPham, et al.            Expires 13 December 2025               [Page 26]Internet-Draft                    HiAE                         June 2025   31b645d1958afc28806843a671347301   130d23a94f3adee985fb2e60f0d5d024   dab94f8fd41ccfef27898e5581c4add2   05d3ac44b51df43854cb6a10292ea986   c9725ea6db27695f7ec1c31299e24f8b   e1d44953afb66707179cf873e94a273d   e5fb369ae0314013560e3c597fda5178   c254cf457d3dde55441267fda2145ad5   2a16fbb2d9fa63c6ce8f2175086e5a9d   da2089bc5890f2c7ed81d8049e491035   e0cff5abf178e1dfbbcd1ab7ec47ea8d   854419a04f9f8cdd1542c27da97c30e0   bea2f4a7710d72346e0c7369202692ba   5a43850d5a349d4410155f2bc700a655   d2aa57ab9cfa6dd2db0918c4a43a8628   tag =   6bcf434bcbf11824fb40e01ba502335811.  References11.1.  Normative References   [FIPS-AES] National Institute of Standards and Technology (NIST),              "Advanced encryption standard (AES)", November 2001,              <https://nvlpubs.nist.gov/nistpubs/FIPS/              NIST.FIPS.197.pdf>.   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate              Requirement Levels", BCP 14, RFC 2119,              DOI 10.17487/RFC2119, March 1997,              <https://www.rfc-editor.org/rfc/rfc2119>.   [RFC5116]  McGrew, D., "An Interface and Algorithms for Authenticated              Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008,              <https://www.rfc-editor.org/rfc/rfc5116>.   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,              May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.11.2.  Informative References   [AEGIS]    Preneel, B., "AEGIS: A Fast Authenticated Encryption              Algorithm (v1.1)", 2016,              <https://competitions.cr.yp.to/round3/aegisv11.pdf>.Pham, et al.            Expires 13 December 2025               [Page 27]Internet-Draft                    HiAE                         June 2025   [AES-NI]   Gueron, S., "Intel Advanced Encryption Standard (AES) New              Instructions Set", 2010,              <https://www.intel.com/content/dam/doc/white-paper/              advanced-encryption-standard-new-instructions-set-              paper.pdf>.   [HiAE]     Wu, S., "HiAE: A High-Throughput Authenticated Encryption              Algorithm for Cross-Platform Efficiency", 2025,              <https://eprint.iacr.org/2025/377.pdf>.   [NIST-LWC] National Institute of Standards and Technology (NIST),              "NIST Lightweight Cryptography (LWC)", 2025,              <https://csrc.nist.gov/projects/lightweight-cryptography>.   [ROCCA-S]  Takeuchi, N., "An Ultra-High Throughput AES-Based              Authenticated Encryption Scheme for 6G: Design and              Implementation", 2024,              <https://doi.org/10.1007/978-3-031-50594-2_12>.   [SNOW-V]   Yang, J., "An Ultra-High Throughput AES-Based              Authenticated Encryption Scheme for 6G: Design and              Implementation", 2024,              <https://doi.org/10.13154/tosc.v2019.i3.1-42>.Authors' Addresses   Phuong Pham   Huawei   Email: pham.phuong@huawei.com   Lucas Prabel   Huawei   Email: lucas.prabel@huawei.com   Sun Shuzhou   Huawei   Email: sunshuzhou@huawei.comPham, et al.            Expires 13 December 2025               [Page 28]