AES-GCM-SIV implementations (128 and 256 bit)
C Assembly Makefile
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.


AES-GCM-SIV implementations (128 and 256 bit)

Code implementations that correspond to the CFRG submission "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption".

The specification draftwas posted on Authors:

Shay Gueron, University of Haifa and Intel Corporation

Adam Langley, Google

Yehuda Lindell, Bar Ilan University

Additional information

The AES-GCM-SIV specification was described in:
• S. Gueron, A. Langley and Y. Lindell. AES-GCM-SIV: Specification and Analysis. Cryptology ePrint Archive, Report 2017/168, 2017. (

The scientific justification behind the AES-GCM-SIV mode of operation is detailed in the following papers:

• S. Gueron and Y. Lindell. GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle per Byte. In the 22nd ACM CCS, pages 109-119, 2015. (

• S. Gueron and Y. Lindell. Better Bounds for Block Cipher Modes of Operation via Nonce-Based Key Derivation. In the 24th ACM CCS, pages 1019-1036, 2017. (

Software License

Copyright (c) 2016, Shay Gueron

Permission to use this code for AES-GCM-SIV is granted.