C. AES

Cake-AES is a general-purpose symmetric encryption mode built on top of 256-bit AESGCM and SHA-512 with the following features: • Support for incremental encryption of long messages (theoretically, up to 2109 bytes) • Support for incremental, authenticated, random-access decryption of long messages • A single long-lived key can encrypt a very high number of ciphertexts, by using large 24-byte nonces • Nonces are internally generated, reducing the likelihood of nonce misuse • Ciphertexts commit to both the key and (indirectly) the message By contrast, AES-GCM and ChaCha20-Poly1305 both use 12-byte nonces, and have a message size limit of 64 GiB and 256 GiB respectively. While both support random-access decryption, the full message must be decrypted to be authenticated. Cake-AES private keys are 32-byte strings generated uniformly at random. At a high level, Cake-AES derives a one-time key by hashing the private key with the nonce, breaks the plaintext into 16 KiB chunks, and encrypts each chunk with AES-GCM and a positionbased nonce. Below, we describe in more depth how to encrypt and decrypt data using Cake-AES.