T. Iwata and Y. Seurin, “Reconsidering the Security Bound of AES-GCM-SIV”, ToSC, vol. 2017, no. 4, pp. 240–267, Dec. 2017, doi: 10.13154/tosc.v2017.i4.240-267.