From 7bd4e0bf3496188325fceb1085118da4024c0bfd Mon Sep 17 00:00:00 2001
From: Eli Grubb
Date: Wed, 17 Jun 2026 19:01:26 +0000
Subject: [PATCH] Add accumulated randomized tests to xaes-256-gcm
---
 .github/workflows/xaes-256-gcm.yml | 2 +-
 Cargo.lock | 28 +++++++++++
 xaes-256-gcm/Cargo.toml | 1 +
 xaes-256-gcm/tests/xaes256gcm.rs | 74 +++++++++++++++++++++++++++++-
 4 files changed, 102 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/xaes-256-gcm.yml b/.github/workflows/xaes-256-gcm.yml
index 67027fbc..25eaa242 100644
--- a/.github/workflows/xaes-256-gcm.yml
+++ b/.github/workflows/xaes-256-gcm.yml
@@ -71,5 +71,5 @@ jobs:
 - run: cargo test --target ${{ matrix.target }} --lib
 #- run: cargo test --target ${{ matrix.target }} --lib --features zeroize
 - run: cargo test --target ${{ matrix.target }} --all-features --lib
- - run: cargo test --target ${{ matrix.target }} --all-features --release
+ - run: cargo test --target ${{ matrix.target }} --all-features --release -- --include-ignored
 - run: cargo test --target ${{ matrix.target }} --all-features --doc
diff --git a/Cargo.lock b/Cargo.lock
index 32e8b90f..6a09a6c9 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -431,6 +431,16 @@ version = "1.0.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8f42a60cbdf9a97f5d2305f08a87dc4e09308d1276d28c869c684d7777685682"
 
+[[package]]
+name = "keccak"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9e24a010dd405bd7ed803e5253182815b41bf2e6a80cc3bfc066658e03a198aa"
+dependencies = [
+ "cfg-if",
+ "cpufeatures",
+]
+
 [[package]]
 name = "leb128fmt"
 version = "0.1.0"
@@ -590,6 +600,23 @@ dependencies = [
 "zmij",
 ]
 
+[[package]]
+name = "shake"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "09057cb2149ad4cbd2da1e26b351f9a4c354219421229c69c3063e6f61947c4a"
+dependencies = [
+ "digest",
+ "keccak",
+ "sponge-cursor",
+]
+
+[[package]]
+name = "sponge-cursor"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3a0219bd7d979d58245a4f41f695e1ac9f8befdffadd7f61f1bae9e39abc6620"
+
 [[package]]
 name = "subtle"
 version = "2.6.1"
@@ -791,6 +818,7 @@ dependencies = [
 "aes-gcm",
 "cipher",
 "hex-literal",
+ "shake",
 ]
 
 [[package]]
diff --git a/xaes-256-gcm/Cargo.toml b/xaes-256-gcm/Cargo.toml
index 071389c4..b0f5537f 100644
--- a/xaes-256-gcm/Cargo.toml
+++ b/xaes-256-gcm/Cargo.toml
@@ -25,6 +25,7 @@ aead-stream = { version = "0.6.0-rc.2", optional = true, default-features = fals
 [dev-dependencies]
 aead = { version = "0.6", features = ["dev"], default-features = false }
 hex-literal = "1"
+shake = { version = "0.1.0", default-features = false }
 
 [features]
 default = ["alloc", "getrandom"]
diff --git a/xaes-256-gcm/tests/xaes256gcm.rs b/xaes-256-gcm/tests/xaes256gcm.rs
index 62b85d7e..da1c8150 100644
--- a/xaes-256-gcm/tests/xaes256gcm.rs
+++ b/xaes-256-gcm/tests/xaes256gcm.rs
@@ -7,11 +7,12 @@ mod common;
 use aes_gcm::aead::{Aead, AeadInOut, KeyInit, Payload, array::Array};
 use common::TestVector;
 use hex_literal::hex;
-use xaes_256_gcm::Xaes256Gcm;
+use shake::{ExtendableOutput, Shake128, Update, XofReader};
+use xaes_256_gcm::{Key, Nonce, Xaes256Gcm};
 
 /// C2SP XAES-256-GCM test vectors
 ///
-///
+///
 const TEST_VECTORS: &[TestVector<[u8; 32], [u8; 24]>] = &[
 TestVector {
 key: &hex!("0101010101010101010101010101010101010101010101010101010101010101"),
@@ -32,3 +33,72 @@ const TEST_VECTORS: &[TestVector<[u8; 32], [u8; 24]>] = &[
 ];
 
 tests!(Xaes256Gcm, TEST_VECTORS);
+
+/// C2SP XAES-256-GCM accumulated randomized tests.
+///
+///
+fn run_accumulated_test(iterations: usize, expected: [u8; 32]) {
+ let mut seed = Shake128::default().finalize_xof();
+ let mut digest = Shake128::default();
+
+ for _ in 0..iterations {
+ let mut key = Key::::default();
+ seed.read(&mut key);
+ let mut nonce = Nonce::default();
+ seed.read(&mut nonce);
+ let mut length = [0u8; 1];
+ seed.read(&mut length);
+ let mut plaintext = vec![0u8; length[0] as usize];
+ seed.read(&mut plaintext);
+ seed.read(&mut length);
+ let mut aad = vec![0u8; length[0] as usize];
+ seed.read(&mut aad);
+
+ let cipher = Xaes256Gcm::new(&key);
+ let ciphertext = cipher
+ .encrypt(
+ &nonce,
+ Payload {
+ msg: &plaintext,
+ aad: &aad,
+ },
+ )
+ .unwrap();
+
+ let decrypted = cipher
+ .decrypt(
+ &nonce,
+ Payload {
+ msg: &ciphertext,
+ aad: &aad,
+ },
+ )
+ .unwrap();
+
+ assert_eq!(plaintext, decrypted);
+
+ digest.update(&ciphertext);
+ }
+
+ let mut reader = digest.finalize_xof();
+ let mut buf = [0u8; 32];
+ reader.read(&mut buf);
+ assert_eq!(expected, buf);
+}
+
+#[test]
+fn accumulated_randomized_10_000_iterations() {
+ run_accumulated_test(
+ 10_000,
+ hex!("e6b9edf2df6cec60c8cbd864e2211b597fb69a529160cd040d56c0c210081939"),
+ );
+}
+
+#[test]
+#[ignore = "slow in debug; run with `cargo test --release -- --include-ignored`"]
+fn accumulated_randomized_1_000_000_iterations() {
+ run_accumulated_test(
+ 1_000_000,
+ hex!("2163ae1445985a30b60585ee67daa55674df06901b890593e824b8a7c885ab15"),
+ );
+}
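Review bot: The round trip in `run_accumulated_test` only exercises the accept path of `decrypt`, so an implementation whose tag verification is broken or skipped would still pass both `assert_eq!(plaintext, decrypted)` and the accumulated digest, which is built from ciphertexts alone. Unless the `tests!` macro above already covers tag rejection for this cipher, a negative check is cheap to add inside the loop right after that assertion: `let mut tampered = ciphertext.clone(); *tampered.last_mut().unwrap() ^= 1; assert!(cipher.decrypt(&nonce, Payload { msg: &tampered, aad: &aad }).is_err());` — the output always carries the tag, so it is non-empty even on the zero-length plaintext iterations and any flipped byte must be rejected. Separately, `Key::::default()` on the key line looks like a rendering artifact of this page (a stripped `<Xaes256Gcm>` turbofish) rather than the committed text; worth confirming against the file. The two `///` lines above the function also appear to have lost their URL in this rendering, so the pointer to the C2SP spec that defines the expected digests should be checked to still be present.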