History of Updates
v2.0 : December 5, 2017
Hardware:
- Support for the development of lightweight implementations of authenticated ciphers:
  - VHDL code for the lightweight PreProcessor, PostProcessor, Header/Tag FIFO, Top-Level Unit, etc., in the folder $ROOT/hardware/AEAD/src_rtl_lw
  - VHDL code for the lightweight dummy1 authenticated cipher, with the three different values of the PDI, SDI, and DO port widths (8, 16, and 32 bits), in the folder $ROOT/hardware/lw_examples
- Improved support for the development of high-speed implementations of authenticated ciphers:
  - Revised VHDL code for the high-speed PreProcessor, PostProcessor, Top-Level Unit, etc., in the folder $ROOT/hardware/AEAD/src_rtl_hs,
    taking into account experiences with the implementation of multiple Round 2 and Round 3 CAESAR Candidates, including changes such as:
    - introducing an enhanced handshaking mechanism for the transfer of the message authentication result from the CipherCore to the PostProcessor during authenticated decryption
    - fixing a bug that caused incorrect behavior when the input data bus was idle in a certain state
    - fixing a stall bug that manifested itself when DBLK_SIZE = W
    - fixing a stall bug that manifested itself when ABLK_SIZE < DBLK_SIZE.
- Improved support for experimental testing using FPGA boards, in applications with intermittent availability of input sources and output destinations.
Software:
- Added reference implementations of all previously missing Round 2 and Round 3 CAESAR
candidates to the folder $ROOT/software/CAESAR, based on SUPERCOP, release 20171020
- Modified and extended examples of the test vector generating scripts located
in the folder $ROOT/software/aeadtvgen/examples
Acknowledgments:
- The authors would like to express special gratitude to the colleagues
from Technische Universität München (TUM), Germany, Michael Tempelmeier
and Fabrizio De Santis, for reporting multiple
problems related to practical experimental testing of CAESAR
candidate cores and for validating several example cores developed using
the new Development Package.
v1.0-3 : June 10, 2016
Hardware:
- Modified the implementation of the dummy1 authenticated cipher by
eliminating the use of the Length Segment.
- Modified the implementation of the dummy2 authenticated cipher
by taking into account the new format of the Length Segment,
recommended in the
Addendum to the CAESAR Hardware API v1.0.
- Added support for Two-Pass CipherCore.
- Added support for PAD_STYLE = 2 (ICEPOLE padding rule).
- Updated the universal testbench, hardware/AEAD/src_tb/AEAD_TB.vhd,
to make it compatible with designs for which w < 32.
Software:
- Improved and extended help of aeadtvgen (test vector generator).
- Introduced the following modifications to the arguments of aeadtvgen,
  in support of the changes recommended in the
  Addendum to the CAESAR Hardware API v1.0:
  - Added the --offline option. This option automatically adds the
    Length segment as the first segment in the input to the hardware
    cipher core. The exact format of the Length segment is described
    in the aforementioned Addendum.
  - Removed the --len_format option.
- Introduced the following additional modifications to the arguments of aeadtvgen:
  - Added the --gen_custom_mode option to specify the type of data to
    be generated when using --gen_custom.
  - Added the --ciph_exp_noext option. This option indicates that the
    reference ciphertext expansion algorithm does not automatically add
    an extra ciphertext block when the message size is a multiple of
    the block size. Note: This option needs to be specified, for example,
    for AES-COPA.
  - Fixed the --gen_custom 'decrypt' parameter. It was previously deasserted
    when set to True and asserted when set to False.
  - Fixed the implementation of the --gen_single option.
  - Fixed the implementation of the --add_partial option.
  - Set the reserved bits in the instructions for AEAD
    (being a part of test vectors generated by aeadtvgen) to 0.
- Improved dummyN.py scripts located in software/aeadtvgen/examples to make
them more readable and easier to use.
- Revised the dummy1.py and dummy2.py scripts by eliminating the
len segment in --msg_format, and adding the --offline option in dummy2.py.
v1.0-2 : May 19, 2016
Hardware:
- Fixed a problem that appeared when the public message number size was larger
than the data (message/ciphertext) block size, DBLK_SIZE, e.g.,
public message number size = 128 and DBLK_SIZE = 64.
- Fixed a problem related to ciphers supporting the padding mode in
which an extra block of padding is added when the size of AD/Message is a non-zero multiple
of a block size (generic values: PAD_AD > 2 and/or PAD_D > 2).
The problem appeared, in particular, when AD and/or Message were divided into
multiple segments.
- Fixed a problem that appeared for G_W > G_SW.
- Fixed an inconsistency with the Implementer's Guide, Figure 5.3,
related to the behavior of the key_update signal.
key_update was deactivated prematurely, before the clock cycle
with the active values of key_valid and key_ready.
- Improved the performance of the registered mode of the PreProcessor.
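The padding edge cases behind the --ciph_exp_noext option (v1.0-3) and the PAD_AD/PAD_D > 2 fix above (a full extra block when the AD/Message length is a non-zero multiple of the block size, also when the data arrives in several segments) are shown below in an added example; it is not code from the Development Package, and the 10* padding pattern and function names are assumptions made here for the demonstration.

```python
# Added illustration of the padding rules described in this changelog; it is
# not code from the Development Package. The 10* padding pattern and the
# function names are assumptions made here for the demonstration.

def pad10star(data: bytes, block_size: int, extra_block: bool) -> bytes:
    """Pad data with 0x80 followed by zeros up to a block boundary.

    extra_block=False: input that is already a (non-zero) multiple of
        block_size is returned unchanged (the "no extra ciphertext block"
        behaviour selected by --ciph_exp_noext).
    extra_block=True:  a full block of padding is appended even when the
        length is a non-zero multiple of block_size (PAD_AD > 2 / PAD_D > 2).
    """
    if block_size <= 0:
        raise ValueError("block_size must be positive")
    rem = len(data) % block_size
    if rem == 0 and len(data) > 0 and not extra_block:
        return data
    pad_len = block_size - rem          # 1..block_size bytes of padding
    return data + b"\x80" + b"\x00" * (pad_len - 1)


def pad_segments(segments: list, block_size: int, extra_block: bool) -> bytes:
    """Pad a message that arrived split across several segments.

    The rule applies once to the whole message, not to each segment, so the
    segments are joined first. Padding each segment separately would produce
    a different (wrong) padded stream, which is the multi-segment case the
    changelog reports as fixed.
    """
    return pad10star(b"".join(segments), block_size, extra_block)


def block_count(padded: bytes, block_size: int) -> int:
    """Number of full blocks the padded stream occupies."""
    if len(padded) % block_size:
        raise ValueError("stream is not block-aligned")
    return len(padded) // block_size


if __name__ == "__main__":
    # Constructed sample: 16 bytes of AD with an 8-byte block size.
    ad = bytes(range(16))
    print(block_count(pad10star(ad, 8, extra_block=False), 8))  # 2
    print(block_count(pad10star(ad, 8, extra_block=True), 8))   # 3
    # The same AD delivered as two segments pads identically to the whole.
    print(pad_segments([ad[:5], ad[5:]], 8, True) == pad10star(ad, 8, True))  # True
```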
Software:
- Fixed a bug in the generation of test vectors, resulting in the misplacement
of the tag segment in the expected output from authenticated encryption.
This bug appeared as a result of the --msg_format option, for ciphers
in which the tag segment should be located before the AD/ciphertext segment
in the input to decryption.
v1.0-1 : Initial release : May 12, 2016