diff --git a/doc/AES-GMAC-SIV.png b/doc/AES-GMAC-SIV.png
index 1099653a7..5d8cae33e 100644
Binary files a/doc/AES-GMAC-SIV.png and b/doc/AES-GMAC-SIV.png differ
diff --git a/node/AES.hpp b/node/AES.hpp
index 8621322ae..f86db33d3 100644
--- a/node/AES.hpp
+++ b/node/AES.hpp
@@ -251,7 +251,7 @@ public:
 _gmac(k0), _ctr(k1) {}
- /*
+ /**
 * Initialize AES-GMAC-SIV
 *
 * @param iv IV in network byte order (byte order in which it will appear on the wire)
@@ -265,6 +265,29 @@ public:
 _gmac.init(reinterpret_cast(_iv));
 }
+ /**
+ * Process AAD (additional authenticated data) that is not being encrypted
+ *
+ * This must be called prior to update1, finish1, etc. if there is AAD to include
+ * in the MAC that is not included in the plaintext.
+ *
+ * @param aad Additional authenticated data
+ * @param len Length of AAD in bytes
+ */
+ ZT_INLINE void aad(const void *const aad,unsigned int len) noexcept
+ {
+ _gmac.update(aad,len);
+ len &= 0xfU;
+ if (len != 0)
+ _gmac.update(Utils::ZERO256,16 - len);
+ }
+
+ /**
+ * First pass plaintext input function
+ *
+ * @param input Plaintext chunk
+ * @param len Length of plaintext chunk
+ */
 ZT_INLINE void update1(const void *const input,const unsigned int len) noexcept
 {
 _gmac.update(input,len);
@@ -282,6 +305,15 @@ public:
 _ctr.init(reinterpret_cast(_iv),_output);
 }
+ /**
+ * Second pass plaintext input function
+ *
+ * The same plaintext must be fed in the second time in the same order,
+ * though chunk boundaries do not have to be the same.
+ *
+ * @param input Plaintext chunk
+ * @param len Length of plaintext chunk
+ */
 ZT_INLINE void update2(const void *const input,const unsigned int len) noexcept
 {
 _ctr.crypt(input,len);
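Review bot: The new aad() in the second hunk zero-pads every call independently to a 16-byte boundary (`len &= 0xfU; if (len != 0) _gmac.update(Utils::ZERO256,16 - len);`), so the GMAC input cannot distinguish AAD X from X followed by up to 15 zero bytes, nor AAD given in one call from the same bytes split across two calls; unless finish1 (outside this hunk) folds the AAD byte length into the MAC, callers must use fixed-length or self-delimiting AAD to avoid this ambiguity. The doc comment should state that contract rather than leave it implicit, e.g. `* Each call is independently zero-padded to a multiple of 16 bytes and the AAD length is not otherwise encoded, so supply the AAD in a single call and use fixed-length or self-delimiting AAD.` The "must be called prior to update1" ordering is also unenforced; nothing in the visible code would detect an aad() call after plaintext has been fed, so either document that misuse silently corrupts the MAC or guard it with a debug assertion on the object's state. The enclosing class starts and ends outside the hunk.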