diff --git a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/cipher.c b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/cipher.c
index 4190359..822f374 100644
--- a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/cipher.c
+++ b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/cipher.c
@@ -1,3 +1,5 @@
+#include "debug.h"
+
 #include <stdint.h>
 #include <string.h>
 
@@ -38,40 +40,61 @@ static void _compute_round_tweakeys(
     uint8_t RTK[ROUNDS][ROUND_TWEAKEY_BYTES]
 )
 {
+    fprintf(DUMP, "computing %zu round sub-tweakeys\n", (size_t)ROUNDS);
+
     uint8_t TK[TWEAKEY_BYTES];
     tweakey_state_init(TK, key, tweak);
     tweakey_state_extract(TK, 0, RTK[0]);
 
+    fprintf(DUMP, "    0\n");
+    debug_dump_buffer("RTK", ROUND_TWEAKEY_BYTES, RTK[0], 8);
+
     for (uint8_t i=1; i<ROUNDS; i++)
     {
+        fprintf(DUMP, "    %zu\n", (size_t)i);
+
         tweakey_state_update(TK);
+        debug_dump_buffer("TK", TWEAK_BYTES, TK, 8);
         tweakey_state_extract(TK, i, RTK[i]);
+        debug_dump_buffer("RTK", ROUND_TWEAKEY_BYTES, RTK[i], 8);
     }
 }
 
 
 static void _nonlinear_layer(uint8_t X[BLOCK_BYTES], const uint8_t RTK[ROUND_TWEAKEY_BYTES])
 {
+    fprintf(DUMP, "        nonlinear layer\n");
+
+    debug_dump_buffer("X", BLOCK_BYTES, X, 12);
+
     uint8_t F[ROUND_TWEAKEY_BYTES];
     for (size_t j=0; j<ROUND_TWEAKEY_BYTES; j++)
     {
         F[j] = X[j] ^ RTK[j];
     }
 
+    debug_dump_buffer("Xj XOR RTKj", sizeof(F), F, 12);
+
     for (size_t j=0; j<ROUND_TWEAKEY_BYTES; j++)
     {
         F[j] = S[F[j]];
     }
 
+    debug_dump_buffer("F (post-S-box)", sizeof(F), F, 12);
+
     for (size_t j=0; j<8; j++)
     {
         size_t dest_j = 15-j;
         X[dest_j] ^= F[j];
     }
+
+    debug_dump_buffer("X (post-XOR)", BLOCK_BYTES, X, 12);
 }
 
 static void _linear_layer(uint8_t X[BLOCK_BYTES])
 {
+    fprintf(DUMP, "        linear layer\n");
+
     X[15] ^= X[1];
     X[15] ^= X[2];
     X[15] ^= X[3];
@@ -86,6 +109,8 @@ static void _linear_layer(uint8_t X[BLOCK_BYTES])
     X[11] ^= X[7];
     X[10] ^= X[7];
     X[9]  ^= X[7];
+
+    debug_dump_buffer("X", BLOCK_BYTES, X, 12);
 }
 
 static void _permutation_layer(uint8_t X[BLOCK_BYTES], permutation p)
@@ -95,6 +120,8 @@ static void _permutation_layer(uint8_t X[BLOCK_BYTES], permutation p)
         return;
     }
 
+    fprintf(DUMP, "        permutation layer\n");
+
     uint8_t X_old[BLOCK_BYTES];
     memcpy(X_old, X, BLOCK_BYTES);
 
@@ -104,6 +131,8 @@ static void _permutation_layer(uint8_t X[BLOCK_BYTES], permutation p)
     {
         X[pi[j]] = X_old[j];
     }
+
+    debug_dump_buffer("X", BLOCK_BYTES, X, 12);
 }
 
 static void _one_round_egfn(uint8_t X[BLOCK_BYTES], const uint8_t RTK[ROUND_TWEAKEY_BYTES], permutation p)
@@ -127,11 +156,15 @@ void lilliput_tbc_encrypt(
     uint8_t RTK[ROUNDS][ROUND_TWEAKEY_BYTES];
     _compute_round_tweakeys(key, tweak, RTK);
 
+    fprintf(DUMP, "running EGFN %zu times\n", (size_t)ROUNDS);
+
     for (uint8_t i=0; i<ROUNDS-1; i++)
     {
+        fprintf(DUMP, "    round %zu\n", (size_t)i);
         _one_round_egfn(X, RTK[i], PERMUTATION_ENCRYPTION);
     }
 
+    fprintf(DUMP, "    round %zu\n", (size_t)(ROUNDS-1));
     _one_round_egfn(X, RTK[ROUNDS-1], PERMUTATION_NONE);
 
     memcpy(ciphertext, X, BLOCK_BYTES);
diff --git a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/tweakey.c b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/tweakey.c
index 761ec53..39251a7 100644
--- a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/tweakey.c
+++ b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/tweakey.c
@@ -1,3 +1,5 @@
+#include "debug.h"
+
 #include <stdint.h>
 #include <string.h>
 
@@ -32,10 +34,16 @@ void tweakey_state_extract(
 
     for (const uint8_t *lane=TK; lane<TK+TWEAKEY_BYTES; lane+=LANE_BYTES)
     {
+        fprintf(DUMP, "        XORing lane %zu/%zu\n", 1+(size_t)((lane-TK)/LANE_BYTES), (size_t)LANES_NB);
+        debug_dump_buffer("RTK", ROUND_TWEAKEY_BYTES, round_tweakey, 12);
+        debug_dump_buffer("lane[j]", LANE_BYTES, lane, 12);
+
         for (size_t j=0; j<LANE_BYTES; j++)
         {
             round_tweakey[j] ^= lane[j];
         }
+
+        debug_dump_buffer("=> RTK", ROUND_TWEAKEY_BYTES, round_tweakey, 12);
     }
 
     round_tweakey[0] ^= round_constant;
@@ -44,6 +52,8 @@ void tweakey_state_extract(
 
 static void _permute_state(uint8_t TK[TWEAKEY_BYTES])
 {
+    fprintf(DUMP, "        permuting TK\n");
+
     uint8_t TK_old[TWEAKEY_BYTES];
     memcpy(TK_old, TK, TWEAKEY_BYTES);
 
@@ -54,12 +64,19 @@ static void _permute_state(uint8_t TK[TWEAKEY_BYTES])
             TK[j+h[k]] = TK_old[j+k];
         }
     }
+
+    debug_dump_buffer("TKi-1", TWEAKEY_BYTES, TK_old, 12);
+    debug_dump_buffer("TKi", TWEAKEY_BYTES, TK, 12);
 }
 
 static void _multiply_state(uint8_t TK[TWEAKEY_BYTES])
 {
+    fprintf(DUMP, "        multiplying TK\n");
+
     /* Lane 0 is multiplied by Id; lane 1 by P_0, lane 2 by P_1... */
 
+    debug_dump_buffer("TKi-1", TWEAKEY_BYTES, TK, 12);
+
     for (size_t j=1; j<LANES_NB; j++)
     {
         const uint8_t *P_lane = P[j-1];
@@ -70,6 +87,8 @@ static void _multiply_state(uint8_t TK[TWEAKEY_BYTES])
             TK[offset] = P_lane[TK[offset]];
         }
     }
+
+    debug_dump_buffer("TKi", TWEAKEY_BYTES, TK, 12);
 }
 
 void tweakey_state_update(uint8_t TK[TWEAKEY_BYTES])