User:Ilmari Karonen/sandbox/SIV mode

SIV mode (Synthetic Initialization Vector mode) is a block cipher mode of operation that provides authenticated encryption with "maximal misuse resistance".^[1] It was developed by Phillip Rogaway and Thomas Shrimpton in 2006 to address the key wrap problem, that is, to provide a secure and efficient algorithm for encapsulating encryption keys.^[2] Use of SIV with AES has been standardized in IETF RFC 5297.^[3]

SIV mode is based on the combination of counter mode encryption and a variant of the CMAC algorithm dubbed CMAC*. Specifically, to encrypt a message using SIV mode, CMAC* is first used to to compute a message authentication code (MAC) on the plaintext and any associated data (such as message headers), including an optional nonce. This MAC, being indistinguishable from a random bitstring by an attacker without access to the encryption key, is then used as a "synthetic initialization vector", from which the mode takes its name, for the counter mode encryption.

Cryptographic properties[edit]

SIV mode is designed to provide authenticated encryption with or without the use of a nonce. Specifically, when instantiated with a secure block cipher, SIV mode provably satisfies that following security properties:

When used with a nonce, SIV is an IND-CCA2 secure authenticated encryption scheme. This is the highest level of security generally required of an encryption scheme, and, in general terms, means that even an attacker with real-time access to a decryption oracle cannot learn *any* information about ciphertexts that they do not submit to the oracle, except for their length, and cannot forge any messages.

When used without a nonce, or with an accidentally repeated nonce, the *only* additional information leaked by SIV mode is that two identical messages will yield the same ciphertext when encrypted. This is in sharp contrast to many other block cipher modes (notably including high-performance AE modes like Galois/Counter mode) which fundamentally require unique nonces, and whose security may fail catastrophically if a nonce is ever repeated.

Features and performance[edit]

The main disadvantage of SIV mode encryption is that it requires two consecutive passes over the plaintext: one for CMAC* and one for the counter mode encryption. These two passes are inherently sequential — the actual encryption cannot begin before the MAC, which also serves as the synthetic IV, has been computed. This makes SIV mode less efficient than single-pass AE modes (such as EAX, GCM or OCB) for encrypting long data streams that cannot be efficiently buffered in memory (although such messages may still be encrypted by splitting them into more appropriately sized segments).

Like most modern authenticated encryption modes, SIV also supports "associated data", which is not encrypted (and need not even be transmitted along with the ciphertext, if it can be inferred from context), but whose integrity is also protected by the authentication mechanism. In fact, the SIV algorithm effectively treats the (optional) nonce as just one more piece of associated data.

A notable feature of SIV mode (and, specifically, of CMAC*) is that it allows the associated data to consist of multiple items, which are processed independently with CMAC to yield a list of intermediate values that are then combined into the final CMAC* output. This is convenient, as it avoids the need to unambiguously encode the associated data into a single string before processing it, but it can also provide a performance advantage if some of the associated data items (such as sender / receiver IDs) can be the same for multiple messages.

References[edit]

^ Rogaway, Phillip; Shrimpton, Thomas (20 August 2007). "The SIV Mode of Operation for Deterministic Authenticated-Encryption (Key Wrap) and Misuse-Resistant Nonce-Based Authenticated-Encryption" (PDF) (Manuscript). Draft 0.32. Retrieved 10 January 2015.
^ Rogaway, Phillip; Shrimpton, Thomas (2006). "A Provable-Security Treatment of the Key-Wrap Problem". Advances in Cryptology - EUROCRYPT 2006. Lecture Notes in Computer Science. Vol. 4004. Springer. pp. 373–390. doi:10.1007/11761679_23. ISBN 978-3-540-34546-6.
^ Harkins, D. (2008). Synthetic Initialization Vector (SIV) Authenticated Encryption Using the Advanced Encryption Standard (AES). IETF. doi:10.17487/RFC5297. RFC 5297. {{citation}}: Unknown parameter |month= ignored (help)

[siv-1] Rogaway, Phillip; Shrimpton, Thomas (20 August 2007). "The SIV Mode of Operation for Deterministic Authenticated-Encryption (Key Wrap) and Misuse-Resistant Nonce-Based Authenticated-Encryption" (PDF) (Manuscript). Draft 0.32. Retrieved 10 January 2015.

[keywrap-2] Rogaway, Phillip; Shrimpton, Thomas (2006). "A Provable-Security Treatment of the Key-Wrap Problem". Advances in Cryptology - EUROCRYPT 2006. Lecture Notes in Computer Science. Vol. 4004. Springer. pp. 373–390. doi:10.1007/11761679_23. ISBN 978-3-540-34546-6.

[rfc5297-3] Harkins, D. (2008). Synthetic Initialization Vector (SIV) Authenticated Encryption Using the Advanced Encryption Standard (AES). IETF. doi:10.17487/RFC5297. RFC 5297. {{citation}}: Unknown parameter |month= ignored (help)

[1]

[2]

[3]