Synthetic Initialization Vector (SIV) Authenticated Encryption Using the Advanced Encryption Standard (AES)
RFC 5297

Document type: RFC - Informational (October 2008)
Was draft-dharkins-siv-aes (individual in sec area)
Document stream: IETF
Last updated: 2013-03-02

IETF State: (None)
Consensus: Unknown
Document shepherd: No shepherd assigned

IESG State: RFC 5297 (Informational)
Responsible AD: Tim Polk
Send notices to: dharkins@arubanetworks.com, draft-dharkins-siv-aes@tools.ietf.org

Network Working Group                                         D. Harkins
Request for Comments: 5297                                Aruba Networks
Category: Informational                                     October 2008

    Synthetic Initialization Vector (SIV) Authenticated Encryption
              Using the Advanced Encryption Standard (AES)

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Abstract

   This memo describes SIV (Synthetic Initialization Vector), a block
   cipher mode of operation.  SIV takes a key, a plaintext, and multiple
   variable-length octet strings that will be authenticated but not
   encrypted.  It produces a ciphertext having the same length as the
   plaintext and a synthetic initialization vector.  Depending on how it
   is used, SIV achieves either the goal of deterministic authenticated
   encryption or the goal of nonce-based, misuse-resistant authenticated
   encryption.

Harkins                      Informational                      [Page 1]
RFC 5297                        SIV-AES                     October 2008

Table of Contents

   1. Introduction ....................................................3
      1.1. Background .................................................3
      1.2. Definitions ................................................4
      1.3. Motivation .................................................4
           1.3.1. Key Wrapping ........................................4
           1.3.2. Resistance to Nonce Misuse/Reuse ....................4
           1.3.3. Key Derivation ......................................5
           1.3.4. Robustness versus Performance .......................6
           1.3.5. Conservation of Cryptographic Primitives ............6
   2. Specification of SIV ............................................6
      2.1. Notation ...................................................6
      2.2. Overview ...................................................7
      2.3. Doubling ...................................................7
      2.4. S2V ........................................................8
      2.5. CTR .......................................................10
      2.6. SIV Encrypt ...............................................10
      2.7. SIV Decrypt ...............................................12
   3. Nonce-Based Authenticated Encryption with SIV ..................14
   4. Deterministic Authenticated Encryption with SIV ................15
   5. Optimizations ..................................................15
   6. IANA Considerations ............................................15
      6.1. AEAD_AES_SIV_CMAC_256 .....................................17
      6.2. AEAD_AES_SIV_CMAC_384 .....................................17
      6.3. AEAD_AES_SIV_CMAC_512 .....................................18
   7. Security Considerations ........................................18
   8. Acknowledgments ................................................19
   9. References .....................................................19
      9.1. Normative References ......................................19
      9.2. Informative References ....................................19
   Appendix A.  Test Vectors  ....................................... 22
     A.1.  Deterministic Authenticated Encryption Example ........... 22
     A.2.  Nonce-Based Authenticated Encryption Example ............. 23

1.  Introduction

1.1.  Background

   Various attacks have been described (e.g., [BADESP]) when data is
   merely privacy protected and not additionally authenticated or
   integrity protected.  Therefore, combined modes of encryption and
   authentication have been developed ([RFC5116], [RFC3610], [GCM],
   [JUTLA], [OCB]).  These provide conventional authenticated encryption
   when used with a nonce ("a number used once") and typically accept
   additional inputs that are authenticated but not encrypted,
   hereinafter referred to as "associated data" or AD.

   A deterministic, nonce-less, form of authenticated encryption has
   been used to protect the transportation of cryptographic keys (e.g.,
   [X9F1], [RFC3217], [RFC3394]).  This is generally referred to as "Key
   Wrapping".

   This memo describes a new block cipher mode, SIV, that provides both
   nonce-based authenticated encryption as well as deterministic, nonce-
   less key wrapping.  It contains a Pseudo-Random Function (PRF)
   construction called S2V and an encryption/decryption construction,
