Synthetic Initialization Vector (SIV) Authenticated Encryption Using the Advanced Encryption Standard (AES)
RFC 5297
| Document | Type |
RFC - Informational
(October 2008; No errata)
Was draft-dharkins-siv-aes (individual in sec area)
|
|
|---|---|---|---|
| Last updated | 2015-10-14 | ||
| Stream | IETF | ||
| Formats | plain text pdf html bibtex | ||
| Reviews | |||
| Stream | WG state | (None) | |
| Document shepherd | No shepherd assigned | ||
| IESG | IESG state | RFC 5297 (Informational) | |
| Consensus Boilerplate | Unknown | ||
| Telechat date | |||
| Responsible AD | Tim Polk | ||
| Send notices to | (None) | ||
Network Working Group D. Harkins
Request for Comments: 5297 Aruba Networks
Category: Informational October 2008
Synthetic Initialization Vector (SIV) Authenticated Encryption
Using the Advanced Encryption Standard (AES)
Status of This Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Abstract
This memo describes SIV (Synthetic Initialization Vector), a block
cipher mode of operation. SIV takes a key, a plaintext, and multiple
variable-length octet strings that will be authenticated but not
encrypted. It produces a ciphertext having the same length as the
plaintext and a synthetic initialization vector. Depending on how it
is used, SIV achieves either the goal of deterministic authenticated
encryption or the goal of nonce-based, misuse-resistant authenticated
encryption.
Hawkins Informational [Page 1]
RFC 5297 SIV-AES October 2008
Table of Contents
1. Introduction ....................................................3
1.1. Background .................................................3
1.2. Definitions ................................................4
1.3. Motivation .................................................4
1.3.1. Key Wrapping ........................................4
1.3.2. Resistance to Nonce Misuse/Reuse ....................4
1.3.3. Key Derivation ......................................5
1.3.4. Robustness versus Performance .......................6
1.3.5. Conservation of Cryptographic Primitives ............6
2. Specification of SIV ............................................6
2.1. Notation ...................................................6
2.2. Overview ...................................................7
2.3. Doubling ...................................................7
2.4. S2V ........................................................8
2.5. CTR .......................................................10
2.6. SIV Encrypt ...............................................10
2.7. SIV Decrypt ...............................................12
3. Nonce-Based Authenticated Encryption with SIV ..................14
4. Deterministic Authenticated Encryption with SIV ................15
5. Optimizations ..................................................15
6. IANA Considerations ............................................15
6.1. AEAD_AES_SIV_CMAC_256 .....................................17
6.2. AEAD_AES_SIV_CMAC_384 .....................................17
6.3. AEAD_AES_SIV_CMAC_512 .....................................18
7. Security Considerations ........................................18
8. Acknowledgments ................................................19
9. References .....................................................19
9.1. Normative References ......................................19
9.2. Informative References ....................................19
Appendix A. Test Vectors ....................................... 22
A.1. Deterministic Authenticated Encryption Example ........... 22
A.2. Nonce-Based Authenticated Encryption Example ............. 23
Hawkins Informational [Page 2]
RFC 5297 SIV-AES October 2008
1. Introduction
1.1. Background
Various attacks have been described (e.g., [BADESP]) when data is
merely privacy protected and not additionally authenticated or
integrity protected. Therefore, combined modes of encryption and
authentication have been developed ([RFC5116], [RFC3610], [GCM],
[JUTLA], [OCB]). These provide conventional authenticated encryption
when used with a nonce ("a number used once") and typically accept
additional inputs that are authenticated but not encrypted,
hereinafter referred to as "associated data" or AD.
A deterministic, nonce-less, form of authenticated encryption has
been used to protect the transportation of cryptographic keys (e.g.,
[X9F1], [RFC3217], [RFC3394]). This is generally referred to as "Key
Wrapping".
This memo describes a new block cipher mode, SIV, that provides both
nonce-based authenticated encryption as well as deterministic, nonce-
less key wrapping. It contains a Pseudo-Random Function (PRF)
construction called S2V and an encryption/decryption construction,
called CTR. SIV was specified by Phillip Rogaway and Thomas
Shrimpton in [DAE]. The underlying block cipher used herein for both
S2V and CTR is AES with key lengths of 128 bits, 192 bits, or 256
Show full document text