Reference: Advances in Cryptology -- EUROCRYPT 2006, Lecture Notes in Computer Science, vol. 4004, Springer, pp. 373-390, 2006.
Standards bodies have been addressing the key-wrap problem, a
cryptographic goal that has never received a provable-security treatment.
In response, we provide one, giving definitions, constructions, and proofs.
We suggest that key-wrap's goal is security
in the sense of deterministic authenticated-encryption (DAE), a notion
that we put forward.
We also provide an alternative notion, a pseudorandom injection (PRI),
which we prove to be equivalent.
We provide a DAE construction, SIV, analyze its concrete security,
develop a blockcipher-based instantiation of it,
and suggest that the method makes a desirable alternative to
the schemes of the X9.102 draft standard.
The construction incorporates a method to
turn a PRF that operates on a string into
an equally efficient PRF that operates on a vector of strings,
a problem of independent interest.
Finally, we consider IV-based authenticated-encryption (AE) schemes that
are maximally forgiving of repeated IVs,
a goal we formalize as misuse-resistant AE.
We show that a DAE scheme with a vector-valued header, such as SIV,
directly realizes this goal.
History: Paper was retitled in Sept 2006 "Deterministic Authenticated-Encryption: A Provable-Security Treatment of the Key-Wrap Problem"; the proceedings version of the paper is instead titled "A Provable-Security Treatment of the Key-Wrap Problem". The current version is from Aug 2007.
Availability: pdf or ps
Reference: Manuscript, Aug 2007.
Description:: Three-page specification document defining the SIV scheme that is found in the paper above.
The SIV mode of operation specifies a way for using a blockcipher to encrypt.
Encryption under SIV takes as input a key, a plaintext, and
a header, the header being a sequence of zero or more strings.
It produces, deterministically, an associated ciphertext.
The ciphertext protects the privacy of the
plaintext and the authenticity of both the ciphertext and header.
SIV can be based on an arbitrary blockcipher, such as AES or TDEA.
Depending on how it is used, SIV solves both
the key-wrap problem (deterministic authenticated-encryption)
and the problem of conventional (two-pass, nonce-based) authenticated-encryption.
This document is a compact specification for SIV mode;
the theory underlying it is described in
A provable-security treatment of the key-wrap problem,
Rogaway and Shrimpton, Eurocrypt 2006.
History: This is draft 0.32 of the spec, from Aug 2007.
Availability: pdf or ps
Rogaway's home page.