[Cryptech Tech] AES SIV mode for key wrapping?

Paul Lambert paul at marvell.com
Tue Mar 17 16:43:09 UTC 2015





>SIV is seeing almost no uptake.  AES KEY-WRAP is preferred.

Uptake and technical value are not the same.

First, AES-SIV is being introduced into other non-IETF forums.

Second, AES-SIV is much more efficient that AES KEY-WRAP.

AES-SIV is also nonce insensitive.  A very nice property for an AEAD
cipher.


Paul


>
>Russ
>
>
>On Mar 17, 2015, at 5:36 AM, Rob Austein wrote:
>
>> So our roadmap (under construction, but also under discussion today)
>> lists AES as a requirement for key wrapping for HSM backup.
>> Specifically, it lists SIV mode, which is one I hadn't heard of until
>> now.  RFC 5297 is interesting, but I'm not competent to have an
>> opinion on crypto at this level.
>> 
>> Crypto guys (Russ, PeterG, etc), please confirm that SIV is the mode
>> we should be using for this, or tell us what we should use instead.
>> 
>> Is SIV also an appropriate mode to use for the encrypted key store
>> within the HSM?
>> _______________________________________________
>> Tech mailing list
>> Tech at cryptech.is
>> https://lists.cryptech.is/listinfo/tech
>
>_______________________________________________
>Tech mailing list
>Tech at cryptech.is
>https://lists.cryptech.is/listinfo/tech



More information about the Tech mailing list