[Cryptech Tech] AES SIV mode for key wrapping?

Bernd Paysan bernd at net2o.de
Tue Mar 17 21:08:59 UTC 2015


Am Dienstag, 17. März 2015, 11:53:38 schrieb Dan Harkins:
>   As a key wrapping (deterministic authenticated encryption) solution
> AES-SIV is superior to AES KEY-WRAP but AES-SIV also has a mode
> to provide "probabilistic" authenticated encryption analogous to
> traditional AEAD schemes like CCM (or GCM). The advantages it has
> over these other schemes is that AES-SIV is misuse resistant: if the
> nonce is reused you do not lose all security in the same way you do
> with CCM (or GCM).

For comparison:

In net2o, for key wrapping, I currently use Keccak duplex mode.  This strongly 
requires unique nonces for the first 128 bytes of the wrapped key, but doesn't 
have that issue for the rest of the wrapped key; which is why I first store 
the public part of the key, the nickname, and a lifetime self-signature (signs 
only the public part), and then I'm past the 128 bytes and can store the 
secret part (knowledge of the public part does *not* leak the secret part even 
when the nonces are identical).

However, I'm thinking about going to use a block cipher mode for this, because 
that will work for shorter key wrapping where no pubkey is there to get past 
the first 128 bytes.

As I'm free of all FIPS/NSA/IETF/bla constraints, I certainly want to go for a 
block cipher that has more security margin than AES; I've chosen Threefish.  
Threefish however does not have an AEAD mode proposed, and the usual AEAD 
modes available in the wild require two operations per block; that's not 
something I want.  Threefish however does have a perfectly fine (possibly 
keyed) hash mode, as it is part of SKEIN, one of the SHA-3 finalists.

The hash mode works as follows:  Each block is encrypted with a key that is 
the xor of the previous block's plaintext and cipher text.  That works for 
hashing, but it can't work for AEAD - if you output the cipher text, and the 
adversary knows the plaintext, she knows the next key - and by knowing the 
next key, Eve can reconstruct all the rest of the message.

So I've changed that: for AEAD, you start with a non-zero secret key for the 
first block.  For all further blocks, you xor pain text, cipher text, and the 
previous key to be used as next key - xoring more pseudo-random stuff into a 
new value does not make it less secure, but more so.  For the MAC, at last, 
after encryption of the last block with padding, you encrypt a zeroed block.  
The receiver doesn't need to decrpyt this block, comparison is good enough, so 
you can shorten that checksum if you don't think you need the full 512 bits of 
a Threefish block.

This mode does work with AES, too, but AES rekeying is more expensive than two 
AES operations, so if performance is an issue (e.g. for AEAD messaging), AES 
SIV is a better idea.

-- 
Bernd Paysan
"If you want it done right, you have to do it yourself"
http://bernd-paysan.de/
net2o ID: kQusJzA;7*?t=uy at X}1GWr!+0qqp_Cn176t4(dQ*



More information about the Tech mailing list