Questions tagged [siv]
SIV (Synthetic Initialization Vector) is a two-pass AEAD block cipher mode of operation described in RFC 5297. It can be used either for key-wrap (nonce-less deterministic authenticated encryption) or, with a nonce, for conventional authenticated encryption with maximal tolerance of nonce reuse.
29 questions
5 votes, 1 answer, 264 views
What best to put in unused nonce bytes when using AES-GCM-SIV
I want to use AES-GCM-SIV for authenticated encryption of messages in my protocol.
Since it is a wireless protocol I want to transmit as few bytes as possible. For successful decryption I need to ...
0 votes, 1 answer, 361 views
ChaCha20-Poly1305 and AES-GCM-SIV output size
Background information:
I need to encrypt 168-bit messages, the ciphertext should, preferably, match the plaintext size. Message Authentication and Integrity is not a must, but a really important ...
1 vote, 1 answer, 182 views
Deterministic salt for KDF
What would be the recommended way to make deterministic password based file encryption?
I can use SIV mode, but KDF (like Argon) takes salt for which I could use SIV tag, but I cannot make it because I ...
3 votes, 1 answer, 149 views
Signal's Key Wrap: is it safe and is it custom?
The iOS version of Signal application (not the protocol) includes a form of key wrap that I've never seen elsewhere: SHA256-HMAC-SIV.
It's used to encrypt your master key with your ...
2 votes, 1 answer, 1k views
Beyond birthday bound security in AES-GCM-SIV
AES-GCM-SIV takes a 96 bit nonce, like the original GCM. The RFC states that "it is RECOMMENDED to use this scheme with randomly chosen nonces". It uses the random nonce to generate per-...
1 vote, 1 answer, 217 views
Trying to understand SIV mode
I'm trying to wrap my head around the concept of SIV in the context of encryption. I understand the aspect of nonce misuse, etc. And I understand that the key feature for SIV is that they ensure that ...
2 votes, 1 answer, 132 views
Is using CFB in SIV secure?
Is SIV mode variant equally secure, if you replace CTR mode encryption with full-block CFB mode encryption?
CFB seems to be safe with predictable IV: Is using a predictable IV with CFB mode safe or ...
1 vote, 1 answer, 206 views
Ignoring the TAG of the AEAD-SIV encryption
I am working with personal data that contain identifying attributes such as a player ID and I need to prepare the data for analysis purposes, therefore I need to pseudoanonymize the data beforehand. ...
1 vote, 1 answer, 1k views
Where is the SIV in AES-GCM-SIV?
This is my understanding of Synthetic IVs
You have 2 keys $K_1$ & $K_2$.
$F$ is a PRF
Instead of choosing a separate IV, you instead generate the IV from the PlainText.
$IV = F(K_1, m)$
$c = E(...
5 votes, 0 answers, 572 views
Is AES-GCM-SIV with fixed IV deterministic authenticated encryption?
Is there any functional or strong security difference beyond speed between
AES-GCM-SIV with implicit fixed public IV and no additional data
AES-CTR (or AES-OFB) with 128-bit IV computed per HMAC-SHA-...
10 votes, 0 answers, 319 views
Are there any weak nonce-misuse resistant encryption scheme?
Nonce-misuse resistance seems to have two standard notions:
The stronger notion: this reveals nothing unless the exact same nonce is used to encrypt the exact same message twice. In this case, the ...
1 vote, 0 answers, 157 views
Why does a "never-repeating" nonce limit a key to safely encrypt only a single block?
This question comes from a section outlined in RFC 5297 on SIV-AES. The paragraph in particular outlines the idea of a never repeating nonce vs an "almost always" non-repeating nonce.
If ...
0 votes, 0 answers, 622 views
Can I Achieve Deterministic Encryption Using AES-GCM with Nonce = HMAC [ message ]
I would like to implement a deterministic encryption scheme within .NET. From the following post it is established using AES-SIV mode is appropriate. As AES-SIV mode is not implemented within the ...
5 votes, 1 answer, 1k views
How to Implement Deterministic Encryption Safely in .NET
I am trying to implement a deterministic encryption scheme in .NET. This link suggests I use AES-SIV mode encryption. An alternative is to use AES-CTR [ k1, nonce, message] mode with HMAC[ k2, ...
2 votes, 1 answer, 910 views
AES-PMAC-SIV AE algorithm
AES-SIV is a very robust and safe algorithm but performance isn't great. AES-PMAC-SIV, should provide a great parallelization, increasing performance and ensuring the same robustness. Indications of ...