If I use XTS-AES and treat the tweak as a nonce/IV would the result be considered nonce-misuse-resistant?

I'm thinking of something like the following AEAD-like scheme:

enc(encKey, macKey, plaintext, aad):
  tweak = ... # 128 bits, generated like an IV or nonce
  # pad the plaintext to handle shorter-than-16-byte inputs,
  # as well as to determine the plaintext length after decryption
  a = AES-XTS(encKey, tweak, pad(plaintext))
  b = tweak || a
  return b || MAC([aad, b], macKey)

A tweak collision seems to only disclose whether the same plaintext was encrypted with the same key and the same tweak, which matches the definition of nonce-misuse-resistance I see here and differs from Rogaway's description of AES-SIV's properties in that the collision is apparent even if the AAD differs.

My motivation is looking for a nonce-misuse-resistant scheme that is NIST-approved. Having many existing implementations is also a benefit.

orip

1 Answer

A tweak collision seems to only disclose whether the same plaintext was encrypted with the same key and the same tweak

Actually, XTS will disclose whether related plaintexts were encrypted with the same key/tweak. Specifically, if two plaintexts had the same value for block N, then after encryption (assuming the same key/tweak), the ciphertexts would also have the same value for block N (and thus leak the relationship between the plaintexts). This is true even if other blocks of the plaintext differ. This is leaking data beyond what is allowed for 'nonce-misuse-resistance'.

poncho
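Both the scheme proposed in the question and the block-level leak poncho points out, as an added example (my code, not from either post). Go is used because its standard library supplies AES, HMAC and SHA-256 but not XTS, so the XTS layer is written out following IEEE 1619: the tweak is encrypted under the second key, the running tweak is multiplied by alpha between blocks, and there is no ciphertext stealing because the scheme pads. Everything the question does not state is an assumption here: XTS-AES-128 with a 32-byte K1||K2 key, PKCS#7 padding as pad(), HMAC-SHA256 over a 64-bit length prefix, aad and b as the MAC, the fixed demo keys, the deliberately reused tweak, and the two constructed plaintexts. Decryption is omitted for space; it would verify the tag with hmac.Equal before reversing the XTS layer and stripping the padding.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const bs = 16 // AES block size, which is also the XTS tweak size

// mulAlpha: tweak times alpha in GF(2^128), IEEE 1619 little-endian bit order.
func mulAlpha(t *[bs]byte) {
	var carry byte
	for i := 0; i < bs; i++ {
		carry, t[i] = t[i]>>7, t[i]<<1|carry
	}
	if carry != 0 {
		t[0] ^= 0x87
	}
}

// xtsCrypt: XTS-AES-128 over whole blocks, no ciphertext stealing (the scheme
// pads instead). key is K1||K2: K1 encrypts the data, K2 encrypts the tweak.
func xtsCrypt(key []byte, tweak [bs]byte, in []byte, encrypt bool) ([]byte, error) {
	if len(key) != 32 || len(in)%bs != 0 {
		return nil, errors.New("xts: need a 32-byte key and whole blocks")
	}
	k1, _ := aes.NewCipher(key[:16]) // 16-byte keys cannot fail
	k2, _ := aes.NewCipher(key[16:])
	var t [bs]byte
	k2.Encrypt(t[:], tweak[:])
	out := make([]byte, len(in))
	for off := 0; off < len(in); off += bs {
		blk := out[off : off+bs]
		for i := range blk {
			blk[i] = in[off+i] ^ t[i]
		}
		if encrypt {
			k1.Encrypt(blk, blk)
		} else {
			k1.Decrypt(blk, blk)
		}
		for i := range blk {
			blk[i] ^= t[i]
		}
		mulAlpha(&t)
	}
	return out, nil
}

// pad is PKCS#7: whole blocks for XTS, and the receiver can recover the length.
func pad(p []byte) []byte {
	n := bs - len(p)%bs
	return append(append([]byte{}, p...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// macTag is MAC([aad, b], macKey); aad is length-prefixed to fix the boundary.
func macTag(macKey, aad, b []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(binary.BigEndian.AppendUint64(nil, uint64(len(aad))))
	m.Write(aad)
	m.Write(b)
	return m.Sum(nil)
}

// enc: tweak || XTS(pad(pt)) || HMAC(aad, tweak||ct). The caller supplies the
// tweak (fresh from crypto/rand per message in real use) so reuse can be shown.
func enc(encKey, macKey []byte, tweak [bs]byte, plaintext, aad []byte) ([]byte, error) {
	a, err := xtsCrypt(encKey, tweak, pad(plaintext), true)
	if err != nil {
		return nil, err
	}
	b := append(tweak[:], a...)
	return append(b, macTag(macKey, aad, b)...), nil
}

// sharedBlocks: XTS block positions with identical ciphertext in two enc outputs.
func sharedBlocks(c1, c2 []byte) (same []int) {
	b1, b2 := c1[bs:len(c1)-sha256.Size], c2[bs:len(c2)-sha256.Size]
	for off := 0; off+bs <= len(b1) && off+bs <= len(b2); off += bs {
		if bytes.Equal(b1[off:off+bs], b2[off:off+bs]) {
			same = append(same, off/bs)
		}
	}
	return same
}

func main() {
	encKey, macKey := bytes.Repeat([]byte{1}, 32), bytes.Repeat([]byte{2}, 32) // constructed demo keys
	tweak := [bs]byte{0xde, 0xad, 0xbe, 0xef} // deliberately reused for both messages
	// Constructed plaintexts: block 0 identical, block 1 differs, block 2 is padding.
	c1, _ := enc(encKey, macKey, tweak, []byte("BLOCK0-SAME-16B!differs-A-------"), nil)
	c2, _ := enc(encKey, macKey, tweak, []byte("BLOCK0-SAME-16B!differs-B-------"), nil)
	fmt.Println("equal ciphertext blocks under the reused tweak:", sharedBlocks(c1, c2)) // [0 2]
}
```

Running it prints [0 2]: under the same key and tweak, ciphertext block 0 is identical because plaintext block 0 was, even though block 1 differs, and block 2 matches as well because both messages end in the same 16-byte padding block. Give each message its own tweak and sharedBlocks returns nothing, which is the behaviour the question was hoping for; with a reused tweak, XTS degrades to ECB with a per-position mask, which is exactly the relationship poncho describes.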