13

I am investigating the AES-SIV (RFC 5297) based block cipher. The construction of S2V relies on AES-CMAC and the dbl and XOR operations. Given an AAD of size L and the 128-bit block operation, I have some concern that if L < 16 bytes, the initial block with an all-0s input is no more than a PRF to generate the "IV" for the second block operation. My question is whether the S2V operation used to construct the SIV COULD be reduced to less randomness due to L < 16 bytes and in turn defeat the design purpose of synthesizing the IV from the packet header. It also occurs to me that AES-SIV needs more time and memory to carry out the operation compared to AES-GCM or CCM.

Michael
user7453

1 Answer

9

The synthesized IV does not need to be random.

AES-SIV is a deterministic authenticated encryption mode: it can be used without any nonce when it is not a concern if the attacker can tell that the same message is being transmitted (under the same key) multiple times. Privacy and authentication are still guaranteed.

SIV recommends using a nonce (more precisely, including it as the second-last string passed to S2V) to cover that scenario. If you do and fail to keep it unique, the effects are still not as catastrophic as with modes like GCM and CCM, where privacy is severely compromised.

Typically, keeping a nonce is not easy, and it is more practical to use random data, counting on the fact that, by using sufficient randomness, it is sufficiently unlikely to get the same value twice.

To summarize, with SIV:

  • Short AAD is not a concern if you don't care about the attacker learning when you send the same message twice.
  • If you have the concern above, a short AAD is still OK if it contains a true nonce like a short monotonic counter.
  • If you have the concern above, a short AAD may be a problem if you use randomness as a nonce. The specification recommends using at least 16 bytes: using less than that should be carefully vetted.

You are right that SIV is not very efficient. The price to pay for robustness against nonce reuse is that SIV is a non-online, 2-pass mode. You need to have the whole message in memory to start encryption (unlike GCM), and the plaintext is processed twice (unlike OCB). SIV was proposed as a key-wrapping mode, though, where keys are typically very small.