
AES SIV

Tony Arcieri edited this page Dec 21, 2017 · 6 revisions

AES-SIV is an authenticated mode of AES which provides nonce reuse misuse resistance. Described in RFC 5297, it combines the AES-CTR (NIST SP 800-38A) mode of encryption with the AES-CMAC (NIST SP 800-38B) function for integrity. It was originally defined in the paper Deterministic Authenticated-Encryption: A Provable-Security Treatment of the Key-Wrap Problem.

A parallelized variant of AES-SIV is available in the form of the AES-PMAC-SIV function.

This section provides a more in-depth exploration of how the AES-SIV function operates.

Encryption

Inputs:

  • AES-CMAC and AES-CTR keys: K1 and K2
  • Zero or more message headers: H1 through Hm
  • Plaintext message: M

Outputs:

  • Initialization vector: IV
  • Ciphertext message: C

Description:

AES-SIV first computes AES-CMAC under K1 over the message headers H1 through Hm and the message M, producing a synthetic IV (SIV). This IV is then used to perform AES-CTR encryption of M under K2, and is returned alongside the ciphertext.

Decryption

Inputs:

  • AES-CMAC and AES-CTR keys: K1 and K2
  • Zero or more message headers: H1 through Hm
  • Initialization vector: IV
  • Ciphertext message: C

Outputs:

  • Plaintext message: M

Description:

To decrypt a message, AES-SIV first performs an AES-CTR decryption of the ciphertext under K2 using the supplied synthetic IV. The message headers H1 through Hm and the candidate decrypted message are then authenticated with AES-CMAC under K1. If the recomputed IV' does not match the IV originally supplied, the decryption operation is aborted. Otherwise, the original plaintext has been authenticated and can be returned.

See Also