AES PMAC SIV

Tony Arcieri edited this page Jan 5, 2018 · 15 revisions

AES-PMAC-SIV is a fully parallelizable variant of AES-SIV which substitutes AES-PMAC for AES-CMAC as the PRF used to compute the synthetic IV (the integrity component):

[Figure: STREAM Diagram]

AES-PMAC-SIV provides effectively identical security properties to the original AES-SIV construction, including nonce-reuse misuse resistance, but performs significantly better on systems that provide parallel hardware implementations of AES, namely Intel/AMD CPUs but also certain IoT devices.

Though it has not yet been described by a standards body and is presently only available in the Miscreant libraries, AES-PMAC-SIV is a compelling algorithm which retains all of the original security properties of AES-SIV, according to Phil Rogaway, the cryptographer who originally designed the AES-SIV, AES-CMAC, and AES-PMAC algorithms:

The proof in the SIV paper uses generic properties of the SIV construction: you can stick in any provably-sound PRF. Quantitative results will depend on the quality of the PRF, but in the case of CMAC and PMAC, the ‘basic’ bounds are the same (within a small constant). I remember there being somewhat improved bounds for PMAC, like [Nandi, Mandal 2007], but by the time you throw in CTR, it probably doesn’t help. So, yes, effectively equivalent, as far as I know.

See Also
