Skip to content

AES SIV

Tony Arcieri edited this page Dec 21, 2017 · 6 revisions

AES-SIV is an authenticated mode of AES which provides nonce reuse misuse resistance. Described in RFC 5297, it combines the AES-CTR (NIST SP 800-38A) mode of encryption with the AES-CMAC (NIST SP 800-38B) function for integrity. It was originally defined in the paper Deterministic Authenticated-Encryption: A Provable-Security Treatment of the Key-Wrap Problem.

A parallelized variant of AES-SIV is available in the form of the AES-PMAC-SIV function.

This section provides a more in-depth exploration of how the AES-SIV function operates.

Encryption

Inputs:

  • AES-CMAC and AES-CTR keys: K1 and K2
  • Zero or more message headers: H1 through Hm
  • Plaintext message: M

Outputs:

  • Initialization vector: IV
  • Ciphertext message: C

Description:

AES-SIV first computes AES-CMAC on the message headers H1 through Hm and messages under K1, computing a synthetic IV (SIV). This IV is used to perform AES-CTR encryption under K2

Decryption

Inputs:

  • AES-CMAC and AES-CTR keys: K1 and K2
  • Zero or more message headers: H1 through Hm
  • Initialization vector: IV
  • Ciphertext message: C

Outputs:

  • Plaintext message: M

Description:

To decrypt a message, AES-SIV first performs an AES-CTR decryption of the message under the provided synthetic IV. The message headers H1 through Hm and candidate decrypted message are then authenticated by AES-CMAC. If the computed IV’ does not match the original one supplied, the decryption operation is aborted. Otherwise, we've authenticated the original plaintext and can return it.

See Also

You can’t perform that action at this time.