rfcdiff: draft-dharkins-siv-aes-04.txt vs. draft-dharkins-siv-aes-05.txt
(text common to both versions is shown once; text present in only one
version is marked [-04] or [-05])

Internet Engineering Task Force        D. Harkins, Ed. [-04] / D. Harkins [-05]
Internet-Draft                                                   Aruba Networks
Intended status: Standards Track [-04] / Informational [-05]
                                     June 11, 2008 [-04] / June 26, 2008 [-05]
Expires: December 13, 2008 [-04] / December 28, 2008 [-05]

                   SIV Authenticated Encryption using AES
           draft-dharkins-siv-aes-04 [-04] / draft-dharkins-siv-aes-05 [-05]
Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that

   [... unchanged text skipped (page 1, line 34) ...]

   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on December 13, 2008 [-04] /
   December 28, 2008 [-05].

Copyright Notice

   Copyright (C) The IETF Trust (2008).

Abstract

   This memo describes SIV (Synthetic Initialization Vector), a block
   cipher mode of operation.  SIV takes a key, a plaintext, and multiple
   variable-length octet strings which will be authenticated but not
   encrypted.  It produces a ciphertext having the same length as the
   plaintext and a synthetic initialization vector.  Depending on how it
   is used, SIV achieves either the goal of deterministic
   authenticated-encryption or the goal of nonce-based, misuse-resistant
   authenticated-encryption.

   [-05 spells out the SIV acronym in the first sentence; the -04
   abstract is otherwise identical.]
Table of Contents

   1.  Introduction
     1.1.  Background
     1.2.  Definitions
     1.3.  Motivation
       1.3.1.  Key Wrapping
       1.3.2.  Resistance to Nonce Misuse/Reuse
       1.3.3.  Key Derivation

   [... unchanged entries skipped (page 2, line 28) ...]

     2.2.  Overview
     2.3.  Doubling
     2.4.  S2V
     2.5.  CTR
     2.6.  SIV Encrypt
     2.7.  SIV Decrypt
   3.  Nonce-based Authenticated Encryption with SIV
   4.  Deterministic Authenticated Encryption with SIV
   5.  Optimizations
   6.  IANA Considerations
     6.1.  AEAD_AES_SIV_CMAC_256
     6.2.  AEAD_AES_SIV_CMAC_384
     6.3.  AEAD_AES_SIV_CMAC_512
   7.  Security Considerations
   8.  Acknowledgments
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Appendix A.  Test Vectors
     A.1.  Deterministic Authenticated Encryption Example
     A.2.  Nonce-based Authenticated Encryption Example
   Author's Address
   Intellectual Property and Copyright Statements
1.  Introduction

1.1.  Background

   Various attacks have been described (e.g. [BADESP]) when data is
   merely privacy-protected and not additionally authenticated or

   [... unchanged text skipped (page 6, line 37) ...]

   pad(X)
      indicates padding of string X, len(X) < 128, out to 128 bits by
      the concatenation of a single bit of 1 followed by as many 0 bits
      as are necessary.

   leftmost(A,n)
      the n most significant bits of A.

   rightmost(A,n)
      the n least significant bits of A.  [-04 misspelled "significant"
      as "significatn"; corrected in -05]

   A || B
      means concatenation of string A with string B.

   A xor B
      is the exclusive OR operation on two equal length strings, A and
      B.

   A xorend B
      where len(A) >= len(B), means xoring a string B onto the end of

   [... unchanged text skipped (page 16, line 23) ...]

   limits the benefit SIV offers for dealing in a natural fashion with
   AD consisting of multiple distinct components.  Therefore when it is
   required to access SIV through the interface defined in [RFC5116] it
   is necessary to marshal multiple AD inputs into a single string (see
   Section 1.1) prior to invoking SIV.  Note that this requirement is
   not unique to SIV.  All cipher modes using [RFC5116] MUST similarly
   marshal multiple AD inputs into a single string, and any technique
   used for any other AEAD mode (e.g. a scatter/gather technique) can be
   used with SIV.
   [The following four paragraphs are new in -05.]

   [RFC5116] requires AEAD algorithm specifications to include maximal
   limits to the amount of plaintext, the amount of associated data, and
   the size of a nonce that the AEAD algorithm can accept.

   SIV uses AES in counter mode, and the security guarantees of SIV would
   be lost if the counter were allowed to repeat.  Since the counter is
   128 bits, the limit on the amount of plaintext that can be safely
   protected by a single invocation of SIV is 2^128 blocks.  Multiple
   invocations of SIV with the same key, though, increase the
   possibility of distinct invocations having overlapping counter-space,
   so the limit on the amount of plaintext that can be safely protected
   by SIV is set at 2^64 blocks.

   To prevent the possibility of collisions, [CMAC] recommends that no
   more than 2^48 invocations be made to CMAC with the same key.  This
   is not a limit on the amount of data that can be passed to CMAC,
   though.  There is no practical limit to the amount of data that can
   be passed to a single invocation of CMAC, and likewise there is no
   practical limit to the amount of associated data or nonce material
   that can be passed to SIV.

   A collision in the output of S2V would mean the same counter would be
   used with different plaintext in counter mode.  This would void the
   security guarantees of SIV.  The "Birthday Paradox" (see [APPCRY])
   implies that no more than 2^64 distinct invocations of SIV should be
   made with the same key.  It is prudent to follow the example of
   [CMAC], though, and further limit the number of distinct invocations
   of SIV using the same key to 2^48.  Note that [RFC5116] does not
   provide a variable to describe this limit.
6.1.  AEAD_AES_SIV_CMAC_256

   The AES-SIV-CMAC-256 AEAD algorithm works as specified in Section 2.6
   and Section 2.7.  The input and output lengths for AES-SIV-CMAC-256
   as defined by [RFC5116] are:

      K_LEN is 32 octets.

      P_MAX is unlimited [-04] / 2^68 octets [-05].

      A_MAX is unlimited.

      N_MIN is 1 octet.

      N_MAX is unlimited.

      C_MAX is unlimited [-04] / 2^68 + 16 octets [-05].

   The security implications of nonce re-use and/or mis-use are
   described in Section 1.3.2.

6.2.  AEAD_AES_SIV_CMAC_384

   The AES-SIV-CMAC-384 AEAD algorithm works as specified in Section 2.6
   and Section 2.7.  The input and output lengths for AES-SIV-CMAC-384
   as defined by [RFC5116] are:

      K_LEN is 48 octets.

      P_MAX is unlimited [-04] / 2^68 octets [-05].

      A_MAX is unlimited.

      N_MIN is 1 octet.

      N_MAX is unlimited.

      C_MAX is unlimited [-04] / 2^68 + 16 octets [-05].

   The security implications of nonce re-use and/or mis-use are
   described in Section 1.3.2.

6.3.  AEAD_AES_SIV_CMAC_512

   The AES-SIV-CMAC-512 AEAD algorithm works as specified in Section 2.6
   and Section 2.7.  The input and output lengths for AES-SIV-CMAC-512
   as defined by [RFC5116] are:

      K_LEN is 64 octets.

      P_MAX is unlimited [-04] / 2^68 octets [-05].

      A_MAX is unlimited.

      N_MIN is 1 octet.

      N_MAX is unlimited.

      C_MAX is unlimited [-04] / 2^68 + 16 octets [-05].

   The security implications of nonce re-use and/or mis-use are
   described in Section 1.3.2.
7.  Security Considerations

   SIV provides confidentiality [-05; -04 says "privacy"] in the sense
   that the output of SIV-Encrypt is indistinguishable from a random
   string of bits.  It provides authenticity in the sense that an
   attacker is unable to construct a string of bits that will return
   other than FAIL when input to SIV-Decrypt.  A proof of the security
   of SIV with an "all in one" notion of security for an authenticated
   encryption scheme is provided in [DAE].

   SIV provides deterministic "key wrapping" when the plaintext contains
   data that is unpredictable to an adversary (for instance, a
   cryptographic key).  Even when this key is made available to an
   attacker the output of SIV-Encrypt is indistinguishable from random
   bits.  Similarly, even when this key is made available to an
   attacker, she is unable to construct a string of bits that when input
   to SIV-Decrypt will return anything other than FAIL.

   When the nonce used in the nonce-based authenticated encryption mode

   [... unchanged text skipped (-04: page 19, line 6; -05: page 19,
   line 31) ...]
   of SIV, thereby confirming the correctness of the test vectors.

9.  References

9.1.  Normative References

   [CMAC]     Dworkin, M., "Recommendation for Block Cipher Modes of
              Operation: The CMAC Mode for Authentication", NIST Special
              Publication 800-38B, May 2005.

   [DAE]      Rogaway, P. and T. Shrimpton, "Deterministic Authenticated
              Encryption, A Provable-Security Treatment of the Key-Wrap
              Problem", Advances in Cryptology -- EUROCRYPT '06, St.
              Petersburg, Russia, 2006.  [-04 listed [DAE] among the
              informative references; -05 moves it here]

   [MODES]    Dworkin, M., "Recommendation for Block Cipher Modes of
              Operation: Methods and Techniques", NIST Special
              Publication 800-38A, 2001 edition.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC5116]  McGrew, D., "An Interface and Algorithms for Authenticated
              Encryption", RFC 5116, January 2008.

9.2.  Informative References

   [APPCRY]   Menezes, A., van Oorschot, P., and S. Vanstone, "Handbook
              of Applied Cryptography", CRC Press Series on Discrete
              Mathematics and Its Applications, 1996.  [added in -05]

   [BADESP]   Bellovin, S., "Problem Areas for the IP Security
              Protocols", July 1996.

   [CCM]      Whiting, D., Housley, R., and N. Ferguson, "Counter With
              CBC-MAC (CCM)", June 2002.

   [GCM]      McGrew, D. and J. Viega, "The Galois/Counter Mode of
              Operation (GCM)".

   [JUTLA]    Jutla, C., "Encryption Modes With Almost Free Message
              Integrity", Proceedings of the International Conference on
              the Theory and Application of Cryptographic Techniques:
              Advances in Cryptography.

   [OCB]      Krovetz, T. and P. Rogaway, "The OCB Authenticated
              Encryption Algorithm",
   [... unchanged text skipped (-04: page 24, line 10; -05: page 24,
   line 43) ...]

   output
   ------
   IV || C:
           7bdb6e3b 432667eb 06f4d14b ff2fbd0f
           cb900f2f ddbe4043 26601965 c889bf17
           dba77ceb 094fa663 b7a3f748 ba8af829
           ea64ad54 4a272e9c 485b62a3 fd5c0d
Author's Address

   Dan Harkins (editor) [-04] / Dan Harkins [-05]
   Aruba Networks

   Email: dharkins@arubanetworks.com

Full Copyright Statement

   Copyright (C) The IETF Trust (2008).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors