Deterministic Authenticated-Encryption: A Provable-Security Treatment of the Key-Wrap Problem

Phillip Rogaway and Thomas Shrimpton

Abstract

Standards bodies have been addressing the key-wrap problem, a cryptographic goal that has never received a provable-security treatment. In response, we provide one, giving definitions, constructions, and proofs. We suggest that key-wrap’s goal is security in the sense of deterministic authenticated-encryption (DAE), a notion that we put forward. We also provide an alternative notion, a pseudorandom injection (PRI), which we prove to be equivalent. We provide a DAE construction, SIV, analyze its concrete security, develop a blockcipher-based instantiation of it, and suggest that the method makes a desirable alternative to the schemes of the X9.102 draft standard. The construction incorporates a method to turn a PRF that operates on a string into an equally efficient PRF that operates on a vector of strings, a problem of independent interest. Finally, we consider IV-based authenticated- encryption (AE) schemes that are maximally forgiving of repeated IVs, a goal we formalize as misuse-resistant AE.We show that a DAE scheme with a vector-valued header, such as SIV, directly realizes this goal.

Note: retitled 9/06

Available format(s)
Publication info
Published elsewhere. An abridged version appeared at Eurocrypt 2006. This is the full version.
Keywords
Authenticated encryptioncryptographic definitionscryptographic standardskey wrapping
Contact author(s)
teshrim @ cs pdx edu
History
2007-08-20: last of 7 revisions
See all versions
Short URL
https://ia.cr/2006/221

CC BY

BibTeX

@misc{cryptoeprint:2006/221,
author = {Phillip Rogaway and Thomas Shrimpton},
title = {Deterministic Authenticated-Encryption: A Provable-Security Treatment of the Key-Wrap Problem},
howpublished = {Cryptology ePrint Archive, Paper 2006/221},
year = {2006},
note = {\url{https://eprint.iacr.org/2006/221}},
url = {https://eprint.iacr.org/2006/221}
}

Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.