2006 | OriginalPaper | Chapter
A Provable-Security Treatment of the Key-Wrap Problem
Authors: Phillip Rogaway, Thomas Shrimpton
Published in: Advances in Cryptology - EUROCRYPT 2006
Publisher: Springer Berlin Heidelberg
We give a provable-security treatment for the key-wrap problem, providing definitions, constructions, and proofs. We suggest that key-wrap’s goal is security in the sense of deterministic authenticated-encryption (DAE), a notion that we put forward. We also provide an alternative notion, a pseudorandom injection (PRI), which we prove to be equivalent. We provide a DAE construction, SIV, analyze its concrete security, develop a blockcipher-based instantiation of it, and suggest that the method makes a desirable alternative to the schemes of the X9.102 draft standard. The construction incorporates a method to turn a PRF that operates on a string into an equally efficient PRF that operates on a vector of strings, a problem of independent interest. Finally, we consider IV-based authenticated-encryption (AE) schemes that are maximally forgiving of repeated IVs, a goal we formalize as misuse-resistant AE. We show that a DAE scheme with a vector-valued header, such as SIV, directly realizes this goal.
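The following is an added illustration, not code from the paper or its authors: a toy SIV-style DAE scheme showing how a vector-valued header lets a nonce ride along as one header component, so that a repeated nonce reveals only whether the same (header, message) pair was encrypted twice. It assumes HMAC-SHA256 as the PRF, length-prefixing to handle the header vector, and an HMAC counter-mode keystream; these are stand-ins, not the paper's blockcipher-based instantiation, and all function names are hypothetical.

```python
import hashlib
import hmac

TAG_LEN = 16  # bytes of the synthetic IV, which doubles as the authenticity tag


def _prf(key, parts):
    # PRF over a vector of byte strings. Each component is length-prefixed so
    # that (b"ab", b"c") and (b"a", b"bc") are distinct inputs. This is a
    # stand-in for the paper's string-to-vector PRF conversion.
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        mac.update(len(p).to_bytes(8, "big") + p)
    return mac.digest()[:TAG_LEN]


def _keystream(key, iv, n):
    # HMAC in counter mode seeded by the synthetic IV (stand-in for CTR mode).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def dae_encrypt(k_mac, k_enc, header, msg):
    # The IV is derived from the whole input, so encryption is deterministic:
    # no random IV or nonce is required for security.
    iv = _prf(k_mac, list(header) + [msg])
    body = bytes(a ^ b for a, b in zip(msg, _keystream(k_enc, iv, len(msg))))
    return iv + body


def dae_decrypt(k_mac, k_enc, header, ct):
    # Returns the plaintext, or None if the ciphertext or header is not authentic.
    if len(ct) < TAG_LEN:
        return None
    iv, body = ct[:TAG_LEN], ct[TAG_LEN:]
    msg = bytes(a ^ b for a, b in zip(body, _keystream(k_enc, iv, len(body))))
    if not hmac.compare_digest(iv, _prf(k_mac, list(header) + [msg])):
        return None
    return msg
```

For key wrap, call `dae_encrypt` with the key material as `msg` and any associated data as the header; for misuse-resistant AE, append the nonce as one more header component.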