SIV misuse-resistant AEAD

E437869

SIV misuse-resistant AEAD is a cryptographic scheme designed to provide authenticated encryption that remains secure even when nonces are misused or repeated.

All labels observed (2)

Label Occurrences
AES-GCM-SIV 1
SIV misuse-resistant AEAD canonical 1

How this entity was disambiguated

Statements (48)

Predicate Object
instanceOf authenticated encryption with associated data scheme
misuse-resistant AEAD scheme
advantageOver traditional AEAD when nonces are repeated
basedOn block cipher primitive
pseudorandom function
comparedTo standard AEAD modes like AES-GCM
component PRF-based synthetic IV computation
counter-mode encryption or similar stream-like encryption
definedIn RFC 5297 NERFINISHED
designFeature computes IV as a function of key, plaintext, and associated data
does not require unique nonces for security guarantees
encryption becomes deterministic for fixed key, plaintext, and associated data
hasMode AES-GCM-SIV NERFINISHED
AES-SIV NERFINISHED
hasProperty deterministic encryption
nonce-misuse resistant
provides ciphertext integrity
provides plaintext authenticity
resists nonce reuse attacks on confidentiality
resists nonce reuse attacks on integrity
supports associated data
introducedBy Phillip Rogaway NERFINISHED
Thomas Shrimpton NERFINISHED
introducedInPublication Deterministic Authenticated-Encryption: A Provable-Security Treatment of the Key-Wrap Problem NERFINISHED
introducedInYear 2006
limitation ciphertexts are not semantically secure against multi-target attacks if plaintexts repeat
determinism can reveal equality of plaintexts under same key and associated data
relatedConcept deterministic authenticated encryption
key wrap algorithms
nonce-based AEAD
requires secret key
unique key for security proofs
securityGoal authenticated encryption under nonce misuse
confidentiality of plaintext
integrity of associated data
integrity of ciphertext
securityModel IND-CPA-like confidentiality under nonce misuse
INT-CTXT-like integrity under nonce misuse
provable security under standard cryptographic assumptions
standardizedAs AES-GCM-SIV in RFC 8452 NERFINISHED
AES-SIV in RFC 5297 NERFINISHED
tradeOff higher computational cost than non-misuse-resistant AEAD
useCase environments where nonce uniqueness cannot be reliably guaranteed
key wrapping
protocols with weak or stateful nonce management
storage encryption
usesConstruction MAC-then-encrypt style design
synthetic IV

How these facts were elicited

Referenced by (2)

Full triples — surface form annotated when it differs from this entity's canonical label.

Phillip Rogaway notableWork SIV misuse-resistant AEAD
CFRG standardized SIV misuse-resistant AEAD
this entity surface form: AES-GCM-SIV