Join Log in
Score:2
avatar Crypto

Is using CFB in SIV secure?

cn flag
LightBit

Is SIV mode variant equally secure, if you replace CTR mode encryption with full-block CFB mode encryption?

CFB seems to be safe with predictable IV: Is using a predictable IV with CFB mode safe or not?

But is it safe with Encrypt-and-MAC like construction as SIV?

81
1 + 5
cfb
siv
Maarten Bodewes avatar
in flag
Maarten Bodewes
I don't know if it matters much, but do you have a specific MAC(-like) construction in mind? By itself CFB doesn't produce an authentication tag that can double as synthetic IV.
0
Reply
cn flag
LightBit
SIV usualy has CMAC.
1
Reply
Maarten Bodewes avatar
in flag
Maarten Bodewes
SIV usually also uses two separate keys (although they define those as one key, yuk). In that case the synthetic IV / tag would be fully differentiated from the cipher. This is why I'm asking, as otherwise we may have to assume MAC's that use the same keyed permutation and may possibly interfere with the security of CFB.
0
Reply
cn flag
LightBit
Yes, keys must be different for MAC and encryption. Problem is I don't know why SIV is secure while other Encrypt-and-MAC usually aren't. Maybe it is because IV is unprotected by MAC and you can change IV, which does not work in SIV because it is MAC at the same time. Am I right?
0
Reply
Maarten Bodewes avatar
in flag
Maarten Bodewes
You can see the 4 points about encrypt-and-MAC [here](https://crypto.stackexchange.com/a/205/1172). CFB is a stream mode so there shouldn't be any errors during decryption (e.g. padding oracle attacks should not be possible). Of course you should not use the plaintext without verifying but that's always the case. Completely repeated messages would of course show up, but that's an expected outcome. Otherwise I think it should be similar to CTR except that you cannot parallelize encryption.
1
Reply
Score:0
avatar Crypto
cn flag
LightBit

I have found this IETF expired draft.

It says:

E must be a length-preserving semantically-secure encryption scheme.

Also considering comments. I believe CFB or OFB can also be used in SIV.

ECB or CBC (without ciphertext stealing) would not be secure, because of padding which can cause errors while decrypting (not length-preserving).

0 + 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.