Score:1

Trying to understand SIV mode


I'm trying to wrap my head around the concept of SIV in the context of encryption. I understand the aspect of nonce misuse, etc. And I understand that the key feature of SIV is that it ensures that, while encrypting the same message with the same key will reveal that it is identical, it will not reveal anything else.

In particular, using the same key on different messages will not have the catastrophic issue with nonce reuse in other systems.

If I understand correctly, you can build a SIV mode of operation using:

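```python
def encrypt(msg, key):
    # Derive the 192-bit synthetic IV from the message
    siv = hash_shake256(msg, bits=192)
    # Use the SIV as the XChaCha20 nonce; return ciphertext and SIV
    return xchacha20(key, siv, msg), siv
```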

In other words, we first compute a keyed hash on the message, then use that value as the nonce for the actual encryption.

The output is the ciphertext as well as the generated SIV; both of them are safe to share without revealing anything to an adversary.

The security comes from the keyed hash function's non-reversible nature and the fact that for each msg we pass as input, we are assured that we won't have a duplicate nonce.

  • Am I understanding things correctly?
  • Is it safe to use the same key for both keyed hash and encryption?
  • I assume actual siv usage is a bit more than just hashing the input?
kelalaka:
There is already HS1-SIV; [Advantages of HS1-SIV over ChaCha20-Poly1305-SIV?](https://crypto.stackexchange.com/q/33068/18298) also [Would it be safe to use the message hash as the IV in ChaCha?](https://crypto.stackexchange.com/q/59886/18298)
kelalaka:
I've seen a SIV mode for ChaCha, however, I couldn't find the paper.
Maarten Bodewes:
What I don't understand from the question is that `hash_shake256` is used over just the message, but that you talk about "security comes from the **keyed** hash function". SHAKE256 is not a keyed hash function at all, you'd use e.g. KMAC for that (this is basically the same as SHA-256 vs HMAC-SHA-256).
Maarten Bodewes:
Note that HS1-SIV does use a keyed hash function, and that it actually XORs the result of that with the key before encryption. Yes, just using a plain hash is a bad idea. Anybody may know the hash, and anybody may know the ciphertext. That means that you can just flip bits in the hash output and message to get a valid result. It is absolutely required that you'd use a keyed hash.
kelalaka:
And note that, with XChaCha20, ChaCha20 doesn't need an SIV mode, since it has 192-bit nonces and random nonces are free from nonce collisions, never expected to see one!
SAI Peregrinus:
@kelalaka https://eprint.iacr.org/2020/067 may have been the paper you saw.
kelalaka:
@SAIPeregrinus yes, exactly, thanks.
Score:1

> Am I understanding things correctly?

SIV requires a MAC, not just a hash. A keyed hash can be used as a MAC. However, you do not have a keyed hash in your example (but you do say keyed hash).

> Is it safe to use the same key for both keyed hash and encryption?

Generally, different keys should be used for MAC and encryption, although in some cases it may be fine to use the same key, if the MAC and encryption are different enough. For example, if you use CBC-MAC and CTR both with AES, using the same key is bad. SIV mode defines how you derive the keys from the master key.

> I assume actual siv usage is a bit more than just hashing the input?

Well, again, you have to use a MAC. You should check an actual SIV variant for more details. For example, SIV with AES (CMAC and CTR): https://datatracker.ietf.org/doc/html/rfc5297
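
The points made in the comments and the answer above (a keyed MAC for the SIV, separate MAC and encryption keys, and a check on decryption), as an added example that is not part of the original thread and is neither RFC 5297 nor HS1-SIV. Assumptions of this sketch: keyed BLAKE2b serves as the MAC, a SHAKE256 keystream stands in for XChaCha20 so it runs with the standard library only, a 64-byte key is split into two halves, and all function names are hypothetical.

```python
import hashlib
import hmac

SIV_LEN = 24  # 192 bits, the nonce size used in the question


def _split(key: bytes) -> tuple[bytes, bytes]:
    # Assumption of this example: a 64-byte master key, first half for the
    # MAC and second half for encryption, so the two never share a key.
    if len(key) != 64:
        raise ValueError("key must be 64 bytes")
    return key[:32], key[32:]


def _keystream_xor(enc_key: bytes, siv: bytes, data: bytes) -> bytes:
    # Stand-in stream cipher built from SHAKE256 so the example runs
    # offline; a real design would call XChaCha20 with siv as the nonce.
    stream = hashlib.shake_256(enc_key + siv).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def _tag(mac_key: bytes, msg: bytes) -> bytes:
    # Keyed hash (BLAKE2b in keyed mode) used as the MAC that yields the SIV.
    return hashlib.blake2b(msg, key=mac_key, digest_size=SIV_LEN).digest()


def encrypt(key: bytes, msg: bytes) -> tuple[bytes, bytes]:
    mac_key, enc_key = _split(key)
    siv = _tag(mac_key, msg)  # deterministic: same key + msg -> same SIV
    return _keystream_xor(enc_key, siv, msg), siv


def decrypt(key: bytes, ciphertext: bytes, siv: bytes) -> bytes:
    mac_key, enc_key = _split(key)
    msg = _keystream_xor(enc_key, siv, ciphertext)
    # The SIV doubles as the authentication tag: recompute it over the
    # recovered plaintext and compare in constant time.
    if not hmac.compare_digest(_tag(mac_key, msg), siv):
        raise ValueError("authentication failed")
    return msg


if __name__ == "__main__":
    demo_key = bytes(range(64))  # constructed sample key, not a real secret
    ct, siv = encrypt(demo_key, b"same message")
    print(ct.hex(), siv.hex(), decrypt(demo_key, ct, siv))
```

Because the SIV is recomputed under a secret key during decryption, a modified ciphertext or SIV is rejected instead of decrypting to a different valid-looking message.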
