Join Log in
Score:0
Hern avatar Crypto

Is my domain separation in stream cipher and MAC accepted?

is flag
Hern

I would like to implement domain separation in encryption/decryption along with MAC.

The encryption algorithms consists of XChaCha20,XSalsa20,SM4 From China and MAC algorithms consist of HMAC-SHA512 and Poly1305.

Some proposed the following for domain separation encryption and decryption.

  1. Have 2 variables, EKey and MKey.
  2. Create 2 new variables, NewEKey and NewMKey.
  3. NewEKey = Blake2B(EKey,MKey) [Keyed Hash]
  4. NewMKey = Blake2B(NewEKey,MKey) [Keyed Hash]

Are there any security issues if NewEKey and NewMKey were used for encryption and computing MAC instead of just using EKey and MKey? How would an actual secure domain separation in encryption and MAC computation works?

67
0 + 8
samuel-lucas6 avatar
bs flag
samuel-lucas6
I did an [answer](https://crypto.stackexchange.com/a/101613/102678) on this a while ago. What you're doing sounds overcomplicated. Domain separation is normally just changing a KDF info/context string, slicing a larger hash output in half, or similar.
0
Reply
Hern avatar
is flag
Hern
I don't have the time to read the answer in detail. However, in normal KDF situation, isn't it like putting all eggs in one basket? As breaking 1 key is all it needs to know the encryption and MAC key?
0
Reply
samuel-lucas6 avatar
bs flag
samuel-lucas6
That's how key derivation is performed in practice. If you look at AEAD schemes, they derive the MAC key from the encryption key as well.
0
Reply
Hern avatar
is flag
Hern
I have a rough look at the paper you created and submitted. Is it really that good of an idea to just use the input key and derive 2 keys from it? I think that it might not be ideal as brute forcing that corresponding input key kinda renders both the derived keys useless and might pose a security issue.
0
Reply
samuel-lucas6 avatar
bs flag
samuel-lucas6
That's common practice. Look at real protocols and existing AEAD schemes if you don't believe me. There's no security issue because a 128- or 256-bit key cannot be brute forced, even by a future quantum computer. You're being concerned about something that you don't need to worry about. It's even fine to use the same key for encryption and authentication as long as the two algorithms are sufficiently unrelated (e.g. AES and HMAC). For committing security, deriving two keys from the same key or using a single key is required.
0
Reply
Hern avatar
is flag
Hern
H(EncryptionKey|MACKey|Nonce|CipherText|EncryptionKeyLength|MACKeyLength|NonceLength|CipherTextLength) By using Blake2B to hash this value and put this corresponding value into a MAC algorithm, can this be good or it's a unnecessary operation?
0
Reply
samuel-lucas6 avatar
bs flag
samuel-lucas6
That's unnecessarily overcomplicated.
0
Reply
Hern avatar
is flag
Hern
I think .. I use digital signature to apply for key commitment and just use 2 keys in parameters instead of KDF them. That might be the easiest and most understandable from my point of view.
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.