
Is my domain separation in stream cipher and MAC accepted?


I would like to implement domain separation in encryption/decryption along with MAC.

The encryption algorithms consist of XChaCha20, XSalsa20 and SM4 (from China), and the MAC algorithms consist of HMAC-SHA512 and Poly1305.

Someone proposed the following for domain separation in encryption and decryption.

  1. Have 2 variables, EKey and MKey.
  2. Create 2 new variables, NewEKey and NewMKey.
  3. NewEKey = Blake2B(EKey,MKey) [Keyed Hash]
  4. NewMKey = Blake2B(NewEKey,MKey) [Keyed Hash]

Are there any security issues if NewEKey and NewMKey were used for encryption and computing the MAC instead of just using EKey and MKey? How would an actually secure domain separation in encryption and MAC computation work?

samuel-lucas6:
I did an [answer](https://crypto.stackexchange.com/a/101613/102678) on this a while ago. What you're doing sounds overcomplicated. Domain separation is normally just changing a KDF info/context string, slicing a larger hash output in half, or similar.
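The two patterns named in that comment (a per-purpose context string on a keyed hash or KDF, and slicing one wide hash output in half), as an added example in Python that is not part of the original post or the linked answer. It uses only the standard library: keyed BLAKE2b with its `person` parameter as the context, HKDF-Expand (RFC 5869) over HMAC-SHA512 with an `info` label, and HMAC-SHA512 as the MAC from the question. The master key and the context strings are constructed for the example and carry no meaning beyond it.

```python
import hashlib
import hmac

# Constructed 32-byte master key for the example (not a real secret).
MASTER_KEY = bytes(range(32))


def blake2b_subkey(master_key: bytes, context: bytes, length: int = 32) -> bytes:
    """Derive a subkey with keyed BLAKE2b, separated by a personalization string.

    The master key goes into BLAKE2b's key slot; `context` (at most 16 bytes,
    the limit of BLAKE2b's `person` parameter) names the purpose. Different
    contexts give independent-looking subkeys from the same master key.
    """
    if not 1 <= length <= 64:
        raise ValueError("BLAKE2b digest size must be between 1 and 64 bytes")
    if len(context) > 16:
        raise ValueError("BLAKE2b personalization is limited to 16 bytes")
    return hashlib.blake2b(key=master_key, person=context, digest_size=length).digest()


def split_subkeys(master_key: bytes):
    """The other common pattern: one 64-byte keyed hash, sliced into two 32-byte keys."""
    out = hashlib.blake2b(key=master_key, person=b"enc||mac split", digest_size=64).digest()
    return out[:32], out[32:]


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869, section 2.3) with HMAC-SHA512; `info` is the domain label."""
    hash_len = hashlib.sha512().digest_size  # 64
    if length > 255 * hash_len:
        raise ValueError("requested length too large for HKDF-Expand")
    okm = b""
    block = b""  # T(0) is the empty string
    counter = 1
    while len(okm) < length:
        # T(i) = HMAC(PRK, T(i-1) || info || i)
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha512).digest()
        okm += block
        counter += 1
    return okm[:length]


def hmac_sha512_tag(mac_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC tag over nonce || ciphertext with the derived MAC key."""
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha512).digest()


def verify_tag(mac_key: bytes, nonce: bytes, ciphertext: bytes, tag: bytes) -> bool:
    """Constant-time tag check; never compare MAC tags with ==."""
    return hmac.compare_digest(hmac_sha512_tag(mac_key, nonce, ciphertext), tag)


def demo() -> dict:
    """Derive an encryption key and a MAC key from one master key, then tag a message."""
    enc_key = blake2b_subkey(MASTER_KEY, b"xchacha20 key")     # hypothetical label
    mac_key = blake2b_subkey(MASTER_KEY, b"hmac-sha512 key")   # hypothetical label
    nonce = bytes(24)                                          # constructed, zero nonce
    ciphertext = b"constructed ciphertext bytes"               # stands in for cipher output
    tag = hmac_sha512_tag(mac_key, nonce, ciphertext)
    return {"enc_key": enc_key, "mac_key": mac_key, "tag": tag}


if __name__ == "__main__":
    result = demo()
    print("enc_key:", result["enc_key"].hex())
    print("mac_key:", result["mac_key"].hex())
    print("tag:    ", result["tag"].hex())
```

All three derivations are deterministic, so both parties holding the master key obtain the same subkeys; the separation comes entirely from the differing label or output slice, not from any secret beyond the master key.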
Hern:
I don't have the time to read the answer in detail. However, in a normal KDF situation, isn't it like putting all eggs in one basket, as breaking one key is all it takes to know both the encryption and MAC key?
samuel-lucas6:
That's how key derivation is performed in practice. If you look at AEAD schemes, they derive the MAC key from the encryption key as well.
Hern:
I had a rough look at the paper you created and submitted. Is it really that good of an idea to just use the input key and derive 2 keys from it? I think that it might not be ideal, as brute forcing that corresponding input key kind of renders both the derived keys useless and might pose a security issue.
samuel-lucas6:
That's common practice. Look at real protocols and existing AEAD schemes if you don't believe me. There's no security issue because a 128- or 256-bit key cannot be brute forced, even by a future quantum computer. You're being concerned about something that you don't need to worry about. It's even fine to use the same key for encryption and authentication as long as the two algorithms are sufficiently unrelated (e.g. AES and HMAC). For committing security, deriving two keys from the same key or using a single key is required.
Hern:
`H(EncryptionKey | MACKey | Nonce | CipherText | EncryptionKeyLength | MACKeyLength | NonceLength | CipherTextLength)`: by using Blake2B to hash this value and putting the corresponding value into a MAC algorithm, can this be good, or is it an unnecessary operation?
samuel-lucas6:
That's unnecessarily overcomplicated.
Hern:
I think I'll use a digital signature to apply key commitment and just use 2 keys as parameters instead of KDFing them. That might be the easiest and most understandable from my point of view.