AES SIV
AES-SIV is an authenticated encryption mode of AES which provides nonce-reuse misuse resistance: repeating a nonce reveals only whether two messages (with the same headers) were identical, instead of compromising confidentiality or integrity. Described in RFC 5297, it combines the AES-CTR (NIST SP 800-38A) mode of encryption with the AES-CMAC (NIST SP 800-38B) function for integrity. It was originally defined in the paper Deterministic Authenticated-Encryption: A Provable-Security Treatment of the Key-Wrap Problem.
A parallelized variant of AES-SIV is available in the form of the AES-PMAC-SIV function.
This section provides a more in-depth exploration of how the AES-SIV function operates.
Encryption takes the following inputs:
- AES-CMAC and AES-CTR keys: K1 and K2
- Zero or more message headers: H1 through Hm
- Plaintext message: M
and produces the following outputs:
- Initialization vector: IV
- Ciphertext message: C
AES-SIV first runs the S2V construction of RFC 5297, which is built from AES-CMAC, under K1 over the message headers H1 through Hm and the plaintext M. The 128-bit result is the synthetic IV (SIV). That IV is then used as the initial counter block for AES-CTR encryption of M under K2, producing C; before use, bits 31 and 63 of the counter block are cleared, as RFC 5297 specifies, so that implementations can increment the counter in 32-bit or 64-bit words without carries. The IV is transmitted together with the ciphertext (RFC 5297 writes the output as IV || C) and doubles as the authentication tag. Because the IV is derived deterministically from the key, headers and plaintext, encrypting the same inputs twice yields identical output; a nonce, when one is used, is simply supplied as the last header.
Decryption takes the following inputs:
- AES-CMAC and AES-CTR keys: K1 and K2
- Zero or more message headers: H1 through Hm
- Initialization vector: IV
- Ciphertext message: C
and produces the following output:
- Plaintext message: M
To decrypt a message, AES-SIV first performs AES-CTR decryption of C under K2, using the supplied IV (with the same two bits cleared) as the initial counter block, which yields a candidate plaintext. It then recomputes S2V under K1 over the message headers H1 through Hm and the candidate plaintext, giving IV'. If IV' does not match the IV that was supplied (the comparison should be constant-time), the decryption operation is aborted and nothing is returned: the candidate plaintext has not been authenticated and must never be released to the caller. Otherwise we've authenticated the original plaintext and can return it.
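The following Go program is an added example for both the encryption and the decryption procedures described above; it is not code from this wiki or from the project, and the names xor16, dbl, pad16, cmac, s2v, mustAES, ctrStream, sivEncrypt and sivDecrypt are the example's own. It implements AES-CMAC, S2V, and SIV encryption and decryption as in RFC 5297 on top of Go's standard-library AES and CTR, and reproduces the deterministic test vector from RFC 5297 Appendix A.1 (one header, no nonce). The key is K1 || K2, so a 32-byte key selects AES-128-SIV.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

func xor16(a, b []byte) []byte { // XOR of the first 16 bytes of a and b
	out := make([]byte, 16)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}
func dbl(b []byte) []byte { // doubling in GF(2^128), RFC 5297 section 2.3
	out, carry := make([]byte, 16), byte(0)
	for i := 15; i >= 0; i-- {
		out[i], carry = b[i]<<1|carry, b[i]>>7
	}
	out[15] ^= 0x87 & -carry // reduce by x^128 + x^7 + x^2 + x + 1 if a bit was shifted out
	return out
}
func pad16(b []byte) []byte { // 10* padding of a string shorter than one block
	p := make([]byte, 16)
	copy(p, b)
	p[len(b)] = 0x80
	return p
}

// cmac computes AES-CMAC (NIST SP 800-38B) of msg under blk.
func cmac(blk cipher.Block, msg []byte) []byte {
	l := make([]byte, 16)
	blk.Encrypt(l, l) // L = AES_K(0); subkeys are K1 = dbl(L), K2 = dbl(K1)
	x, k, n := make([]byte, 16), dbl(l), len(msg)
	if cut := n - n%16; n%16 != 0 || n == 0 { // incomplete or empty last block: pad it, use K2
		msg, k = append(msg[:cut:cut], pad16(msg[cut:])...), dbl(k)
	}
	for i := 0; i < len(msg)-16; i += 16 { // CBC-MAC over all but the last block
		blk.Encrypt(x, xor16(x, msg[i:]))
	}
	blk.Encrypt(x, xor16(x, xor16(msg[len(msg)-16:], k)))
	return x
}

// s2v is the string-to-vector function of RFC 5297 section 2.4 (SIV always passes at
// least the plaintext, so the zero-strings case is omitted).
func s2v(blk cipher.Block, strs [][]byte) []byte {
	d := cmac(blk, make([]byte, 16)) // CMAC of the zero block
	for _, s := range strs[:len(strs)-1] {
		d = xor16(dbl(d), cmac(blk, s))
	}
	last := strs[len(strs)-1]
	if len(last) < 16 {
		return cmac(blk, xor16(dbl(d), pad16(last)))
	}
	t := append([]byte(nil), last...) // xorend: XOR d into the final 16 bytes
	copy(t[len(t)-16:], xor16(t[len(t)-16:], d))
	return cmac(blk, t)
}

func mustAES(k []byte) cipher.Block { // a wrong key length is a programming error
	b, err := aes.NewCipher(k)
	if err != nil {
		panic(err)
	}
	return b
}
func ctrStream(k2, iv []byte) cipher.Stream { // CTR from the IV with bits 31 and 63 cleared
	q := append([]byte(nil), iv...)
	q[8], q[12] = q[8]&0x7f, q[12]&0x7f
	return cipher.NewCTR(mustAES(k2), q)
}

// sivEncrypt returns IV || C. The key is K1 || K2: S2V key first, then the CTR key.
func sivEncrypt(key []byte, headers [][]byte, plaintext []byte) []byte {
	k1, k2 := key[:len(key)/2], key[len(key)/2:]
	iv := s2v(mustAES(k1), append(append([][]byte{}, headers...), plaintext))
	out := append(iv, plaintext...)
	ctrStream(k2, iv).XORKeyStream(out[16:], out[16:])
	return out
}

// sivDecrypt CTR-decrypts C under the supplied IV, recomputes IV' over the headers and
// candidate plaintext, and releases the plaintext only if IV' matches IV.
func sivDecrypt(key []byte, headers [][]byte, ciphertext []byte) ([]byte, error) {
	if len(ciphertext) < 16 {
		return nil, errors.New("ciphertext shorter than the 16-byte IV")
	}
	k1, k2, iv, c := key[:len(key)/2], key[len(key)/2:], ciphertext[:16], ciphertext[16:]
	candidate := make([]byte, len(c))
	ctrStream(k2, iv).XORKeyStream(candidate, c)
	ivPrime := s2v(mustAES(k1), append(append([][]byte{}, headers...), candidate))
	if subtle.ConstantTimeCompare(iv, ivPrime) != 1 {
		return nil, errors.New("AES-SIV authentication failed") // candidate is discarded
	}
	return candidate, nil
}

func main() { // RFC 5297 Appendix A.1 test vector: AES-128-SIV, one header, no nonce
	key, _ := hex.DecodeString("fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff")
	ad, _ := hex.DecodeString("101112131415161718191a1b1c1d1e1f2021222324252627")
	pt, _ := hex.DecodeString("112233445566778899aabbccddee")
	fmt.Printf("IV || C = %x\n", sivEncrypt(key, [][]byte{ad}, pt))
}
```

Running it prints the RFC's expected output 85632d07c6e8f37f950acd320a2ecc9340c02b9690c4dc04daef7f6afe5c, the first 16 bytes being the synthetic IV. Note that sivDecrypt returns nil rather than the candidate plaintext on failure, and that the IV comparison uses subtle.ConstantTimeCompare; both matter in practice, since the IV is the authentication tag.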