
I would like to implement domain separation in encryption/decryption along with MAC.

The encryption algorithms consist of XChaCha20, XSalsa20 and SM4 (from China), and the MAC algorithms consist of HMAC-SHA512 and Poly1305.

Some have proposed the following for domain separation in encryption and decryption.

  1. Have 2 variables, EKey and MKey.
  2. Create 2 new variables, NewEKey and NewMKey.
  3. NewEKey = Blake2B(EKey,MKey) [Keyed Hash]
  4. NewMKey = Blake2B(NewEKey,MKey) [Keyed Hash]

Are there any security issues if NewEKey and NewMKey were used for encryption and computing the MAC instead of just using EKey and MKey? How would actual secure domain separation in encryption and MAC computation work?

Hern
  • I did an answer on this a while ago. What you're doing sounds overcomplicated. Domain separation is normally just changing a KDF info/context string, slicing a larger hash output in half, or similar. – samuel-lucas6 Mar 19 '23 at 13:01
  • I don't have the time to read the answer in detail. However, in a normal KDF situation, isn't it like putting all your eggs in one basket, as breaking one key is all it takes to know both the encryption and MAC key? – Hern Mar 20 '23 at 02:22
  • That's how key derivation is performed in practice. If you look at AEAD schemes, they derive the MAC key from the encryption key as well. – samuel-lucas6 Mar 20 '23 at 07:59
  • I had a rough look at the paper you created and submitted. Is it really that good an idea to just use the input key and derive 2 keys from it? I think that it might not be ideal, as brute-forcing the corresponding input key kind of renders both derived keys useless and might pose a security issue. – Hern Mar 20 '23 at 09:13
  • That's common practice. Look at real protocols and existing AEAD schemes if you don't believe me. There's no security issue because a 128- or 256-bit key cannot be brute forced, even by a future quantum computer. You're being concerned about something that you don't need to worry about. It's even fine to use the same key for encryption and authentication as long as the two algorithms are sufficiently unrelated (e.g. AES and HMAC). For committing security, deriving two keys from the same key or using a single key is required. – samuel-lucas6 Mar 20 '23 at 18:20
  • H(EncryptionKey|MACKey|Nonce|CipherText|EncryptionKeyLength|MACKeyLength|NonceLength|CipherTextLength)

    By using Blake2B to hash this value and putting the result into a MAC algorithm, would this be good, or is it an unnecessary operation?

    – Hern Mar 21 '23 at 00:27
  • That's unnecessarily overcomplicated. – samuel-lucas6 Mar 21 '23 at 18:19
  • I think I'll use a digital signature for key commitment and just use the 2 keys as parameters instead of deriving them with a KDF. That might be the easiest and most understandable from my point of view. – Hern Mar 22 '23 at 00:53
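The following is an added example, not code from the question or from any of the commenters, and it is written in Python against `hashlib.blake2b`. Part 1 implements steps 1-4 of the question's proposal (two independent input keys chained through keyed BLAKE2b); the question writes `Blake2B(EKey,MKey) [Keyed Hash]` without saying which argument is the key, so the code assumes the second argument is the BLAKE2b key and the first is the message. Part 2 implements the two forms of ordinary domain separation described in the comments: one input key with a different context string per subkey, and one 64-byte keyed digest sliced in half. The 32-byte subkey length, the labels `b"enc"`/`b"mac"`, and the sample keys are constructed for illustration.

```python
"""Deriving separate encryption and MAC keys with BLAKE2b (hashlib).

Added example, not code from the question or the comments. Part 1 follows
steps 1-4 of the question; part 2 follows the comments' description of
ordinary domain separation (one input key, a context string or a sliced
digest). The key length, the labels b"enc"/b"mac" and the sample keys are
constructed for illustration.
"""
import hashlib
from typing import Callable, Tuple

KEY_LEN = 32  # 256-bit subkeys, enough for XChaCha20/XSalsa20 and HMAC-SHA512


def proposed_derivation(e_key: bytes, m_key: bytes) -> Tuple[bytes, bytes]:
    """Steps 3 and 4 of the question.

    Assumption: in Blake2B(X, MKey) the second argument (MKey) is the BLAKE2b
    key and the first is the hashed message; the question does not say.
    """
    # Step 3: NewEKey = Blake2B(EKey, MKey)
    new_e_key = hashlib.blake2b(e_key, key=m_key, digest_size=KEY_LEN).digest()
    # Step 4: NewMKey = Blake2B(NewEKey, MKey). Because it is chained through
    # NewEKey, changing either input key changes both outputs.
    new_m_key = hashlib.blake2b(new_e_key, key=m_key, digest_size=KEY_LEN).digest()
    return new_e_key, new_m_key


def context_derivation(master_key: bytes) -> Tuple[bytes, bytes]:
    """Comment-style separation: one key, different context (person) strings.

    BLAKE2b personalization is capped at 16 bytes; hashlib raises if longer.
    """
    enc_key = hashlib.blake2b(key=master_key, person=b"enc", digest_size=KEY_LEN).digest()
    mac_key = hashlib.blake2b(key=master_key, person=b"mac", digest_size=KEY_LEN).digest()
    return enc_key, mac_key


def split_derivation(master_key: bytes) -> Tuple[bytes, bytes]:
    """Comment-style separation: one 64-byte keyed digest sliced in half."""
    out = hashlib.blake2b(b"enc+mac", key=master_key, digest_size=2 * KEY_LEN).digest()
    return out[:KEY_LEN], out[KEY_LEN:]


def subkeys_are_distinct(derive: Callable[..., Tuple[bytes, bytes]], *keys: bytes) -> bool:
    """Sanity check: the two subkeys differ, have the expected length, and the
    derivation is deterministic (same inputs give the same outputs)."""
    a, b = derive(*keys)
    a2, b2 = derive(*keys)
    return a != b and len(a) == len(b) == KEY_LEN and (a, b) == (a2, b2)


if __name__ == "__main__":
    # Constructed sample keys; real keys must come from a CSPRNG (os.urandom).
    e_key = bytes(range(32))
    m_key = bytes(range(32, 64))
    print("proposed (EKey, MKey):", subkeys_are_distinct(proposed_derivation, e_key, m_key))
    print("context string       :", subkeys_are_distinct(context_derivation, e_key))
    print("sliced digest        :", subkeys_are_distinct(split_derivation, e_key))
```

All three derivations are deterministic and produce two distinct 32-byte subkeys; the difference is in how many secret inputs they start from, which is exactly the point debated in the comments above.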
