Is there any functional or strong security difference beyond speed between

  1. AES-GCM-SIV with implicit fixed public IV and no additional data
  2. AES-CTR (or AES-OFB) with 128-bit IV computed per HMAC-SHA-512 on the message, included at start of ciphertext, and checked on decryption

when used with a key of the same length, 128 or 256-bit?

And if 2 was not proper deterministic symmetric authenticated encryption (when the total amount of plaintext encrypted under a given key remains well below the birthday bound), I also want to know!

fgrieu
  • Alright, sorry, new question: any reason not to use SHA-256 for it? Are you just maxing security? Your key size is more in line with HMAC-SHA-256 and processors nowadays have accelerators for it... – Maarten Bodewes Oct 19 '20 at 08:04
  • Somewhat related: https://crypto.stackexchange.com/questions/41426/is-this-method-of-generating-initialisation-vector-for-cipher-block-chaining-sec – Ilmari Karonen Oct 19 '20 at 08:07
  • @Maarten Bodewes: HMAC-SHA-256 only claims 128-bit security AFAIK (even truncated to 128-bit, which perhaps could help against key-recovery attacks), and I wanted to include 256-bit key in the question. If security of 2 with SHA-256 could be shown equivalent to that of AES-GCM-SIV for 256-bit key, that would be interesting. Obviously, we can hope at best 128-bit resistance to online forgery attempts. – fgrieu Oct 19 '20 at 08:07
  • Relevant papers for the AES-GCM-SIV portion of this question: first second third fourth with the last one probably having the best chances at having the desired bound(s). – SEJPM Oct 19 '20 at 10:41
  • Concretizing my previous comment: I'm pretty sure that the second construction breaks down (in terms of nonce misuse resistance) as soon as the underlying randomized counter mode would break down (HMAC is a PRF and good for way more messages than CTR could possibly have distinct nonces). If I remember correctly there were issues with AES-GCM-SIV which would bring it down (way) sooner than expected on nonce reuse though rarely enough to compensate for the occasional reuse (but not for a systematic one). – SEJPM Oct 20 '20 at 09:13
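
Construction 2 from the question, written out as an added Go example (it is not code from the question or its comments): the 128-bit IV is HMAC-SHA-512 of the message, it is prepended to the AES-CTR ciphertext, and it is recomputed and compared on decryption. The function names, and the split of the single key into an AES key and an HMAC key under the labels "enc" and "mac", are assumptions of the example; the question does not say how the key is shared between the two primitives.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha512"
	"fmt"
)

// prf is HMAC-SHA-512 under key k.
func prf(k, data []byte) []byte {
	m := hmac.New(sha512.New, k)
	m.Write(data)
	return m.Sum(nil)
}

// keys splits one 128- or 256-bit key into an AES key and an HMAC key (assumed derivation).
func keys(key []byte) (cipher.Block, []byte, error) {
	if len(key) != 16 && len(key) != 32 {
		return nil, nil, fmt.Errorf("key must be 16 or 32 bytes, got %d", len(key))
	}
	block, err := aes.NewCipher(prf(key, []byte("enc"))[:len(key)])
	return block, prf(key, []byte("mac")), err
}

// Seal returns IV || AES-CTR(msg), IV = HMAC-SHA-512(msg) truncated to 128 bits.
func Seal(block cipher.Block, macKey, msg []byte) []byte {
	out := make([]byte, aes.BlockSize+len(msg))
	copy(out, prf(macKey, msg)[:aes.BlockSize])
	cipher.NewCTR(block, out[:aes.BlockSize]).XORKeyStream(out[aes.BlockSize:], msg)
	return out
}

// Open decrypts, recomputes the IV from the result, and returns no plaintext on mismatch.
func Open(block cipher.Block, macKey, ct []byte) ([]byte, error) {
	if len(ct) < aes.BlockSize {
		return nil, fmt.Errorf("ciphertext shorter than the IV")
	}
	iv, msg := ct[:aes.BlockSize], make([]byte, len(ct)-aes.BlockSize)
	cipher.NewCTR(block, iv).XORKeyStream(msg, ct[aes.BlockSize:])
	if !hmac.Equal(prf(macKey, msg)[:aes.BlockSize], iv) { // constant-time comparison
		return nil, fmt.Errorf("authentication failed")
	}
	return msg, nil
}
func main() {
	block, macKey, _ := keys(make([]byte, 32)) // constructed all-zero demo key
	fmt.Printf("%x\n", Seal(block, macKey, []byte("constructed sample")))
}
```

Sealing the same message twice under the same key yields identical bytes, so equality of plaintexts is visible to an observer, which is inherent to any deterministic scheme.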
