Trying to understand SIV mode

Question

I'm trying to wrap my head around the concept of SIV in the context of encryption. I understand the aspect of nonce misuse, etc. And I understand that the key feature for SIV is that they ensure that while encrypting the same message with the same key will reveal that it is identical, it will not reveal anything else.

In particular, using the same key on different messages will not have the catastrophic issue with nonce reuse in other system.

If I understand correctly, you can build a SIV mode of operation using:

def encrypt(msg, key):
   siv = hash_shake256(bits=192, msg)
   return xchacha20(key, siv, msg), siv

In other words, we first compute a keyed hash on the message, then use that value as the nonce for the actual encryption.

The output is the cipher text as well as the generated siv, both of them are safe to share without revealing anything to an adversary.

The security comes from the keyed hash function non reversible nature and the fact that for each msg we pass as input, we are ensured that we won't have a duplicate nonce.

Am I understanding things correctly?
Is it safe to use the same key for both keyed hash and encryption?
I assume actual siv usage is a bit more than just hashing the input?

There is already HS1-SIV; Advantages of HS1-SIV over ChaCha20-Poly1305-SIV? also Would it be safe to use the message hash as the IV in ChaCha? — kelalaka, Oct 22 '21 at 09:35
I've seen a SIV mode for ChaCha, however, I couldn't find the paper. — kelalaka, Oct 22 '21 at 10:06
What I don't understand from the question is that hash_shake256 is used over just the message, but that you talk about "security comes from the keyed hash function". SHAKE256 is not a keyed hash function at all, you'd use e.g. KMAC for that (this is basically the same as SHA-256 vs HMAC-SHA-256). — Maarten Bodewes, Oct 22 '21 at 14:46
Note that HS1-SIV does use a keyed hash function, and that it actually XOR's the result of that with the key before encryption. Yes, just using a plain hash is a bad idea. Anybody may know the hash, and anybody may know the ciphertext. That means that you can just flip bits in the hash output and message to get a valid result. It is absolutely required that you'd use a keyed hash. — Maarten Bodewes, Oct 22 '21 at 14:52
And note that, with XChaCha20, ChaCha20 doesn't need an SIV mode, since it has 192-bit nonces and random nonces are free from nonce collisions, never expected to see one! — kelalaka, Oct 22 '21 at 15:12
@kelalaka https://eprint.iacr.org/2020/067 may have been the paper you saw. — SAI Peregrinus, Oct 22 '21 at 17:08

LightBit · Answer 1 · 2021-10-22T17:58:41.873

Am I understanding things correctly?

SIV requires MAC, not just hash. Keyed hash can be used as MAC. However, you do not have a keyed hash in your example (but you do say keyed hash).

Is it safe to use the same key for both keyed hash and encryption?

Generally different key should be used for MAC and encryption. Although in some cases it may be fine with same key, if MAC and encryption are different enough. For example, if you use CBC-MAC and CTR both with AES, using same key is bad. SIV mode defines how you derive the keys from master key.

I assume actual siv usage is a bit more than just hashing the input?

Well, again you have to use MAC. You should check actual SIV variant for more details. For example SIV with AES (CMAC and CTR): https://datatracker.ietf.org/doc/html/rfc5297

Trying to understand SIV mode

1 Answers1