Re: [Cfrg] request for comments on "Generation of Deterministic Initialization Vectors (IVs) and Nonces"

Peter Gutmann <> Wed, 20 July 2011 07:50 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id BFF4D21F873A for <>; Wed, 20 Jul 2011 00:50:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.643
X-Spam-Status: No, score=-3.643 tagged_above=-999 required=5 tests=[AWL=-0.044, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id YJkrZ2xv1Fi5 for <>; Wed, 20 Jul 2011 00:50:16 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 9CF4B21F872F for <>; Wed, 20 Jul 2011 00:50:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;;; q=dns/txt; s=uoa; t=1311148217; x=1342684217; h=from:to:subject:cc:in-reply-to:message-id:date; z=From:=20Peter=20Gutmann=20<> |, |Subject:=20Re:=20[Cfrg]=20request=20for=20comments=20on =20"Generation=20of=20Deterministic=20Initialization=20Ve ctors=20(IVs)=20and=20Nonces"|,=20mcgr|In-Reply-To:=20<49fd928bf94d1d1920df676bb61f>|Message-Id:=20<E1QjRXj->|Date:=20Wed,=2020 =20Jul=202011=2019:50:07=20+1200; bh=fupqVjnY9wqsXfjNcJSoTbDFVGuhRCe0YLrOoK/hYkc=; b=tVmjTXbseq3ZVL2FWwNPsQLv7Q97rWK+QAdGiWwDhqHvLSIqUFoxOXWM lm0TzSd+CyTBwEro0EGTvhn98YyG0SS0vBOVbAGj6MebramdOzxmBVI02 zkw+fbYF7o/TGqC1LJSwVN77hNEBHn42cz7ghYg87vbM5WfMsCqtejBWF U=;
X-IronPort-AV: E=Sophos;i="4.67,233,1309694400"; d="scan'208";a="72896870"
X-Ironport-Source: - Outgoing - Outgoing
Received: from ([]) by with ESMTP/TLS/AES256-SHA; 20 Jul 2011 19:50:07 +1200
Received: from ([]) by with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.69) (envelope-from <>) id 1QjRXj-0005YD-Hz; Wed, 20 Jul 2011 19:50:07 +1200
Received: from pgut001 by with local (Exim 4.69) (envelope-from <>) id 1QjRXj-0002HE-HM; Wed, 20 Jul 2011 19:50:07 +1200
From: Peter Gutmann <>
In-Reply-To: <>
Message-Id: <>
Date: Wed, 20 Jul 2011 19:50:07 +1200
Subject: Re: [Cfrg] request for comments on "Generation of Deterministic Initialization Vectors (IVs) and Nonces"
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 20 Jul 2011 07:50:20 -0000

"Dan Harkins" <> writes:

>Let me remind everyone of SIV mode*. It's a CTR mode derivative but is
>resistant to nonce misuse. Unlike CBC, the nonce doesn't need to be
>unguessable. And it even provides a strong assurance of security if the nonce
>is reused.

Doesn't SIV require the entire message to be buffered, which makes it unusable
in streaming implementations?


Unless I've misinterpreted some part of Fig.3 and Fig.8 of RFC 5297, this
can't be used in a streaming implementation because the CMAC operation to
create the IV has to make a complete pass over the message before you can
start encrypting (this is also similar to a key-wrap mechanism that Colin
Plumb and I came up with for RFC 3211, although it'd need a tweak to use a
proper MAC for full integrity-protection, it was designed for non-expanding
512-byte disk sector encryption and dates from the early 1990s, so it predates
pretty much all of the work that newer modes and mechanisms are built on).
SIV is quite nice for something like 802.11, SRTP, DTLS, and others, but
unfortunately won't work as a general-purpose mechanism.

Are there any IP issues around SIV?