Annual International Conference on the Theory and Applications of Cryptographic Techniques

EUROCRYPT 2006: Advances in Cryptology - EUROCRYPT 2006 pp 373-390

A Provable-Security Treatment of the Key-Wrap Problem

  • Phillip Rogaway
  • Thomas Shrimpton
Conference paper

DOI: 10.1007/11761679_23

Volume 4004 of the book series Lecture Notes in Computer Science (LNCS)
Cite this paper as:
Rogaway P., Shrimpton T. (2006) A Provable-Security Treatment of the Key-Wrap Problem. In: Vaudenay S. (eds) Advances in Cryptology - EUROCRYPT 2006. EUROCRYPT 2006. Lecture Notes in Computer Science, vol 4004. Springer, Berlin, Heidelberg


We give a provable-security treatment for the key-wrap problem, providing definitions, constructions, and proofs. We suggest that key-wrap’s goal is security in the sense of deterministic authenticated-encryption (DAE), a notion that we put forward. We also provide an alternative notion, a pseudorandom injection (PRI), which we prove to be equivalent. We provide a DAE construction, SIV, analyze its concrete security, develop a blockcipher-based instantiation of it, and suggest that the method makes a desirable alternative to the schemes of the X9.102 draft standard. The construction incorporates a method to turn a PRF that operates on a string into an equally efficient PRF that operates on a vector of strings, a problem of independent interest. Finally, we consider IV-based authenticated-encryption (AE) schemes that are maximally forgiving of repeated IVs, a goal we formalize as misuse-resistant AE. We show that a DAE scheme with a vector-valued header, such as SIV, directly realizes this goal.

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Phillip Rogaway (1)
  • Thomas Shrimpton (2)
  1. Dept. of Computer Science, University of California, Davis, USA
  2. Dept. of Computer Science, Portland State University, Portland, USA