Following up on my own question:

> On Dec 24, 2014, at 3:44 PM, Jeffrey Goldberg <jeff...@goldmark.org> wrote:
>
> My big question is whether use of Key Wrap (RFC 3394) is recommended or not.

If I want provable security, then I should use a generated AEAD construction, but there is nothing known to be wrong with Key Wrap.

> My intuition is that the integrity check (see section 2.2.3 of
> http://www.ietf.org/rfc/rfc3394.txt )
> does more harm than good in providing necessary integrity checks.

My intuition was wrong. This is designed to prevent adaptive CCAs. (Though I still don’t fully understand how).

> I assume that this has been discussed somewhere, but my Google-fu is failing
> me today.
> Pointers to the literature would be welcome.

And the exact paper has already been written:

@incollection{rogaway2006provable,
  title={A provable-security treatment of the key-wrap problem},
  author={Rogaway, Phillip and Shrimpton, Thomas},
  booktitle={Advances in Cryptology-EUROCRYPT 2006},
  pages={373--390},
  year={2006},
  publisher={Springer}
}

As I see it from that paper the advantages of a key-wrap scheme over using a generic AEAD scheme are that

(a) it may be lighter weight in computation and size of ciphertext
(b) Defends against “IV misuse”.
(c) RFC 3394 has been around for a while and is widely available

Cheers,

-j
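The section 2.2.3 integrity check discussed in the message above, as an added example that is not part of the original post: a Go implementation of the RFC 3394 unwrap procedure, run against the RFC's section 4.1 test vector and a tampered copy of it. The function and variable names are this example's own, and the tampering is constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// RFC 3394 section 4.1 test vector, plus the section 2.2.3.1 default initial value.
var (
	rfcKEK, _     = hex.DecodeString("000102030405060708090A0B0C0D0E0F")
	rfcWrapped, _ = hex.DecodeString("1FA68B0A8112B447AEF34BD8FB5A7B829D3E862371D2CFE5")
	rfcKey, _     = hex.DecodeString("00112233445566778899AABBCCDDEEFF")
	iv            = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}
)

// Unwrap follows RFC 3394 section 2.2.2 and releases the key only if the
// recovered register A equals iv (the section 2.2.3 integrity check).
func Unwrap(kek, wrapped []byte) ([]byte, error) {
	c, err := aes.NewCipher(kek)
	if err != nil || len(wrapped) < 24 || len(wrapped)%8 != 0 {
		return nil, fmt.Errorf("bad KEK or wrapped-key length")
	}
	n, b := len(wrapped)/8-1, make([]byte, 16)
	buf := append([]byte{}, wrapped...) // buf[:8] is A, the rest is R[1..n]
	for t := 6 * n; t >= 1; t-- {
		r := buf[8*((t-1)%n+1):][:8] // R[i], where t = n*j + i
		binary.BigEndian.PutUint64(b, binary.BigEndian.Uint64(buf)^uint64(t))
		copy(b[8:], r)
		c.Decrypt(b, b) // B = AES-1(K, (A ^ t) | R[i]) in the RFC's notation
		copy(buf, b[:8])
		copy(r, b[8:])
	}
	if subtle.ConstantTimeCompare(buf[:8], iv) != 1 {
		return nil, fmt.Errorf("integrity check failed")
	}
	return buf[8:], nil
}

func main() {
	key, err := Unwrap(rfcKEK, rfcWrapped)
	fmt.Printf("intact:   %X %v\n", key, err)
	bad := append([]byte{}, rfcWrapped...)
	bad[23] ^= 0x01 // constructed tampering: flip one bit in the last block
	key, err = Unwrap(rfcKEK, bad)
	fmt.Printf("tampered: %X %v\n", key, err)
}
```

The wrapped value is 24 bytes for a 16-byte key, so the integrity check costs one 64-bit block of ciphertext expansion, and the caller supplies no IV or nonce.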