> As I see it from that paper the advantages of a key-wrap scheme over using a
> generic AEAD scheme are that
> 
> (a) it may be lighter weight in computation and size of ciphertext
> (b) Defends against “IV misuse”.
> (c) RFC 3394 has been around for a while and is widely available

The paper in question is available online:
https://eprint.iacr.org/2006/221.pdf

The construct in RFC 3394 is, I believe, the same as the one in Appendix A (from the
ANSI X9.102 draft standard).
The stated security goal is IND-CCA2. However, if you read further you will come
across this little gem:
"There is no proof of security, and the mechanism is so complex that providing
one would be difficult."

The suggested mode of operation for keywrap is SIV mode, which is documented both
in the above paper and in RFC 5297. It provides deterministic CCA encryption but
fails the indistinguishability-under-eavesdropping experiment (any two ciphertexts
encrypted under a given key that are equal correspond to the same plaintext).

Keywrap in SIV mode (without the additional data) is essentially: IV=MAC(k,P),
ENC(IV,k,P); the verification/integrity check is done after decryption by
recomputing the MAC, and ideally the MAC and encryption keys are distinct.

- Naveen
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
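The SIV-style keywrap sketched in the message above, as an added example that is not code from the original post, from RFC 5297, or from the cited paper. It follows the construction the post describes (IV = MAC(k_mac, AD || P), encrypt P under the synthetic IV, verify by recomputing the MAC after decryption, distinct MAC and encryption keys). To keep it runnable on the Python standard library alone, two stand-ins are assumed: HMAC-SHA256 in place of the AES-CMAC-based S2V of RFC 5297, and HMAC-SHA256 in counter mode in place of AES-CTR. Key and data values are constructed for the demonstration. The `demo()` function also shows the property the post calls out: wrapping the same plaintext twice under the same key gives the same ciphertext.

```python
import hashlib
import hmac

TAG_LEN = 16  # bytes of the MAC kept as the synthetic IV (RFC 5297 also uses 128 bits)

# Constructed sample keys and data for the demonstration; not real key material.
K_MAC = bytes(range(0x00, 0x20))   # MAC key (distinct from the encryption key)
K_ENC = bytes(range(0x20, 0x40))   # encryption key
SAMPLE_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # the key being wrapped
SAMPLE_AD = b"key-id=42"           # hypothetical associated data (e.g. a key identifier)


def _siv(k_mac: bytes, ad: bytes, plaintext: bytes) -> bytes:
    """IV = MAC(k_mac, AD || P), with a length prefix so AD/P boundaries are unambiguous.
    HMAC-SHA256 is assumed here as a stand-in for the AES-CMAC-based S2V of RFC 5297."""
    msg = len(ad).to_bytes(8, "big") + ad + plaintext
    return hmac.new(k_mac, msg, hashlib.sha256).digest()[:TAG_LEN]


def _keystream(k_enc: bytes, iv: bytes, n: int) -> bytes:
    """PRF in counter mode: block_i = HMAC(k_enc, IV || i), truncated to n bytes.
    Assumed stand-in for AES-CTR keyed with the synthetic IV as the initial counter."""
    out = bytearray()
    i = 0
    while len(out) < n:
        out += hmac.new(k_enc, iv + i.to_bytes(8, "big"), hashlib.sha256).digest()
        i += 1
    return bytes(out[:n])


def siv_wrap(k_mac: bytes, k_enc: bytes, plaintext: bytes, ad: bytes = b"") -> bytes:
    """Deterministic wrap: output is IV || CTR-encryption of plaintext under IV."""
    if k_mac == k_enc:
        # The post says the keys should ideally be distinct; this example insists on it.
        raise ValueError("MAC and encryption keys must be distinct")
    iv = _siv(k_mac, ad, plaintext)
    ks = _keystream(k_enc, iv, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))


def siv_unwrap(k_mac: bytes, k_enc: bytes, wrapped: bytes, ad: bytes = b"") -> bytes:
    """Decrypt first, then verify by recomputing the MAC over AD || P."""
    if len(wrapped) < TAG_LEN:
        raise ValueError("wrapped blob too short")
    iv, ct = wrapped[:TAG_LEN], wrapped[TAG_LEN:]
    ks = _keystream(k_enc, iv, len(ct))
    pt = bytes(c ^ k for c, k in zip(ct, ks))
    # Constant-time compare of the recomputed MAC against the transmitted IV.
    # On mismatch the plaintext is garbage or forged; never return it.
    if not hmac.compare_digest(_siv(k_mac, ad, pt), iv):
        raise ValueError("integrity check failed")
    return pt


def _rejects(k_mac: bytes, k_enc: bytes, wrapped: bytes, ad: bytes) -> bool:
    """True if unwrap refuses the input (the behaviour we want for tampered data)."""
    try:
        siv_unwrap(k_mac, k_enc, wrapped, ad)
    except ValueError:
        return True
    return False


def demo() -> dict:
    w = siv_wrap(K_MAC, K_ENC, SAMPLE_KEY, SAMPLE_AD)
    results = {
        "roundtrip": siv_unwrap(K_MAC, K_ENC, w, SAMPLE_AD) == SAMPLE_KEY,
        # Same key, same AD, same plaintext -> identical ciphertext. This is the
        # eavesdropping-indistinguishability failure the post describes, by design.
        "deterministic": w == siv_wrap(K_MAC, K_ENC, SAMPLE_KEY, SAMPLE_AD),
    }
    tampered = bytearray(w)
    tampered[-1] ^= 0x01                      # flip one ciphertext bit
    results["tamper_detected"] = _rejects(K_MAC, K_ENC, bytes(tampered), SAMPLE_AD)
    results["wrong_ad_detected"] = _rejects(K_MAC, K_ENC, w, b"key-id=43")
    return results


if __name__ == "__main__":
    print(demo())
```

Because the IV is a MAC of the plaintext, a caller cannot "misuse" it: there is no nonce to repeat or reuse, which is advantage (b) in the quoted list. The price is exactly the determinism shown by `demo()["deterministic"]`, which is why RFC 5297 lets you feed a nonce in as one of the associated-data strings when distinct ciphertexts for equal plaintexts are needed.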