[cryptography] Is KeyWrap (RFC 3394) vulnerable to CCAs?

Jeffrey Goldberg jeffrey at goldmark.org
Wed Dec 24 18:43:52 EST 2014

Following up on my own question:

> On Dec 24, 2014, at 3:44 PM, Jeffrey Goldberg <jeffrey at goldmark.org> wrote:
> My big question is whether use of Key Wrap (RFC 3394) is recommended or not.

If I want provable security, then I should use a generated AEAD construction, but there
is nothing known to be wrong with Key Wrap.

> My intuition is that the integrity check (see section 2.2.3 of http://www.ietf.org/rfc/rfc3394.txt )
> does more harm than good in providing necessary integrity checks.

My intuition was wrong. This is designed to prevent adaptive CCAs. (Though I still don’t fully
understand how).

> I assume that this has been discussed somewhere, but my Google-fu is failing me today.
> Pointers to the literature would be welcome.

And the exact paper has already been written:

  Phillip Rogaway and Thomas Shrimpton, "A provable-security treatment of the key-wrap problem",
  Advances in Cryptology (EUROCRYPT 2006).

As I see it from that paper, the advantages of a key-wrap scheme over using a
generic AEAD scheme are that

(a) it may be lighter weight in computation and size of ciphertext;
(b) it defends against “IV misuse”;
(c) RFC 3394 has been around for a while and is widely available.
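Added example (not code from the post, the RFC, or the cited paper): a direct Go implementation of the RFC 3394 wrap (section 2.2.1) and unwrap (section 2.2.2) steps using the standard library's AES, followed by the section 2.2.3 integrity check. It reproduces the RFC's section 4.1 test vector (128-bit KEK, 128-bit key data), shows that wrapping is deterministic, so there is no IV for a caller to misuse, and flips every bit of the ciphertext in turn to show that the recovered-IV check rejects each modification. The function names, the bit-flip loop and the length checks are this example's own choices, not part of the RFC.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// rfc3394IV is the default initial value A6A6A6A6A6A6A6A6 from RFC 3394
// section 2.2.3.1; Unwrap compares the recovered A against it.
var rfc3394IV = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// xorCounter XORs the 64-bit big-endian step counter t into the 8-byte a.
func xorCounter(a []byte, t uint64) {
	var tb [8]byte
	binary.BigEndian.PutUint64(tb[:], t)
	for k := range a {
		a[k] ^= tb[k]
	}
}

// Wrap is the index-based wrap of RFC 3394 section 2.2.1: six passes over the
// n 64-bit plaintext blocks, each step encrypting A|R[i] under the KEK.
func Wrap(kek, plaintext []byte) ([]byte, error) {
	if len(plaintext) < 16 || len(plaintext)%8 != 0 {
		return nil, errors.New("plaintext must be a multiple of 8 bytes and at least 16")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(plaintext) / 8
	out := make([]byte, 8*(n+1)) // out[0:8] is A, out[8*(i+1):8*(i+2)] is R[i]
	copy(out[:8], rfc3394IV)
	copy(out[8:], plaintext)
	b := make([]byte, 16)
	for j := 0; j < 6; j++ {
		for i := 0; i < n; i++ {
			r := out[8*(i+1) : 8*(i+2)]
			copy(b[:8], out[:8])
			copy(b[8:], r)
			block.Encrypt(b, b)
			copy(out[:8], b[:8])
			xorCounter(out[:8], uint64(n*j+i+1)) // t = (n*j)+i, with i counted from 1
			copy(r, b[8:])
		}
	}
	return out, nil
}

// Unwrap is RFC 3394 section 2.2.2 followed by the section 2.2.3 check:
// the recovered A must equal the IV, otherwise the ciphertext is rejected.
func Unwrap(kek, ciphertext []byte) ([]byte, error) {
	if len(ciphertext) < 24 || len(ciphertext)%8 != 0 {
		return nil, errors.New("ciphertext must be a multiple of 8 bytes and at least 24")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(ciphertext)/8 - 1
	buf := append([]byte(nil), ciphertext...)
	b := make([]byte, 16)
	for j := 5; j >= 0; j-- {
		for i := n - 1; i >= 0; i-- {
			r := buf[8*(i+1) : 8*(i+2)]
			copy(b[:8], buf[:8])
			xorCounter(b[:8], uint64(n*j+i+1))
			copy(b[8:], r)
			block.Decrypt(b, b)
			copy(buf[:8], b[:8])
			copy(r, b[8:])
		}
	}
	if !bytes.Equal(buf[:8], rfc3394IV) {
		return nil, errors.New("integrity check failed: recovered IV does not match")
	}
	return buf[8:], nil
}

// CountUndetectedBitFlips flips each bit of ct in turn and returns how many of
// the modified ciphertexts Unwrap accepts. Each forgery passes the 64-bit IV
// check with probability about 2^-64, so a correct implementation returns 0.
func CountUndetectedBitFlips(kek, ct []byte) int {
	undetected := 0
	for pos := 0; pos < len(ct)*8; pos++ {
		tampered := append([]byte(nil), ct...)
		tampered[pos/8] ^= 1 << uint(pos%8)
		if _, err := Unwrap(kek, tampered); err == nil {
			undetected++
		}
	}
	return undetected
}

func main() {
	// Test vector from RFC 3394 section 4.1 (128-bit KEK, 128-bit key data).
	kek, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F")
	keyData, _ := hex.DecodeString("00112233445566778899AABBCCDDEEFF")
	ct, _ := Wrap(kek, keyData)
	again, _ := Wrap(kek, keyData)
	fmt.Printf("wrapped: %X (deterministic: %v)\n", ct, bytes.Equal(ct, again))
	pt, err := Unwrap(kek, ct)
	fmt.Printf("unwrapped: %X err=%v\n", pt, err)
	fmt.Println("single-bit forgeries accepted:", CountUndetectedBitFlips(kek, ct))
}
```

The bit-flip loop is the practical face of the integrity check the post discusses: any change to any of the 3n+3 ... more precisely, any of the (n+1)*64 ciphertext bits is pushed through all six decryption passes, so the recovered A is effectively random and fails the comparison with the IV. Note also that the "IV" here is a fixed constant, not a per-message nonce, which is what makes the scheme deterministic and why there is no nonce-reuse failure mode of the kind a generic AEAD has.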
