[cryptography] Is KeyWrap (RFC 3394) vulnerable to CCAs?

Naveen Nathan naveen at lastninja.net
Wed Dec 24 19:29:23 EST 2014

> As I see it from that paper the advantages of a key-wrap scheme over using a
> generic AEAD scheme is that
> (a) it may be lighter weight in computation and size of ciphertext
> (b) Defends against “IV misuse”.
> (c) RFC 3394 has been around for a while and is widely available

The paper in question is available online:

The construct in RFC3394 I believe is the same in Appendix A (from ANSI X9.102 draft standard).
The stated security goal is IND-CCA2. However if you read further you will come across this little gem:
"There is no proof of security, and the mechanism is so complex that providing one would be difficult."

The suggested mode of operation for keywrap is SIV mode which is both documented in the above paper
and in RFC5297. It provides deterministic CCA encryption but fails the indinguishabiltiy under
eavesdropping experiment (any two ciphertexts encrypted under a given key that are equal correspond
to the same plaintext).

Keywrap in SIV mode (without the additional data) is essentially: IV=MAC(k,P), ENC(IV,k,P);
verification/integrity check is done after decryption by recomputing the MAC and ideally the
MAC and Encryption keys are distinct.

- Naveen

More information about the cryptography mailing list