SIV-MAC: An Efficient MAC Scheme

Shay Gueron

doi:10.1007/978-3-031-56599-1_14

SIV-MAC: An Efficient MAC Scheme

Shay Gueron

School Of Business Administration

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

SIV-MAC is a deterministic Message Authentication Code (MAC) built over the efficient universal family of hash functions POLYVAL. Unlike the standardized GMAC that also uses universal hashing (with GHASH) SIV-MAC does not require a nonce. SIV-MAC is the special case of the nonce-misuse resistant AEAD named AES-GCM-SIV, instantiated with a 256-bit main key and a fixed 96-bit zero nonce. The authentication tag of a string X is the output of AES-GCM-SIV invoked with an empty message and with X as the Additional Authenticated Data (AAD). This means that SIV-MAC is readily available in libraries that support AES-GCM-SIV, such as BoringSSL and OpenSSL (The OpenSSL Project, OpenSSL: the open source toolkit for SSL/TLS. www.openssl.org, 2003). However, performance can be further improved. We show here how tagging messages can reach asymptotic performance of 0.3 cycles per byte. Finally, we explain why a key can be used for safely processing 250 bytes before it needs to be rotated.

Original language	English
Title of host publication	International Conference on Information Technology-New Generations
Publisher	Springer Cham
Pages	97-102
Number of pages	6
ISBN (Electronic)	978-3-031-56599-1
ISBN (Print)	978-3-031-56598-4
DOIs	https://doi.org/10.1007/978-3-031-56599-1_14
State	Published - 9 Jul 2024

Access to Document

10.1007/978-3-031-56599-1_14

Cite this

@inproceedings{7460421807684c249a2fc1a5c15b075e,

title = "SIV-MAC: An Efficient MAC Scheme",

abstract = "SIV-MAC is a deterministic Message Authentication Code (MAC) built over the efficient universal family of hash functions POLYVAL. Unlike the standardized GMAC that also uses universal hashing (with GHASH) SIV-MAC does not require a nonce. SIV-MAC is the special case of the nonce-misuse resistant AEAD named AES-GCM-SIV, instantiated with a 256-bit main key and a fixed 96-bit zero nonce. The authentication tag of a string X is the output of AES-GCM-SIV invoked with an empty message and with X as the Additional Authenticated Data (AAD). This means that SIV-MAC is readily available in libraries that support AES-GCM-SIV, such as BoringSSL and OpenSSL (The OpenSSL Project, OpenSSL: the open source toolkit for SSL/TLS. www.openssl.org, 2003). However, performance can be further improved. We show here how tagging messages can reach asymptotic performance of 0.3 cycles per byte. Finally, we explain why a key can be used for safely processing 250 bytes before it needs to be rotated.",

author = "Shay Gueron",

year = "2024",

month = jul,

day = "9",

doi = "10.1007/978-3-031-56599-1_14",

language = "English",

isbn = "978-3-031-56598-4",

pages = "97--102",

booktitle = "International Conference on Information Technology-New Generations",

publisher = "Springer Cham",

}

TY - GEN

T1 - SIV-MAC

T2 - An Efficient MAC Scheme

AU - Gueron, Shay

PY - 2024/7/9

Y1 - 2024/7/9

N2 - SIV-MAC is a deterministic Message Authentication Code (MAC) built over the efficient universal family of hash functions POLYVAL. Unlike the standardized GMAC that also uses universal hashing (with GHASH) SIV-MAC does not require a nonce. SIV-MAC is the special case of the nonce-misuse resistant AEAD named AES-GCM-SIV, instantiated with a 256-bit main key and a fixed 96-bit zero nonce. The authentication tag of a string X is the output of AES-GCM-SIV invoked with an empty message and with X as the Additional Authenticated Data (AAD). This means that SIV-MAC is readily available in libraries that support AES-GCM-SIV, such as BoringSSL and OpenSSL (The OpenSSL Project, OpenSSL: the open source toolkit for SSL/TLS. www.openssl.org, 2003). However, performance can be further improved. We show here how tagging messages can reach asymptotic performance of 0.3 cycles per byte. Finally, we explain why a key can be used for safely processing 250 bytes before it needs to be rotated.

AB - SIV-MAC is a deterministic Message Authentication Code (MAC) built over the efficient universal family of hash functions POLYVAL. Unlike the standardized GMAC that also uses universal hashing (with GHASH) SIV-MAC does not require a nonce. SIV-MAC is the special case of the nonce-misuse resistant AEAD named AES-GCM-SIV, instantiated with a 256-bit main key and a fixed 96-bit zero nonce. The authentication tag of a string X is the output of AES-GCM-SIV invoked with an empty message and with X as the Additional Authenticated Data (AAD). This means that SIV-MAC is readily available in libraries that support AES-GCM-SIV, such as BoringSSL and OpenSSL (The OpenSSL Project, OpenSSL: the open source toolkit for SSL/TLS. www.openssl.org, 2003). However, performance can be further improved. We show here how tagging messages can reach asymptotic performance of 0.3 cycles per byte. Finally, we explain why a key can be used for safely processing 250 bytes before it needs to be rotated.

U2 - 10.1007/978-3-031-56599-1_14

DO - 10.1007/978-3-031-56599-1_14

M3 - Conference contribution

SN - 978-3-031-56598-4

SP - 97

EP - 102

BT - International Conference on Information Technology-New Generations

PB - Springer Cham

ER -

SIV-MAC: An Efficient MAC Scheme

Abstract

Access to Document

Fingerprint

Cite this