Why is AES-SIV not used, but AESKW, AKW1?



I'm trying to investigate different key wrapping algorithms for my implementation. I've noticed that AES-SIV is very rarely implemented by most open source libraries. Most of them implement key wrap from RFC 3394.

It's a bit weird, as AES-SIV has many nice properties and (maybe I'm wrong) seems like the best choice for key wrapping in most cases. So I wonder if I haven't missed something. Are there any known weaknesses of AES-SIV?

Henry Dorsett Case

Posted 2016-01-10T22:34:29.183

Reputation: 115

No, SIV is great it just requires more key material. – Thomas M. DuBuisson – 2016-01-10T22:42:17.590

It's a bit complicated and requires two passes. The latter is probably the main reason it's only implemented rarely. – Artjom B. – 2016-01-10T22:55:40.453

AES-SIV is 6 years newer and the other wrapping mechanism isn't exactly broken. Personally I don't like the fact that AES-SIV places the IV at the start. This means you cannot encrypt the key value in place. That's not a huge issue when used as a cipher, but it unnecessarily complicates memory handling when used for key wrapping. – Maarten Bodewes – 2016-02-05T11:16:55.780



No, AES-SIV is just newer. There are currently no published weaknesses (to my knowledge).

There are however a few practical inefficiencies:

  • the fixed locations of the SIV (/ authentication tag) can be a bit tricky to work with, as it means that the wrapped key data cannot be stored in the same place as the unwrapped key data;
  • it's a two-pass protocol, which requires a bit more work.

The other wrapping methods have been standardized as well and are not broken in any significant way. So there is no big incentive to shift to SIV, even if it has the deterministic integrity protection property.

Many keys are stored in key stores rather than being wrapped individually (although combined approaches are used as well). A key store is likely to have no need for a deterministic algorithm such as SIV.

So it's an educated guess that AES-SIV is not implemented much due to lack of (commercial) interest.

Note that we're still in the process of moving away from SHA-1 in favor of SHA-256. There is a very clear reason to do so, and SHA-3 is already out as well. The security field is not known for speedy transitions, even though it is just half a century old.

EDIT > 2yrs later: currently there seems to be a bit more interest to avoid the dire consequences of IV reuse for CTR mode and all authenticated ciphers (CCM, GCM, EAX etc.) that rely on it. That may speed up the use of AES-SIV and its sibling, AES-GCM-SIV.

Maarten Bodewes

Posted 2016-01-10T22:34:29.183

Reputation: 51 933