SIV (Synthetic Initialization Vector) is a two-pass AEAD block cipher mode of operation described in RFC 5297. It can be used either for key-wrap (nonce-less deterministic authenticated encryption) or, with a nonce, for conventional authenticated encryption with maximal tolerance of nonce reuse.
SIV (Synthetic Initialization Vector) is a two-pass AEAD block cipher mode of operation developed by Phillip Rogaway and Thomas Shrimpton and standardized in RFC 5297. It can be used either for key-wrap (nonce-less deterministic authenticated encryption) or, with a nonce, for conventional authenticated encryption with maximal tolerance of nonce reuse.
The SIV mode is based on CTR mode, CMAC and a novel construction called S2V which allows a PRF (such as CMAC) to efficiently operate on multiple input strings.
To encrypt a message, the message and any associated data are first processed using CMAC* (CMAC with S2V) to derive a "synthetic IV", which is then used to encrypt the message using CTR mode and prepended to the ciphertext. This synthetic IV effectively acts both as an IV for the encryption and as a message authentication code (MAC). When decrypting a message, the recipient first decrypts it using CTR mode with the prepended IV, and then repeats the CMAC* computation and verifies that the result agrees with the IV.
Optionally, one of the associated data inputs for SIV mode may be a nonce, such as a message number. When used without a nonce, SIV mode guarantees message authenticity and privacy, subject only to the generic disclosure of message length and the fact that, since encryption is deterministic, an attacker can tell if the same message is sent twice with the same associated data. Including a nonce eliminates this latter leak by ensuring that the associated data is unique.
