Deterministic Authenticated-Encryption: A Provable-Security Treatment of the Key-Wrap Problem

Standards bodies have been addressing the key-wrap problem, a cryptographic goal that has never received a provable-security treatment. In response, the authors provide one, giving definitions, constructions, and proofs. They suggest that key-wrap's goal is security in the sense of Deterministic Authenticated-Encryption (DAE), a notion that they put forward. They also provide an alternative notion, a PseudoRandom Injection (PRI), which they prove to be equivalent. They provide a DAE construction, SIV, analyze its concrete security, develop a blockcipher-based instantiation of it, and suggest that the method makes a desirable alternative to the schemes of the X9.102 draft standard.