SIV Mode: Nonce-Misuse Resistant AEAD
Explore Synthetic IV (SIV) mode and how it protects against catastrophic nonce reuse.
Nonce Reuse: A Catastrophic Failure
CTR-mode based AEAD ciphers like AES-GCM require a unique nonce for every encryption. If the same nonce is reused with the same key, an attacker who observes two ciphertexts can XOR them together to recover the XOR of the two plaintexts, immediately breaking confidentiality.
GCM Nonce Reuse Leaks the Auth Key
Nonce reuse in AES-GCM is even more catastrophic than in plain CTR mode. When two messages are encrypted under the same nonce and key, an attacker can recover the GHASH authentication key H entirely. With H known, the attacker can forge arbitrary authenticated messages.
All lessons in this course
- Why Encrypt-Then-MAC Beats MAC-Then-Encrypt
- SIV Mode: Nonce-Misuse Resistant AEAD
- AEGIS: High-Speed Authenticated Encryption
- Selecting AEAD for Production Systems