jedisct1/libsodium-xchacha20-siv

Document where the design for `s2v` comes from

Closed this issue · 2 comments

Looking at the implementation of s2v it resembles the S2V construct from RFC 5297.

The only difference I see, besides the choice of hash function and sizes, is that if the message is less than the MAC size, you apply an extra `d[mlen] ^= 0x80;`.

Am I correct?

S2V is defined in Rogaway's paper -- see Fig. 2.

It's a generic construction, so any PRF can be used. Setting the bit after the data is required to make the distinction between padding bits and zero bits from actual data.

The construction here is an instantiation of the SIV mode described in that paper. Pretty boring, but in a good way.

S2V is used in the SIV mode, but also in AES-OCB.

It can be used in any other context, to provide domain separation between members of a tuple.
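The generic S2V construction discussed in this thread, written out as an added example (not code from this repository): it follows the RFC 5297 / Rogaway definition with a placeholder PRF (truncated HMAC-SHA256, a stand-in assumption, not the library's choice of hash or sizes), and the `pad` step is the `0x80` marker bit from the question, which is what keeps a short final string distinguishable from the same string with trailing zero bytes.

```python
import hmac
import hashlib

BLOCKLEN = 16  # PRF output length in bytes (assumption; the library's own sizes differ)


def prf(key: bytes, data: bytes) -> bytes:
    """Stand-in PRF: HMAC-SHA256 truncated to one block (assumption, not libsodium's PRF)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:BLOCKLEN]


def dbl(block: bytes) -> bytes:
    """Multiply by x in GF(2^128), the 'dbl' of RFC 5297 (reduction constant 0x87)."""
    n = int.from_bytes(block, "big")
    carry = n >> (8 * BLOCKLEN - 1)
    n = (n << 1) & ((1 << (8 * BLOCKLEN)) - 1)
    if carry:
        n ^= 0x87
    return n.to_bytes(BLOCKLEN, "big")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def xorend(a: bytes, b: bytes) -> bytes:
    """XOR b into the last len(b) bytes of a; a must be at least as long as b."""
    return a[:-len(b)] + xor(a[-len(b):], b)


def pad(s: bytes) -> bytes:
    """Append a single 1 bit (0x80) then zero bits up to one block.
    Without the 0x80 marker, b'ab' and b'ab\\x00' would pad to the same block."""
    return s + b"\x80" + b"\x00" * (BLOCKLEN - len(s) - 1)


def s2v(key: bytes, *strings: bytes) -> bytes:
    """S2V over a tuple of byte strings; each member is chained so that
    (b'a', b'b') and (b'ab',) are domain-separated rather than concatenated."""
    if not strings:
        return prf(key, b"\x00" * (BLOCKLEN - 1) + b"\x01")
    d = prf(key, b"\x00" * BLOCKLEN)
    for s in strings[:-1]:
        d = xor(dbl(d), prf(key, s))
    last = strings[-1]
    if len(last) >= BLOCKLEN:
        t = xorend(last, d)  # long final string: fold d into its tail
    else:
        t = xor(dbl(d), pad(last))  # short final string: the 0x80 padding case
    return prf(key, t)
```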