In AES Key Wrap, we apply 6n AES encryptions for an input of n 64-bit blocks. Informally speaking, we wrap the key 6 times. What is the motivation behind 6? Why not 4 or 10? Is there something like a treshold or trade-off coming from security vs efficiency concerns?
Add a comment |
1 Answer
$\begingroup$ $\endgroup$
1 The AES Key Wrap scheme (AESKW) was developed in the ANSI X9.102 standard by the X9F1 working group, though the scheme was first proposed by NIST and appears in SP800-38F. Although, the ANSI group specified goals for key wrap algorithms (indistinguishability of ciphertexts under an adaptive chosen-ciphertext attack (IND-CCA2), and unforgeability of ciphertexts under an adaptive chosen-ciphertext attack) they gave no indication of why their choices of designs/parameters might achieve these. This opacity attracted some criticism from academic cryptographers (see e.g appendix A of Deterministic Authenticated-Encryption A Provable-Security Treatment of the Key-Wrap Problem by Rogaway and Shrimpton).
The appendix note that the number of AES calls is large in comparison to other keywrapping schemes
The number of blockcipher calls seems large: roughly 12 per block of data (the same price paid for $X$ or $H$). This is six times more than that used for AKW1.
among other criticisms. They do however note
The above criticism notwithstanding, we find it likely that the mechanism is correct.[...] The modified Feistel network used here probably does have security (as a strong PRP) better than $\sigma^2/2\eta$, but it would be hard to prove.
In a (arguably) more tongue-in-cheek complaint in appendix F (and also The Journal of Craptology vol 3, November 2006) "Key Rap" they imply that the NSA may have had input into the design:
Now NIST and X9
and their friends at the fort
suggest that you stick it
in a six-layer torte
- $\begingroup$ Thanks a lot for the detailed answer $\endgroup$guestQWERTY– guestQWERTY2024-01-18 12:41:50 +00:00Commented Jan 18, 2024 at 12:41