Package Cryptodome :: Package Cipher :: Module _mode_siv :: Class SivMode

Class SivMode

object --+
         |
        SivMode

Synthetic Initialization Vector (SIV).

This is an Authenticated Encryption with Associated Data (AEAD) mode. It provides both confidentiality and authenticity.

The header of the message may be left in the clear, if needed, and it will still be subject to authentication. The decryption step tells the receiver if the message comes from a source that really knowns the secret key. Additionally, decryption detects if any part of the message - including the header - has been modified or corrupted.

Unlike other AEAD modes such as CCM, EAX or GCM, accidental reuse of a nonce is not catastrophic for the confidentiality of the message. The only effect is that an attacker can tell when the same plaintext (and same associated data) is protected with the same key.

The length of the MAC is fixed to the block size of the underlying cipher. The key size is twice the length of the key of the underlying cipher.

This mode is only available for AES ciphers.

Cipher
SIV MAC size
(bytes)
SIV key length
(bytes)
AES-128 16 32
AES-192 16 48
AES-256 16 64

See RFC5297 and the original paper.

Instance Methods
 
update(self, component)
Protect one associated data component
 
encrypt(self, plaintext)
Encrypt data with the key and the parameters set at initialization.
 
decrypt(self, ciphertext)
Decrypt data with the key and the parameters set at initialization.
 
digest(self)
Compute the binary MAC tag.
 
hexdigest(self)
Compute the printable MAC tag.
 
verify(self, received_mac_tag)
Validate the binary MAC tag.
 
hexverify(self, hex_mac_tag)
Validate the printable MAC tag.
 
encrypt_and_digest(self, plaintext)
Perform encrypt() and digest() in one step.
 
decrypt_and_verify(self, ciphertext, mac_tag)
Perform decryption and verification in one step.

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __init__, __new__, __reduce__, __reduce_ex__, __repr__, __setattr__, __sizeof__, __str__, __subclasshook__

Instance Variables
  block_size
The block size of the underlying cipher, in bytes.
  nonce
Public attribute is only available in case of non-deterministic encryption.
Properties

Inherited from object: __class__

Method Details

update(self, component)

 

Protect one associated data component

For SIV, the associated data is a sequence (vector) of non-empty byte strings (components).

This method consumes the next component. It must be called once for each of the components that constitue the associated data.

Note that the components have clear boundaries, so that:

>>> cipher.update(b"builtin")
>>> cipher.update(b"securely")

is not equivalent to:

>>> cipher.update(b"built")
>>> cipher.update(b"insecurely")

If there is no associated data, this method must not be called.

Parameters:
  • component (byte string) - The next associated data component. It must not be empty.

encrypt(self, plaintext)

 

Encrypt data with the key and the parameters set at initialization.

A cipher object is stateful: once you have encrypted a message you cannot encrypt (or decrypt) another message using the same object.

This method can be called only once.

You cannot reuse an object for encrypting or decrypting other data with the same key.

This function does not add any padding to the plaintext.

Parameters:
  • plaintext (byte string) - The piece of data to encrypt. It can be of any length, but it cannot be empty.
Returns:
the encrypted data, as a byte string. It is as long as plaintext.

decrypt(self, ciphertext)

 

Decrypt data with the key and the parameters set at initialization.

For SIV, decryption and verification must take place at the same point. This method shall not be used.

Use decrypt_and_verify instead.

digest(self)

 

Compute the binary MAC tag.

The caller invokes this function at the very end.

This method returns the MAC that shall be sent to the receiver, together with the ciphertext.

Returns:
the MAC, as a byte string.

hexdigest(self)

 

Compute the printable MAC tag.

This method is like digest.

Returns:
the MAC, as a hexadecimal string.

verify(self, received_mac_tag)

 

Validate the binary MAC tag.

The caller invokes this function at the very end.

This method checks if the decrypted message is indeed valid (that is, if the key is correct) and it has not been tampered with while in transit.

Parameters:
  • received_mac_tag (byte string) - This is the binary MAC, as received from the sender.
Raises:
  • ValueError - if the MAC does not match. The message has been tampered with or the key is incorrect.

hexverify(self, hex_mac_tag)

 

Validate the printable MAC tag.

This method is like verify.

Parameters:
  • hex_mac_tag (string) - This is the printable MAC, as received from the sender.
Raises:
  • ValueError - if the MAC does not match. The message has been tampered with or the key is incorrect.

encrypt_and_digest(self, plaintext)

 
Perform encrypt() and digest() in one step.
Parameters:
  • plaintext (byte string) - The piece of data to encrypt.
Returns:

a tuple with two byte strings:

  • the encrypted data
  • the MAC

decrypt_and_verify(self, ciphertext, mac_tag)

 

Perform decryption and verification in one step.

A cipher object is stateful: once you have decrypted a message you cannot decrypt (or encrypt) another message with the same object.

You cannot reuse an object for encrypting or decrypting other data with the same key.

This function does not remove any padding from the plaintext.

Parameters:
  • ciphertext (byte string) - The piece of data to decrypt. It can be of any length.
  • mac_tag (byte string) - This is the binary MAC, as received from the sender.
Returns:
the decrypted data (byte string).
Raises:
  • ValueError - if the MAC does not match. The message has been tampered with or the key is incorrect.