Deterministic AEAD provides encryption with a deterministic property: encrypting the same data always yields the same ciphertext. This type of encryption is useful for key wrapping or for some schemes for searching on encrypted data (see RFC 5297, Section 1.3 for more info). Because of its deterministic property, implementations of this primitive can lead to loss of secrecy because an attacker only needs to find out the ciphertext for a given message to identify other instances of that message.
Deterministic AEAD has the following properties:
- Secrecy: Nobody will be able to get any information about the encrypted plaintext, except the length and the equality of repeated plaintexts.
- Authenticity: Without the key it is impossible to change the plaintext underlying the ciphertext undetected.
- Symmetric: Encrypting the message and decrypting the ciphertext is done with the same key.
- Deterministic: A deterministic AEAD protects data almost as well as a normal AEAD. However, if you send the same message twice, an attacker can notice that the two messages are equal. If this is not desired, see AEAD.
Deterministic AEAD can also be used to tie ciphertext to specific associated data. For example, suppose you have a database with a field, user-id, and a field, encrypted-medical-history. In this case, user-id should be used as associated data when encrypting the medical history. This ensures that an attacker cannot move medical history from one user to another.
Choosing a key type
We recommend the AES256_SIV key type for all use cases.
Minimal security guarantees
- At least 80-bit authentication strength.
- The plaintext and associated data can have arbitrary lengths (within the range 0..2^32 bytes).
- 128-bit security level against key recovery attacks, and also in multi-user attacks with up to 2^32 keys—that means if an adversary obtains 2^32 ciphertexts of the same message encrypted under 2^32 keys, they need to do 2^128 computations to obtain a single key.
- AES-SIV keys can safely be used to encrypt 2^38 messages, provided each is less than 1MB in length. You can encrypt more if the messages are shorter, and fewer if they are longer.
- There are no secrecy or validity guarantees for associated data.