How to Implement Deterministic Encryption Safely in .NET The Next CEO of Stack OverflowUsing HMAC as a nonce with AES-CTR encrypt-and-MACWhat Are the Risks of AES-GCM [Key, Nonce, Message] where Nonce = MessageDeterministic nonces in CTR modeWhich gives better deterministic encryption SIV or Plain ECB mode?Security of this deterministic encryption scheme(Re-)Using deterministic IV in CTR mode / How to: deterministic AESWhy is synthetic IV (SIV) mode considered deterministic authenticated encryption (DAE)?Deterministic encryption for a limited space: using HMAC as IVIs deterministic encryption appropriate for low entropy plaintext when CPA is not a concern?Are there any misuse-resistant asymmetric encryption schemes?What Are the Risks of AES-GCM [Key, Nonce, Message] where Nonce = MessageDeterministic Authenticated Encryption with AES-OFB and HMAC

How to find image of a complex function with given constraints?

Iterate through multiline string line by line

Calculate the Mean mean of two numbers

Easy to read palindrome checker

what's the use of '% to gdp' type of variables?

Can this note be analyzed as a non-chord tone?

Is dried pee considered dirt?

What is the difference between Statistical Mechanics and Quantum Mechanics

Is a distribution that is normal, but highly skewed, considered Gaussian?

How to get the last not-null value in an ordered column of a huge table?

Is there such a thing as a proper verb, like a proper noun?

Why doesn't UK go for the same deal Japan has with EU to resolve Brexit?

Audio Conversion With ADS1243

Does destroying a Lich's phylactery destroy the soul within it?

Purpose of level-shifter with same in and out voltages

Does Germany produce more waste than the US?

How to set page number in right side in chapter title page?

Is it convenient to ask the journal's editor for two additional days to complete a review?

How to properly draw diagonal line while using multicolumn inside tabular environment?

What was the first Unix version to run on a microcomputer?

Is "three point ish" an acceptable use of ish?

Is it ever safe to open a suspicious HTML file (e.g. email attachment)?

Can I use the word “Senior” as part of a job title directly in German?

Would a completely good Muggle be able to use a wand?



How to Implement Deterministic Encryption Safely in .NET



The Next CEO of Stack OverflowUsing HMAC as a nonce with AES-CTR encrypt-and-MACWhat Are the Risks of AES-GCM [Key, Nonce, Message] where Nonce = MessageDeterministic nonces in CTR modeWhich gives better deterministic encryption SIV or Plain ECB mode?Security of this deterministic encryption scheme(Re-)Using deterministic IV in CTR mode / How to: deterministic AESWhy is synthetic IV (SIV) mode considered deterministic authenticated encryption (DAE)?Deterministic encryption for a limited space: using HMAC as IVIs deterministic encryption appropriate for low entropy plaintext when CPA is not a concern?Are there any misuse-resistant asymmetric encryption schemes?What Are the Risks of AES-GCM [Key, Nonce, Message] where Nonce = MessageDeterministic Authenticated Encryption with AES-OFB and HMAC










2












$begingroup$


I am trying to implement a deterministic encryption scheme in .NET. This link suggests I use AES-SIV mode encryption. An alternative is to use AES-CTR [ k1, nonce, message] mode with HMAC[ k2, message] as the nonce. This is effectively the same as AES-SIV.



In .NET, there is no implementation of AES-SIV. AES-CTR mode is also not available in .NET. The only .NET compatible library which implements AES-SIV I can find is Miscreant .NET. This is not FIPS validated.



Does anyone have any suggestions on how to implement a deterministic encryption scheme in .NET?



This post is a continuation of a previous post.



My Project: I have several bankers who will send the balance information for thousands of bank accounts to a server. The account numbers will be encrypted using this scheme prior to sending to the server for security purposes. The server deliberately will not have the private key [I'm setting up a zero-knowledge encryption scheme]. On the client side, Banker1 and Banker2 must be able to encrypt the account number in a deterministic way that allows any Banker to decrypt account numbers returned from the server. For this reason, I decided to use HMAC(message) as the nonce for my encryption scheme and append it to the ciphertext. AES-CTR[ k1, nonce, message] || HMAC[ k2, message] where nonce = HMAC[ k2, message].



Thank you!










share|improve this question









New contributor




user67091 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.







$endgroup$
















    2












    $begingroup$


    I am trying to implement a deterministic encryption scheme in .NET. This link suggests I use AES-SIV mode encryption. An alternative is to use AES-CTR [ k1, nonce, message] mode with HMAC[ k2, message] as the nonce. This is effectively the same as AES-SIV.



    In .NET, there is no implementation of AES-SIV. AES-CTR mode is also not available in .NET. The only .NET compatible library which implements AES-SIV I can find is Miscreant .NET. This is not FIPS validated.



    Does anyone have any suggestions on how to implement a deterministic encryption scheme in .NET?



    This post is a continuation of a previous post.



    My Project: I have several bankers who will send the balance information for thousands of bank accounts to a server. The account numbers will be encrypted using this scheme prior to sending to the server for security purposes. The server deliberately will not have the private key [I'm setting up a zero-knowledge encryption scheme]. On the client side, Banker1 and Banker2 must be able to encrypt the account number in a deterministic way that allows any Banker to decrypt account numbers returned from the server. For this reason, I decided to use HMAC(message) as the nonce for my encryption scheme and append it to the ciphertext. AES-CTR[ k1, nonce, message] || HMAC[ k2, message] where nonce = HMAC[ k2, message].



    Thank you!










    share|improve this question









    New contributor




    user67091 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.







    $endgroup$














      2












      2








      2





      $begingroup$


      I am trying to implement a deterministic encryption scheme in .NET. This link suggests I use AES-SIV mode encryption. An alternative is to use AES-CTR [ k1, nonce, message] mode with HMAC[ k2, message] as the nonce. This is effectively the same as AES-SIV.



      In .NET, there is no implementation of AES-SIV. AES-CTR mode is also not available in .NET. The only .NET compatible library which implements AES-SIV I can find is Miscreant .NET. This is not FIPS validated.



      Does anyone have any suggestions on how to implement a deterministic encryption scheme in .NET?



      This post is a continuation of a previous post.



      My Project: I have several bankers who will send the balance information for thousands of bank accounts to a server. The account numbers will be encrypted using this scheme prior to sending to the server for security purposes. The server deliberately will not have the private key [I'm setting up a zero-knowledge encryption scheme]. On the client side, Banker1 and Banker2 must be able to encrypt the account number in a deterministic way that allows any Banker to decrypt account numbers returned from the server. For this reason, I decided to use HMAC(message) as the nonce for my encryption scheme and append it to the ciphertext. AES-CTR[ k1, nonce, message] || HMAC[ k2, message] where nonce = HMAC[ k2, message].



      Thank you!










      share|improve this question









      New contributor




      user67091 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.







      $endgroup$




      I am trying to implement a deterministic encryption scheme in .NET. This link suggests I use AES-SIV mode encryption. An alternative is to use AES-CTR [ k1, nonce, message] mode with HMAC[ k2, message] as the nonce. This is effectively the same as AES-SIV.



      In .NET, there is no implementation of AES-SIV. AES-CTR mode is also not available in .NET. The only .NET compatible library which implements AES-SIV I can find is Miscreant .NET. This is not FIPS validated.



      Does anyone have any suggestions on how to implement a deterministic encryption scheme in .NET?



      This post is a continuation of a previous post.



      My Project: I have several bankers who will send the balance information for thousands of bank accounts to a server. The account numbers will be encrypted using this scheme prior to sending to the server for security purposes. The server deliberately will not have the private key [I'm setting up a zero-knowledge encryption scheme]. On the client side, Banker1 and Banker2 must be able to encrypt the account number in a deterministic way that allows any Banker to decrypt account numbers returned from the server. For this reason, I decided to use HMAC(message) as the nonce for my encryption scheme and append it to the ciphertext. AES-CTR[ k1, nonce, message] || HMAC[ k2, message] where nonce = HMAC[ k2, message].



      Thank you!







      ctr nonce deterministic-encryption siv






      share|improve this question









      New contributor




      user67091 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      share|improve this question









      New contributor




      user67091 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      share|improve this question




      share|improve this question








      edited 56 mins ago









      kelalaka

      8,60022351




      8,60022351






      New contributor




      user67091 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      asked 2 hours ago









      user67091user67091

      111




      111




      New contributor




      user67091 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.





      New contributor





      user67091 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






      user67091 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.




















          1 Answer
          1






          active

          oldest

          votes


















          3












          $begingroup$

          You can safely use HMAC-SHA256 instead of the SIV mode custom PRF to derive the nonce/authentication tag. There's some caveats:



          • HMAC-SHA256 gives a 256-bit output; you'll have to truncate it to the nonce size.


          • HMAC-SHA256 takes in a single bit string, so it can't distinguish the boundary between a header (unencrypted associated data) and payload (encrypted message); the SIV mode custom PRF is defined on a tuple of bit strings. So make sure that if you compute HMAC over more than just a ciphertext, you uniquely encode the tuple of $(a, c)$ as a bit string you pass to HMAC-SHA256.



          • Beware limits on total volume of data for AES-SIV or similar! For example, if your ‘AES-CTR’ takes a 96-bit nonce (as AES-GCM uses), you must limit your total volume of data to well below $2^48$ messages, so that there is no danger of nonce collision. For example, you might limit it to a billion messages, $2^30$.



            AES-SIV internally uses $operatornameAES_k(n) mathbin| operatornameAES_k(n + 1) mathbin| operatornameAES_k(n + 2) mathbin| cdots$ with a 128-bit nonce $n$, instead of what is usually meant by AES-CTR, which is $operatornameAES_k(n mathbin| 0) mathbin| operatornameAES_k(n mathbin| 1) mathbin| operatornameAES_k(n mathbin| 2) mathbin| cdots$ with a (say) 96-bit nonce $n$ and 32-bit block counter like AES-GCM uses. The details don't matter that much as long as you pay close attention to the advertised adversary advantage and data volume limits.



          • Make sure to write known-answer test vectors for the system you think you're implementing, using another tool or another library, so that you can do quick self-tests to confirm interoperability.



          • Avoid the term ‘zero-knowledge’ unless you're actually doing cryptography involving zero-knowledge proofs, which are a specific technical concept involving provers, verifiers, extractors, and simulators. Saying ‘zero-knowledge encryption’ proudly announces that you have more money for a marketing department than for a cryptography engineering department.



            • Even if you encrypt identifiers, there's lots of information to be learned from network structures and databases with ‘anonymized’ (really, pseudonymized) identifiers. So ‘zero-knowledge’ is especially inappropriate here if you're only concealing the labels, not the structure of the database.


            • In this scenario, I would advise you to either (a) persuade your management to invest more money in cryptography engineering including hiring competent implementors and auditors, or (b) start polishing your CV, because this job is doomed. This is not a comment on your value or intelligence as a person! Obviously you're working hard to learn. But it is not confidence-inspiring to hear that your management are tasking someone who has to ask a pseudonymous forum of strangers on the internet for help with cryptographic basics in order to handle private banking information for thousands of clients over the internet.







          share|improve this answer











          $endgroup$












          • $begingroup$
            1.) I'll truncate the nonce size appropriately. I was aware of this need. 2.) I will never approach 2^30 accounts. My limits will be between ~1M - 10M. 3.) I will bear this in mind once I test. I will also hire a consultant for testing. 4.) There is a file encryption service known as BoxCryptor that labels itself a 'Zero Knowledge Provider'. This may be false advertising but my system is similar to theirs. I will be safe not to over-advertise what we offer, though. I'm an entrepreneur without a budget. I admit encryption is difficult but not impossible thanks to this forum.
            $endgroup$
            – user67091
            20 mins ago











          • $begingroup$
            Any advice on how to implement the above within .NET given SIV is not implemented and CTR mode is not available within the System.Security.Cryptography namespace?
            $endgroup$
            – user67091
            19 mins ago











          Your Answer





          StackExchange.ifUsing("editor", function ()
          return StackExchange.using("mathjaxEditing", function ()
          StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix)
          StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
          );
          );
          , "mathjax-editing");

          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "281"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader:
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          ,
          noCode: true, onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );






          user67091 is a new contributor. Be nice, and check out our Code of Conduct.









          draft saved

          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f68443%2fhow-to-implement-deterministic-encryption-safely-in-net%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          3












          $begingroup$

          You can safely use HMAC-SHA256 instead of the SIV mode custom PRF to derive the nonce/authentication tag. There's some caveats:



          • HMAC-SHA256 gives a 256-bit output; you'll have to truncate it to the nonce size.


          • HMAC-SHA256 takes in a single bit string, so it can't distinguish the boundary between a header (unencrypted associated data) and payload (encrypted message); the SIV mode custom PRF is defined on a tuple of bit strings. So make sure that if you compute HMAC over more than just a ciphertext, you uniquely encode the tuple of $(a, c)$ as a bit string you pass to HMAC-SHA256.



          • Beware limits on total volume of data for AES-SIV or similar! For example, if your ‘AES-CTR’ takes a 96-bit nonce (as AES-GCM uses), you must limit your total volume of data to well below $2^48$ messages, so that there is no danger of nonce collision. For example, you might limit it to a billion messages, $2^30$.



            AES-SIV internally uses $operatornameAES_k(n) mathbin| operatornameAES_k(n + 1) mathbin| operatornameAES_k(n + 2) mathbin| cdots$ with a 128-bit nonce $n$, instead of what is usually meant by AES-CTR, which is $operatornameAES_k(n mathbin| 0) mathbin| operatornameAES_k(n mathbin| 1) mathbin| operatornameAES_k(n mathbin| 2) mathbin| cdots$ with a (say) 96-bit nonce $n$ and 32-bit block counter like AES-GCM uses. The details don't matter that much as long as you pay close attention to the advertised adversary advantage and data volume limits.



          • Make sure to write known-answer test vectors for the system you think you're implementing, using another tool or another library, so that you can do quick self-tests to confirm interoperability.



          • Avoid the term ‘zero-knowledge’ unless you're actually doing cryptography involving zero-knowledge proofs, which are a specific technical concept involving provers, verifiers, extractors, and simulators. Saying ‘zero-knowledge encryption’ proudly announces that you have more money for a marketing department than for a cryptography engineering department.



            • Even if you encrypt identifiers, there's lots of information to be learned from network structures and databases with ‘anonymized’ (really, pseudonymized) identifiers. So ‘zero-knowledge’ is especially inappropriate here if you're only concealing the labels, not the structure of the database.


            • In this scenario, I would advise you to either (a) persuade your management to invest more money in cryptography engineering including hiring competent implementors and auditors, or (b) start polishing your CV, because this job is doomed. This is not a comment on your value or intelligence as a person! Obviously you're working hard to learn. But it is not confidence-inspiring to hear that your management are tasking someone who has to ask a pseudonymous forum of strangers on the internet for help with cryptographic basics in order to handle private banking information for thousands of clients over the internet.







          share|improve this answer











          $endgroup$












          • $begingroup$
            1.) I'll truncate the nonce size appropriately. I was aware of this need. 2.) I will never approach 2^30 accounts. My limits will be between ~1M - 10M. 3.) I will bear this in mind once I test. I will also hire a consultant for testing. 4.) There is a file encryption service known as BoxCryptor that labels itself a 'Zero Knowledge Provider'. This may be false advertising but my system is similar to theirs. I will be safe not to over-advertise what we offer, though. I'm an entrepreneur without a budget. I admit encryption is difficult but not impossible thanks to this forum.
            $endgroup$
            – user67091
            20 mins ago











          • $begingroup$
            Any advice on how to implement the above within .NET given SIV is not implemented and CTR mode is not available within the System.Security.Cryptography namespace?
            $endgroup$
            – user67091
            19 mins ago















          3












          $begingroup$

          You can safely use HMAC-SHA256 instead of the SIV mode custom PRF to derive the nonce/authentication tag. There's some caveats:



          • HMAC-SHA256 gives a 256-bit output; you'll have to truncate it to the nonce size.


          • HMAC-SHA256 takes in a single bit string, so it can't distinguish the boundary between a header (unencrypted associated data) and payload (encrypted message); the SIV mode custom PRF is defined on a tuple of bit strings. So make sure that if you compute HMAC over more than just a ciphertext, you uniquely encode the tuple of $(a, c)$ as a bit string you pass to HMAC-SHA256.



          • Beware limits on total volume of data for AES-SIV or similar! For example, if your ‘AES-CTR’ takes a 96-bit nonce (as AES-GCM uses), you must limit your total volume of data to well below $2^48$ messages, so that there is no danger of nonce collision. For example, you might limit it to a billion messages, $2^30$.



            AES-SIV internally uses $operatornameAES_k(n) mathbin| operatornameAES_k(n + 1) mathbin| operatornameAES_k(n + 2) mathbin| cdots$ with a 128-bit nonce $n$, instead of what is usually meant by AES-CTR, which is $operatornameAES_k(n mathbin| 0) mathbin| operatornameAES_k(n mathbin| 1) mathbin| operatornameAES_k(n mathbin| 2) mathbin| cdots$ with a (say) 96-bit nonce $n$ and 32-bit block counter like AES-GCM uses. The details don't matter that much as long as you pay close attention to the advertised adversary advantage and data volume limits.



          • Make sure to write known-answer test vectors for the system you think you're implementing, using another tool or another library, so that you can do quick self-tests to confirm interoperability.



          • Avoid the term ‘zero-knowledge’ unless you're actually doing cryptography involving zero-knowledge proofs, which are a specific technical concept involving provers, verifiers, extractors, and simulators. Saying ‘zero-knowledge encryption’ proudly announces that you have more money for a marketing department than for a cryptography engineering department.



            • Even if you encrypt identifiers, there's lots of information to be learned from network structures and databases with ‘anonymized’ (really, pseudonymized) identifiers. So ‘zero-knowledge’ is especially inappropriate here if you're only concealing the labels, not the structure of the database.


            • In this scenario, I would advise you to either (a) persuade your management to invest more money in cryptography engineering including hiring competent implementors and auditors, or (b) start polishing your CV, because this job is doomed. This is not a comment on your value or intelligence as a person! Obviously you're working hard to learn. But it is not confidence-inspiring to hear that your management are tasking someone who has to ask a pseudonymous forum of strangers on the internet for help with cryptographic basics in order to handle private banking information for thousands of clients over the internet.







          share|improve this answer











          $endgroup$












          • $begingroup$
            1.) I'll truncate the nonce size appropriately. I was aware of this need. 2.) I will never approach 2^30 accounts. My limits will be between ~1M - 10M. 3.) I will bear this in mind once I test. I will also hire a consultant for testing. 4.) There is a file encryption service known as BoxCryptor that labels itself a 'Zero Knowledge Provider'. This may be false advertising but my system is similar to theirs. I will be safe not to over-advertise what we offer, though. I'm an entrepreneur without a budget. I admit encryption is difficult but not impossible thanks to this forum.
            $endgroup$
            – user67091
            20 mins ago











          • $begingroup$
            Any advice on how to implement the above within .NET given SIV is not implemented and CTR mode is not available within the System.Security.Cryptography namespace?
            $endgroup$
            – user67091
            19 mins ago













          3












          3








          3





          $begingroup$

          You can safely use HMAC-SHA256 instead of the SIV mode custom PRF to derive the nonce/authentication tag. There's some caveats:



          • HMAC-SHA256 gives a 256-bit output; you'll have to truncate it to the nonce size.


          • HMAC-SHA256 takes in a single bit string, so it can't distinguish the boundary between a header (unencrypted associated data) and payload (encrypted message); the SIV mode custom PRF is defined on a tuple of bit strings. So make sure that if you compute HMAC over more than just a ciphertext, you uniquely encode the tuple of $(a, c)$ as a bit string you pass to HMAC-SHA256.



          • Beware limits on total volume of data for AES-SIV or similar! For example, if your ‘AES-CTR’ takes a 96-bit nonce (as AES-GCM uses), you must limit your total volume of data to well below $2^48$ messages, so that there is no danger of nonce collision. For example, you might limit it to a billion messages, $2^30$.



            AES-SIV internally uses $operatornameAES_k(n) mathbin| operatornameAES_k(n + 1) mathbin| operatornameAES_k(n + 2) mathbin| cdots$ with a 128-bit nonce $n$, instead of what is usually meant by AES-CTR, which is $operatornameAES_k(n mathbin| 0) mathbin| operatornameAES_k(n mathbin| 1) mathbin| operatornameAES_k(n mathbin| 2) mathbin| cdots$ with a (say) 96-bit nonce $n$ and 32-bit block counter like AES-GCM uses. The details don't matter that much as long as you pay close attention to the advertised adversary advantage and data volume limits.



          • Make sure to write known-answer test vectors for the system you think you're implementing, using another tool or another library, so that you can do quick self-tests to confirm interoperability.



          • Avoid the term ‘zero-knowledge’ unless you're actually doing cryptography involving zero-knowledge proofs, which are a specific technical concept involving provers, verifiers, extractors, and simulators. Saying ‘zero-knowledge encryption’ proudly announces that you have more money for a marketing department than for a cryptography engineering department.



            • Even if you encrypt identifiers, there's lots of information to be learned from network structures and databases with ‘anonymized’ (really, pseudonymized) identifiers. So ‘zero-knowledge’ is especially inappropriate here if you're only concealing the labels, not the structure of the database.


            • In this scenario, I would advise you to either (a) persuade your management to invest more money in cryptography engineering including hiring competent implementors and auditors, or (b) start polishing your CV, because this job is doomed. This is not a comment on your value or intelligence as a person! Obviously you're working hard to learn. But it is not confidence-inspiring to hear that your management are tasking someone who has to ask a pseudonymous forum of strangers on the internet for help with cryptographic basics in order to handle private banking information for thousands of clients over the internet.







          share|improve this answer











          $endgroup$



          You can safely use HMAC-SHA256 instead of the SIV mode custom PRF to derive the nonce/authentication tag. There's some caveats:



          • HMAC-SHA256 gives a 256-bit output; you'll have to truncate it to the nonce size.


          • HMAC-SHA256 takes in a single bit string, so it can't distinguish the boundary between a header (unencrypted associated data) and payload (encrypted message); the SIV mode custom PRF is defined on a tuple of bit strings. So make sure that if you compute HMAC over more than just a ciphertext, you uniquely encode the tuple of $(a, c)$ as a bit string you pass to HMAC-SHA256.



          • Beware limits on total volume of data for AES-SIV or similar! For example, if your ‘AES-CTR’ takes a 96-bit nonce (as AES-GCM uses), you must limit your total volume of data to well below $2^48$ messages, so that there is no danger of nonce collision. For example, you might limit it to a billion messages, $2^30$.



            AES-SIV internally uses $operatornameAES_k(n) mathbin| operatornameAES_k(n + 1) mathbin| operatornameAES_k(n + 2) mathbin| cdots$ with a 128-bit nonce $n$, instead of what is usually meant by AES-CTR, which is $operatornameAES_k(n mathbin| 0) mathbin| operatornameAES_k(n mathbin| 1) mathbin| operatornameAES_k(n mathbin| 2) mathbin| cdots$ with a (say) 96-bit nonce $n$ and 32-bit block counter like AES-GCM uses. The details don't matter that much as long as you pay close attention to the advertised adversary advantage and data volume limits.



          • Make sure to write known-answer test vectors for the system you think you're implementing, using another tool or another library, so that you can do quick self-tests to confirm interoperability.



          • Avoid the term ‘zero-knowledge’ unless you're actually doing cryptography involving zero-knowledge proofs, which are a specific technical concept involving provers, verifiers, extractors, and simulators. Saying ‘zero-knowledge encryption’ proudly announces that you have more money for a marketing department than for a cryptography engineering department.



            • Even if you encrypt identifiers, there's lots of information to be learned from network structures and databases with ‘anonymized’ (really, pseudonymized) identifiers. So ‘zero-knowledge’ is especially inappropriate here if you're only concealing the labels, not the structure of the database.


            • In this scenario, I would advise you to either (a) persuade your management to invest more money in cryptography engineering including hiring competent implementors and auditors, or (b) start polishing your CV, because this job is doomed. This is not a comment on your value or intelligence as a person! Obviously you're working hard to learn. But it is not confidence-inspiring to hear that your management are tasking someone who has to ask a pseudonymous forum of strangers on the internet for help with cryptographic basics in order to handle private banking information for thousands of clients over the internet.








          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited 2 hours ago

























          answered 2 hours ago









          Squeamish OssifrageSqueamish Ossifrage

          21.8k132100




          21.8k132100











          • $begingroup$
            1.) I'll truncate the nonce size appropriately. I was aware of this need. 2.) I will never approach 2^30 accounts. My limits will be between ~1M - 10M. 3.) I will bear this in mind once I test. I will also hire a consultant for testing. 4.) There is a file encryption service known as BoxCryptor that labels itself a 'Zero Knowledge Provider'. This may be false advertising but my system is similar to theirs. I will be safe not to over-advertise what we offer, though. I'm an entrepreneur without a budget. I admit encryption is difficult but not impossible thanks to this forum.
            $endgroup$
            – user67091
            20 mins ago











          • $begingroup$
            Any advice on how to implement the above within .NET given SIV is not implemented and CTR mode is not available within the System.Security.Cryptography namespace?
            $endgroup$
            – user67091
            19 mins ago
















          • $begingroup$
            1.) I'll truncate the nonce size appropriately. I was aware of this need. 2.) I will never approach 2^30 accounts. My limits will be between ~1M - 10M. 3.) I will bear this in mind once I test. I will also hire a consultant for testing. 4.) There is a file encryption service known as BoxCryptor that labels itself a 'Zero Knowledge Provider'. This may be false advertising but my system is similar to theirs. I will be safe not to over-advertise what we offer, though. I'm an entrepreneur without a budget. I admit encryption is difficult but not impossible thanks to this forum.
            $endgroup$
            – user67091
            20 mins ago











          • $begingroup$
            Any advice on how to implement the above within .NET given SIV is not implemented and CTR mode is not available within the System.Security.Cryptography namespace?
            $endgroup$
            – user67091
            19 mins ago















          $begingroup$
          1.) I'll truncate the nonce size appropriately. I was aware of this need. 2.) I will never approach 2^30 accounts. My limits will be between ~1M - 10M. 3.) I will bear this in mind once I test. I will also hire a consultant for testing. 4.) There is a file encryption service known as BoxCryptor that labels itself a 'Zero Knowledge Provider'. This may be false advertising but my system is similar to theirs. I will be safe not to over-advertise what we offer, though. I'm an entrepreneur without a budget. I admit encryption is difficult but not impossible thanks to this forum.
          $endgroup$
          – user67091
          20 mins ago





          $begingroup$
          1.) I'll truncate the nonce size appropriately. I was aware of this need. 2.) I will never approach 2^30 accounts. My limits will be between ~1M - 10M. 3.) I will bear this in mind once I test. I will also hire a consultant for testing. 4.) There is a file encryption service known as BoxCryptor that labels itself a 'Zero Knowledge Provider'. This may be false advertising but my system is similar to theirs. I will be safe not to over-advertise what we offer, though. I'm an entrepreneur without a budget. I admit encryption is difficult but not impossible thanks to this forum.
          $endgroup$
          – user67091
          20 mins ago













          $begingroup$
          Any advice on how to implement the above within .NET given SIV is not implemented and CTR mode is not available within the System.Security.Cryptography namespace?
          $endgroup$
          – user67091
          19 mins ago




          $begingroup$
          Any advice on how to implement the above within .NET given SIV is not implemented and CTR mode is not available within the System.Security.Cryptography namespace?
          $endgroup$
          – user67091
          19 mins ago










          user67091 is a new contributor. Be nice, and check out our Code of Conduct.









          draft saved

          draft discarded


















          user67091 is a new contributor. Be nice, and check out our Code of Conduct.












          user67091 is a new contributor. Be nice, and check out our Code of Conduct.











          user67091 is a new contributor. Be nice, and check out our Code of Conduct.














          Thanks for contributing an answer to Cryptography Stack Exchange!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid


          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.

          Use MathJax to format equations. MathJax reference.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f68443%2fhow-to-implement-deterministic-encryption-safely-in-net%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          Oświęcim Innehåll Historia | Källor | Externa länkar | Navigeringsmeny50°2′18″N 19°13′17″Ö / 50.03833°N 19.22139°Ö / 50.03833; 19.2213950°2′18″N 19°13′17″Ö / 50.03833°N 19.22139°Ö / 50.03833; 19.221393089658Nordisk familjebok, AuschwitzInsidan tro och existensJewish Community i OświęcimAuschwitz Jewish Center: MuseumAuschwitz Jewish Center

          Valle di Casies Indice Geografia fisica | Origini del nome | Storia | Società | Amministrazione | Sport | Note | Bibliografia | Voci correlate | Altri progetti | Collegamenti esterni | Menu di navigazione46°46′N 12°11′E / 46.766667°N 12.183333°E46.766667; 12.183333 (Valle di Casies)46°46′N 12°11′E / 46.766667°N 12.183333°E46.766667; 12.183333 (Valle di Casies)Sito istituzionaleAstat Censimento della popolazione 2011 - Determinazione della consistenza dei tre gruppi linguistici della Provincia Autonoma di Bolzano-Alto Adige - giugno 2012Numeri e fattiValle di CasiesDato IstatTabella dei gradi/giorno dei Comuni italiani raggruppati per Regione e Provincia26 agosto 1993, n. 412Heraldry of the World: GsiesStatistiche I.StatValCasies.comWikimedia CommonsWikimedia CommonsValle di CasiesSito ufficialeValle di CasiesMM14870458910042978-6

          Typsetting diagram chases (with TikZ?) Announcing the arrival of Valued Associate #679: Cesar Manara Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern)How to define the default vertical distance between nodes?Draw edge on arcNumerical conditional within tikz keys?TikZ: Drawing an arc from an intersection to an intersectionDrawing rectilinear curves in Tikz, aka an Etch-a-Sketch drawingLine up nested tikz enviroments or how to get rid of themHow to place nodes in an absolute coordinate system in tikzCommutative diagram with curve connecting between nodesTikz with standalone: pinning tikz coordinates to page cmDrawing a Decision Diagram with Tikz and layout manager