Editing Block cipher mode of operation (section)

==== Synthetic initialization vector (SIV) ====

Synthetic initialization vector (SIV) is a nonce-misuse resistant block cipher mode.

SIV synthesizes an internal IV using the pseudorandom function S2V. S2V is a keyed hash based on CMAC, and the input to the function is:
* Additional authenticated data (zero, one or many AAD fields are supported)
* Plaintext
* Authentication key (K{{sub|1}}).

SIV encrypts the S2V output and the plaintext using AES-CTR, keyed with the encryption key (K{{sub|2}}).

SIV can support external nonce-based authenticated encryption, in which case one of the authenticated data fields is utilized for this purpose. RFC5297<ref>{{cite web |last1=Harkins |first1=Dan |title=Synthetic Initialization Vector (SIV) Authenticated Encryption Using the Advanced Encryption Standard (AES) |date=October 2008 |url=https://tools.ietf.org/html/rfc5297 |access-date=21 October 2020}}</ref> specifies that for interoperability purposes the last authenticated data field should be used external nonce.

Owing to the use of two keys, the authentication key K{{sub|1}} and encryption key K{{sub|2}}, naming schemes for SIV AEAD-variants may lead to some confusion; for example AEAD_AES_SIV_CMAC_256 refers to AES-SIV with two AES-128 keys and '''not''' AES-256.