|Classes of Scott Arciszewski||>||Cipher Sweet||>||docs/internals/01-key-hierarchy.md||>||Download|
Key Hierarchy in CipherSweet
CipherSweet uses a series of key expansion/splitting techniques to turn
a single key (which is handled by the
At a super high-level, the picture looks like this:
The constants C1 and C2 were chosen to have a Hamming distance of 32*4 = 128b between them, and are used to achieve domain separation for secure key splitting.
Why were 0xB4 and 0x7E selected?
The primary purpose of these two byte values was to achieve a simple property called domain separation, which helps side-step accidental misuse of cryptographic secrets.
As long as two distinct constants were used, this property is achieved.
However, consider that the security proof for HMAC made it clear that a high Hamming distance between the padding values was desirable.
Indeed, a 2012 paper on generic related-key attacks for HMAC demonstrated that poor choice in padding constants could make their attacks significantly more powerful.
This led us to choose padding constants with a high Hamming distance per byte (4, as per HMAC), but distinct from the HMAC padding constants.