Paper 2022/1260
On Committing Authenticated Encryption
Abstract
We provide a strong definition for committing authenticated-encryption (cAE), as well as a framework that encompasses earlier and weaker definitions. The framework attends not only to what is committed but also the extent to which the adversary knows or controls keys. We slot into our framework strengthened cAE-attacks on GCM and OCB. Our main result is a simple and efficient construction, CTX, that makes a nonce-based AE (nAE) scheme committing. The transformed scheme achieves the strongest security notion in our framework. Just the same, the added computational cost (on top of the nAE scheme's cost) is a single hash over a short string, a cost independent of the plaintext's length. And there is no increase in ciphertext length compared to the base nAE scheme. That such a thing is possible, let alone easy, upends the (incorrect) intuition that you can't commit to a plaintext or ciphertext without hashing one or the other. And it motivates a simple and practical tweak to AE-schemes to make them committing.
Metadata
- Available format(s)
-
PDF
- Category
- Secret-key cryptography
- Publication info
- Published elsewhere. ESORICS 2022
- Keywords
- AEAD authenticated encryption committing encryption key-robustness
- Contact author(s)
-
jmachan @ ucdavis edu
rogaway @ cs ucdavis edu - History
- 2022-09-26: approved
- 2022-09-22: received
- See all versions
- Short URL
- https://ia.cr/2022/1260
- License
-
CC BY-NC
BibTeX
@misc{cryptoeprint:2022/1260,
author = {John Chan and Phillip Rogaway},
title = {On Committing Authenticated Encryption},
howpublished = {Cryptology ePrint Archive, Paper 2022/1260},
year = {2022},
note = {\url{https://eprint.iacr.org/2022/1260}},
url = {https://eprint.iacr.org/2022/1260}
}
