Paper 2021/1541

Revisiting the Security of COMET Authenticated Encryption Scheme

Shay Gueron, Ashwin Jha, and Mridul Nandi


COMETv1, by Gueron, Jha and Nandi, is a mode of operation for nonce-based authenticated encryption with associated data functionality. It was one of the second round candidates in the ongoing NIST Lightweight Cryptography Standardization Process. In this paper, we study a generalized version of COMETv1, that we call gCOMET, from provable security perspective. First, we present a comprehensive and complete security proof for gCOMET in the ideal cipher model. Second, we view COMET, the underlying mode of operation in COMETv1, as an instantiation of gCOMET, and derive its concrete security bounds. Finally, we propose another instantiation of gCOMET, dubbed COMETv2, and show that this version achieves better security guarantees as well as memory-efficient implementations as compared to COMETv1.

Note: Minor correction in title.

Available format(s)
Secret-key cryptography
Publication info
Published elsewhere. Major revision.Indocrypt 2021
COMETICMprovable securityrekeyinglightweightAEAD
Contact author(s)
shay gueron @ gmail com
ashwin jha @ cispa de
mridul nandi @ gmail com
2021-11-23: revised
2021-11-23: received
See all versions
Short URL
Creative Commons Attribution


      author = {Shay Gueron and Ashwin Jha and Mridul Nandi},
      title = {Revisiting the Security of COMET Authenticated Encryption Scheme},
      howpublished = {Cryptology ePrint Archive, Paper 2021/1541},
      year = {2021},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.