Paper 2022/1260

On Committing Authenticated Encryption

John Chan, University of California, Davis
Phillip Rogaway, University of California, Davis
Abstract

We provide a strong definition for committing authenticated-encryption (cAE), as well as a framework that encompasses earlier and weaker definitions. The framework attends not only to what is committed but also the extent to which the adversary knows or controls keys. We slot into our framework strengthened cAE-attacks on GCM and OCB. Our main result is a simple and efficient construction, CTX, that makes a nonce-based AE (nAE) scheme committing. The transformed scheme achieves the strongest security notion in our framework. Just the same, the added computational cost (on top of the nAE scheme's cost) is a single hash over a short string, a cost independent of the plaintext's length. And there is no increase in ciphertext length compared to the base nAE scheme. That such a thing is possible, let alone easy, upends the (incorrect) intuition that you can't commit to a plaintext or ciphertext without hashing one or the other. And it motivates a simple and practical tweak to AE-schemes to make them committing.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Published elsewhere. ESORICS 2022
Keywords
AEAD authenticated encryption committing encryption key-robustness
Contact author(s)
jmachan @ ucdavis edu
rogaway @ cs ucdavis edu
History
2022-09-26: approved
2022-09-22: received
See all versions
Short URL
https://ia.cr/2022/1260
License
Creative Commons Attribution-NonCommercial
CC BY-NC

BibTeX 

@misc{cryptoeprint:2022/1260,
      author = {John Chan and Phillip Rogaway},
      title = {On Committing Authenticated Encryption},
      howpublished = {Cryptology {ePrint} Archive, Paper 2022/1260},
      year = {2022},
      url = {https://eprint.iacr.org/2022/1260}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.