Paper 2022/1260

On Committing Authenticated Encryption

John Chan, University of California, Davis
Phillip Rogaway, University of California, Davis

We provide a strong definition for committing authenticated-encryption (cAE), as well as a framework that encompasses earlier and weaker definitions. The framework attends not only to what is committed but also the extent to which the adversary knows or controls keys. We slot into our framework strengthened cAE-attacks on GCM and OCB. Our main result is a simple and efficient construction, CTX, that makes a nonce-based AE (nAE) scheme committing. The transformed scheme achieves the strongest security notion in our framework. Just the same, the added computational cost (on top of the nAE scheme's cost) is a single hash over a short string, a cost independent of the plaintext's length. And there is no increase in ciphertext length compared to the base nAE scheme. That such a thing is possible, let alone easy, upends the (incorrect) intuition that you can't commit to a plaintext or ciphertext without hashing one or the other. And it motivates a simple and practical tweak to AE-schemes to make them committing.

Available format(s)
Secret-key cryptography
Publication info
Published elsewhere. ESORICS 2022
AEAD authenticated encryption committing encryption key-robustness
Contact author(s)
jmachan @ ucdavis edu
rogaway @ cs ucdavis edu
2022-09-26: approved
2022-09-22: received
See all versions
Short URL
Creative Commons Attribution-NonCommercial


      author = {John Chan and Phillip Rogaway},
      title = {On Committing Authenticated Encryption},
      howpublished = {Cryptology ePrint Archive, Paper 2022/1260},
      year = {2022},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.