Paper 2022/1680
Authenticated Encryption with Key Identification
, Cornell TechAbstract
Authenticated encryption with associated data (AEAD) forms the core of much of symmetric cryptography, yet the standard techniques for modeling AEAD assume recipients have no ambiguity about what secret key to use for decryption. This is divorced from what occurs in practice, such as in key management services, where a message recipient can store numerous keys and must identify the correct key before decrypting. To date there has been no formal investigation of their security properties or efficacy, and the ad hoc solutions for identifying the intended key deployed in practice can be inefficient and, in some cases, vulnerable to practical attacks. We provide the first formalization of nonce-based AEAD that supports key identification (AEAD-KI). Decryption now takes in a vector of secret keys and a ciphertext and must both identify the correct secret key and decrypt the ciphertext. We provide new formal security definitions, including new key robustness definitions and indistinguishability security notions. Finally, we show several different approaches for AEAD-KI and prove their security.
Metadata
- Available format(s)
-
PDF
- Category
- Secret-key cryptography
- Publication info
- A major revision of an IACR publication in ASIACRYPT 2022
- Keywords
- key identification authenticated encryption key commitment key robustness
- Contact author(s)
-
jlen @ cs cornell edu
paulgrub @ umich edu
ristenpart @ cornell edu - History
- 2022-12-03: approved
- 2022-12-02: received
- See all versions
- Short URL
- https://ia.cr/2022/1680
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2022/1680,
author = {Julia Len and Paul Grubbs and Thomas Ristenpart},
title = {Authenticated Encryption with Key Identification},
howpublished = {Cryptology ePrint Archive, Paper 2022/1680},
year = {2022},
note = {\url{https://eprint.iacr.org/2022/1680}},
url = {https://eprint.iacr.org/2022/1680}
}
