Paper 2023/1525
Committing AE from Sponges: Security Analysis of the NIST LWC Finalists
Abstract
Committing security has gained considerable attention in the field of authenticated encryption (AE). This can be traced back to a line of recent attacks, which entail that AE schemes used in practice should not only provide confidentiality and authenticity, but also committing security. Roughly speaking, a committing AE scheme guarantees that ciphertexts will decrypt only for one key. Despite the recent research effort in this area, the finalists of the NIST lightweight cryptography standardization process have not been put under consideration yet. We close this gap by providing an analysis of these schemes with respect to their committing security. Despite the structural similarities the finalists exhibit, our results are of a quite heterogeneous nature: We break four of the schemes with effectively no costs, while for two schemes our attacks are costlier, yet still efficient. For the remaining three schemes ISAP, Ascon, and (a slightly modified version of) Schwaemm, we give formal security proofs. Our analysis reveals that sponges—due to their large states—are more favorable for committing security compared to block-ciphers.
Metadata
- Available format(s)
-
PDF
- Category
- Secret-key cryptography
- Publication info
- Preprint.
- Keywords
- Committing securityAuthenticated encryptionNIST LWC
- Contact author(s)
-
juliane kraemer @ ur de
patrick struck @ uni-konstanz de
maximiliane weishaeupl @ ur de - History
- 2024-02-23: revised
- 2023-10-06: received
- See all versions
- Short URL
- https://ia.cr/2023/1525
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2023/1525,
author = {Juliane Krämer and Patrick Struck and Maximiliane Weishäupl},
title = {Committing AE from Sponges: Security Analysis of the NIST LWC Finalists},
howpublished = {Cryptology ePrint Archive, Paper 2023/1525},
year = {2023},
note = {\url{https://eprint.iacr.org/2023/1525}},
url = {https://eprint.iacr.org/2023/1525}
}
