Paper 2023/1525

Committing AE from Sponges: Security Analysis of the NIST LWC Finalists

Juliane Krämer, University of Regensburg
Patrick Struck, University of Konstanz
Maximiliane Weishäupl, University of Regensburg

Committing security has gained considerable attention in the field of authenticated encryption (AE). This can be traced back to a line of recent attacks, which entail that AE schemes used in practice should not only provide confidentiality and authenticity, but also committing security. Roughly speaking, a committing AE scheme guarantees that ciphertexts will decrypt only for one key. Despite the recent research effort in this area, the finalists of the NIST lightweight cryptography standardization process have not been put under consideration yet. We close this gap by providing an analysis of these schemes with respect to their committing security. Despite the structural similarities the finalists exhibit, our results are of a quite heterogeneous nature: We break four of the schemes with effectively no costs, while for two schemes our attacks are costlier, yet still efficient. For the remaining three schemes ISAP, Ascon, and (a slightly modified version of) Schwaemm, we give formal security proofs. Our analysis reveals that sponges—due to their large states—are more favorable for committing security compared to block-ciphers.

Available format(s)
Secret-key cryptography
Publication info
Committing securityAuthenticated encryptionNIST LWC
Contact author(s)
juliane kraemer @ ur de
patrick struck @ uni-konstanz de
maximiliane weishaeupl @ ur de
2024-02-23: revised
2023-10-06: received
See all versions
Short URL
Creative Commons Attribution


      author = {Juliane Krämer and Patrick Struck and Maximiliane Weishäupl},
      title = {Committing AE from Sponges: Security Analysis of the NIST LWC Finalists},
      howpublished = {Cryptology ePrint Archive, Paper 2023/1525},
      year = {2023},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.