Paper 2024/1542

Robust AE With Committing Security

Viet Tung Hoang, Florida State University
Sanketh Menda, Cornell Tech
Abstract

There has been recent interest in developing and standardizing Robust Authenticated Encryption (Robust AE) schemes. NIST, for example, is considering an Accordion mode (a wideblock tweakable blockcipher), with Robust AE as a primary application. On the other hand, recent attacks and applications suggest that encryption needs to be committing. Indeed, committing security is also a design consideration in the Accordion mode. Yet it is unclear how to build a Robust AE with committing security. In this work, we give a modular solution for this problem. We first show how to transform any wideblock tweakable blockcipher TE into a Robust AE scheme SE that commits just the key. The overhead is small: just a few finite-field multiplications and blockcipher calls. If one wants to commit the entire encryption context, one can simply hash the context to derive a 256-bit subkey and use SE on that subkey. The use of a 256-bit key on SE only means that it has to rely on AES-256; it doesn't require TE to have a 256-bit key. Our approach frees the Accordion designs from consideration of committing security. Moreover, it gives a big saving for several key-committing applications that don't want to pay the inherent hashing cost of full committing.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
A minor revision of an IACR publication in ASIACRYPT 2024
Keywords
Robust authenticated encryption
committing security
Contact author(s)
tvhoang @ cs fsu edu
sm2289 @ cornell edu
History
2024-10-04: approved
2024-10-02: received
Short URL
https://ia.cr/2024/1542
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/1542,
      author = {Viet Tung Hoang and Sanketh Menda},
      title = {Robust {AE} With Committing Security},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1542},
      year = {2024},
      url = {https://eprint.iacr.org/2024/1542}
}