Paper 2024/875

Succinctly-Committing Authenticated Encryption

Mihir Bellare, University of California, San Diego
Viet Tung Hoang, Florida State University
Abstract

Recent attacks and applications have led to the need for symmetric encryption schemes that, in addition to providing the usual authenticity and privacy, are also committing. In response, many committing authenticated encryption schemes have been proposed. However, all known schemes, in order to provide s bits of committing security, suffer an expansion---this is the length of the ciphertext minus the length of the plaintext---of 2s bits. This incurs a cost in bandwidth or storage. (We typically want s=128, leading to 256-bit expansion.) However, it has been considered unavoidable due to birthday attacks. We show how to bypass this limitation. We give authenticated encryption (AE) schemes that provide s bits of committing security, yet suffer expansion only around s as long as messages are long enough, namely more than s bits. We call such schemes succinct. We do this via a generic, ciphertext-shortening transform called SC: given an AE scheme with 2s-bit expansion, SC returns an AE scheme with s-bit expansion while preserving committing security. SC is very efficient; an AES-based instantiation has overhead just two AES calls. As a tool, SC uses a collision-resistant invertible PRF called HtM, that we design, and whose analysis is technically difficult. To add the committing security that SC assumes to a base scheme, we also give a transform CTY that improves Chan and Rogaway's CTX. Our results hold in a general framework for authenticated encryption, called AE3, that includes both AE1 (also called AEAD) and AE2 (also called nonce-hiding AE) as special cases, so that we in particular obtain succinctly-committing AE schemes for both these settings.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
A major revision of an IACR publication in CRYPTO 2024
Keywords
committing securityauthenticated encryption
Contact author(s)
mbellare @ ucsd edu
tvhoang @ cs fsu edu
History
2024-07-24: revised
2024-06-01: received
See all versions
Short URL
https://ia.cr/2024/875
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/875,
      author = {Mihir Bellare and Viet Tung Hoang},
      title = {Succinctly-Committing Authenticated Encryption},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/875},
      year = {2024},
      url = {https://eprint.iacr.org/2024/875}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.