Paper 2025/758

Blockcipher-Based Key Commitment for Nonce-Derived Schemes

Panos Kampanakis, Amazon Web Services
Shai Halevi, Amazon Web Services
Nevine Ebeid, Amazon Web Services
Matt Campagna, Amazon Web Services
Abstract

AES-GCM has been the status quo for efficient symmetric encryption for decades. As technology and cryptographic applications evolved over time, AES-GCM has posed some challenges to certain use-cases due to its default 96-bit nonce size, 128-bit block size, and lack of key commitment. Nonce-derived schemes are one way of addressing these challenges: such schemes derive multiple keys from nonce values, then apply standard AES-GCM with the derived keys (and possibly another 96-bit nonce). The approach overcomes the nonce length and data limit issues since each derived key is only used to encrypt a few messages. By itself, the use of nonce-derived keys does not address key commitment, however. Some schemes chose to include a built-in key commitment mechanism, while others left it out of scope. In this work, we explore efficient key commitment methods that can be added to any nonce-derived scheme in a black-box manner. Our focus is on options that use the underlying block cipher and no other primitive, are efficient, and only use standard primitives which are FIPS-approved. For concreteness we focus here specifically on adding key commitment to XAES-256-GCM, a nonce-derived scheme originally proposed by Filippo Valsorda, but these methods can be adapted to any other nonce-derived scheme. We propose an efficient CMAC-based key commitment solution, and prove its security in the ideal-cipher model. We argue that adding this solution yields a FIPS-compliant mode, quantify the data and message length limits of this mode and compare this combination to other nonce-derived modes. We also benchmark the performance of our key-committing XAES-256-GCM.

Metadata

Available format(s): PDF
Category: Foundations
Publication info: Preprint.
Keywords: XAES, KC-XAES, Key Committing AEAD, CMAC based key commitment
Contact author(s): kpanos @ amazon com, shaihal @ amazon com, nebeid @ amazon com, campagna @ amazon com
History: 2025-04-28: received; 2025-04-30: approved
Short URL: https://ia.cr/2025/758
License: Creative Commons Attribution (CC BY)

BibTeX

@misc{cryptoeprint:2025/758,
  author = {Panos Kampanakis and Shai Halevi and Nevine Ebeid and Matt Campagna},
  title = {Blockcipher-Based Key Commitment for Nonce-Derived Schemes},
  howpublished = {Cryptology {ePrint} Archive, Paper 2025/758},
  year = {2025},
  url = {https://eprint.iacr.org/2025/758}
}