Paper 2025/758
Blockcipher-Based Key Commitment for Nonce-Derived Schemes
Abstract
AES-GCM has been the status quo for efficient symmetric encryption for decades. As technology and cryptographic applications evolved over time, AES-GCM has posed some challenges to certain use-cases due to its default 96-bit nonce size, 128-bit block size, and lack of key commitment. Nonce-derived schemes are one way of addressing these challenges: such schemes derive multiple keys from nonce values, then apply standard AES-GCM with the derived keys (and possibly another 96-bit nonce). The approach overcomes the nonce length and data limit issues since each derived key is only used to encrypt a few messages. By itself, however, the use of nonce-derived keys does not address key commitment. Some schemes chose to include a built-in key commitment mechanism, while others left it out of scope. In this work, we explore efficient key commitment methods that can be added to any nonce-derived scheme in a black-box manner. Our focus is on options that use the underlying block cipher and no other primitive, are efficient, and only use standard primitives which are FIPS-approved. For concreteness we focus here specifically on adding key commitment to XAES-256-GCM, a nonce-derived scheme originally proposed by Filippo Valsorda, but these methods can be adapted to any other nonce-derived scheme. We propose an efficient CMAC-based key commitment solution, and prove its security in the ideal-cipher model. We argue that adding this solution yields a FIPS-compliant mode, quantify the data and message length limits of this mode and compare this combination to other nonce-derived modes. We also benchmark the performance of our key-committing XAES-256-GCM.
Metadata
- Available format(s)
- PDF
- Category
- Foundations
- Publication info
- Preprint.
- Keywords
- XAES, KC-XAES, Key Committing AEAD, CMAC based key commitment
- Contact author(s)
- kpanos @ amazon com
- shaihal @ amazon com
- nebeid @ amazon com
- campagna @ amazon com
- History
- 2025-04-30: approved
- 2025-04-28: received
- Short URL
- https://ia.cr/2025/758
- License
- CC BY
BibTeX
@misc{cryptoeprint:2025/758,
  author = {Panos Kampanakis and Shai Halevi and Nevine Ebeid and Matt Campagna},
  title = {Blockcipher-Based Key Commitment for Nonce-Derived Schemes},
  howpublished = {Cryptology {ePrint} Archive, Paper 2025/758},
  year = {2025},
  url = {https://eprint.iacr.org/2025/758}
}