[Resource Topic] 2003/050: Concealment and its Applications to Authenticated Encryption

Welcome to the resource topic for 2003/050

Concealment and its Applications to Authenticated Encryption

Authors: Yevgeniy Dodis, Jee Hea An


We introduce a new cryptographic primitive we call concealment,
which is related, but quite different from the notion of commitment.
A concealment is a publicly known randomized transformation, which,
on input m, outputs a hider h and a binder b. Together, h and b
allow one to recover m, but separately, (1) the hider h reveals
“no information” about m, while (2) the binder b can be
“meaningfully opened” by at most one hider h. While setting
b=m, h=empty is a trivial concealment, the challenge is to make
|b|<<|m|, which we call a “non-trivial” concealment. We show that
non-trivial concealments are equivalent to the existence of
collision-resistant hash functions. Moreover, our construction of
concealments is extremely simple, optimal, and yet very general,
giving rise to a multitude of efficient implementations.

We show that concealments have natural and important applications in
the area of authenticated encryption. Specifically, let AE be an
authenticated encryption scheme (either public- or symmetric-key)
designed to work on short messages. We show that concealments are
exactly the right abstraction allowing one to use AE for
encrypting long messages. Namely, to encrypt long m, one uses a
concealment scheme to get h and b, and outputs authenticated
ciphertext (AE(b),h). More surprisingly, the above paradigm leads
to a very simple and general solution to the problem of
remotely keyed (authenticated) encryption (RKAE).
In this problem, one wishes to split the task of high-bandwidth
authenticated encryption between a secure, but
low-bandwidth/computationally limited device, and an insecure, but
computationally powerful host. We give formal definitions for RKAE,
which we believe are simpler and more natural than all the previous
definitions. We then show that our composition paradigm satisfies
our (very strong) definition. Namely, for authenticated encryption,
the host simply sends a short value b to the device (which stores
the actual secret key for AE), gets back AE(b), and outputs (AE(b),h)
(authenticated decryption is similar). Finally, we also observe that
several previous RKAE proposals are all special examples of our
general paradigm.

ePrint: https://eprint.iacr.org/2003/050

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .