Welcome to the resource topic for 2025/320
Title:
Committing Authenticated Encryption: Generic Transforms with Hash Functions
Authors: Shan Chen, Vukašin Karadžić
Abstract:Recent applications and attacks have highlighted the need for authenticated encryption (AE) schemes to achieve the so-called committing security beyond privacy and authenticity. As a result, several generic solutions have been proposed to transform a non-committing AE scheme to a committing one, for both basic unique-nonce security and advanced misuse-resistant (MR) security. We observe that all existing practical generic transforms are subject to at least one of the following limitations: (i) not committing to the entire encryption context, (ii) involving non-standard primitives, (iii) not being a black-box transform, (iv) providing limited committing security. Furthermore, so far, there has been no generic transform that can directly elevate a basic AE scheme to a committing AE scheme that offers MR security. Our work fills these gaps by developing black-box generic transforms that crucially rely on hash functions, which are well standardized and widely deployed.
First, we construct three basic transforms that combine AE with a single hash function, which we call \mathsf{HtAE}, \mathsf{AEaH} and \mathsf{EtH}. They all guarantee strong security, and \mathsf{EtH} can be applied to both AE and basic privacy-only encryption schemes. Next, for MR security, we propose two advanced hash-based transforms that we call \mathsf{AEtH} and \mathsf{chaSIV}. \mathsf{AEtH} is an MRAE-preserving transform that adds committing security to an MR-secure AE scheme. \mathsf{chaSIV} is the first generic transform that can directly elevate basic AE to one with both committing and MR security; moreover, \mathsf{chaSIV} also works with arbitrary privacy-only encryption schemes. Both of them feature a simple design and ensure strong security.
For performance evaluation, we compare our transforms to similar existing ones, both in theory and through practical implementations. The results show that our \mathsf{AEaH} achieves the highest practical efficiency among basic transforms, while \mathsf{AEtH} excels in MRAE-preserving transforms. Our MRAE-lifting transform \mathsf{chaSIV} demonstrates comparable performance to MRAE-preserving ones and surpasses them for messages larger than approximately 360 bytes; for longer messages, it even outperforms the benchmark, non-committing standardized \mathsf{AES}\text{-}\mathsf{GCM}\text{-}\mathsf{SIV}.
ePrint: https://eprint.iacr.org/2025/320
See all topics related to this paper.
Feel free to post resources that are related to this paper below.
Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.
For more information, see the rules for Resource Topics .