Paper 2025/320

Committing Authenticated Encryption: Generic Transforms with Hash Functions

Shan Chen, Southern University of Science and Technology
Vukašin Karadžić, TU Darmstadt
Abstract

Recent applications and attacks have highlighted the need for authenticated encryption (AE) schemes to achieve the so-called committing security beyond privacy and authenticity. As a result, several generic solutions have been proposed to transform a non-committing AE scheme to a committing one, for both basic unique-nonce security and advanced misuse-resistant (MR) security. We observe that all existing practical generic transforms are subject to at least one of the following limitations: (i) not committing to the entire encryption context, (ii) involving non-standard primitives, (iii) not being a black-box transform, (iv) providing limited committing security. Furthermore, so far, there has been no generic transform that can directly elevate a basic AE scheme to a committing AE scheme that offers MR security. Our work fills these gaps by developing black-box generic transforms that crucially rely on hash functions, which are well standardized and widely deployed. First, we construct three basic transforms that combine AE with a single hash function, which we call $\mathsf{HtAE}, \mathsf{AEaH}$ and $\mathsf{EtH}$. They all guarantee strong security, and $\mathsf{EtH}$ can be applied to both AE and basic privacy-only encryption schemes. Next, for MR security, we propose two advanced hash-based transforms that we call $\mathsf{AEtH}$ and $\mathsf{chaSIV}$. $\mathsf{AEtH}$ is an MRAE-preserving transform that adds committing security to an MR-secure AE scheme. $\mathsf{chaSIV}$ is the first generic transform that can directly elevate basic AE to one with both committing and MR security; moreover, $\mathsf{chaSIV}$ also works with arbitrary privacy-only encryption schemes. Both of them feature a simple design and ensure strong security. For performance evaluation, we compare our transforms to similar existing ones, both in theory and through practical implementations. The results show that our $\mathsf{AEaH}$ achieves the highest practical efficiency among basic transforms, while $\mathsf{AEtH}$ excels in MRAE-preserving transforms. Our MRAE-lifting transform $\mathsf{chaSIV}$ demonstrates comparable performance to MRAE-preserving ones and surpasses them for messages larger than approximately $360$ bytes; for longer messages, it even outperforms the benchmark, non-committing standardized $\mathsf{AES}\text{-}\mathsf{GCM}\text{-}\mathsf{SIV}$.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
A major revision of an IACR publication in EUROCRYPT 2025
Keywords
Authenticated EncryptionCommitting SecurityMisuse ResistanceGeneric TransformHash FunctionRandom Oracle Model
Contact author(s)
dragoncs16 @ gmail com
vukasin karadzic @ tu-darmstadt de
History
2025-02-24: revised
2025-02-21: received
See all versions
Short URL
https://ia.cr/2025/320
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2025/320,
      author = {Shan Chen and Vukašin Karadžić},
      title = {Committing Authenticated Encryption: Generic Transforms with Hash Functions},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/320},
      year = {2025},
      url = {https://eprint.iacr.org/2025/320}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.