
KIVR: Context-Committing Authenticated Encryption Using Plaintext Redundancy and Application to GCM and Variants

October 4, 2023


Yusuke Naito - Mitsubishi Electric Corporation


Committing security of authenticated encryption (AE) is an emerging area of research motivated by real-world attacks. In particular, constructing AEs satisfying CMT-4, a security notion considering an adversary who generates multiple inputs for encryption that result in the same ciphertext, is an ongoing research challenge. In this paper, we propose a new mode KIVR, which transforms existing AEs to have CMT-4 security without increasing the ciphertext size by exploiting plaintext redundancy found in practical use cases. KIVR uses a collision-resistant hash to convert a tuple of key, nonce, and associated data into a temporary key, an initial value (or nonce), and a masking value applied to redundant data used by an underlying AE. Unlike the conventional HtE and CTX conversions limited by the birthday bounds of the key and tag sizes, the security of KIVR linearly increases with the number of redundant bits \(r\) and can achieve the beyond-birthday-bound (BBB) security. Combined with GCM, KIVR’s security becomes \(r \over 2\) bits. In practical use cases with a sufficiently large \(r\), KIVR salvages GCM for BBB security while preserving the ciphertext size and respecting GCM’s interface. Furthermore, if we can use modified AEs, KIVR combined with CAU-SIV-C1 (a variant of GCM-SIV for committing security) achieves \(r \over 2\) + 64 bits, enabling higher security with fewer redundant bits.

Presented at

The Third NIST Workshop on Block Cipher Modes of Operation

Event Details


    National Cybersecurity Center of Excellence (NCCoE)
    9700 Great Seneca Highway
    Rockville, MD 20850

Related Topics

Security and Privacy: encryption

Created October 04, 2023, Updated October 05, 2023