October 3, 2023
Viet Tung Hoang - Florida State University
Authenticated encryption (AE) currently aims to provide privacy and authenticity of the communicated data. Recent attacks and applications [3, 4, 8, 15, 16, 21] motivate an additional security attribute, namely to be committing. This means a ciphertext should be a commitment to the key, and beyond that, possibly to all the inputs to the encryption algorithm. In the proposed talk, we will start by surveying the landscape of committing AE, listing available schemes and comparing then along a set of metrics involving both security and cost. We will see that committing security can be achieved quite cheaply if one is content with 64-bit security, but we will argue that, due to offline attacks, standards should target 128- bit security. But current schemes for this all pay in increased ciphertext size compared to the underlying (non-committing) AE scheme. We present a new, general, and arguably surprising technique that succeeds in eliminating this overhead, providing 128 bits of committing security, with no increase in ciphertext size compared to the underlying AE scheme. We report on implementation-based performance assessments that show that our new schemes compare well in computation time to alternatives.
The Third NIST Workshop on Block Cipher Modes of Operation