International Association for Cryptologic Research

EUROCRYPT 2025

Committing Authenticated Encryption: Generic Transforms with Hash Functions


Shan Chen
Southern University of Science and Technology, Shenzhen, China

Vukašin Karadžić
Technische Universität Darmstadt, Germany


Keywords: Authenticated Encryption, Committing Security, Misuse Resistance, Generic Transform, Hash Function, Random Oracle Model


Abstract

Recent applications and attacks have highlighted the need for authenticated encryption (AE) schemes to achieve so-called committing security beyond privacy and authenticity. As a result, several generic solutions have been proposed to transform a non-committing AE scheme into a committing one, for both basic unique-nonce security and advanced misuse-resistant (MR) security. We observe that all existing practical generic transforms are subject to at least one of the following limitations: (i) not committing to the entire encryption context, (ii) involving non-standard primitives, (iii) not being a black-box transform, (iv) providing limited committing security. Furthermore, so far, there has been no generic transform that can directly elevate a basic AE scheme to a committing AE scheme that offers MR security. Our work fills these gaps by developing black-box generic transforms that crucially rely on hash functions, which are well standardized and widely deployed.

First, we construct three basic transforms that combine AE with a single hash function, which we call HtAE, AEaH and EtH. They all guarantee strong security, and EtH can be applied to both AE and basic privacy-only encryption schemes. Next, for MR security, we propose two advanced hash-based transforms that we call AEtH and chaSIV. AEtH is an MRAE-preserving transform that adds committing security to an MR-secure AE scheme. chaSIV is the first generic transform that can directly elevate basic AE to one with both committing and MR security; moreover, chaSIV also works with arbitrary privacy-only encryption schemes. Both of them feature a simple design and ensure strong security.

For performance evaluation, we compare our transforms to similar existing ones, both in theory and through practical implementations. The results show that our AEaH achieves the highest practical efficiency among basic transforms, while AEtH excels among MRAE-preserving transforms. Our MRAE-lifting transform chaSIV demonstrates comparable performance to MRAE-preserving ones and surpasses them for messages larger than approximately 360 bytes; for longer messages, it even outperforms the benchmark, non-committing standardized AES-GCM-SIV.

Publication

EUROCRYPT 2025

Artifact

Artifact number
eurocrypt/2025/a6

Artifact published
May 19, 2025

Badge
🏆 IACR EUROCRYPT Results Reproduced

License
This work is licensed under the Creative Commons Attribution 4.0 International License.

Note that license information is supplied by the authors and has not been confirmed by the IACR.


How to cite

Shan Chen, Vukašin Karadžić. (2025). Committing Authenticated Encryption: Generic Transforms with Hash Functions. In Advances in Cryptology -- EUROCRYPT 2025, LNCS vol. 15601, pp. 93–123, Springer. https://doi.org/10.1007/978-3-031-91107-1_4. Artifact at https://artifacts.iacr.org/eurocrypt/2025/a6.