Committing Wide Encryption Mode with Minimum Ciphertext Expansion
We propose a new wide encryption (WE) mode of operation that satisfies robust authenticated encryption (RAE) and committing security with minimum ciphertext expansion. In response to the recent call for proposal by NIST, WE and its tweakable variant, TWE, are attracting much attention in the last f...
Saved in:
| Main Authors: | , , |
|---|---|
| Format: | Article |
| Language: | English |
| Published: |
Ruhr-Universität Bochum
2025-03-01
|
| Series: | IACR Transactions on Symmetric Cryptology |
| Subjects: | |
| Online Access: | https://tosc.iacr.org/index.php/ToSC/article/view/12071 |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| _version_ | 1849762339248668672 |
|---|---|
| author | Yusuke Naito Yu Sasaki Takeshi Takeshi |
| author_facet | Yusuke Naito Yu Sasaki Takeshi Takeshi |
| author_sort | Yusuke Naito |
| collection | DOAJ |
| description |
We propose a new wide encryption (WE) mode of operation that satisfies robust authenticated encryption (RAE) and committing security with minimum ciphertext expansion. In response to the recent call for proposal by NIST, WE and its tweakable variant, TWE, are attracting much attention in the last few years. Combined with the encode-then-encipher (EtE) construction, TWE offers an RAE that provides robustness against wide range of misuses. The list of desired properties for WE-based authenticated encryption in the NIST standardization includes committing security that considers an attacker who generates ciphertexts that can be decrypted with different decryption contexts, but TWE-based EtE does not provide good committing security, and there is a recent constant-time CMT-4 attack (Chen et al., ToSC 2023(4)). Improving CMT-4 security requires considerable ciphertext expansion, and the state-of-the-art scheme expands the ciphertext by srae + 2scmt bits from an original message to achieve srae-bit RAE and scmt-bit CMT-4 security. Our new WE mode, FFF, addresses the issue by achieving srae-bit RAE and scmt-bit CMT-4 security only with max{scmt, srae} bits of ciphertext expansion. Our design is based on the committing concealer proposed by Bellare et al., and its extension to WE (cf. tag-based AE) while satisfying RAE security is the main technical innovation.
|
| format | Article |
| id | doaj-art-af55d8cece654e30950c90d72fe874e6 |
| institution | DOAJ |
| issn | 2519-173X |
| language | English |
| publishDate | 2025-03-01 |
| publisher | Ruhr-Universität Bochum |
| record_format | Article |
| series | IACR Transactions on Symmetric Cryptology |
| spelling | doaj-art-af55d8cece654e30950c90d72fe874e62025-08-20T03:05:45ZengRuhr-Universität BochumIACR Transactions on Symmetric Cryptology2519-173X2025-03-012025110.46586/tosc.v2025.i1.44-69Committing Wide Encryption Mode with Minimum Ciphertext ExpansionYusuke Naito0Yu Sasaki1Takeshi Takeshi2Mitsubishi Electric Corporation, Kanagawa, JapanNTT Social Informatics Laboratories, Tokyo, Japan; National Institute of Standards and Technology (Associate), Gaithersburg, USAThe University of Electro-Communications, Tokyo, Japan We propose a new wide encryption (WE) mode of operation that satisfies robust authenticated encryption (RAE) and committing security with minimum ciphertext expansion. In response to the recent call for proposal by NIST, WE and its tweakable variant, TWE, are attracting much attention in the last few years. Combined with the encode-then-encipher (EtE) construction, TWE offers an RAE that provides robustness against wide range of misuses. The list of desired properties for WE-based authenticated encryption in the NIST standardization includes committing security that considers an attacker who generates ciphertexts that can be decrypted with different decryption contexts, but TWE-based EtE does not provide good committing security, and there is a recent constant-time CMT-4 attack (Chen et al., ToSC 2023(4)). Improving CMT-4 security requires considerable ciphertext expansion, and the state-of-the-art scheme expands the ciphertext by srae + 2scmt bits from an original message to achieve srae-bit RAE and scmt-bit CMT-4 security. Our new WE mode, FFF, addresses the issue by achieving srae-bit RAE and scmt-bit CMT-4 security only with max{scmt, srae} bits of ciphertext expansion. Our design is based on the committing concealer proposed by Bellare et al., and its extension to WE (cf. tag-based AE) while satisfying RAE security is the main technical innovation. https://tosc.iacr.org/index.php/ToSC/article/view/12071Wide encryptionCommitmentRobust authenticated encryptionMinimum ciphertext expansionMode of operation |
| spellingShingle | Yusuke Naito Yu Sasaki Takeshi Takeshi Committing Wide Encryption Mode with Minimum Ciphertext Expansion IACR Transactions on Symmetric Cryptology Wide encryption Commitment Robust authenticated encryption Minimum ciphertext expansion Mode of operation |
| title | Committing Wide Encryption Mode with Minimum Ciphertext Expansion |
| title_full | Committing Wide Encryption Mode with Minimum Ciphertext Expansion |
| title_fullStr | Committing Wide Encryption Mode with Minimum Ciphertext Expansion |
| title_full_unstemmed | Committing Wide Encryption Mode with Minimum Ciphertext Expansion |
| title_short | Committing Wide Encryption Mode with Minimum Ciphertext Expansion |
| title_sort | committing wide encryption mode with minimum ciphertext expansion |
| topic | Wide encryption Commitment Robust authenticated encryption Minimum ciphertext expansion Mode of operation |
| url | https://tosc.iacr.org/index.php/ToSC/article/view/12071 |
| work_keys_str_mv | AT yusukenaito committingwideencryptionmodewithminimumciphertextexpansion AT yusasaki committingwideencryptionmodewithminimumciphertextexpansion AT takeshitakeshi committingwideencryptionmodewithminimumciphertextexpansion |