Committing Wide Encryption Mode with Minimum Ciphertext Expansion

Bibliographic Details
Published in IACR Transactions on Symmetric Cryptology Vol. 2025; no. 1; pp. 44-69
Main Authors Naito, Yusuke; Sasaki, Yu; Takeshi, Takeshi
Format Journal Article
Language English
Published Ruhr-Universität Bochum 07.03.2025
ISSN 2519-173X
DOI 10.46586/tosc.v2025.i1.44-69

Abstract We propose a new wide encryption (WE) mode of operation that satisfies robust authenticated encryption (RAE) and committing security with minimum ciphertext expansion. In response to the recent call for proposal by NIST, WE and its tweakable variant, TWE, have attracted much attention in the last few years. Combined with the encode-then-encipher (EtE) construction, TWE offers an RAE that provides robustness against a wide range of misuses. The list of desired properties for WE-based authenticated encryption in the NIST standardization includes committing security, which considers an attacker who generates ciphertexts that can be decrypted with different decryption contexts. However, TWE-based EtE does not provide good committing security, and there is a recent constant-time CMT-4 attack (Chen et al., ToSC 2023(4)). Improving CMT-4 security requires considerable ciphertext expansion, and the state-of-the-art scheme expands the ciphertext by $s_{\mathrm{rae}} + 2s_{\mathrm{cmt}}$ bits from an original message to achieve $s_{\mathrm{rae}}$-bit RAE and $s_{\mathrm{cmt}}$-bit CMT-4 security. Our new WE mode, FFF, addresses the issue by achieving $s_{\mathrm{rae}}$-bit RAE and $s_{\mathrm{cmt}}$-bit CMT-4 security with only $\max\{s_{\mathrm{cmt}}, s_{\mathrm{rae}}\}$ bits of ciphertext expansion. Our design is based on the committing concealer proposed by Bellare et al., and its extension to WE (cf. tag-based AE) while satisfying RAE security is the main technical innovation.
License http://creativecommons.org/licenses/by/4.0
OpenAccessLink https://doaj.org/article/af55d8cece654e30950c90d72fe874e6
SubjectTerms Commitment
Minimum ciphertext expansion
Mode of operation
Robust authenticated encryption
Wide encryption