International Association for Cryptologic Research

Key Committing Security of AEZ and More

Yu Long Chen, imec-COSIC, KU Leuven, Leuven, Belgium
Antonio Flórez-Gutiérrez, NTT Social Informatics Laboratories, Musashino, Japan
Akiko Inoue, NEC Corporation, Kawasaki, Japan
Ryoma Ito, National Institute of Information and Communications Technology, Koganei, Japan
Tetsu Iwata, Nagoya University, Nagoya, Japan
Kazuhiko Minematsu, NEC Corporation, Kawasaki, Japan
Nicky Mouha, Strativia, Largo, MD, United States
Yusuke Naito, Mitsubishi Electric Corporation, Kanagawa, Japan
Ferdinand Sibleyras, NTT Social Informatics Laboratories, Musashino, Japan
Yosuke Todo, NTT Social Informatics Laboratories, Musashino, Japan
DOI: 10.46586/tosc.v2023.i4.452-488
Abstract: For an Authenticated Encryption with Associated Data (AEAD) scheme, the key committing security refers to the security notion of whether the adversary can produce a pair of distinct input tuples, including the key, that result in the same output. While the key committing security of various nonce-based AEAD schemes is known, the security analysis of Robust AE (RAE) is largely unexplored. In particular, we are interested in the key committing security of AEAD schemes built on the Encode-then-Encipher (EtE) approach from a wide block cipher. We first consider AEZ v5, the classical and the first dedicated RAE that employs the EtE approach. We focus our analysis on the core part of AEZ to show our best attacks depending on the length of the ciphertext expansion. In the general case where the Tweakable Block Cipher (TBC) is assumed to be ideal, we show a birthday attack and a matching provable security result. AEZ adopts a simpler key schedule and the prove-then-prune approach in the full specification, and we show a practical attack against it by exploiting the simplicity of the key schedule. The complexity is 2^27, and we experimentally verify the correctness with a concrete example. We also cover two AEAD schemes based on EtE. One is built on Adiantum, and the other one is built on HCTR2, which are two wide block ciphers that are used in real applications. We present key committing attacks against these schemes when used in EtE and matching proofs for particular cases.
  title={Key Committing Security of AEZ and More},
  journal={IACR Transactions on Symmetric Cryptology},
  publisher={Ruhr-Universität Bochum},
  volume={2023 No. 4},
  author={Yu Long Chen and Antonio Flórez-Gutiérrez and Akiko Inoue and Ryoma Ito and Tetsu Iwata and Kazuhiko Minematsu and Nicky Mouha and Yusuke Naito and Ferdinand Sibleyras and Yosuke Todo},