{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,9]],"date-time":"2025-10-09T06:08:52Z","timestamp":1759990132065,"version":"3.41.2"},"reference-count":24,"publisher":"International Association for Cryptologic Research","issue":"4","license":[{"start":{"date-parts":[[2024,10,9]],"date-time":"2024-10-09T00:00:00Z","timestamp":1728432000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IACR CiC"],"accepted":{"date-parts":[[2024,12,3]]},
"abstract":"<jats:p>  Forkcipher-based AEADs have emerged as lightweight and efficient cryptographic modes, making them suitable for resource-constrained environments such as IoT devices and distributed decryption through MPC. These schemes, including prominent examples like Eevee (Jolteon, Espeon, and Umbreon), PAEF, RPAEF, and SAEF, leverage the properties of forkciphers to achieve enhanced performance. However, their security in terms of key commitment, a critical property for certain applications such as secure cloud services, as highlighted by Albertini et al. (USENIX 2022), has not been comprehensively analyzed until now.<\/jats:p>\n          <jats:p>In this work, we analyze the key-commitment properties of forkcipher-based AEADs. We found that some of the forkcipher-based AEAD schemes lack key-commitment properties, primarily due to the distinctive manner in which they process associated data and plaintext. For two different keys and the same nonce, an adversary can identify associated data and plaintext blocks that produce identical ciphertext-tags with a complexity of <mml:math xmlns:mml=\"http:\/\/www.w3.org\/1998\/Math\/MathML\">\n              <mml:mrow>\n                <mml:mi>O<\/mml:mi>\n                <mml:mo stretchy=\"false\">(<\/mml:mo>\n                <mml:mn>1<\/mml:mn>\n                <mml:mo stretchy=\"false\">)<\/mml:mo>\n              <\/mml:mrow>\n            <\/mml:math>. Our findings apply to various forkcipher-based AEADs, including Eevee, PAEF, and SAEF, and naturally extend to less strict frameworks, such as CMT-1 and CMT-4.<\/jats:p>\n          <jats:p>These findings highlight a significant limitation in the robustness of forkcipher-based AEADs. While these modes are attractive for their lightweight design and efficiency, their deployment should be restricted in scenarios where explicit robustness or key-commitment security is required. <\/jats:p>",
"DOI":"10.62056\/ayfhp2fgx","type":"journal-article","created":{"date-parts":[[2025,1,13]],"date-time":"2025-01-13T17:00:52Z","timestamp":1736787652000},"update-policy":"https:\/\/doi.org\/10.62056\/adfjwm02dj","source":"Crossref","is-referenced-by-count":1,"title":["On the Key-Commitment Properties of Forkcipher-based AEADs"],"prefix":"10.62056","volume":"1",
"author":[{"given":"Mostafizar","family":"Rahman","sequence":"first","affiliation":[{"id":[{"id":"https:\/\/ror.org\/0151bmh98","id-type":"ROR","asserted-by":"publisher"}],"name":"University of Hyogo","place":["Kobe, Japan"]}]},{"given":"Samir","family":"Kundu","sequence":"additional","affiliation":[{"name":"Siksha 'O' Anusandhan (Deemed to be) University","place":["Bhubaneswar, India"]}]},{"given":"Takanori","family":"Isobe","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/0151bmh98","id-type":"ROR","asserted-by":"publisher"}],"name":"University of Hyogo","place":["Kobe, Japan"]}]}],
"member":"48349","published-online":{"date-parts":[[2025,1,13]]},
"reference":[{"key":"ref1:DBLP:conf\/crypto\/GrubbsLR17","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"66","DOI":"10.1007\/978-3-319-63697-9_3","article-title":"Message Franking via Committing Authenticated Encryption","volume":"10403","author":"Paul Grubbs","year":"2017"},{"key":"ref2:DBLP:conf\/crypto\/DodisGRW18","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"155","DOI":"10.1007\/978-3-319-96884-1_6","article-title":"Fast Message Franking: From Invisible Salamanders to\n  Encryptment","volume":"10991","author":"Yevgeniy Dodis","year":"2018"},{"volume-title":"Messenger Secret Conversations technical whitepaper","year":"2016","author":"Facebook","key":"ref3:facebook2016messenger"},{"volume-title":"Challenges of E2E Encryption in Facebook Messenger","year":"2017","author":"Jon Millican","key":"ref4:millican2017challenges"},{"key":"ref5:DBLP:conf\/uss\/LenGR21","first-page":"195","article-title":"Partitioning Oracle Attacks","author":"Julia Len","year":"2021"},{"key":"ref6:DBLP:conf\/eurocrypt\/JareckiKX18","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"456","DOI":"10.1007\/978-3-319-78372-7_15","article-title":"OPAQUE: An Asymmetric PAKE Protocol Secure Against\n  Pre-computation Attacks","volume":"10822","author":"Stanislaw Jarecki","year":"2018"},{"key":"ref7:DBLP:conf\/uss\/AlbertiniDGKLS22","first-page":"3291","article-title":"How to Abuse and Fix Authenticated Encryption Without Key\n  Commitment","author":"Ange Albertini","year":"2022"},{"key":"ref8:DBLP:conf\/esorics\/ChanR22","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"275","DOI":"10.1007\/978-3-031-17146-8_14","article-title":"On Committing Authenticated-Encryption","volume":"13555","author":"John Chan","year":"2022"},
{"key":"ref9:DBLP:conf\/eurocrypt\/BellareH22","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"845","DOI":"10.1007\/978-3-031-07085-3_29","article-title":"Efficient Schemes for Committing Authenticated\n  Encryption","volume":"13276","author":"Mihir Bellare","year":"2022"},{"key":"ref10:DBLP:conf\/eurocrypt\/MendaLGR23","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"379","DOI":"10.1007\/978-3-031-30634-1_13","article-title":"Context Discovery and Commitment Attacks - How to Break\n  CCM, EAX, SIV, and More","volume":"14007","author":"Sanketh Menda","year":"2023"},{"key":"ref11:DBLP:journals\/tosc\/NaitoSS23","doi-asserted-by":"publisher","first-page":"420","DOI":"10.46586\/TOSC.V2023.I4.420-451","article-title":"Committing Security of Ascon: Cryptanalysis on Primitive and\n  Proof on Mode","volume":"2023","author":"Yusuke Naito","year":"2023","journal-title":"IACR Trans. Symmetric Cryptol."},{"key":"ref12:DBLP:journals\/tosc\/ChenFIIIMMNST23","doi-asserted-by":"publisher","first-page":"452","DOI":"10.46586\/TOSC.V2023.I4.452-488","article-title":"Key Committing Security of AEZ and More","volume":"2023","author":"Yu Long Chen","year":"2023","journal-title":"IACR Trans. Symmetric Cryptol."},{"key":"ref13:DBLP:journals\/tosc\/DerbezFIRS24","doi-asserted-by":"publisher","first-page":"135","DOI":"10.46586\/TOSC.V2024.I1.135-157","article-title":"Key Committing Attacks against AES-based AEAD Schemes","volume":"2024","author":"Patrick Derbez","year":"2024","journal-title":"IACR Trans. Symmetric Cryptol."},
{"key":"ref14:DBLP:conf\/asiacrypt\/0001LPR0V19","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"153","DOI":"10.1007\/978-3-030-34621-8_6","article-title":"Forkcipher: A New Primitive for Authenticated Encryption\n  of Very Short Messages","volume":"11922","author":"Elena Andreeva","year":"2019"},{"key":"ref15:DBLP:journals\/tosc\/KimLL20","doi-asserted-by":"publisher","first-page":"71","DOI":"10.46586\/TOSC.V2020.I4.71-87","article-title":"Forking Tweakable Even-Mansour Ciphers","volume":"2020","author":"Hwigyeom Kim","year":"2020","journal-title":"IACR Trans. Symmetric Cryptol."},{"key":"ref16:DBLP:journals\/tosc\/0001BPV21","doi-asserted-by":"publisher","first-page":"1","DOI":"10.46586\/TOSC.V2021.I3.1-35","article-title":"1, 2, 3, Fork: Counter Mode Variants based on a Generalized\n  Forkcipher","volume":"2021","author":"Elena Andreeva","year":"2021","journal-title":"IACR Trans. Symmetric Cryptol."},{"key":"ref17:DBLP:conf\/acns\/AndreevaW23","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"3","DOI":"10.1007\/978-3-031-33491-7_1","article-title":"A Forkcipher-Based Pseudo-Random Number Generator","volume":"13906","author":"Elena Andreeva","year":"2023"},{"key":"ref18:DBLP:journals\/cic\/DattaDLM24","doi-asserted-by":"publisher","first-page":"21","DOI":"10.62056\/AKGYL86BM","article-title":"FEDT: Forkcipher-based Leakage-resilient\n  Beyond-birthday-secure AE","volume":"1","author":"Nilanjan Datta","year":"2024","journal-title":"IACR Commun. Cryptol."},{"key":"ref19:DBLP:journals\/cic\/Mandal24","doi-asserted-by":"publisher","first-page":"42","DOI":"10.62056\/AEY4FBN2HD","article-title":"Tweakable ForkCipher from Ideal Block Cipher","volume":"1","author":"Sougata Mandal","year":"2024","journal-title":"IACR Commun. Cryptol."},
{"key":"ref20:DBLP:conf\/ccs\/BhatiPA0P23","doi-asserted-by":"publisher","first-page":"2546","DOI":"10.1145\/3576915.3623091","article-title":"Let's Go Eevee! A Friendly and Suitable Family of AEAD\n  Modes for IoT-to-Cloud Secure Computation","author":"Amit Singh Bhati","year":"2023"},{"key":"ref21:DBLP:journals\/tosc\/FarshimOR17","doi-asserted-by":"publisher","first-page":"449","DOI":"10.13154\/tosc.v2017.i1.449-473","article-title":"Security of Symmetric Primitives under Incorrect Usage of\n  Keys","volume":"2017","author":"Pooya Farshim","year":"2017","journal-title":"IACR Trans. Symmetric Cryptol."},{"key":"ref22:DBLP:journals\/iacr\/AndreevaRVV18","first-page":"916","article-title":"Forking a Blockcipher for Authenticated Encryption of Very\n  Short Messages","author":"Elena Andreeva","year":"2018","journal-title":"IACR Cryptol. ePrint Arch."},{"key":"ref23:DBLP:conf\/crypto\/BeierleJKL0PSSS16","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"123","DOI":"10.1007\/978-3-662-53008-5_5","article-title":"The SKINNY Family of Block Ciphers and Its Low-Latency\n  Variant MANTIS","volume":"9815","author":"Christof Beierle","year":"2016"},{"key":"ref24:DBLP:conf\/crypto\/BellareH24","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"305","DOI":"10.1007\/978-3-031-68385-5_10","article-title":"Succinctly-Committing Authenticated Encryption","volume":"14923","author":"Mihir Bellare","year":"2024"}],
"container-title":["IACR Communications in Cryptology"],"original-title":[],"language":"en","deposited":{"date-parts":[[2025,1,13]],"date-time":"2025-01-13T17:12:25Z","timestamp":1736788345000},"score":1,"resource":{"primary":{"URL":"https:\/\/cic.iacr.org\/p\/1\/4\/32"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,1,13]]},"references-count":24,"journal-issue":{"issue":"4","published-online":{"date-parts":[[2025,1,13]]}},"URL":"https:\/\/doi.org\/10.62056\/ayfhp2fgx","archive":["Internet Archive","Internet Archive"],"relation":{},"ISSN":["3006-5496"],"issn-type":[{"type":"electronic","value":"3006-5496"}],"subject":[],"published":{"date-parts":[[2025,1,13]]},"assertion":[{"value":"2024-10-09","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-12-03","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}}],"article-number":"cc1-4-66"}}