Concealment and its applications to authenticated encryption

Yevgeniy Dodis, Jee Hea An

Research output: Contribution to journalArticle

Abstract

We introduce a new cryptographic primitive we call concealment, which is related, but quite different from the notion of commitment. A concealment is a publicly known randomized transformation, which, on input m, outputs a hider h and a binder b. Together, h and b allow one to recover m, but separately, (1) the hider h reveals "no information" about m, while (2) the binder b can be "meaningfully opened" by at most one hider h. While setting b = m, h = ∅ is a trivial concealment, the challenge is to make |b| ≪ |m|, which we call a "non-trivial" concealment. We show that non-trivial concealments are equivalent to the existence of collision-resistant hash functions. Moreover, our construction of concealments is extremely simple, optimal, and yet very general, giving rise to a multitude of efficient implementations. We show that concealments have natural and important applications in the area of authenticated encryption. Specifically, let Aε be an authenticated encryption scheme (either public- or symmetric-key) designed to work on short messages. We show that concealments are exactly the right abstraction allowing one to use Aε for encrypting long messages. Namely, to encrypt "long" m, one uses a concealment scheme to get h and b, and outputs authenticated ciphertext 〈Aε(b), h〉. More surprisingly, the above paradigm leads to a very simple and general solution to the problem of remotely keyed (authenticated) encryption (RKAE) [12,13]. In this problem, one wishes to split the task of high-bandwidth authenticated encryption between a secure, but low-bandwidth/computationally limited device, and an insecure, but computationally powerful host. We give formal definitions for RKAE, which we believe are simpler and more natural than all the previous definitions. We then show that our composition paradigm satisfies our (very strong) definition. Namely, for authenticated encryption, the host simply sends a short value b to the device (which stores the actual secret key for Aε), gets back Aε(b), and outputs 〈Aε(b), h〉 (authenticated decryption is similar). Finally, we also observe that the particular schemes of [13,17] are all special examples of our general paradigm.

Original languageEnglish (US)
Pages (from-to)312-329
Number of pages18
JournalLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume2656
StatePublished - 2003

Fingerprint

Authenticated Encryption
Cryptography
Equipment and Supplies
Paradigm
Binders
Output
Bandwidth
Hash functions
Hash Function
Efficient Implementation
General Solution
Trivial
Collision
Chemical analysis

ASJC Scopus subject areas

  • Computer Science(all)
  • Biochemistry, Genetics and Molecular Biology(all)
  • Theoretical Computer Science

Cite this

@article{114dd519991c43439d7071cec0948ba9,
title = "Concealment and its applications to authenticated encryption",
abstract = "We introduce a new cryptographic primitive we call concealment, which is related, but quite different from the notion of commitment. A concealment is a publicly known randomized transformation, which, on input m, outputs a hider h and a binder b. Together, h and b allow one to recover m, but separately, (1) the hider h reveals {"}no information{"} about m, while (2) the binder b can be {"}meaningfully opened{"} by at most one hider h. While setting b = m, h = ∅ is a trivial concealment, the challenge is to make |b| ≪ |m|, which we call a {"}non-trivial{"} concealment. We show that non-trivial concealments are equivalent to the existence of collision-resistant hash functions. Moreover, our construction of concealments is extremely simple, optimal, and yet very general, giving rise to a multitude of efficient implementations. We show that concealments have natural and important applications in the area of authenticated encryption. Specifically, let Aε be an authenticated encryption scheme (either public- or symmetric-key) designed to work on short messages. We show that concealments are exactly the right abstraction allowing one to use Aε for encrypting long messages. Namely, to encrypt {"}long{"} m, one uses a concealment scheme to get h and b, and outputs authenticated ciphertext 〈Aε(b), h〉. More surprisingly, the above paradigm leads to a very simple and general solution to the problem of remotely keyed (authenticated) encryption (RKAE) [12,13]. In this problem, one wishes to split the task of high-bandwidth authenticated encryption between a secure, but low-bandwidth/computationally limited device, and an insecure, but computationally powerful host. We give formal definitions for RKAE, which we believe are simpler and more natural than all the previous definitions. We then show that our composition paradigm satisfies our (very strong) definition. Namely, for authenticated encryption, the host simply sends a short value b to the device (which stores the actual secret key for Aε), gets back Aε(b), and outputs 〈Aε(b), h〉 (authenticated decryption is similar). Finally, we also observe that the particular schemes of [13,17] are all special examples of our general paradigm.",
author = "Yevgeniy Dodis and An, {Jee Hea}",
year = "2003",
language = "English (US)",
volume = "2656",
pages = "312--329",
journal = "Lecture Notes in Computer Science",
issn = "0302-9743",
publisher = "Springer Verlag",

}

TY - JOUR

T1 - Concealment and its applications to authenticated encryption

AU - Dodis, Yevgeniy

AU - An, Jee Hea

PY - 2003

Y1 - 2003

N2 - We introduce a new cryptographic primitive we call concealment, which is related, but quite different from the notion of commitment. A concealment is a publicly known randomized transformation, which, on input m, outputs a hider h and a binder b. Together, h and b allow one to recover m, but separately, (1) the hider h reveals "no information" about m, while (2) the binder b can be "meaningfully opened" by at most one hider h. While setting b = m, h = ∅ is a trivial concealment, the challenge is to make |b| ≪ |m|, which we call a "non-trivial" concealment. We show that non-trivial concealments are equivalent to the existence of collision-resistant hash functions. Moreover, our construction of concealments is extremely simple, optimal, and yet very general, giving rise to a multitude of efficient implementations. We show that concealments have natural and important applications in the area of authenticated encryption. Specifically, let Aε be an authenticated encryption scheme (either public- or symmetric-key) designed to work on short messages. We show that concealments are exactly the right abstraction allowing one to use Aε for encrypting long messages. Namely, to encrypt "long" m, one uses a concealment scheme to get h and b, and outputs authenticated ciphertext 〈Aε(b), h〉. More surprisingly, the above paradigm leads to a very simple and general solution to the problem of remotely keyed (authenticated) encryption (RKAE) [12,13]. In this problem, one wishes to split the task of high-bandwidth authenticated encryption between a secure, but low-bandwidth/computationally limited device, and an insecure, but computationally powerful host. We give formal definitions for RKAE, which we believe are simpler and more natural than all the previous definitions. We then show that our composition paradigm satisfies our (very strong) definition. Namely, for authenticated encryption, the host simply sends a short value b to the device (which stores the actual secret key for Aε), gets back Aε(b), and outputs 〈Aε(b), h〉 (authenticated decryption is similar). Finally, we also observe that the particular schemes of [13,17] are all special examples of our general paradigm.

AB - We introduce a new cryptographic primitive we call concealment, which is related, but quite different from the notion of commitment. A concealment is a publicly known randomized transformation, which, on input m, outputs a hider h and a binder b. Together, h and b allow one to recover m, but separately, (1) the hider h reveals "no information" about m, while (2) the binder b can be "meaningfully opened" by at most one hider h. While setting b = m, h = ∅ is a trivial concealment, the challenge is to make |b| ≪ |m|, which we call a "non-trivial" concealment. We show that non-trivial concealments are equivalent to the existence of collision-resistant hash functions. Moreover, our construction of concealments is extremely simple, optimal, and yet very general, giving rise to a multitude of efficient implementations. We show that concealments have natural and important applications in the area of authenticated encryption. Specifically, let Aε be an authenticated encryption scheme (either public- or symmetric-key) designed to work on short messages. We show that concealments are exactly the right abstraction allowing one to use Aε for encrypting long messages. Namely, to encrypt "long" m, one uses a concealment scheme to get h and b, and outputs authenticated ciphertext 〈Aε(b), h〉. More surprisingly, the above paradigm leads to a very simple and general solution to the problem of remotely keyed (authenticated) encryption (RKAE) [12,13]. In this problem, one wishes to split the task of high-bandwidth authenticated encryption between a secure, but low-bandwidth/computationally limited device, and an insecure, but computationally powerful host. We give formal definitions for RKAE, which we believe are simpler and more natural than all the previous definitions. We then show that our composition paradigm satisfies our (very strong) definition. Namely, for authenticated encryption, the host simply sends a short value b to the device (which stores the actual secret key for Aε), gets back Aε(b), and outputs 〈Aε(b), h〉 (authenticated decryption is similar). Finally, we also observe that the particular schemes of [13,17] are all special examples of our general paradigm.

UR - http://www.scopus.com/inward/record.url?scp=35248852884&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=35248852884&partnerID=8YFLogxK

M3 - Article

VL - 2656

SP - 312

EP - 329

JO - Lecture Notes in Computer Science

JF - Lecture Notes in Computer Science

SN - 0302-9743

ER -