Abstract
We introduce a new cryptographic primitive we call concealment, which is related, but quite different from the notion of commitment. A concealment is a publicly known randomized transformation, which, on input m, outputs a hider h and a binder b. Together, h and b allow one to recover m, but separately, (1) the hider h reveals “no information” about m, while (2) the binder b can be “meaningfully opened” by at most one hider h. While setting b = m, h = Ø is a trivial concealment, the challenge is to make |b| ≪ |m|, which we call a “non-trivial” concealment. We show that non-trivial concealments are equivalent to the existence of collision-resistant hash functions. Moreover, our construction of concealments is extremely simple, optimal, and yet very general, giving rise to a multitude of efficient implementations.
We show that concealments have natural and important applications in the area of authenticated encryption. Specifically, let \( \mathcal{A}\mathcal{E} \) be an authenticated encryption scheme (either public- or symmetric-key) designed to work on short messages. We show that concealments are exactly the right abstraction allowing one to use \( \mathcal{A}\mathcal{E} \) for encrypting long messages. Namely, to encrypt a "long" m, one uses a concealment scheme to get h and b, and outputs the authenticated ciphertext \( \left\langle {\mathcal{A}\mathcal{E}(b),h} \right\rangle \). More surprisingly, the above paradigm leads to a very simple and general solution to the problem of remotely keyed (authenticated) encryption (RKAE) [[12],[13]]. In this problem, one wishes to split the task of high-bandwidth authenticated encryption between a secure, but low-bandwidth/computationally limited device, and an insecure, but computationally powerful host. We give formal definitions for RKAE, which we believe are simpler and more natural than all the previous definitions. We then show that our composition paradigm satisfies our (very strong) definition. Namely, for authenticated encryption, the host simply sends a short value b to the device (which stores the actual secret key for \( \mathcal{A}\mathcal{E} \)), gets back \( \mathcal{A}\mathcal{E}(b) \), and outputs \( \left\langle {\mathcal{A}\mathcal{E}(b),h} \right\rangle \) (authenticated decryption is similar). Finally, we also observe that the particular schemes of [[13],[17]] are all special examples of our general paradigm.
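The abstract states the paradigm but not a concrete construction. The block below is an added example written for this page, not code from the paper or its authors. It instantiates the abstract's claim in the most direct way the editor could think of, and every choice in it is an assumption of the example: the concealment is "encrypt-then-hash", h = E_τ(m) and b = (τ, H(h)), with SHA-256 standing in for the collision-resistant hash H and an HMAC-SHA256 counter-mode keystream standing in for the encryption E_τ; the short-message \( \mathcal{A}\mathcal{E} \) is encrypt-then-MAC built from the same two primitives; and the RKAE split is modelled by a `Device` object that holds the key and only ever processes the 48-byte binder. All function and class names are the example's own.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

TAU_LEN = 16     # one-time key tau used to hide m (assumed parameter)
NONCE_LEN = 12   # nonce for the short-message AE (assumed parameter)
HASH_LEN = 32    # SHA-256 output; binder is TAU_LEN + HASH_LEN = 48 bytes


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _prf_stream(key: bytes, label: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a keystream (stdlib-only PRF)."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, label + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])


# --- concealment: hider h = E_tau(m), binder b = (tau, H(h)) ---------------

def conceal(m: bytes, tau: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (h, b). h is as long as m; b is always 48 bytes, so |b| << |m|."""
    tau = os.urandom(TAU_LEN) if tau is None else tau
    h = _xor(m, _prf_stream(tau, b"hider", len(m)))      # hides m under tau
    b = tau + hashlib.sha256(h).digest()                  # binds b to this h
    return h, b


def open_concealment(h: bytes, b: bytes) -> Optional[bytes]:
    """Recover m from (h, b); None if b was not produced for this h."""
    if len(b) != TAU_LEN + HASH_LEN:
        return None
    tau, digest = b[:TAU_LEN], b[TAU_LEN:]
    if not hmac.compare_digest(hashlib.sha256(h).digest(), digest):
        return None   # a second hider opening the same binder = a SHA-256 collision
    return _xor(h, _prf_stream(tau, b"hider", len(h)))


# --- short-message AE: encrypt-then-MAC (symmetric key of 32 bytes) --------

def ae_encrypt(key: bytes, msg: bytes) -> bytes:
    k_enc, k_mac = key[:16], key[16:]
    nonce = os.urandom(NONCE_LEN)
    c = _xor(msg, _prf_stream(k_enc, nonce, len(msg)))
    tag = hmac.new(k_mac, nonce + c, hashlib.sha256).digest()
    return nonce + c + tag


def ae_decrypt(key: bytes, ct: bytes) -> Optional[bytes]:
    k_enc, k_mac = key[:16], key[16:]
    if len(ct) < NONCE_LEN + HASH_LEN:
        return None
    nonce, c, tag = ct[:NONCE_LEN], ct[NONCE_LEN:-HASH_LEN], ct[-HASH_LEN:]
    if not hmac.compare_digest(hmac.new(k_mac, nonce + c, hashlib.sha256).digest(), tag):
        return None
    return _xor(c, _prf_stream(k_enc, nonce, len(c)))


# --- RKAE: the device keeps the AE key and only sees binders ---------------

class Device:
    """Low-bandwidth party: refuses anything longer than a binder."""

    def __init__(self, key: bytes):
        self._key = key

    def seal(self, b: bytes) -> bytes:
        if len(b) != TAU_LEN + HASH_LEN:
            raise ValueError("device only authenticates binders")
        return ae_encrypt(self._key, b)

    def unseal(self, ae_ct: bytes) -> Optional[bytes]:
        return ae_decrypt(self._key, ae_ct)


def host_encrypt(device: Device, m: bytes) -> Tuple[bytes, bytes]:
    """Host does the heavy work on m and outputs <AE(b), h>."""
    h, b = conceal(m)
    return device.seal(b), h


def host_decrypt(device: Device, ct: Tuple[bytes, bytes]) -> Optional[bytes]:
    ae_ct, h = ct
    b = device.unseal(ae_ct)
    if b is None:
        return None            # AE tag rejected
    return open_concealment(h, b)   # hider tampering rejected here
```

Note how the two halves of the definition map onto the code: tampering with the long hider h is caught by the hash check in `open_concealment` (binding), while h on its own is a one-time-pad-style encryption under τ and reveals nothing about m (hiding); the device's authentication effort is independent of |m|.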
References
J. An and M. Bellare, “Constructing VIL-MACs from FIL-MACs: Message authentication under weakened assumptions,” In Crypto’ 99, pp. 252–269, LNCS Vol. 1666, 1999.
J. An, Y. Dodis, and T. Rabin, “On the Security of Joint Signature and Encryption,” In Eurocrypt’ 02, pp. 83–107, LNCS Vol. 2332, 2002.
J. Baek, R. Steinfeld, and Y. Zheng, “Formal proofs for the security of signcryption,” In PKC’ 02, pp. 80–98, LNCS Vol. 2274, 2002.
M. Bellare, R. Canetti and H. Krawczyk, “Keying hash functions for message authentication,” In Crypto’ 96, pp. 1–15, LNCS Vol. 1109, 1996.
M. Bellare, J. Kilian and P. Rogaway, “The security of the cipher block chaining message authentication code,” In Journal of Computer and System Sciences, pp. 362–399, Vol. 61, no. 3, Dec 2000.
M. Bellare, T. Kohno, C. Namprempre, “Provably Fixing the SSH Binary Packet Protocol,” In Proc. 9th CCS, pp. 1–11, ACM, 2002.
M. Bellare and C. Namprempre, “Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm,” In Asiacrypt’00, pp. 531–545, LNCS Vol. 1976, 2000.
M. Bellare and P. Rogaway, “Optimal asymmetric encryption-How to encrypt with RSA,” In Eurocrypt’ 94, pp. 92–111, LNCS Vol. 950, 1994.
M. Bellare and P. Rogaway, “Collision-Resistant Hashing: Towards Making UOWHFs Practical,” In Crypto’ 97, pp. 470–484, LNCS Vol. 1294, 1997.
M. Bellare, P. Rogaway, “Encode-Then-Encipher Encryption: How to Exploit Nonces or Redundancy in Plaintexts for Efficient Cryptography,” In Asiacrypt’ 00, pp. 317–330, LNCS Vol 1976, 2000.
J. Black, S. Halevi, H. Krawczyk, T. Krovetz and P. Rogaway, “UMAC: Fast and secure message authentication,” In Crypto’ 99, pp. 216–233, LNCS Vol. 1666, 1999.
M. Blaze, “High-Bandwidth Encryption with Low-Bandwidth Smartcards,” In Fast Software Encryption (FSE)’ 96, pp. 33–40, LNCS Vol. 1039, 1996.
M. Blaze, J. Feigenbaum, M. Naor, “A Formal Treatment of Remotely Keyed Encryption,” In Eurocrypt’ 98, pp. 251–265, LNCS Vol. 1403, 1998.
I. Damgård, “Collision free hash functions and public key signature schemes,” In Eurocrypt’ 87, pp. 203–216, LNCS Vol. 304, 1987.
Y. Dodis and J. An, “Concealment and its applications to authenticated encryption,” Full version of this paper, available via http://theory.lcs.mit.edu/~yevgen/academic.html.
C. Jutla, “Encryption modes with almost free message integrity,” In Eurocrypt’01, pp. 529–544, LNCS Vol. 2045, 2001.
M. Jakobsson, J. Stern, and M. Yung, “Scramble All, Encrypt Small,” In Fast Software Encryption (FSE)’ 99, pp. 95–111, LNCS Vol. 1636, 1999.
J. Katz and M. Yung, “Unforgeable Encryption and Chosen Ciphertext Secure Modes of Operation,” In FSE’ 00, pp. 284–299, LNCS Vol. 1978, 2000.
H. Krawczyk, “The Order of Encryption and Authentication for Protecting Communications (or: How Secure Is SSL?),” In Crypto’ 01, pp. 310–331, LNCS Vol. 2139, 2001.
S. Lucks, “On the Security of Remotely Keyed Encryption,” In Fast Software Encryption (FSE)’ 97, pp. 219–229, LNCS Vol. 1267, 1997.
S. Lucks, “Accelerated Remotely Keyed Encryption,” In Fast Software Encryption (FSE)’ 99, pp. 112–123, LNCS Vol. 1636, 1999.
A. Menezes, P. van Oorschot and S. Vanstone, “Handbook of applied cryptography,” CRC Press LLC, 1997.
M. Naor, “Bit Commitment Using Pseudorandomness,” In Journal of Cryptology, 4(2):151–158, 1991.
M. Naor and M. Yung, “Universal One-Way Hash Functions and their Cryptographic Applications,” In Proc. 21st STOC, pp. 33–43, ACM, 1989.
P. Rogaway, “Authenticated-Encryption with Associated-Data,” In Proc. 9th CCS, pp. 98–107, ACM, 2002.
P. Rogaway, M. Bellare, J. Black, and T. Krovetz, “OCB: A Block-Cipher Mode of Operation for Efficient Authenticated Encryption,” In Proc. 8th CCS, pp. 196–205, ACM, 2001.
J. Rompel, “One-way functions are necessary and sufficient for secure signatures,” In Proc. 22nd STOC, pp. 387–394, ACM, 1990.
V. Shoup, “A composition theorem for universal one-way hash functions,” In Eurocrypt’ 00, pp. 445–452, LNCS Vol. 1807, 2000.
V. Shoup, “A proposal for an ISO standard for public key encryption (version 2.1),” IACR E-Print Archive, 2001/112, http://eprint.iacr.org/2001/112/, 2001.
D. Simon, “Finding Collisions on a One-Way Street: Can Secure Hash Functions Be Based on General Assumptions?,” In Eurocrypt’ 98, pp. 334–345, LNCS Vol. 1403, 1998.
Y. Zheng, “Digital Signcryption or How to Achieve Cost(Signature & Encryption) ≪ Cost(Signature) + Cost(Encryption),” In Crypto’ 97, pp. 165–179, LNCS Vol. 1294, 1997.
Copyright information
© 2003 International Association for Cryptologic Research
About this paper
Cite this paper
Dodis, Y., An, J.H. (2003). Concealment and Its Applications to Authenticated Encryption. In: Biham, E. (eds) Advances in Cryptology — EUROCRYPT 2003. EUROCRYPT 2003. Lecture Notes in Computer Science, vol 2656. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-39200-9_19
DOI: https://doi.org/10.1007/3-540-39200-9_19
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-14039-9
Online ISBN: 978-3-540-39200-2