Blockcipher-Based Key Commitment for Nonce-Derived Schemes (Panos Kampanakis, Shai Halevi, Nevine Ebeid, Matt Campagna) ia.cr/2025/758
May 3, 2025, 8:13 PM
{
  "uri": "at://did:plc:fwa55bujvdrwlwlwgqmmxmuf/app.bsky.feed.post/3loc5nnztgg2s",
  "cid": "bafyreidmqg3g27erhvv3dbq572o7lhoucqajbnou24qiqukw32pwpzvf6m",
  "value": {
    "text": "Blockcipher-Based Key Commitment for Nonce-Derived Schemes (Panos Kampanakis, Shai Halevi, Nevine Ebeid, Matt Campagna) ia.cr/2025/758",
    "$type": "app.bsky.feed.post",
    "embed": {
      "$type": "app.bsky.embed.images",
      "images": [
        {
          "alt": "Abstract. AES-GCM has been the status quo for efficient symmetric encryption for decades. As technology and cryptographic applications evolved over time, AES-GCM has posed some challenges to certain use-cases due to its default 96-bit nonce size, 128-bit block size, and lack of key commitment. Nonce-derived schemes are one way of addressing these challenges: Such schemes derive multiple keys from nonce values, then apply standard AES-GCM with the derived keys (and possibly another 96-bit nonce). The approach overcomes the nonce length and data limit issues since each derived key is only used to encrypt a few messages. By itself, the use of nonce-derived keys does not address key commitment, however. Some schemes chose to include a built-in key commitment mechanism, while others left it out of scope.\n\nIn this work, we explore efficient key commitment methods that can be added to any nonce-derived scheme in a black-box manner. Our focus is on options that use the underlying block cipher and no other primitive, are efficient, and only use standard primitives which are FIPS-approved. For concreteness we focus here specifically on adding key commitment to XAES-256-GCM, a nonce-scheme originally proposed by Filippo Valsorda, but these methods can be adapted to any other nonce-derived scheme. We propose an efficient CMAC-based key commitment solution, and prove its security in the ideal-cipher model. We argue that adding this solution yields a FIPS-compliant mode, quantify the data and message length limits of this mode and compare this combination to other nonce-derived modes. We also benchmark our key committing XAES-256-GCM performance.\n",
          "image": {
            "$type": "blob",
            "ref": { "$link": "bafkreigviz2cvio7k5qm25pdqol53mtrpacd223ydwjr6liwa45pvo5oji" },
            "mimeType": "image/png",
            "size": 102457
          },
          "aspectRatio": { "width": 1200, "height": 800 }
        },
        {
          "alt": "Image showing part 2 of abstract.",
          "image": {
            "$type": "blob",
            "ref": { "$link": "bafkreifmrgge2mnpfgkwootinebs53t5gjhz22h777shtzgczqkqfkvw3e" },
            "mimeType": "image/png",
            "size": 60069
          },
          "aspectRatio": { "width": 1200, "height": 800 }
        }
      ]
    },
    "facets": [
      {
        "index": { "byteEnd": 134, "byteStart": 120 },
        "features": [
          { "uri": "https://ia.cr/2025/758", "$type": "app.bsky.richtext.facet#link" }
        ]
      }
    ],
    "createdAt": "2025-05-03T20:13:35.960312Z"
  }
}
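The abstract quoted in the post describes two things in words: a nonce-derived scheme (derive a fresh AES key from the nonce, then run ordinary AES-GCM under it) and a block-cipher-only commitment tag layered on top of such a scheme in a black-box way. The following is an added worked example, not code from the paper or from the XAES-256-GCM specification. The key derivation implements the C2SP XAES-256-GCM construction as published (SP 800-108 counter-mode KDF with AES-CMAC as the PRF, 192-bit nonce, 96-bit GCM nonce from the nonce tail) and is checked against its public test vector. The commitment tag is a generic illustration of the approach the abstract names, one extra AES-CMAC block under the master key, domain-separated from the derivation counters; its input encoding (counter value 3, same label layout) is an assumption of this example and is not the paper's scheme, proof, or parameters. It needs the third-party `cryptography` package.

```python
"""XAES-256-GCM (a nonce-derived AES-GCM scheme) plus a black-box key-commitment tag.

Added example; not code from ia.cr/2025/758 or from the C2SP XAES-256-GCM spec.
The commitment-tag encoding below is an assumption for illustration only.
Requires the third-party `cryptography` package.
"""
import hmac

from cryptography.hazmat.primitives import cmac
from cryptography.hazmat.primitives.ciphers import algorithms
from cryptography.hazmat.primitives.ciphers.aead import AESGCM


def aes_cmac(key: bytes, message: bytes) -> bytes:
    """AES-CMAC (NIST SP 800-38B) of `message` under `key`; 16-byte output."""
    mac = cmac.CMAC(algorithms.AES(key))
    mac.update(message)
    return mac.finalize()


def derive_key(key: bytes, nonce: bytes) -> bytes:
    """XAES-256-GCM per-nonce key: SP 800-108 KDF in counter mode with CMAC as PRF.

    Each counter block is M_i = [i]_2 || "X" || 0x00 || N[:12], exactly one AES
    block, so CMAC(K, M_i) collapses to a single AES call AES(K, M_i xor K1).
    Two counter values give the 256-bit derived key K_x.
    """
    if len(key) != 32 or len(nonce) != 24:
        raise ValueError("XAES-256-GCM needs a 32-byte key and a 24-byte nonce")
    context = nonce[:12]
    m1 = b"\x00\x01" + b"X" + b"\x00" + context
    m2 = b"\x00\x02" + b"X" + b"\x00" + context
    return aes_cmac(key, m1) + aes_cmac(key, m2)


def xaes_encrypt(key: bytes, nonce: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Plain XAES-256-GCM: AES-256-GCM under K_x with the last 96 bits of N as nonce."""
    return AESGCM(derive_key(key, nonce)).encrypt(nonce[12:], plaintext, aad)


def xaes_decrypt(key: bytes, nonce: bytes, ciphertext: bytes, aad: bytes = b"") -> bytes:
    return AESGCM(derive_key(key, nonce)).decrypt(nonce[12:], ciphertext, aad)


# ASSUMED encoding: counter value 3 is never used by derive_key, so this CMAC input
# is domain-separated from the two key-derivation blocks. Not the paper's scheme.
COMMIT_COUNTER = b"\x00\x03"


def commitment_tag(key: bytes, nonce: bytes) -> bytes:
    """16-byte tag bound to the master key K (through CMAC) and the nonce context."""
    return aes_cmac(key, COMMIT_COUNTER + b"X" + b"\x00" + nonce[:12])


def committing_encrypt(key: bytes, nonce: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Wire layout: commitment_tag || XAES-256-GCM ciphertext (which ends in the GCM tag)."""
    return commitment_tag(key, nonce) + xaes_encrypt(key, nonce, plaintext, aad)


def committing_decrypt(key: bytes, nonce: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    tag, ciphertext = blob[:16], blob[16:]
    # Check the commitment first, in constant time. A ciphertext produced under a
    # different master key is rejected here even if its GCM tag would verify, which
    # is exactly the case plain AES-GCM cannot exclude.
    if not hmac.compare_digest(tag, commitment_tag(key, nonce)):
        raise ValueError("key commitment check failed")
    return xaes_decrypt(key, nonce, ciphertext, aad)


def matches_spec_vector() -> bool:
    """Reproduce the published C2SP XAES-256-GCM test vector (all-0x01 key, nonce 'ABC..X')."""
    key = bytes([0x01]) * 32
    nonce = b"ABCDEFGHIJKLMNOPQRSTUVWX"
    ciphertext = xaes_encrypt(key, nonce, b"XAES-256-GCM")
    return ciphertext.hex() == "ce546ef63c9cc60765923609b33a9a1974e96e52daf2fcf7075e2271"


def demo() -> dict:
    """Constructed sample keys and nonce; shows round trip and the commitment rejecting K'."""
    key = bytes(range(32))            # constructed master key K
    other_key = bytes(range(1, 33))   # constructed unrelated master key K'
    nonce = bytes(range(100, 124))    # constructed 24-byte nonce
    blob = committing_encrypt(key, nonce, b"attack at dawn", b"hdr")
    roundtrip = committing_decrypt(key, nonce, blob, b"hdr") == b"attack at dawn"
    try:
        committing_decrypt(other_key, nonce, blob, b"hdr")
        rejected = False
    except ValueError as exc:
        rejected = str(exc) == "key commitment check failed"
    return {"roundtrip": roundtrip, "wrong_key_rejected": rejected,
            "spec_vector": matches_spec_vector()}


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in mind. First, a 128-bit tag commits to the key only up to the birthday bound: an adversary who is free to choose both keys can search for a colliding tag in about 2^64 work, which is the usual trade-off for block-size commitment tags built from AES. Second, this example only shows the mechanism (one extra CMAC block per message, 16 bytes of overhead, checked before the GCM decryption runs); it does not construct the two-key ciphertext that demonstrates plain AES-GCM's lack of commitment, and it makes no claim about the paper's actual construction, its ideal-cipher-model proof, or the data and message limits the abstract says the paper quantifies.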