Resources on (AEAD) encryption

General stuff

AEAD ciphers

AEAD stands for “authenticated encryption with associated data”.

Also interesting, but not captured in “AEAD”, is probabilistic encryption:

  • Prevents the same message from having the same ciphertext when encrypted twice with the same key.
  • Usually achieved by providing a nonce (sometimes called initialization vector) that is either randomly generated or incremented for every message with a given random key.

Most ciphers are probabilistic (or “non-deterministic”). So why are some ciphers deterministic?

  • You might not need additional randomness if your messages are inherently random, e.g. when you’re doing key-wrapping.
  • To provide non-determinism you need to attach a random nonce to your ciphertext. Deterministic encryption ciphertexts thus tend to be shorter.

Key Commitment

A newer property is key commitment. From a paper on key commitment:

if recipient A decrypts a ciphertext with the key K_A into a valid plaintext, meaning authentication succeeds, then A knows that the ciphertext has not been modified during transmission. Intuitively, one might mistakenly extend that integrity guarantee to keys, i.e., if some other recipient B decrypts the same ciphertext with their key K_B, then decryption would fail. However, this is neither an AE design goal, nor a guaranteed property, and there are secure and globally deployed AE schemes where both recipients can successfully decrypt the same ciphertext.

The paper contains both some examples of how to abuse non-key-committing encryption modes in practice and how to fix encryption schemes today.
In practice, key-committing encryption schemes are not widely supported.

3 Likes
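The probabilistic versus deterministic trade-off from the first post, as an added example that is not part of the original thread and not taken from any library. It uses an HMAC-SHA256 construction from the Python standard library as a teaching stand-in for a real nonce-based AEAD and an SIV-style deterministic mode; all function names are hypothetical and the construction is not meant for production use.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16  # random nonce sent with every probabilistic ciphertext
TAG_LEN = 32    # HMAC-SHA256 output, used as tag / synthetic IV

def _subkeys(key):  # independent keys for the MAC and for the keystream
    return (hmac.new(key, b"mac", hashlib.sha256).digest(),
            hmac.new(key, b"enc", hashlib.sha256).digest())

def _mac(mac_key, *fields):
    h = hmac.new(mac_key, digestmod=hashlib.sha256)
    for f in fields:  # length-prefix each field so boundaries are unambiguous
        h.update(len(f).to_bytes(8, "big") + f)
    return h.digest()

def _xor_stream(enc_key, iv, data):
    # Teaching-only stream cipher: HMAC-SHA256 in counter mode.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(enc_key, iv + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def seal_probabilistic(key, msg, ad=b""):
    mac_key, enc_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)  # fresh randomness per message
    ct = _xor_stream(enc_key, nonce, msg)
    return nonce + ct + _mac(mac_key, nonce, ad, ct)

def open_probabilistic(key, blob, ad=b""):
    mac_key, enc_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _mac(mac_key, nonce, ad, ct)):
        raise ValueError("authentication failed")
    return _xor_stream(enc_key, nonce, ct)

def seal_deterministic(key, msg, ad=b""):
    mac_key, enc_key = _subkeys(key)
    siv = _mac(mac_key, ad, msg)  # synthetic IV derived from the message; doubles as the tag
    return siv + _xor_stream(enc_key, siv, msg)

def open_deterministic(key, blob, ad=b""):
    mac_key, enc_key = _subkeys(key)
    siv, ct = blob[:TAG_LEN], blob[TAG_LEN:]
    msg = _xor_stream(enc_key, siv, ct)
    if not hmac.compare_digest(siv, _mac(mac_key, ad, msg)):
        raise ValueError("authentication failed")
    return msg
```

With the same key and message, `seal_deterministic` returns identical bytes on every call, while `seal_probabilistic` output differs each time and is `NONCE_LEN` bytes longer.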

Amazing! Thanks for putting this together @matheus23 :tada:

Nice! thx for the resources @matheus23 :partying_face:

fwiw - Rust :crab: AEAD go-to list:

1 Like

Added a section on Key Commitment. Seems to be a more recent thing.