Compactly Committing Authenticated Encryption Made Simpler

Abstract

In 2016, message franking was introduced by Facebook in end-to-end encrypted messaging. This feature enables recipients to report harmful content to their service provider in a verifiable manner. Grubbs et al. (CRYPTO 2017) formalized compactly committing authenticated encryption with associated data (ccAEAD) as a symmetric-key primitive that can be used for message franking and presented its generic constructions. Dodis et al. (CRYPTO 2018) proposed encryptment as a core component of ccAEAD and presented two transforms to build ccAEAD from encryptment. One transform builds randomized ccAEAD with one call to conventional AEAD, while the other builds nonce-based ccAEAD with two calls to a pseudorandom function (PRF). Hirose and Minematsu presented an improved transform that requires a tweakable block cipher instead of AEAD. This paper presents an even simplified transform to build randomized ccAEAD, which requires only one call to a PRF. The resulting ccAEAD is more efficient regarding bandwidth than Dodis et al. and has a smaller computation cost than Hirose and Minematsu. The presented transform can be extended to build nonce-based ccAEAD, which is also more efficient than the one presented by Dodis et al. regarding bandwidth, though it requires two calls to a PRF as well as their transform.