Score:5

Can an authenticated encryption scheme detect if a wrong key is used?

Can an authenticated encryption scheme (like AES-GCM) detect if a wrong key is used for decryption? If not, what is the standard way to check whether the entered key is indeed correct? I presume KCVs can be used for this, but does this somehow leak any information about the key?

kelalaka
Welcome to Cryptography. The answer is yes and no! AES-GCM and ChaCha20-Poly1305 are non-committing! [Understanding the impact of partitioning oracle attacks on stream ciphers](https://crypto.stackexchange.com/q/88716/18298). A **committing encryption** scheme is a scheme for which it is computationally intractable to find a pair of keys and a ciphertext that decrypts under both keys. One needs to use HMAC and KMAC.
Ordinary
Thank you for the answer! I was wondering what is the difference between a committing encryption scheme like [here](https://eprint.iacr.org/2003/254.pdf) and a key committing scheme?
kelalaka
AFAIK, they are the same.
Score:5
This is an interesting question, and it depends on the situation where you might decrypt with the "wrong" key.

If two keys $k_1$ and $k_2$ are independently generated, and $c$ is an honestly generated ciphertext under $k_1$, then decrypting $c$ under $k_2$ will result in an error, except with negligible probability. If this weren't the case, it would lead to an attack against AEAD security (the attacker just submits a ciphertext under an independently chosen key). This analysis covers the case of "accidental" or "incidental" decryption under the wrong key.

However, this does not cover the case where $k_1, k_2, c$ are all generated adversarially. (Maybe an attacker shows you $c$ and $k_1$, and since $c$ decrypts successfully under $k_1$ you incorrectly conclude that someone with a different key could not have accepted $c$.) The usual definitions of AEAD don't prevent that. There are natural AEAD schemes (including AES-GCM) where it is possible to generate such $k_1, k_2, c$ such that $c$ decrypts without error under both $k_1$ and $k_2$. This property can indeed cause problems for some applications of AEAD, like password-authenticated key agreement and abuse reporting in encrypted messaging.

If it is hard to come up with any $k_1, k_2, c$ where $c$ decrypts without error under both $k_1$ and $k_2$, then we say that the scheme is key-committing. Sometimes the key-committing property requires providing some additional value (apart from the usual ciphertext and key) to help bind the key to the ciphertext. Key-committing encryption is studied here and here.

Ordinary
Thank you for the answer! I was wondering what is the difference between a **committing encryption** scheme like [here](https://eprint.iacr.org/2003/254.pdf) and a **key committing** scheme?
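
An added example, not part of the original posts: one way to bind an explicit key commitment to a ciphertext so that a wrong key is reported separately from a modified ciphertext. It assumes 32-byte keys, and a SHAKE-256 keystream with HMAC-SHA256 (encrypt-then-MAC) stands in for the AEAD so it runs on the standard library alone; the labels, blob layout and function names are constructed for illustration.

```python
import hashlib, hmac, os

class WrongKey(Exception): pass
class Tampered(Exception): pass

def _prf(key, label, nonce):
    return hmac.new(key, label + nonce, hashlib.sha256).digest()

def _subkeys(key, nonce):
    # Fixed-length keys only: HMAC zero-pads short keys, so b"k" and b"k\x00"
    # would otherwise produce the same commitment.
    if len(key) != 32 or len(nonce) != 16:
        raise ValueError("need a 32-byte key and a 16-byte nonce")
    # Commitment, encryption key and MAC key are separate PRF outputs of the key.
    return _prf(key, b"commit", nonce), _prf(key, b"enc", nonce), _prf(key, b"mac", nonce)

def _xor(data, enc_key):
    # Stand-in stream cipher (assumption of this example, not AES-GCM).
    stream = hashlib.shake_256(enc_key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def _tag(mac_key, aad, ct):
    # Length-prefix the associated data so aad/ciphertext boundaries are unambiguous.
    msg = len(aad).to_bytes(8, "big") + aad + ct
    return hmac.new(mac_key, msg, hashlib.sha256).digest()

def seal(key, plaintext, aad=b"", nonce=None):
    nonce = os.urandom(16) if nonce is None else nonce
    commit, enc_key, mac_key = _subkeys(key, nonce)
    ct = _xor(plaintext, enc_key)
    # Layout: nonce (16) | key commitment (32) | ciphertext | tag (32)
    return nonce + commit + ct + _tag(mac_key, aad, ct)

def unseal(key, blob, aad=b""):
    if len(blob) < 80:
        raise Tampered("blob too short")
    nonce, commit, ct, tag = blob[:16], blob[16:48], blob[48:-32], blob[-32:]
    want, enc_key, mac_key = _subkeys(key, nonce)
    # Check the commitment first, in constant time. A modified nonce or
    # commitment field also lands here, since both feed the comparison.
    if not hmac.compare_digest(commit, want):
        raise WrongKey("key commitment mismatch")
    if not hmac.compare_digest(tag, _tag(mac_key, aad, ct)):
        raise Tampered("authentication tag mismatch")
    return _xor(ct, enc_key)
```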