Key vs Full Commitment #68
-
|
What is the difference between key commitment and full commitment and how can one achieve full commitment easily either via an existing program or by coding it? |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment
-
|
These questions would be better placed on Cryptography Stack Exchange as this is not a forum, and that would make answers visible to more people. Chances are, if you have a question, it's already been answered somewhere (e.g. on a forum, in a book, in a blog post, in a paper, etc) or is a question that lacks an obvious answer/an answer is hard to find and so other people are also asking the same question. As a quick answer, key commitment only commits to the key, so other parameters (e.g. the associated data) can be controlled to decrypt without an authentication error, leading to a different plaintext than the one that was encrypted. Context/full commitment prevents this by committing to all the parameters, which is how you'd intuitively expect an AEAD to work. For full commitment, you can use the libsodium transform (including the associated data) or CTX+. The former is easier to implement, but the latter reduces ciphertext expansion and prevents a timing side-channel during decryption if implemented properly. |
Beta Was this translation helpful? Give feedback.
These questions would be better placed on Cryptography Stack Exchange as this is not a forum, and that would make answers visible to more people. Chances are, if you have a question, it's already been answered somewhere (e.g. on a forum, in a book, in a blog post, in a paper, etc) or is a question that lacks an obvious answer/an answer is hard to find and so other people are also asking the same question.
As a quick answer, key commitment only commits to the key, so other parameters (e.g. the associated data) can be controlled to decrypt without an authentication error, leading to a different plaintext than the one that was encrypted. Context/full commitment prevents this by committing to…