Key Committing Security of AEZ and More

. For an Authenticated Encryption with Associated Data (AEAD) scheme, the key committing security refers to the security notion of whether the adversary can produce a pair of distinct input tuples, including the key, that result in the same output. While the key committing security of various nonce-based AEAD schemes is known, the security analysis of Robust AE (RAE) is largely unexplored. In particular, we are interested in the key committing security of AEAD schemes built on the Encode-then-Encipher (EtE) approach from a wide block cipher. We first consider AEZ v5, the classical and the first dedicated RAE that employs the EtE approach. We focus our analysis on the core part of AEZ to show our best attacks depending on the length of the ciphertext expansion. In the general case where the Tweakable Block Cipher (TBC) is assumed to be ideal, we show a birthday attack and a matching provable security result. AEZ adopts a simpler key schedule and the prove-then-prune approach in the full specification, and we show a practical attack against it by exploiting the simplicity of the key schedule. The complexity is 2 27 , and we experimentally verify the correctness with a concrete example. We also cover two AEAD schemes based on EtE. One is built on Adiantum, and the other one is built on HCTR2, which are two wide block ciphers that are used in real applications. We present key committing attacks against these schemes when used in EtE and matching proofs for particular cases.


Introduction
An Authenticated Encryption with Associated Data (AEAD) scheme is a symmetric primitive for privacy and integrity.The two important security notions for AEAD are privacy and authenticity, which are the conventional security notions of AEAD schemes as a keyed primitive.The development of AEAD schemes has identified that these two notions do not necessarily capture the security requirements expected in real applications.
One of the notions we focus on in this paper is the key committing security.In this notion, we consider whether a ciphertext returned by the encryption algorithm commits to a key, nonce, AD, and a plaintext, i.e., we expect that decryption of the ciphertext with another key, nonce, or AD fails to return rejection.Key committing security is in the known-key or chosen-key setting.Hence, it is not covered by the classical notions of AEAD schemes.This notion was initiated by Farshim et al. [FOR17] and is relevant in various practical applications, including end-to-end encrypted messaging systems [GLR17,DGRW18,IIM21], key rotation in key management services, envelop encryption, Subscribe with Google (SwG) [ADG + 22], and password-based encryption and key exchange [LGR21].
We consider a class of AEAD schemes that achieve the strongest robustness, called Robust Authenticated Encryption (RAE) [HKR15].This generalizes Deterministic AE (DAE) and nonce-reuse Misuse-Resistant AE (MRAE) [RS06].RAE schemes have several desirable features, including nonce-misuse resistance, flexibility of the ciphertext expansion, and a type of security against the release of unverified plaintexts [ABL + 14].RAE can be obtained through Encode-then-Encipher (EtE) [BR00] using a tweakable Wide-Block Cipher (WBC) as the underlying primitive.EtE is a well-known and strong approach to designing authenticated encryption, and Grubbs et al. [GLR17] proved a variant of key committing security (receiver-binding property) of EtE.However, the underlying WBC is assumed to be ideal.They suggested AEZ [HKR15] as one of the possibly safe instantiations for key committing EtE, however, no concrete analysis was shown.Beyond this result, the key committing security of EtE is largely unexplored, which is the focus of this paper.
In this paper, we consider three RAE schemes built on the EtE approach, AEZ, EtE-Adiantum, and EtE-HCTR2, and we analyze the key committing security of these schemes.
Committing Security.In this paper, we adopt the "committing security" notions by Bellare and Hoang [BH22].We remark that the security formalization has evolved over the years [FOR17, GLR17, DGRW18, ADG + 22, MLGR23], and we refer to Chan and Rogaway [CR22] for a summary of these works and the relationships between these security notions.
We consider the notion for DAE or MRAE following Bellare and Hoang [BH22] adapted to our target schemes.The encryption takes (K, A, M ) as input, where K is a key, A is AD, and M is a message and returns a ciphertext C. In the CMT-1 notion, the adversary wins if it returns (K, A, M ) and (K ′ , A ′ , M ′ ) such that (K, A, M ) and (K ′ , A ′ , M ′ ) have the same ciphertext and K ̸ = K ′ .The CMT-4 notion is stronger, requiring only (K, A, M ) ̸ = (K ′ , A ′ , M ′ ) instead of K ̸ = K ′ .In this paper, we cover both CMT-1 and CMT-4.For the relation between these notions and practical applications, we refer to Bellare and Hoang [BH22].
AEZ. AEZ was proposed by Hoang, Krovetz, and Rogaway at Eurocrypt 2015 [HKR15].It was submitted to CAESAR [Ber19] and advanced to the third round.It has multiple versions, v1, v1.1, v2, v3, v4, v4.1, v4.2, and v5, and our focus is on the latest version, AEZ v5, which we write as AEZ for simplicity.The changes between the versions are explained in [HKR17,Sect. 8].AEZ uses a tweakable WBC called AEZ-core for processing plaintexts of 256 bits or longer, and AEZ-tiny for shorter ones.We apply zero appending as the encoding in EtE to obtain an AE.AEZ-core builds on EME [HR04,Hal04] and OTR [Min14], and its structure has a proof of security [HKR15].The full specification of AEZ adopts the proof-then-prune approach to reduce the number of rounds of the primitive and uses an efficient key schedule to gain efficiency.AEZ-tiny is a type of format-preserving encryption [BRRS09] that needs a larger number of Feistel rounds, its security claim is heuristic and not supported by a proof.AEZ is the first attempt to efficiently realize the EtE approach, which is inherently an offline AE to achieve strong robustness.The computational cost of AEZ is about one AES computation per block, so its throughput is close to AES-CTR mode.
The security of AEZ in the secret key setting has been well analyzed.See [BDD + 17, CG16, FLS15, FLLW17] for analyses of earlier versions in the classical setting, [Men17] for an analysis of weak keys, and [KLLN16,Bon17] for analyses in the quantum setting.AEZ remains an important target of cryptanalysis as it is the first dedicated EtE construction to achieve RAE security.From the application perspective, AEZ has attracted several open-source projects including Tor [Mat15], and both JavaScript and WebAssembly implementations are provided by the Node.jspackage manager [Gug18,Mok18].We also remark that NIST has held a workshop on block cipher modes of operation [Nat23,MD23], where tweakable wide encryption techniques were among the topics of discussion, and AEZ is a representative example of this category.
We present the analysis of AEZ in terms of key committing security.Specifically, we focus our analysis on AEZ-core, as this forms the core part of the scheme, and it comes with a proof of security. 1We present the following results: • We first point out that a straightforward CMT-4 attack exists against general AEZ, which is AEZ where the underlying Tweakable Block Cipher (TBC) is assumed to be ideal.The attack is efficient and works with O(1) complexity.
• We then consider CMT-1 attacks.We divide our analysis into cases depending on τ , which is a parameter that specifies the stretch of the ciphertext.For n, the block length of the underlying TBC, we consider the case τ = n, which is the default case, and the case τ < n.We show that there is a CMT-1 attack against the default case with the birthday complexity of O(2 n/2 ).For the case τ < n, we show CMT-1 attacks with the generic attack, the attack based on the 4-tree algorithm [Wag02], the attack based on the repeated 4-tree algorithm, and the birthday attack, depending on the value of τ .Here, the repeated 4-tree algorithm is a variant of the 4-tree algorithm [Wag02] that we formalize here.It works when the size of the lists is insufficient.Our findings are illustrated in Fig. 4.
• To see the tightness of our attack against general AEZ, we present a provable security result when τ = n, assuming that the primitives are ideal.By reducing the CMT-1 attack into a collision-finding problem of a part of the output of general AEZ, we show an O(2 n/2 ) provable security bound, indicating the tightness of our attack for this case.We remark that, to our knowledge, this is the first provable security result of the key committing security for a non-monolithic EtE scheme.
• We then consider AEZ, where the underlying TBC follows the full specification of AEZ-core, which we call full-spec AEZ.By fully utilizing the details of the key schedule adopted in full-spec AEZ, we carefully choose distinct keys (K, K ′ ) so that the difference in certain intermediate states becomes zero with a high probability.As a result, we obtain a CMT-1 attack against full-spec AEZ with a complexity of 2 27 , whose correctness we have experimentally verified.We provide a numerical example of the CMT-1 attack against full-spec AEZ.
Therefore, in general, the structure of AEZ is sound with respect to key committing security as the provable security result on general AEZ shows, while the full specification of AEZ is practically insecure due to the details of the key schedule, as the attack against full-spec AEZ shows.

EtE-Adiantum.
Adiantum is a wide-block encryption scheme designed and proposed by Crowley and Biggers [CB18] and is widely deployed in practice as a disk sector encryption scheme and for filesystem-level encryption (fscrypt) on Android devices.It uses a variant of the Feistel structure called HBSH that follows [MT05].It uses a universal hash function, a block cipher, and a stream cipher as the underlying primitive.Adiantum has a proof of security as a wide block cipher [MT05,CB18].It was designed to be efficient on lower-end processors, and it adopts the combination of NH [BHK + 99] and Poly1305 [Ber05] as the hash function, AES-256 as the block cipher, and XChaCha12 as the stream cipher to be efficient on such platforms.To our knowledge, an EtE AEAD scheme based on Adiantum, which we write EtE-Adiantum, has not been deployed to a real product.However, as mentioned, Adiantum is widely used in practice and is a high-profile target of cryptanalysis for its practical importance.We analyze the key committing security of EtE-Adiantum.In AEZ, the message is first zero-appended to encode according to the specification.For EtE-Adiantum, it turns out that zero-prepending and zero-appending can have different security characteristics, and we consider both cases for EtE-Adiantum.We present the following results: • We point out that an efficient CMT-4 attack is possible against both the prepending and appending cases.
• For a CMT-1 attack, we discuss that the problem is reduced to a collision-finding problem.As a result, we show that the key committing security of EtE-Adiantum is at most O(2 τ /2 ) for the prepending case and O(2 n/2 ) for the appending case, where τ is the bit length of the zero-padding and n is the block length of the block cipher.
• We show that our attack on the prepending case is tight by showing a proof of security, assuming the cryptographic permutation inside XChaCha12 is ideal.More precisely, we consider prepending 0 τ to the input, where τ ≤ n, and we show O(2 τ /2 ) security of EtE-Adiantum.To complete our proof, we prove a lemma showing the upper bound on the s-way collision probability of a permutation-based Davies-Meyer mode.

EtE-HCTR2.
HCTR2 is a wide-block encryption scheme designed by Crowley, Huckleberry, and Biggers [CHB21].It is based on HCTR [WFW05] to improve the security bound and to address an issue in [CN08] of the provable security result.HCTR2 uses a polynomial hash function as a universal hash function, AES as a block cipher, and a mode of stream encryption called XCTR, and it has a proof of security as a wide block cipher [CHB21].As in the case of Adiantum, we do not know a practical deployment of EtE-HCTR2.However, HCTR2 is practically deployed as a part of fscrypt [And23] as well as Adiantum, and is under consideration in an extension of UDP proxy optimized for QUIC [PRS23].Thus, we consider that analyzing the security of EtE-HCTR2 is of interest.As in the case of EtE-Adiantum, we consider the zero-prepending and zero-appending cases, and we present the following results: • There is an efficient CMT-4 attack against both the prepending and appending cases.
• There is a CMT-1 attack with a birthday complexity.More precisely, following the CMT-1 attack against EtE-Adiantum, we can reduce the CMT-1 attack against EtE-HCTR2 into a collision finding problem to show that the key committing security of EtE-HCTR2 is at most O(2 τ /2 ) for the appending case and O(2 n/2 ) for the prepending case.
See Table 1 for the summary of our results.
In Sect.2, we give preliminaries to define security notions and the specifications of AEZ, Adiantum, and HCTR2.In Sect.3, we present our attacks against general AEZ, covering both CMT-4 and CMT-1 attacks.In Sect.4, we present a practical CMT-1 attack against full-spec AEZ, including a numerical example.We cover attacks against EtE-Adiantum in Sect. 5 and against EtE-HCTR2 in Sect.6.In Sect.7, we present provable security results.We cover general AEZ in Sect.7.1 and Adiantum in Sect.7.2.We conclude the paper in Sect.8.
(Tweakable) Block Ciphers.A tweakable block cipher (TBC) [LRW11] is a keyed function E : K × T w × M → M such that for any (key, tweak) pair (K, T ) ∈ K × T w , E(K, T, •) is a permutation over M. A tweak T is a public value that may be chosen by the adversary.The encryption of a plaintext M ∈ M with a key K and a tweak T is a ciphertext C = E(K, T, M ), which is also written as E K (T, X) or E T K (X).Similarly, the decryption is written as A TBC with a singleton tweak space |T w | = 1 is interpreted as a conventional block cipher E : K × M → M. We write E −1 K ( * ) to denote the decryption function when it is clear that we use E as a (non-tweakable) block cipher.
If the message length of a TBC is variable, the scheme has various names: a variablelength TBC, a wide block cipher (WBC), or a Tweakable Enciphering Scheme.The tweak may or may not be of variable length.Throughout the paper, we adopt the name WBC.Typically, the message space of a WBC is not the full {0, 1} * but has a certain minimum length.For example, the most common block cipher-based WBCs have a minimum message length of n bits, where n denotes the block size of the underlying block cipher.
Ideal primitives.For finite sets X and Y, let Func(X , Y) be the set of all the functions: X → Y. Similarly, let TPerm(T w , M) denote the set of all tweakable permutations over M with tweak space T w , and let Perm(M) be the set of all permutations over M.
An ideal cipher (IC) π : K × M → M uniformly distributes over TPerm(K, M).It is used as a public function so that the adversary can query a tuple (K, X) ∈ K × M in the forward or backward direction.The oracle returns Y = π(K, X) (Y = π −1 (K, X)) for the forward (backward) direction.Similarly, an ideal tweakable cipher π : K × T w × M → M uniformly distributes over TPerm(K × T w , M), and a (public) random permutation π : M → M uniformly distributes over Perm(M).Both accept forward and backward queries (including the tweak as a part of the query for the former) as in the case of an IC.
(Deterministic) Authenticated Encryption.Deterministic authenticated encryption (DAE) is a class of authenticated encryption (AE) introduced by [RS06].Unlike conventional nonce-based AE schemes such as GCM or OCB, it does not necessarily require a nonce if our confidentiality/privacy goal is Deterministic Privacy [RS06] (note that a DAE still needs a non-repeating nonce to achieve the standard privacy notion).The syntax of DAE is as follows.Let DAE = (DAE.E, DAE.D) be a DAE scheme.The (deterministic) encryption algorithm DAE.E takes a key K ∈ K and a tuple (A, M ) consisting of associated data (AD) A ∈ A and a plaintext M ∈ M as input, and returns a ciphertext C ∈ M. Note that |C| > |M | must hold for authenticity.The (deterministic) decryption algorithm DAE.D takes K ∈ K and the tuple (A, C) ∈ A × M as input, and returns M ∈ M or the reject symbol ⊥.While not mandatory, a DAE scheme may contain a nonce as an independent variable or as a part of the AD.In this case, a DAE scheme may be called a (nonce) misuse-resistant AE (MRAE) as it offers the best possible protection against nonce repetition when encrypting.Since our focus is not on standard DAE security notions for confidentiality and integrity, we refer to [RS06] for their definitions.
A secure WBC Π : K × T w × M → M can be converted into a DAE/MRAE by the popular encode-then-encipher (EtE) approach [BR00].For an encryption input (A, M ) ∈ A × M such that A ⊆ T w , let the ciphertext C = Π K (A, M ∥ 0 τ ) for some τ > 0, assuming an encoding of A into the tweak space.Often τ ∈ [n] is fixed for the block size n.The verification for (A, C) is done by checking if lsb τ (Π −1 K (A, C)) = 0 τ holds.The DAE security of EtE with a WBC is reduced to the pseudorandomness of WBC [BR00].The security depends on the redundancy introduced by the encoding (τ ), and one can use other injective encodings of M with an appropriate checking method.Specifically, we focus on 0 τ appending (C = Π K (A, M ∥ 0 τ )) and 0 τ prepending (C = Π K (A, 0 τ ∥ M )) as the most natural options.Let EtE-Π denote the EtE using the WBC Π.We may write Π to mean EtE-Π if it is clear from the context.
We mostly follow the original notation for each of the target schemes.Hence, the notation may have slight differences.For details, we refer to each specification section.

Security Notions
We adopt the "committing security" notions by Bellare and Hoang [BH22].They succinctly capture various goals of the key committing property.While sharing the same spirit, namely finding a pair of inputs, including the keys, that produces the same output, different notions for key committing security have been proposed in the literature [FOR17, GLR17, DGRW18, ADG + 22, MLGR23].Chan and Rogaway [CR22] provided an excellent summary of these works and the relationships between these security notions and their notions.
We describe the notions proposed by Bellare and Hoang [BH22].For simplicity, our description is dedicated to DAE (or MRAE; in that case, AD is assumed to contain the nonce), but it is originally defined for general nonce-based AE.
Definition 1.Let DAE = (DAE.E, DAE, D) be a DAE scheme with a key space K, a message space M, and an AD space A. The CMT-1 notion is the maximum advantage of the adversary whose goal is to find two input tuples (K, A, M ), (K The sequence (Z 1 . . ., Z ℓ ) denotes i-th string in the vector T containing AD, and j = i + 2. Note that E −1, * K denotes the forward evaluation with the tweak (−1, * ), not the inverse.such that K ̸ = K ′ and DAE.E(K, A, M ) = DAE.E(K ′ , A ′ , M ′ ).The CMT-1 advantage is defined as The CMT-4 notion is identical to CMT-1 except that only (K, A, M However, Bellare and Hoang [BH22] showed that it is equivalent to CMT-4.They also proposed a class of CMTD notions whose winning condition is defined via decryption functions rather than encryption functions.Bellare and Hoang [BH22] showed that CMTDx is equivalent to CMT-x for x ∈ {1, 3, 4} when the target scheme is tidy.2As all the analyzed schemes in this paper are tidy, we only consider CMT-x notions.The same approach was taken by [MLGR23].Note that the adversary in these notions can choose keys.Hence, proving the security under these notions will require an idealized primitive inside the target to make these notions meaningful (see e.g.[Rog06]).

Specification of AEZ
We study the latest specification (v5) [HKR17] of AEZ.It consists of two WBCs, AEZ-tiny and AEZ-core, where the former is used for plaintexts shorter than 256 bits, and the latter is used otherwise.The standard EtE method with zero appending is applied to the WBC to implement an AE.As the name suggests, we focus on the latter case using AEZ-core as it is the "core" construction of AEZ.AEZ-tiny is a kind of format-preserving encryption [BRRS09] and needs a larger number of Feistel rounds.We may write AEZ to mean AEZ-core throughout the paper.
Mode.The original pseudocodes of [HKR17] are shown in Appendix B (Algs. 1, 2 and 3).See also Fig. 1.We omit the pseudocodes for AEZ-tiny and BLAKE2b [ANWW13].The structure of (the internal WBC of) AEZ is Encrypt-Mix-Encrypt, where "Encrypt" is realized by a two-round Feistel permutation and "Mix" is a combination of a linear operation and one encryption round per diblock.It is built on the ideas of EME [HR04] and OTR [Min14].
Let n = 128.The encryption of AEZ (Alg. 1) takes a key N, A, τ, C) and returns M or ⊥, an error symbol.The key length |K| is recommended to be at least 128 bits, and the default length is 3n = 384 bits.The key length does not matter for our generic attacks of Sect.3.2.The variable τ is a multiple of 8 and denotes the bit-length overhead.The default (and the recommended maximum) value is τ = n.It can vary for each message, however, the designers suggested it is typically fixed.We consider the case τ ∈ [n] following these suggestions.An AD in AEZ can consist of multiple bitstrings (i.e., a vector).Unlike the description of Sect.2, AEZ treats the nonce explicitly; a vector-input PRF AEZ-hash takes an encoding of (τ, N, A), denoted by T .We assume that AD is a single bitstring without loss of generality for our attacks and proofs.We do not distinguish nonce and other AD blocks.Moreover, we may write A instead of A and write AEZ-hash(K, A) instead of AEZ-hash(K, T ).We mostly follow the original notation, however, we apply slight modifications to them for convenience.In particular, our attack descriptions will use M M i (CC i ) to denote the 2n-bit sequence (diblock) Primitive.AEZ is based on a TBC E : K × T w × M → M, where K = {0, 1} 3n , M = {0, 1} n , T w = I × J with I, J ⊆ Z; their actual ranges can be found in the pseudocode.The designers proved standard DAE security (more precisely, an even stronger one called robust AE security) assuming the underlying TBC is computationally secure, i.e., a tweakable pseudorandom permutation [HKR15].In the submission to the CAESAR competition, this TBC is instantiated by either a 4-round or 10-round AES depending on the tweak value, rather than relying on provably secure constructions such as XE [Rog04] built on (unmodified) AES.Moreover, it adopts very simple tweak and key schedules.
The concrete instantiation of TBC E i,j K ( * ) is shown in Alg. 3, where AES10 K denotes 10-round AES with the list of subkeys K. Similarly AES4 k denotes 4-round AES with the list of round keys k.As the pseudocode shows, if |K| = 384, we first parse K into three n-bit parts, I, J, and L, and any n-bit round key in K and k is one of I or J or L. See Appendix B for more details.This instantiation implies that the reduction to AES's pseudorandomness is no longer possible.Even more, the 4-round AES can be practically distinguished from random with a chosen plaintext attack [DKR97, KW02], clearly indicating the deviation from what provable security aims at.The designers named this approach prove-then-prune.The security of a prove-then-prune construction depends on the interaction between the mode and the primitive instantiation; thus, it is not always safely applicable.As DAE/MRAE, the security claim of AEZ (v5) using the above TBC instantiation has been maintained since the proposal.
1: procedure HashP(K P , P ) Adiantum with an n-bit block cipher E and a stream cipher S that accepts a nonce and an output length as arguments.K, P , and T denote the key, the plaintext, and the tweak, respectively.ε is the empty string.pad() is a padding that adds 0 * to the end of its input until its size reaches a multiple of n.

Specification of Adiantum
Adiantum is a WBC proposed by Crowley and Biggers [CB18].It is based on three primitives: a universal hash H, a block cipher E, and a stream cipher S. The specification is given in Fig. 2. See also Fig. 6 for illustration.In particular, Adiantum implements E as the AES-256 [AES23] block cipher and S as the XChaCha12 stream cipher, which is an extension of ChaCha12 [Ber08] to accept a 192-bit nonce.Adiantum uses XChaCha12 by padding the 128-bit nonce with a one followed by 63 zeroes.The hash function relies on two hash subroutines: NH [BHK + 99] and Poly1305 [Ber05].
NH is an efficient hash function that uses an 8, 576-bit key split into 32-bit blocks

and split the input into 32-bit blocks
Then, it adds and multiplies blocks of the key and the message, appending the result once all the key blocks are used: Then, it evaluates a polynomial with coefficients depending on M at the point k: As mentioned earlier, we consider EtE-Adiantum by either prepending or appending 0 τ to the plaintext P .The tweak T will be used as an AD, which may contain a nonce.The decryption mechanism then rejects every plaintext that does not start (or end) by 0 τ .
based on an n-bit block cipher E, and processing a key K, a tweak T , and a plaintext P .The function pad() is a padding that adds 0 * to the end of its input until it reaches a size multiple of n.

Specification of HCTR2
Crowley, Huckleberry, and Biggers designed HCTR2 [CHB21], which is a WBC based on Wang et al.'s HCTR [WFW05].HCTR2 consists of a variant of counter mode and a polynomial hash function.HCTR2's specifications are given in Fig. 3. See also Fig. 7 for illustration.As in the case of Adiantum, we consider EtE-HCTR2 with either prepending or appending 0 τ to the plaintext.HCTR2 follows the same structure as HCTR with slight differences.For instance, HCTR2 derives the hash key from the block cipher's key, which may make it more resistant to attacks on key committing security.It is fairly straightforward to translate attacks on the key committing security of HCTR2 to the original HCTR; hence, we focus our study on HCTR2.Indeed, independently setting the keys gives the attacker more freedom in looking for other key materials to build a key committing attack.This stands in contrast with standard notions of security, where it is the key derivation that may introduce security flaws.
The hash function of HCTR2 can mostly be understood as a polynomial evaluated at a secret point, the secret key h, with coefficients depending on its inputs.Also, for a given length, it can be rewritten as the sum of two polynomials, one depending on the tweak T and one depending on the input M .Let us define Poly h (X) for an x-block input X = X 1 ∥ X 2 ∥ • • • ∥ X x as the following polynomial with coefficients given by X and evaluated at h writing finite field multiplication as "•": Then, for input sizes |T | and |M | that are multiple of n, the hash function of HCTR2 is: This representation will help describe our key committing attacks in Sect.6.

Key Committing Security of General AEZ
We start with attacking AEZ, assuming the underlying TBC E : K × T w × M → M is an ideal tweakable cipher.We call such a version general AEZ.The CMT-4 attack is simple and works for any τ with negligible complexity.The complexity of the CMT-1 attack depends on τ .Recall that we consider τ ∈ [n]; the default is τ = n.

CMT-4 Attack
We present a CMT-4 attack against general AEZ.The adversary fixes K (of any length) and other input variables, performs encryption, and tries to find another AD that yields a collision on AEZ-hash.Since AEZ-hash is effectively a TBC-based PHASH (the message hashing part of PMAC [Rog04]), finding such an AD pair is trivial because preimages are easy to find given the key.Assuming AD is a single bitstring, an input to AEZ-hash is a vector T of three components.Then the output ∆ = AEZ-hash(K, T ) is written as , where Z ℓ−1 and Z ℓ are the last two AD blocks and ∆ is a value computed from K and T except Z ℓ−1 and Z ℓ .To find a collision, we modify the last two AD blocks to Z ′ ℓ−1 and Z ′ ℓ so that for some e ̸ = 0 n .Then, a difference e introduced in i = ℓ − 1 is canceled in i = ℓ.An example of a complete attack is: first, fix (K, A, M ), then, encrypt (A, M ) with K to obtain ∆ and C, and finally, find another A ′ ̸ = A that yields the same ∆ and returns ((K, A, M ), (K, A ′ , M ), C).This attack needs two forward and inverse queries with negligible computation and is thus practical.

Remark.
A variant of the CMT-4 attack described above works on any EtE scheme if AD is processed by a (keyed) function f and the result is absorbed into the main encryption/decryption routine and f is weak with respect to preimage with knowledge of its key (if keyed).This holds for many WBCs, including Adiantum and HCTR2.We omit the details of the attacks as they are rather straightforward from the paragraph "Preimages using Hash Function" in Sect. 5 and Sect.6.A cryptographically strong hashing for AD processing would prevent this type of CMT-4 attack but does not guarantee CMT-4 security in general.

CMT-1 Attack for τ = n
Unlike CMT-4, breaking CMT-1 needs a pair of distinct keys for a pair of input tuples.Hence, the internal states are processed by independent random primitives, thereby excluding simple single-variable cancellation strategies as our CMT-4 attack.We first present an attack for the default setting τ = n.The attack requires finding a collision on C y , which is a birthday attack of O(2 n/2 ) time.However, we emphasize that this is not a trivial collision finding on a hash function (K, A, M ) → C y deduced from general AEZ since other ciphertext blocks must collide.
Overview.Our attack focuses on the last diblock.See the box with a dashed line in Fig. 1.For encryption, it takes the key K, the last plaintext diblock (M x , M y ), the internal variables X and Y determined by the other diblocks, and the output of AEZ-hash taking AD, ∆.It outputs the last ciphertext diblock (C x , C y ) and S, which is absorbed by the processing of other diblocks.Following Fig. 1, let We first fix a pair of distinct keys, K and K ′ , and the ciphertext diblocks except the last one.Next, we find a collision on C y by sampling 2 n/2 times for the internal Y 1 .Then, we can make the system of equations for the last diblock consistent by exploiting the preimage weakness of AEZ-hash.
For simplicity, we describe the case of even message blocks.Extending to odd blocks can be done by minor modifications after Step 7.For the notation, we refer to Fig. 1 and Appendix B.2.

Attack Procedure.
Step 1. Pick an arbitrary pair of distinct keys K, K ′ ∈ K. Pick an arbitrary sequence of diblocks CC = (CC 1 , . . ., CC m ) and Step 2. (Randomly) sample 2 n/2 values of Y 1 as candidates for Y 1 , and sample 2 n/2 values of Y ′ 1 as candidates for Y ′ 1 .
Step 3.For each pair, derive Step 4. Find a collision in the lists which becomes C y : Step 5.
Step 6. Find A, A ′ ∈ {0, 1} 8 * so that AEZ-hash(K, A) = ∆ target and AEZ-hash(K ′ , A ′ ) = ∆ ′ target .This can be done efficiently by using the inverse of E in the same manner as in a CMT-4 attack.

CMT-1 Attack for τ < n
The complexity of a CMT-1 attack can be reduced if τ is smaller than n as it enables us to choose Y 1 and X 2 independently for the first (n − τ ) bits.More specifically, when τ ≤ 2n/3, we can use a generalized birthday attack on 4XOR (4-tree algorithm) [Wag02].The 4-tree algorithm takes four lists L X1 , L X2 , L X3 , and L X4 as input, where each list It requires the time and memory complexities of O(2 n/3 ).Note that 4-tree has been used in the key committing attack on SIV [MLGR23], but ours is different and not derived from their attack.We modify the attack procedure of Sect.3.2 as follows.
Step 3. We compute X 1 and Y 2 and X ′ 1 and Y ′ 2 each for 2 n/3 values and build the lists of these variables, denoted by L X1 , L Y2 , L X ′ 1 , and L Y ′ 2 .
Step 4. We run the 4-tree algorithm of Wagner [Wag02] on these four lists.With a high probability, we find a solution, i.e., The remaining steps remain the same.The time and memory complexities of this attack are O(2 n/3 ).
Case 2n/3 < τ < n.The above attack needs τ ≤ 2n/3 to ensure we have enough samples for X 1 , Y 2 , X ′ 1 , and Y ′ 2 .However, even when 2n/3 < τ , we can mount a variant of the 4-tree attack by repeating the 4-tree attack with small lists until we find a solution.This repeated 4-tree algorithm works better than the birthday attack when 2n/3 < τ < 3n/4, and its complexity is O(2 2τ −n ) as shown in Fig. 4. See Appendix D for the details.
Case τ < n/3.In case τ < n/3, a simple generic attack against EtE-based AE works.We just pick random 2 τ tuples (K, A, C) and decrypt them until we find a valid plaintext M , i.e., lsb τ (M y ) = 0 τ .We obtain (K, A, M, C) as a valid tuple.We repeat this procedure using another 2 τ tuples of (K ′ , A ′ , C) for some K ′ ̸ = K and A ′ ̸ = A to find the solution.The time and memory complexities are O(2 τ ).

Key Committing Security of Full-spec AEZ
We continue to consider attacking AEZ where the underlying TBC E : K × T w × M → M follows the full-spec AEZ-core.We call such a version full-spec AEZ.A CMT-4 attack against full-spec AEZ works for any τ with negligible complexity, as described in Sect.3.1.Unlike the attack described in Sect.3.1, we choose the key of full-spec AEZ to provide a CMT-1 attack.Note that the CMT-1 security definition does not restrict whether the attacker can or cannot choose the key.Although we need a stronger assumption, this is a practical attack of 2 27 time for any τ .We verified the attack experimentally.We provide an example of two data sets enciphering to the same ciphertext in Appendix C.
Overview.This attack follows similar steps to the CMT-1 attack described in Sect.3.2.Namely, this attack also focuses on the last diblock, which is illustrated as the dashed line box in Fig. 1, and finding . The notation in this section is almost identical to Sect.3.2, with the following differences.We use the round keys of as (∆, I, J, L, I, J, L, I, J, L, I) instead of ( 0, I, J, L, I, J, L, I, J, L, I), where ∆ = i • L. With this change, we note that the input value of AES10 K is changed from X ⊕ ∆ to X. Let δ B be an XOR difference between B and B ′ , which are two blocks at the same location, i.e., δ B = B ⊕ B ′ .
According to Alg. 3, the subkeys (I, J, L) are directly derived from the master key K when |K| = 384 as (I ∥ J ∥ L) ← K, however, they are generated from the BLAKE2b algorithm when |K| ̸ = 384, as (I ∥ J ∥ L) ← BLAKE2b(K).The BLAKE2b algorithm is not invertible.Therefore, we choose the key length as |K| = 384, which is the default option, so that we can choose the subkey differences (δ I , δ J , δ L ) in our attack.
How to Choose Subkey Differences.Before explaining the details, we discuss how to choose the subkey differences (δ I , δ J , δ L ).As described above, we need to choose a proper pair of distinct keys (K, K ′ ) in such a way that (δ X1 , δ Y1 , δ X2 , δ Y2 ) = (0, 0, 0, 0) holds and the number of active S-boxes is minimized.To find such a differential propagation from δ X1 to δ Y2 , we consider a series of computations from X 1 to Y 2 as two consecutive AES10 K functions with round keys (( L, I, J, L, I, J, L, I, J, L, I), (2L, I, J, L, I, J, L, I, J, L, I)).
Focusing on the round keys of the two consecutive AES10 K functions, the first and last two consecutive round keys are (L, I) or (2L, I).In addition, unlike the original AES, AES10 K contains MixColumns in the last round.We use these properties to analyze a differential propagation of the two consecutive AES10 K functions.Our strategy consists of choosing the differences δ I , δ J , and δ L and the values I, J, L in such a way that the difference that is introduced in one round will be canceled out by the difference in the next round with high probability.Then, there are several rounds where the input and output differences are zero.We choose the round key differences in the following steps: 1. We choose δ L or δ 2L in such a way that these differences activate only one byte of the internal state.In other words, when inserting these differences into the internal state, we need to minimize the number of active S-boxes in the corresponding aesenc function.Note that choosing δ L uniquely determines δ 2L .
2. We choose δ I in such a way that the differential propagation caused by inserting δ L or δ 2L in the previous round will be canceled with high probability.In other words, inserting this difference into the internal state will lead to a pair of identical internal states (zero difference, no active S-boxes) with high probability.
3. We do not need to consider a difference in J (i.e., δ J = 0), since we know from Step 2 that the probability that the state difference is already zero is high.Instead, we choose the value J satisfying X 1 = X ′ 1 = aesenc(aesenc(aesenc(X 1 , L), I), J).
Given X 1 (= X ′ 1 ), δ Y1 = 0 holds by choosing round key differences and values from the above way.It implies that we do not need to rely on a probabilistic event for a differential propagation of the first AES10 K .Instead, we rely on a probabilistic event for a differential propagation of the second AES10 K , but it contains only four active S-boxes.Its differential probability is within the range of 2 −6×4 to 2 −7×4 .Note that AES10 K contains MixColumns in the last round; thus, both δ Y1 = 0 and δ Y2 = 0 hold simultaneously with high probability by canceling the differences with δ I .Attack Procedure.We execute the following procedure: Step 1. Pick a pair (X 1 , X ′ 1 ) and a pair (M y , M ′ y ) in such a way that δ X1 = 0 and δ My = 0, respectively.
Step 2. Find a proper pair of distinct keys (K, K ′ ) in the following procedure, with the way of choosing the round key differences as described above (see Fig. 5 for a better understanding of a differential propagation used in this step): 1. Pick (L, I) randomly, and compute 2. Compute aesdec(aesenc(X 1 ⊕L, I)⊕I ′ , X ′ 1 ) to get L ′ , and determine δ L = L⊕L ′ .3. Select a pair (J, J ′ ) for which both aesenc(aesenc(X 1 ⊕ L, I), J) = X 1 and aesenc(aesenc(X ′ 1 ⊕ L ′ , I ′ ), J ′ ) = X ′ 1 , where J = J ′ since δ J = 0. 4. Execute the remaining first AES10 K to get δ Y1 .If Steps 2 and 3 hold, we know that the same will apply to the remaining rounds because of the repetition of the round subkeys and the states, and δ Y1 = 0 holds with probability one.
Complexity Estimation.Following the above attack procedure, the complexity of making Substeps 2-5 of Step 2 work is dominant.The probability that Substeps 2-5 hold is within the range of 2 −24 to 2 −28 , therefore, the complexity of the whole attack is estimated as at most 2 28 .Experimental Verification.We experimentally verified the validity of the proposed attack.We first search for an appropriate δ L , where the probability that the differential trail is satisfied is maximum.Clearly, δ L must have a single active byte.Then, the active column position of δ I is determined.Moreover, msb 1 (δ L ) = 0. Otherwise, a different byte position is active in δ 2L , and it is impossible to cancel the difference by XORing δ I .Therefore, the choice of δ L is at most 16 × 127, and an exhaustive search is possible.
Countermeasure.The practical CMT-1 attack against full-spec AEZ exploits the weak key schedule, where the attacker can easily control the value of I, J, and L. One option to counter the practical attack is to use BLAKE2b to generate a 384-bit key even when the key length is 384 bits.Without breaking the hash function BLAKE2b, this makes it hard to choose the master key satisfying the subkey relation.

Key Committing Security of Adiantum
This section describes two collision-based CMT-1 attacks on EtE using Adiantum, both for prepending and appending.In both cases, the most expensive step is a collision-finding problem.Thus, both attacks work in the time and memory complexity of the chosen collision algorithm, which is, at best, birthday-bound time complexity.Our attacks show that the key committing security of EtE-Adiantum is at most O(2 τ /2 ) for prepending and O(2 n/2 ) for appending.Figure 6 shows the collision-finding problem for each case.Preimages using Hash Function.The attacks described below rely on the efficiency of finding preimages of the hash function given a key.The input of a hash function is typically much larger than its output, so there can be many solutions.The hash used by Adiantum has good properties when using a secret key, but it is easily manipulable in the known-key setting, which allows for our efficient key committing attacks.The Adiantum hash is based on both NH and Poly1305 which allow for straightforward preimages when the key is known.
In particular, steps such as "Find T s.t.Hash(h, T, a) = b" for some value h, a, b involve finding a preimage of Poly1305 as: Indeed, given a known masked hash key k ̸ = 0, it is trivial to manipulate two or more blocks of T to obtain any 128-bit value.Since 2 130 − 5 is prime, (k i+1 (T i + 2 128 ) mod (2 130 − 5)) can have 2 128 different values, one for every choice of T i .Then, when reducing to mod 2 128 , a maximum of 4 possible values might map to a single one.Let us give an easy algorithm: given a target a, arbitrarily choose all blocks of T except T i for some i, and compute the required value.This works with a probability of at least 1/4, and this can be repeated by fixing other values for T .Note that finding a preimage implies a CMT-4 attack (see Sect. 3.1).We can break the CMT-4 notion by constructing a pair of distinct T and T ′ such that the hash function's outputs are identical.

Goal of CMT-1 Attack.
The goal of our attacks is to find a non-trivial solution to the equation: These can be seen as two equations for the left and right parts of the ciphertext, C L and C R , respectively.We further break down these by introducing the intermediate values C M and C ′ M so that we get four equations: (1)

CMT-1 Attack of Adiantum with 0 τ Prepending
Overview.The attack finds a non-trivial solution to Equation (1) where P L and P ′ L are replaced by 0 τ ∥ P L and 0 τ ∥ P ′ L , respectively, with The left figure of Fig. 6 shows the high-level idea of our attack.We find , which is the collision-finding problem, and we can find such a pair with a complexity of O(2 τ /2 ).Suppose we have such a pair, (C M , C ′ M ) with distinct keys, K and K ′ .Then, because we can easily compute the preimage of the hash function given a key, we can construct (T, P L , P R ) and (T ′ , P ′ L , P ′ R ) whose ciphertexts are identical using the following procedure.

Attack Procedure.
Step 1. Pick a pair of distinct keys K and K ′ arbitrarily.Pick P L and P R arbitrarily. Compute Step 2. Define Step 3.
, where matching 0 τ is guaranteed by the collision, Step 4. Find T s.t.Hash(h, T, 0 Step 5. Determine C R ← C M ⊟ Hash(h, T, C L ).

CMT-1 Attack of Adiantum with 0 n Appending
Overview.The attack finds a non-trivial solution to Equation (1) where P R and P ′ R are replaced by 0 n .The right figure of Fig. 6 shows the high-level idea of our attack.We exploit the following property of the hash function.

Hash(h, T, P
As shown in Fig. 6, C R is computed from C M and C L as follows: Therefore, given an arbitrary C L , we find C M and C ′ M satisfying C R = C ′ R , which is the collision-finding problem, and we can find such a pair with a complexity of O(2 n/2 ).Once we find such a pair, (C M , C ′ M ) with distinct keys K and K ′ , we can construct (T, P L , P R ) and (T ′ , P ′ L , P ′ R ) whose ciphertexts are identical using the following procedure because it is easy to find a preimage of the hash function given a key.

Attack Procedure.
Step 1. Pick a pair of distinct keys K and K ′ arbitrarily.Pick C L arbitrarily and ℓ ← |C L |.

Key Committing Security of HCTR2
This section describes two CMT-1 attacks on authenticated encryption using HCTR2, one for the prepend version and one for the append version.These attacks have much in common with the ones of Sect. 5 on Adiantum.Note that the roles of the left and right branches are reversed compared to Adiantum.The 0 τ appending and 0 n prepending attacks against HCTR2 correspond to 0 τ prepending and 0 n appending attacks against Adiantum, respectively.Just as in the attack on Adiantum, the most expensive step in both cases is a collision-finding problem.Thus, both attacks work with the time and memory complexity of the chosen collision algorithm, which is, at best, birthday-bound time complexity.Therefore, the key committing security of HCTR2 is at most O(2 τ /2 ) and O(2 n/2 ) for the 0 τ appending and 0 n prepending versions, respectively.Figure 7 shows the collision-finding problem for each case.
Preimages using Hash Function.The attacks described below rely on the efficiency of finding preimages of the hash function given a key.The input of a hash function is typically much larger than its output, so there can be many solutions.The hash used by HCTR2 has good properties when using a secret key, but it is easily manipulable in the known-key setting, which allows for our efficient key committing attacks.
In particular, steps such as "Find T s.t.Hash(h, T, a) = b" for some value h, a, b involve finding a preimage of Poly as: where h ̸ = 0 is known, and the right-hand side can be computed down to a single value.Finding this preimage is easy.For instance, one can arbitrarily set every block of T except one and compute the required value for the remaining block by simple algebra.Again, similarly to Adiantum, we can easily break CMT-4 by constructing a pair of distinct T and T ′ such that the hash function's outputs are identical.Goal of CMT-1 Attack.The goal of our attacks is to find a non-trivial solution to the equation: ).These can be seen as two equations for the left and right parts of the ciphertext, C L and C R , respectively.We further break down these by introducing the intermediate values C M and C ′ M so that we get four equations where h and L are derived from K (h ′ and L ′ from K ′ ): (2)

CMT-1 Attack of HCTR2 with 0 τ Appending
Overview.The attack finds a non-trivial solution to Equation (2) where P R and P ′ R are replaced by 0 τ ∥ P R and 0 τ ∥ P ′ R , respectively, with The left figure of Fig. 7 shows the high-level idea of our attack.We find C M and C ′ M satisfying , which is the collision-finding problem, and we can detect such a pair with a complexity of O(2 τ /2 ).Suppose we have such a pair, (C M , C ′ M ) with distinct keys, K and K ′ .Then, because we can easily compute the preimage of the hash function given a key, we can construct (T, P L , P R ) and (T ′ , P ′ L , P ′ R ) whose ciphertexts are identical as follows.
Attack Procedure.
Step 1. Pick a pair of distinct keys K and K ′ arbitrarily.Pick P L and P R arbitrarily.
, where matching 0 τ is guaranteed by the collision,

CMT-1 Attack of HCTR2 with 0 n Prepending
Overview.The attack finds a non-trivial solution to Equation (2) where P L and P ′ L are replaced by 0 n .The right figure of Fig. 7 shows the high-level idea of our attack.We exploit the following property of the hash function.
As shown in Fig. 7, C L is computed from C M as follows: Note that C R is not used here because the hash function output related to C R is canceled out.Therefore, we find C M and C ′ M satisfying C L = C ′ L , which is the collision-finding problem, and we can find such a pair with a complexity of O(2 n/2 ).Once we find such a pair, (C M , C ′ M ) with distinct keys K and K ′ , we can construct (T, P L , P R ) and (T ′ , P ′ L , P ′ R ) whose ciphertexts are identical using the following procedure because it is easy to find a preimage of the hash function given a key.

Attack Procedure.
Step 1. Pick a pair of distinct keys K and Step 2. Define

Security Proofs of General AEZ and Adiantum with Prepending
We present provable security results for general AEZ with τ = n and Adiantum with the 0 τ prepending case, assuming their primitives are ideal.We prove birthday-type security bounds for them, which indicates the tightness of our attacks for these cases.To our knowledge, they are the first results to show meaningful key committing security for the existing non-monolithic EtE schemes.We start with a definition of multi-collision resistance, which will be used in our proofs.
Multi-collision Resistance.Let H : X → Y be a function.Let s ≥ 2 be an integer.An s-way collision for H is a tuple (X 1 , . . ., X s ) of distinct points in X such that H(X 1 ) = • • • = H(X s ).For an adversary A, define its advantage in breaking the s-way multi-collision resistance of H built on a primitive Π as where the probability is over (X 1 , . . ., X s ) Here Π is an ideal primitive which can be a (tweakable) block cipher or permutation, and ± means that the adversary is getting both forward and inverse access to this primitive.When s = 2, we recover the classical notion of collision resistance and simply write Adv Coll H,s (A) as Adv Coll H (A).

Security Proof of general AEZ
We prove the CMT-1 security of general AEZ (gAEZ) when τ = n.
where p is the maximum number of queries by A to the underlying ideal tweakable cipher E.
Proof strategy.The CMT-1 security can be seen as the collision probability of the whole ciphertext.We prove that this probability is small by showing that the collision probability of a part of the ciphertext is sufficiently small by focusing on C y , the last ciphertext block.
Proof.For distinct input tuples of gAEZ, (K, A, M ), (K We extract a function outputting C y from gAEZ and define it as FPTP2' : {0, 1} k ×{0, 1} n → {0, 1} n .Thus, we obtain4 for some A ′ who uses p queries to the primitive.Here, In the game Coll, A has access to E −1,1 and E −1,2 , which are modeled as (tweakable) ideal ciphers.
Next, we evaluate max A ′ Adv Coll FPTP2' (A ′ ) .FPTP2' is the DM construction with double encryption and the proof is almost the same as the original DM's proof (just taking into account the structure of the double encryption).Without loss of generality, assume that an adversary makes no repeated queries.In this evaluation, we permit an adversary A ′ to obtain the following additional responses of the underlying primitives.In the additional setting, if there is an input-output tuple of E −1,i K1 where i ∈ {1, 2}, then an additional input-output tuple of the other primitive is defined by following the structure of FPTP2'.
• For a forward query (K 1 , X 1 ) to the forward oracle of E −1,1 K1 or an inverse query (K 1 , Y 1 ) to the inverse oracle of

K1
and then the query-response tuple (K 1 , Y 1 , Z 1 ) is defined, 3. the two responses Y 1 (resp., X 1 ) and Z 1 are returned to the adversary making the forward query (resp., the inverse query).
• For a forward query (K 2 , Y 2 ) to the forward oracle of E −1,2

K2
or an inverse query (K 2 , Z 2 ) to the inverse oracle of E −1,2 K2 , 1. the query-response tuple (K 2 , Y 2 , Z 2 ) is defined, 2. the additional query (K 2 , Y 2 ) is made to the inverse oracle of E −1,1 K2 and then the query-response tuple (K 2 , X 2 , Y 2 ) is defined, 3. the two responses X 2 and Z 2 (resp., Y 2 ) are returned to the adversary making the forward query (resp., the inverse query).
The additional queries ensure that for each query made by the adversary, one input-output tuple of FPTP2' is defined: (K 1 , X 1 , X 1 ⊕ Z 1 ) by the query to E −1,1 K1 or (K 2 , X 2 , X 2 ⊕ Z 2 ) by the query to E −1,2 K1 .Regarding the tuple (K 1 , X 1 , X 1 ⊕ Z 1 ) that is defined by the i-th query, at least one of X 1 or Z 1 is chosen uniformly at random from at least 2 n − p elements in {0, 1} n , thus the probability that X 1 ⊕ Z 1 collides with one of the previous outputs of FPTP2' is at most i−1 2 n −p .The same evaluation holds for the tuple (K 2 , X 2 , X 2 ⊕ Z 2 ).Summing the bound for each i, we have max Remark.Inequality (3) does not hold when evaluating CMT-4 security.In the case of CMT-1 security, K ̸ = K ′ necessarily holds (the left side of the inequation), and thus (K, Z) ̸ = (K ′ , Z ′ ) holds, which is required for the definition of Adv Coll FPTP2' (A ′ ).However, in the case of CMT-4 security, (K, Z) ̸ = (K ′ , Z ′ ) in Adv Coll FPTP2' (A ′ ) does not necessarily hold.For example, as we showed in Sect.3.1, the CMT-4 adversary can exploit two distinct AD values to collide ∆.In such a case, (K, Z) = (K ′ , Z ′ ) holds, and we cannot take an upper bound of collision probability of C y with that of FPTP2'.

Security Proof of Adiantum with Prepending
Let c = 512.In this section, we use X[i..j] to denote the i-th to j-th bit of X and X * [i..j] to denote the remainder of X by truncating the i-th to j-th bit of X.We here prove the CMT-1 security of Adiantum with 0 τ prepending, assuming the c-bit permutation underlying XChaCha12 (i.e., c-bit 12-round ChaCha permutation) is ideal.We do not change other components.We denote it by Adiantum-pre.Note that when τ = n, we obtain birthday-bound security.The first c-bit output block of XChaCha12 taking 128-bit input x with 256-bit key K is denoted as where π : {0, 1} c → {0, 1} c is an ideal permutation.Here, + 32 refers to 16 additions of 32-bit words, cst 1 is the 128-bit XChaCha12 constant and cst 2 is another 128-bit constant that is equal to ctr ∥ NUL (4) ∥ 1 ∥ 0 63 , where ctr = 0 31 ∥ 1, and NUL (4) is the concatenation of four constant bytes.This is because XChaCha12 uses the first 128 bits of its input for subkey derivation, while the remaining 64 bits are used together with the subkey to derive the final output.In the case of Adiantum, the 128-bit input is padded with a one followed by 63 zeroes to generate the 192-bit XChaCha12 input.

Theorem 2.
Adv CMT-1  Adiantum-pre (A) ≤ where p is the maximum number of queries to π.
Note that in our case, c = 512 and n = 128.Hence, the first term of the security bound is negligible.
We need the following result for our security proof on the permutation-based variant of truncated Davies-Meyer (DM) construction.In particular, let m ≤ n be an integer.The truncated DM based on a permutation π : {0, 1} c → {0, 1} c is defined as pDM π,m (X) := (π(X) + 32 X)[1..m].We write pDM π for the special case m = c (meaning there is no truncation).
Lemma 1 (ω-way collision of permutation-based Davies-Meyer).Let π : {0, 1} c → {0, 1} c be an ideal permutation.Let ω ≥ 2 and m ≤ c be integers.For an adversary A that makes at most p ≤ 2 n−1 − ω ideal permutation queries, we have The proof of Lemma 1 can be found in Appendix A and is similar to the one of the block cipher-based DM given in [BH22].Note that the same bound holds when + 32 is replaced by ⊕.
Proof strategy.As in the case of general AEZ, we prove the CMT-1 security by showing that the collision probability of a part of the ciphertext is sufficiently small.Focusing on msb τ (C L ), we can see that this value is almost the same as the output of the permutationbased DM construction if the subkey L is always fresh.The subkey is calculated by evaluating S K for the input x = E K E (P R ⊞ Hash(h, T, 0 τ ∥ P L )).See the left figure of Fig. 6.
for some A ′ who uses p queries to the primitive.Here, In the game Coll, A has both forward and backward (inverse) access to the ideal permutation π.Next, we evaluate Adv Coll tpDM (A ′ ), maximized over all possible A ′ .Without loss of generality, assume that an adversary makes no repeated query.In this evaluation, we permit an adversary A ′ to obtain the following additional responses of the underlying primitive.For a forward query X to π or an inverse query Y to π −1 , 1. the query-response tuple (X, Y ) is defined by π which is returned to the adversary, 2. the additional forward query (cst 1 ∥ Y * [c/4 + 1..3c/4] ∥ cst 2 ) is made to π and then the query-response tuple ((cst 3. the two responses Y (resp., X) and Z are returned to the adversary making the forward query (resp., the inverse query).
The additional queries ensure that for each query made by the adversary, one input-output tuple of tpDM is defined.Let s ∈ {+, −} denote the direction of the primitive queries; + for forward and − for backward.We define the following events: for any distinct (i, X i , Y i , s i ), (j, X j , Y j , s j ) tuples in the transcript such that one of the following conditions hold: Here, the probability where B is determined by A ′ and uses total p queries to the primitive.
What is now left is to bound the two probabilities.We will first bound the probability of the event Bad.We first start with Bad 1 .For the i-th forward entry (X i , Y i ), given X i and all prior queries/answers before the i-th query, Y i is uniformly distributed over a set of at least 2 c − p ≥ 2 c−1 values, and thus the conditional probability that Now we consider Bad 2 .For the i-th backward entry is (X i , Y i ), given Y i and all prior queries/answers before the i-th query, X i is uniformly distributed over a set of at least 2 c − p ≥ 2 c−1 values, and thus the conditional probability that From Lemma 1 by setting m = τ and s = 2, we obtain assuming p ≤ 2 n−1 .The theorem is proven by combining Equations (4) and (5).

Conclusions and Future Work
We have studied the key committing security of encode-then-encipher schemes built on wide block ciphers.Taking three well-known schemes as our targets, we have shown several new results, both from the attack and the provable security sides.Admittedly, our analysis is not comprehensive, in particular for the provable security side.The missing cases are left as future work.One reason for this is while conducting our research, we realized that a small detail that has little impact on the standard model security can significantly impact the key committing security.This can greatly increase the difficulty of analysis from both the attack and the proof sides.For example, our CMT-1 attack against Adiantum with 0 n appending can be greatly sped up if we replace the modular additions of the NH hash function with simple XORs.Such a function would still be a universal hash, but it now allows a very efficient attack.Therefore, it is impossible to prove the key committing security of Adiantum with 0 n appending up to birthday bound using only the fact that NH is a universal hash function.Conversely, HCTR2 uses XCTR which cannot be idealized as a PRF unlike in Adiantum where our proof idealizes XChaCha as a PRF.Indeed, HCTR2 produces a counter N for XCTR based on the same block cipher as XCTR itself.Thus, the adversary can manipulate and control N setting the same input to the block cipher and forcing it to repeat even if the block cipher itself is idealized.That is why we judged that it is challenging to prove birthday-bound security.In other words, proving key committing security can be difficult for schemes that are not designed for that purpose.Nonetheless, we think our research will give insights and help further analysis of the key committing security of EtE schemes and WBCs.
For K = (K 0 , K 1 , . . ., K 10 ), AES10 K (X) is defined in the same manner as AES4 k (X).Note that AES4 and AES10 contain MixColumns in the last round, unlike the original AES.

C Example of Different Keys Enciphering to the Same Ciphertexts
We provide two data sets containing a key, a nonce, a vector of additional data and a plaintext that will produce the same ciphertext when enciphering with AEZ where τ = 128. [

D Repeated 4-tree algorithm
We here show an algorithm and complexity of the 4-tree attack shown in Sect.3.3 when we do not have enough samples for X 1 , Y 2 , X ′ 1 , and Y ′ 2 .We set 2n/3 < τ < n and The algorithm is as follows.1. Creating a list L X1Y2 which contains all pairs of ⟨ X 1 , Y 2 ⟩ satisfying X 1 ∈ L X1 , Y 2 ∈ L Y2 , and msb n−τ ( X 1 ) = msb n−τ ( Y 2 ).We also create L X ′ 1 Y ′ 2 in the same way.

Find
2 ).If we can find such a pair, the tuple of ( 2 = 0 n , we terminate this algorithm.
3. If we fail in the previous step, we resample X 1 , Y 2 , X ′ 1 , and Y ′ 2 and create new four lists that are independent of previous lists.Then, we go back to step one.
Next, we evaluate the complexity of the above algorithm.The way to evaluate is almost the same as that of the original 4-tree algorithm [Wag02].We would like to note that the list values are not truly random since they are permutation outputs.However, we can assume that they are uniformly random since the distinguishing probability between them and random values is O(2 n/2 ), and we are interested in only the case where the complexity Thus, the complexity of step two can be evaluated as O(2 n−τ ).The probability that we can find the desired tuple ( X 1 , Y 2 , X ′ 1 , Y ′ 2 ) in step two is |L X1Y2 | × |L X1Y2 |/2 τ = 2 2n−3τ .We can expect to terminate the algorithm in step two by repeating the above steps 2 3τ −2n times.Thus, the required complexity of whole steps is O(2 n−τ ) × 2 3τ −2n = O(2 2τ −n ), which includes query complexities for (re-)sampling X 1 , Y 2 , X ′ 1 , and Y ′ 2 .
5 The complexity becomes O(2 n−τ ) = O(2 n−τ log(2 n−τ )) using a simple sort algorithm.However, it is well-known that the complexity is reduced to O(2 n−τ ) when the elements of the lists are random [Knu98].

0 1Figure 5 :
Figure 5: A differential propagation used in the proposed CMT-1 attack against full-spec AEZ.The values in red indicate the expected differences.The values in blue indicate the expected differential probabilities for each 1-round or 7-round aesenc function.The arrows in blue indicate the 7-round aesenc functions.

Figure 6 :
Figure 6: Collision-finding problem for CMT-1 attacks against Adiantum.The left and right figures show the prepending and appending versions, respectively.

Figure 7 :
Figure 7: Collision-finding problem for CMT-1 attacks for HCTR2.The left and right figures show the appending and prepending versions, respectively.

Table 1 :
Our Results, where n = τ = 128.The second to fourth columns denote the attack complexity and the last denotes the bit security.CMT-x A (P) denotes CMT-x security for 0 τ Appending (Prepending).Proofs are given for general AEZ and Adiantum with 0 n prepending.For general AEZ, we present a fine-grained CMT-1 analysis for τ < n (Sect.3.3).