Context-Committing Security of Leveled Leakage-Resilient AEAD

During recent years, research on authenticated encryption has been thriving through two highly active and practically motivated research directions: provable leakage resilience and key- or context-commitment security. However, the intersection of both fields had been overlooked until very recently. In ToSC 1/2024, Struck and Weishäupl studied generic compositions of encryption schemes and message authentication codes for building committing leakage-resilient schemes. They showed that, in general, Encrypt-then-MAC (EtM) and MAC-then-Encrypt (MtE) are not committing while Encrypt-and-MAC (EaM) is, under plausible and weak assumptions on the components. However, real-world schemes are rarely strict black-box constructions. Instead, while various leakage-resilient schemes follow blueprints inspired by generic compositions, they often tweak them for security or efficiency. In this paper, we study two blueprints, the first one based on EtM for one of the strongest possible levels of leakage resilience. The second one is a single-pass framework based on leveled implementations. We show that, with a careful selection of the underlying primitives, such as identical encryption and authentication keys and a collision-resistant PRF as the MAC, these blueprints are committing. Our results do not contradict the results by Struck and Weishäupl since we pose more, but practically motivated, requirements on the components. We demonstrate the practical relevance of our results by showing that our results on those blueprints allow us to easily derive proofs that several state-of-the-art leakage-resilient schemes are indeed committing, including TEDT and its descendants TEDT2 and Romulus-T, as well as the single-pass scheme Triplex.


Introduction
Authenticated Encryption with Associated Data (AEAD) has become a fundamental component in modern security applications, providing both confidentiality and authenticity.
However, as AEAD schemes and their analyses mature, attackers continuously seek new ways to exploit their security. Additionally, new applications introduce fresh security challenges. Consequently, two areas of research have gained prominence:

1. Leakage-resilient AEAD: This area focuses on security notions and schemes where the adversary can observe different forms of auxiliary leakage that may depend on sensitive or secret information. The objective is to construct schemes that maintain confidentiality and authenticity even in the presence of certain leakage.

2. Context-committing AEAD: This area addresses scenarios where the adversary has access to, and can manipulate, secret keys. For example, it deals with situations where the ciphertext allows for correct decryption under multiple contexts, where a context consists of the key K, the nonce N, and associated data A.
Leakage-resilient AEAD. This area of research has blossomed for almost two decades. In this work, we focus on recent developments, and on the schemes discussed by Bellizia et al. in [BBC+20] in particular. Therein, the authors categorized modern leakage-resilient AEAD schemes into four grades, with a focus on so-called leveled implementations. In such schemes, a few functions are assumed to be either leak-free or heavily protected, while the rest of the construction can leak a lot of information. In this work, we will focus on two relevant types of schemes:

• Grade-3 schemes: These schemes usually follow the pattern of Encrypt-then-MAC (EtM), using a hash function and two calls to a heavily protected Tweakable Block Cipher (TBC) implementation. They target Ciphertext Integrity with Misuse and Decryption Leakage (CIML2) security and indistinguishability against Chosen-Ciphertext Adversaries with misuse resilience and decryption Leakage (CCAmL2) security. Examples of schemes in this category are TEDT [BGP+20] and ISAP [DEM+17].

• Grade-2 schemes: These schemes usually employ a single-pass AEAD scheme, a hash function, and two heavily protected TBC calls. They target CIML2 security and indistinguishability against Chosen-Ciphertext Adversaries with misuse resilience and encryption Leakage (CCAmL1) security. An example is Triplex [SPS+22].
Because they cover many practical schemes, those two grades serve as the basis for the blueprints we study in this paper.
Context-Committing AEAD. In recent years, a series of attacks, such as the Facebook message-franking attack [DGRW18] and the partitioning-oracle attack [LGR21], have shown vulnerabilities in the usage of conventionally secure AEAD schemes. Those works shared a common root cause: the existence of ciphertexts that can be decrypted correctly under multiple keys, which was out of the scope of conventional AEAD security but is necessary for security in the respective uses in practice.
To address this gap, Bellare and Hoang introduced commitment security in [BH22], which requires each ciphertext to commit to the key (CMT-1) or to the entire context (CMT-4) that produced it. Among the notions Bellare and Hoang proposed, CMT-4 represents the strongest and therefore most desirable form for designers. It is formalized through the following game. Given an AEAD scheme Π with an encryption function E, an adversary has the task of providing two contexts, i.e., tuples (K, N, A, M) and (K', N', A', M'), each consisting of a key, nonce, associated data, and message. The adversary wins the game if the contexts differ, i.e., (K, N, A, M) ≠ (K', N', A', M'), but both encrypt to the same ciphertext: Π.E(K, N, A, M) = Π.E(K', N', A', M').
Connecting Both Areas. At first glance, the overlap between leakage-resilient and context-committing AEAD is unclear, as there has been little exploration of their potential synergies. With their recent work, Struck and Weishäupl [SW24] began to shed light on the relations by investigating the generic compositions of Encryption and Message Authentication Code (MAC) schemes to develop schemes that are both leakage-resilient and committing. Their study revealed that EtM and MAC-then-Encrypt (MtE) are not committing in general. They also demonstrated that Encrypt-and-MAC (EaM) can achieve committing properties under weak assumptions on the underlying schemes. Additionally, they presented a transformation that converts an AEAD scheme into a leakage-resilient and context-committing scheme. In a separate work, Krämer, Struck and Weishäupl [KSW23] have shown that the Grade-3 scheme ISAP is committing.
Contribution. While black-box compositions such as EtM, EaM, or MtE are valuable for studying generic constructions and inspiring instantiations, real-world schemes often deviate from them. In particular, many leakage-resilient schemes are based on blueprints that take inspiration from generic compositions but incorporate small changes tailored to specific security goals or higher efficiency. In this paper, we explore two such blueprints. The first blueprint is based on EtM and aims to achieve the highest level of leakage resilience. The second blueprint targets leveled single-pass implementations. We demonstrate that, with a careful selection of underlying primitives, both blueprints can be committing.
While our findings on the first blueprint may seem to contradict the negative result in [SW24] on EtM, two differences in the underlying assumptions help to clarify this. Firstly, in [SW24], the authors considered a black-box composition where the encryption function and the MAC use independent keys, whereas we require a strict dependency between both. Secondly, our result requires a certain type of MAC in the scheme, namely a collision-resistant Pseudo-Random Function (PRF).
Those additional requirements are not impractical. Our result on EtM generalizes [FOR17, Theorem 3] and [GLR17, Theorem 3], where the authors demonstrated similar restrictions on keys and MACs. The results on both blueprints allow us to easily derive that several leakage-resilient schemes are committing, including TEDT and its descendants TEDT2 and Romulus-T, as well as the single-pass scheme Triplex.
For schemes that follow our blueprints, showing their commitment security reduces to showing the collision resistance of their building blocks. For this purpose, we study the collision resistance of several leakage-resilient MACs used in EtM-based schemes, including Hash-then-BC (HBC), Hash-then-TBC (HTBC), and LRMAC1. For single-pass schemes, we examine instead the collision resistance of more components, including their functions for Key Derivation (KDF), Encryption (Enc), and Tag Generation (TGF).
Our analysis poses a few cryptographic assumptions on the used components. For keyed primitives, we operate in the ideal-cipher model, which is unavoidable in the chosen-key setting of committing security. For hash functions and compression functions, we require either collision and everywhere-preimage resistance, or collision resistance only. For LRMAC1, which requires only collision resistance, this matches the assumption on the hash function in the original MAC proof. For HBC, we require collision and everywhere-preimage resistance, which is still more concrete than the random-oracle model used in the original proof. For HTBC, we require collision and everywhere-preimage resistance, while the MAC proof requires collision and range-oriented preimage resistance. While our assumptions are slightly stronger, they are close to practice, as everywhere-preimage resistance can be seen as a worst-case analysis of range-oriented preimage resistance and is therefore expected to lead to a similar bound for any secure standard hash function.

Preliminaries
In this section, we define some necessary security notions of functions in general and hash functions in particular, e.g., collision resistance, preimage resistance, and right collision resistance. Thereupon, we recall the definitions for the primitives we need for authenticated encryption.
General Notation. For a set $\mathcal{X}$, we write $X \xleftarrow{\$} \mathcal{X}$ to denote that a value $X$ is sampled uniformly at random from $\mathcal{X}$ and independently of other values. An adversary A is a computationally bounded algorithm that shall win a security game against a challenger. We call A t-bounded if it runs in time at most t. We indicate that A outputs X by A ⇒ X. W.l.o.g., we assume that adversaries never ask pointless queries, i.e., queries to which they can compute the answers themselves. In the following, we will introduce standard primitives and security notions. Throughout this section, we will denote non-empty sets and spaces by calligraphic uppercase variables and use K (or K_h), M, C, X as spaces for keys, plaintexts, ciphertexts, and hash values, respectively.

Security Notions for Keyed Hash Functions
Collision Resistance (CR). Let H : K_h × M → X be a hash function and

Right Collision Resistance (RCR). Let X_l × X_r be the product of the nonempty sets X_l and X_r. Let H : K_h × M → X_l × X_r be a hash function and $K_h \xleftarrow{\$} \mathcal{K}_h$. H is called (ϵ_rcr, t)-right collision-resistant (RCR) if for every t-bounded adversary A, the probability that
We can define Left Collision Resistance (LCR) analogously. In the following, we extend the definition to a hash function with multiple inputs, where the collision resistance property holds for a subset of the inputs.

Collision Resistance on a Subset of the Inputs (Partial CR). Let M_1, M_2, ..., M_n denote nonempty sets or spaces and define
Note that if i < n, then (M_{i+1}, ..., M_n) and (M'_{i+1}, ..., M'_n) may or may not be equal. If i = n, the definition is equivalent to standard collision resistance. In general, a function can be collision-resistant on any subset of the inputs, and the inputs are explicitly given in the collision-resistance property. We will call a hash function "partial right collision-resistant" (partial RCR) if it achieves right collision resistance on a subset of inputs.
Everywhere Preimage Resistance. Let H : K_h × M → X be a hash function and

Primitives

Tweakable Block Cipher (TBC). A TBC is a mapping E : K × T_w × {0, 1}^n → {0, 1}^n such that for any choice of K ∈ K and T_w ∈ T_w, E(K, T_w, ·) is a permutation over {0, 1}^n. If T_w = ∅, then E : K × {0, 1}^n → {0, 1}^n is a Block Cipher (BC). We will sometimes write E^T_K(X) and E_K(X) for E(K, T, X) and E(K, X), respectively. In this paper, we will analyze constructions in the ideal-cipher model, where the TBC or BC E is selected randomly from the set of all possible cipher families with the same domain and range.

Pseudo-random Function (PRF) and Pseudo-Random Number Generator (PRNG). A PRF is a deterministic mapping F : K × X → Y. Let Func(X, Y) be the set of all functions with domain X and range Y. In the PRF game, a challenger samples $K \xleftarrow{\$} \mathcal{K}$ and $\rho \xleftarrow{\$} \mathrm{Func}(\mathcal{X}, \mathcal{Y})$ and provides an adversary A with access to either F_K or ρ. The PRF advantage of A on F_K is defined as
We call F an (ϵ_PRF, t)-secure PRF if this advantage is at most ϵ_PRF for all t-bounded adversaries A. A PRNG G takes a key K ∈ K and a positive integer ℓ as inputs and outputs Y ∈ {0, 1}^{k+ℓ}. In the PRNG game, a challenger samples $K \xleftarrow{\$} \mathcal{K}$ and $\rho \xleftarrow{\$} \mathrm{Func}(\mathcal{K} \times \mathbb{N}, \mathcal{Y})$ and, on input of a length ℓ, outputs either G(K, ℓ) or ρ(K, ℓ). Then, the PRNG advantage of an adversary A against G is defined as
Later, we will use a generalization with multiple output-length parameters ℓ_1, ℓ_2, where Y = {0, 1}^{ℓ_1} × {0, 1}^{ℓ_2}, and so on.

Hash-function-based Message Authentication Codes (MACs). Let MAC
⊤} be the verification function that takes a message M ∈ M and a would-be tag T ∈ T and returns ⊤ if MAC_{s,K}(M) = T and ⊥ otherwise. In other contexts, security notions such as unforgeability and/or pseudo-randomness are needed, but in the context of this paper, we are interested only in collision resistance, which we define for hash-function-based MACs as follows.

Collision Resistance for Hash-function-based MACs. Let
In all collision games in the remainder, we will drop the hash key K_h that is released to the adversary and assume that it is given to the adversary at the beginning of the game.
Authenticated Encryption. A nonce-based Authenticated Encryption scheme supporting Associated Data (nAEAD) is a pair of functions Π = (E, D) with associated sets K, N, A, M, C, denoting the key space, nonce space, associated-data space, message space, and ciphertext space, respectively. The elements of C comprise a pair (C, T), with T ∈ {0, 1}^σ. The encryption and decryption algorithms E and D are deterministic functions E : K × N × A × M → C and D : K × N × A × C → M ∪ {⊥}, where the special symbol ⊥ indicates that (C, T) was deemed invalid. We sometimes write E^{N,A}_K(M) and D^{N,A}_K(C, T). All AEAD schemes considered in this work are assumed to be correct and tidy.
CMT-4 Security. The two prevalent notions of committing security in the literature are
• CMT-1 security: a commitment to only the key K.
• CMT-4 security: a commitment to the complete context (K, N, A, M).
Since we consider only CMT-4 security, we define it more formally here. Note that Bellare and Hoang [BH22] demonstrated that incorporating the message M into the context is unnecessary, as committing to (K, N, A) is equivalent to committing to (K, N, A, M).
In the CMT-4 game against an AEAD scheme Π, an adversary A outputs two distinct contexts that encrypt to the same ciphertext, as described in the introduction. We write Adv^{cmt4}_Π(A) to denote the probability that A wins the CMT-4 game, where A has access to the ideal primitives and hash keys used by Π.

Figure 1: The EtM blueprint for leakage-resilient context-committing nAEAD, composed of KDF, Enc, Hash, and TGF. The gray components are assumed to be strongly protected.

The EtM-based Blueprint
The first blueprint we look at is based on EtM but tailored to leakage resilience. It is close to the FGHF' construction by Degabriele et al. [DJS19], which itself is an instance of N2 [NRS14]. In the following, let K_e, K_m, N, A, M, C, IV, FV, and T be nonempty sets or spaces for encryption keys, MAC keys, nonces, associated data, plaintexts, ciphertexts, initial values, forward values, and tags, respectively. A leveled leakage-resilient EtM scheme requires two leak-free fixed-input-length primitives:
1. A key-derivation function KDF : K_e × N → IV, which takes the nonce and the encryption key and generates an initial value for the encryption phase.
2. A tag-generation function TGF : K_m × FV → T, which takes the MAC key and a fixed-length hash of the ciphertext, nonce, and associated data, and generates the verification tag using a PRF.
The scheme also uses an encryption scheme Enc : K × IV × M → C and a collision-resistant hash function Hash : N × A × C → FV. However, these two primitives are assumed to have unlimited leakage when considering CIML2 security. The high-level blueprint is depicted in Figure 1, and the encryption of EtM[KDF, Enc, Hash, TGF](K, N, A, M) under K = (K_e, K_m) is defined as
We observe three important properties. First, since the MAC, consisting of Hash and TGF, follows the Hash-then-PRF paradigm, it already binds the triplet (N, A, C) to any given key K_m. However, K_e is not part of the binding. Second, if the two parts of the key K_e and K_m are independent, the adversary can fix (K_m, C, T, N, A) and find two pairs (K_e1, M_1) and (K_e2, M_2) to break the commitment. This implies that even if the keys are dependent, we must ensure that the EtM scheme commits to (K_e, K_m) and the MAC is collision-resistant. In Section 4, we shall show that under these restrictions, EtM is indeed context-committing. Moreover, we shall show that three of the prominent leakage-resilient Hash-then-PRF MACs are indeed collision-resistant PRFs. Two of these MACs will require a stronger assumption on the hash function, where the hash function resists not only collision but also preimage attacks, while all three require a stronger assumption on the TGF, as the analysis has to be conducted in the ideal-cipher model. However, we will show that the KDF does not affect the committing security.
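To make the second observation concrete, the following added example (not code from the paper) instantiates the EtM[KDF, Enc, Hash, TGF] blueprint with HMAC-SHA-256 stand-ins for the leak-free KDF and TGF, a counter-mode stream cipher as Enc and a length-prefixed SHA-256 as Hash; these instantiations are assumptions of the illustration only. It implements the CMT-4 predicate from the introduction and shows that with independent K_e and K_m, fixing (K_m, N, A, C) and choosing two pairs (K_e1, M_1), (K_e2, M_2) wins the game, whereas with identical encryption and MAC keys the same two contexts no longer produce the same tag.

```python
"""Toy EtM[KDF, Enc, Hash, TGF] instance and the CMT-4 game (constructed example)."""
import hashlib
import hmac
import os


def kdf(k_e: bytes, nonce: bytes) -> bytes:
    """Leak-free KDF: derives the initial value IV from (K_e, N); HMAC stands in for a PRF."""
    return hmac.new(k_e, b"kdf" + nonce, hashlib.sha256).digest()


def keystream(k_e: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream from (K_e, IV); this makes Enc a stream cipher."""
    out = b""
    ctr = 0
    while len(out) < length:
        out += hmac.new(k_e, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def enc(k_e: bytes, iv: bytes, data: bytes) -> bytes:
    """Enc: C = M xor keystream(K_e, IV). Applying it to C recovers M."""
    return bytes(a ^ b for a, b in zip(data, keystream(k_e, iv, len(data))))


def hash_nac(nonce: bytes, ad: bytes, ct: bytes) -> bytes:
    """Hash(N, A, C) -> FV, with length prefixes so the triple is encoded unambiguously."""
    h = hashlib.sha256()
    for part in (nonce, ad, ct):
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()


def tgf(k_m: bytes, fv: bytes) -> bytes:
    """Leak-free TGF: a PRF applied to the fixed-length forward value FV."""
    return hmac.new(k_m, fv, hashlib.sha256).digest()


def etm_encrypt(k_e, k_m, nonce, ad, msg):
    """EtM[KDF, Enc, Hash, TGF] encryption under K = (K_e, K_m)."""
    iv = kdf(k_e, nonce)
    ct = enc(k_e, iv, msg)
    return ct, tgf(k_m, hash_nac(nonce, ad, ct))


def etm_decrypt(k_e, k_m, nonce, ad, ct, tag):
    """Verify the Hash-then-PRF tag first, then decrypt; None marks an invalid tag."""
    if not hmac.compare_digest(tag, tgf(k_m, hash_nac(nonce, ad, ct))):
        return None
    return enc(k_e, kdf(k_e, nonce), ct)


def cmt4_wins(ctx1, ctx2):
    """CMT-4 predicate: the contexts (K_e, K_m, N, A, M) differ yet give the same (C, T)."""
    return ctx1 != ctx2 and etm_encrypt(*ctx1) == etm_encrypt(*ctx2)


def independent_key_contexts(k_m, nonce, ad, ct):
    """Fix (K_m, N, A, C) and pick two fresh encryption keys. Because Enc is a
    stream cipher, M_i = Dec(K_ei, IV_i, C) makes both contexts encrypt to the
    same C, and the tag depends only on (K_m, N, A, C), so (C, T) coincides."""
    ctxs = []
    for _ in range(2):
        k_e = os.urandom(32)
        msg = enc(k_e, kdf(k_e, nonce), ct)
        ctxs.append((k_e, k_m, nonce, ad, msg))
    return ctxs


def single_key_contexts(nonce, ad, ct):
    """Same construction with K_e = K_m = K: the MAC key now moves together with
    the encryption key, so the two tags differ and the pair does not collide."""
    ctxs = []
    for _ in range(2):
        k = os.urandom(32)
        msg = enc(k, kdf(k, nonce), ct)
        ctxs.append((k, k, nonce, ad, msg))
    return ctxs


if __name__ == "__main__":
    # Constructed sample values for the fixed part of the context.
    k_m, nonce, ad, ct = os.urandom(32), b"nonce-01", b"header", bytes(16)
    print("independent keys, CMT-4 won:", cmt4_wins(*independent_key_contexts(k_m, nonce, ad, ct)))
    print("identical keys,   CMT-4 won:", cmt4_wins(*single_key_contexts(nonce, ad, ct)))
```

The single-key run only shows that this particular pair of contexts no longer collides; the committing guarantee itself is what Theorem 1 derives from the right collision resistance of KeyGen and the collision resistance of the MAC.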
Figure 2: The KET blueprint for single-pass leveled leakage-resilient context-committing nAEAD. The gray components are assumed to be strongly protected.

The Single-pass Blueprint KET
The second blueprint we will consider is used for single-pass schemes. Similar to EtM, the scheme includes leak-free KDF and TGF functions and an encryption function Enc with unlimited leakage. The encryption function is responsible for generating both the ciphertext C and the hash value FV. This blueprint Π[KDF, Enc, TGF], denoted as KET, is depicted in Figure 2, and its encryption of (N, A, M) under a key tuple (K_e, K_m) is defined as follows:
We can observe some requirements on the components. CIML2 security requires that the TGF is collision-resistant for a given key K. As for EtM, this means that the scheme commits to (N, A, M) for K. Also as for EtM, further issues arise when considering the keys. If the TGF is not collision-resistant, then we can find
However, if K_m depends on K_e, the success of the attack depends on the properties of the KDF and the interaction between the KDF and the Enc function. Alternatively, it may be possible to relax the requirements on the KDF if the TGF is collision-resistant.

CMT-Security of EtM-based AEAD Schemes
The first blueprint we will study concerns EtM-type constructions with a MAC that follows the Hash-then-PRF design.
Then, we call Π an EtM scheme.
In [SW24], the EtM (or N2 [NRS14]) scheme is shown to be not context-committing in general. We show that the EtM scheme is nevertheless CMT-4-secure when KeyGen is right collision-resistant (which precludes independent keys K_e and K_m) and MAC is collision-resistant. Similar results were already shown for complete robustness (CROB) and binding security. Thus, Theorem 1 is adapted from [FOR17, Theorem 3] and [GLR17, Theorem 3].

Table 1: Examples for functions
Theorem 1. Let Π[KeyGen, Enc, MAC] be an EtM scheme such that KeyGen is (ϵ_k, t_1)-right collision-resistant and MAC is (ϵ_maccr, t_2)-collision-resistant for some t_1 = O(t) and t_2 = O(t). Then, for any t-bounded CMT-4 adversary A against Π, it holds that
Proof. Suppose an adversary A outputs challenge values (K_1, N_1, A_1, M_1) and (K_2, N_2, A_2, M_2) with corresponding ciphertexts (C_1, T_1) and (C_2, T_2). We bound the probability that (C_1, T_1) = (C_2, T_2) = (C, T). We define a sequence of hybrid games G_0 through G_2 as follows, where we introduce Boolean variables E_i, for i ∈ {0, 1, 2}, such that E_i is true if and only if the adversary wins in Game G_i.
Game G_0. This is the original cmt4 game in the real world.
The probability of this event is at most
Since this is impossible from the assumption that the encryption scheme is correct and tidy, it follows that
Finally, the adversary wins Game G_2 if it is successful with C). This can happen only if there is a collision against the MAC, given that none of the previous conditions occurs. As a result, we can upper bound the probability by
To sum up,
which yields our claim in Theorem 1.

Collision Resistance of Hash-then-BC (HBC)
The MAC Hash-then-BC [BGP+19] is defined as follows. Given a hash function H :
First, we define the collision-resistance game as follows. The adversary A gets the hash-function key K_h at the beginning of the game. From here on, we drop all further occurrences of hash-function keys and will proceed similarly in all following games. A asks q_e chosen-key queries to the ideal-cipher oracle E and obtains the corresponding outputs. If a query
At the end of its interactions, A outputs two pairs (K_m1, M_1) and (K_m2, M_2) and wins if and only if
Theorem 2. Let E : K_m × {0, 1}^n → {0, 1}^n be an ideal cipher and H : M → {0, 1}^n be a (ϵ_cr, t_1)-collision-resistant and (ϵ_epre, t_2)-everywhere-preimage-resistant hash function. Then, for any adversary A that runs in time t and makes q_e ≤ 2^{n−1} queries to the ideal cipher, such that t_1 = O(t + q_e) and t_2 = O(t + q_e), HBC[H, E] is (ϵ, t)-collision-resistant for
$$\epsilon \le q_e\,\epsilon_{epre} + \epsilon_{cr} + \frac{2q_e^2 + 1}{2^n}.$$
Proof. Suppose A outputs (K_m1, M_1) and (K_m2, M_2) such that HBC[H, E](K_m1, M_1) = HBC[H, E](K_m2, M_2). We define a sequence of hybrid games as follows. Let E_i be the event that the adversary wins in Game G_i for i ∈ {0, ..., 3}.
Game G_0. The real-world game.
Game G_1. Game G_1 is almost identical to Game G_0 but terminates if one of the following events happens during the ideal-cipher queries of A.
• Two forward queries with different keys produce the same output. The probability of this event is upper bounded by q_e^2/(2^n − q_e) ≤ q_e^2/2^n.
• A backward query with input T is followed by a forward query with output T with a different key. The probability of this event is at most q_e^2/2^n.
It follows that
). The probability of this event is at most
Game G_3. We define that Game G_3 keeps a set X = {X_i : i ∈ [q_e]}, where the values represent the responses of backward ideal-cipher queries with key K_i and input Y_i. Game G_3 is almost identical to G_2 except that G_3 terminates also if H(M_1) ∈ X or H(M_2) ∈ X. Then, from the definition of everywhere-preimage resistance, we have
Finally, we study the probability that A wins in Game G_3. Then, one of the following cases must have occurred.
• Case 1: , there exists an adversary against the collision resistance of the hash function H. Otherwise, if H(M_1) ≠ H(M_2), a collision of the tags T_1 = T_2 is impossible since E is a permutation for the same key K_m. This case cannot happen: if a hash collision existed, the game would terminate.
• Case 2: K_m1 ≠ K_m2. In this case, a collision can happen only if
Note that H(M_1) ∉ X and H(M_2) ∉ X by assumption. Thus, a collision can happen only randomly with a probability of
Our result follows from the sum of the individual bounds.
1}^n be an ideal cipher and H : M → {0, 1}^τ × {0, 1}^n be a (ϵ_cr, t_1)-collision-resistant and (ϵ_epre, t_2)-everywhere-preimage-resistant hash function. Then, for any adversary A that runs in time t and makes q_e ≤ 2^{n−1} queries to the ideal cipher, such that t_1 = O(t + q_e) and t_2 = O(t
Again, we define a sequence of hybrid games G_0 through G_3 and define E_i as the event that the adversary wins in game G_i.
Game G_0. This is the real-world game.
Game G_1. Game G_1 differs from G_0 in the fact that it terminates if one of the following events happens during the ideal-cipher queries.
• Two forward queries with different keys produce the same output. This probability is bounded by q_e^2/2^n.
• A backward query with input T is followed by a forward query with output T with a different key. This probability is also bounded by q_e^2/2^n.
We obtain
Game G_2. Game G_2 is almost identical to G_1 but adds the fact that it terminates if
The probability of this event can be bounded by
Game G_3. We adopt the definition of the set of backward-query responses X from Game G_3 of the proof of HBC. Besides it, Game G_3 adds to G_2 only the fact that G_3 also terminates if
From the definition of everywhere-preimage resistance, we obtain
Finally, we study the probability that A wins in Game G_3. Similar to Theorem 2, the adversary cannot win if (K_m1, W_1) = (K_m2, W_2). However, if
For this event, we have to consider two mutually exclusive cases that cover all possibilities as follows.
• Case 1: M_1 = M_2. In this case, we have H(M_1) = H(M_2) = (V, W). Thus, the adversary will be successful if it can find two keys K_m1, K_m2 such that E(K_m1, W, V) = E(K_m2, W, V). This is impossible since the game would terminate as defined in either G_1 or G_3.
• Case 2: , the game would terminate as defined in G_2. Otherwise, a collision can happen only if
If these two queries had appeared in any ideal-cipher queries, the conditions that allowed this collision to occur would have led the game to terminate.
) holds, but at least one of these queries must not have appeared in any ideal-cipher query, as the game would have terminated otherwise. If none of the above happens, then a collision can happen only randomly with probability at most
Our claim in Theorem 3 follows from adding E_3 to the transition differences.

Collision Resistance of TEDT Variants
TEDT. The authentication part of the original TEDT [BGP+20] (depicted in Figure 3) and Romulus-T [IKMP20] follow exactly our HTBC format. Therein, the hash function H is based on Hirose's compression function and Merkle-Damgård strengthening, which outputs a 2n-bit value V∥W. Note that for any tuple of key and nonce, the adversary can choose a suitable message to achieve any desirable ciphertext. Thus, finding (K_1, U_1) and (K_2, U_2), where U_i ← pad(N_i, A_i, C_i, PK) and PK denotes the public key for multi-user security, that lead to the same tag T is equivalent to breaking CMT-4 security.
TEDT2. The authentication function of TEDT2 [Lis21] (depicted in Figure 4) also follows our HTBC format, except for the fact that 8∥N∥W is used as a tweak in the final TBC call. Let N_1 and N_2 be two nonces corresponding to the same (C, T) output. Then, we will have two cases:
Then, the analysis is exactly the same as in Theorem 3.
Case 2: N_1 ≠ N_2. In this case, N can be seen as part of the hash output. Thus, in this case, the commitment can be broken only by finding a collision in the ideal-cipher queries. Then, we consider two subcases depending on the ideal-cipher queries concerning the T-producing TBC call:
• Both queries are forward ideal-cipher queries: Here, the adversary will be successful only if it can find two different tweaks producing the same tag. The success probability is upper bounded by q_e^2/2^n.
• At least one of the queries is a backward ideal-cipher query: In this case, the success probability can be upper bounded by ϵ_epre.
Thus, the analysis is the same as for HTBC with a hash function H'(N, A, C) = N∥H(A, C).

Collision Resistance of LRMAC1
The MAC LRMAC1 [BGPS21] is defined as follows. Let H : M → {0, 1}^τ × {0, 1}^n be a hash function, and LRMAC1[H, E] computes the authentication tag as
We define the collision-resistance game similarly as in the case of HBC.
Theorem 4. Let E : K_m × {0, 1}^τ × {0, 1}^n → {0, 1}^n be an ideal cipher and H : M → {0, 1}^τ × {0, 1}^n be a (ϵ_cr, t_1)-collision-resistant hash function. Then, for any adversary A that runs in time t and makes q_e ≤ 2^{n−1} queries to the ideal cipher, such that
Again, we will define a sequence of hybrid games and use E_i as the event that the adversary wins in game G_i.
Game G_0. The real-world game.
Game G_1. The game terminates if one of the following events happens during the ideal-cipher queries.
• Two forward queries with different keys produce the same output. This probability is bounded by q_e^2/2^n.
• A backward query with input T outputs 0^n. This probability is bounded by 2q_e/2^n.

It follows that
). The probability of this event is bounded by
Finally, we study the probability that A wins in G_2. We have to consider only the case that V_1 ≠ V_2, as V_1 = V_2 would lead the game to terminate.
Increasing the tag size and bit-security level. In all considered MACs, the security is bounded by half of the tag size. One way around this limitation is to use a Double-Block-Length (DBL) construction for the TGF. For instance, the TGF of LRMAC1 can be replaced by E(K, H(M), 0^n) ∥ E(K, H(M), 1^n), that is, Hirose's DBL compression function with an initial value of 0^n [Hir06]. The construction is still invertible and compatible with CIML2 security. Similar standard constructions can be found for HBC and HTBC.
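The three Hash-then-PRF MACs analysed above, and the DBL variant just mentioned, can be exercised over a simulated ideal cipher. The following added example (not the paper's code) implements a lazily sampled ideal tweakable block cipher whose forward and backward queries stay consistent, the tag computations HBC: T = E(K_m, H(M)), HTBC: T = E(K_m, W, V) for H(M) = (V, W), and LRMAC1: T = E(K_m, H(M), 0^n) in the forms written on this page, and the cross-key collision event of Game G_1. The toy block size n = 20, the choice τ = n, and the split of a truncated SHA-256 output into V and W are assumptions of the illustration; with them, the event "two forward queries with different keys produce the same output" shows up after roughly 2^{n/2} chosen-key queries for the n-bit tags but not for the 2n-bit DBL tag.

```python
"""Hash-then-PRF MACs (HBC, HTBC, LRMAC1) over a simulated ideal cipher (constructed example)."""
import hashlib
import random

N_BITS = 20                 # toy block size n; tau = n is assumed for the tweak
MASK = (1 << N_BITS) - 1


class IdealTBC:
    """E: K x Tw x {0,1}^n -> {0,1}^n with one fresh random permutation per (key, tweak).
    Forward (encrypt) and backward (decrypt) queries share the same tables, so the
    simulation answers consistently like the ideal-cipher oracle in the proofs."""

    def __init__(self, seed=2024):
        self.rng = random.Random(seed)   # seeded so runs are reproducible
        self.fwd = {}                    # (key, tweak) -> {x: y}
        self.bwd = {}                    # (key, tweak) -> {y: x}

    def _tables(self, key, tweak):
        return (self.fwd.setdefault((key, tweak), {}),
                self.bwd.setdefault((key, tweak), {}))

    def encrypt(self, key, tweak, x):
        f, b = self._tables(key, tweak)
        if x not in f:
            y = self.rng.getrandbits(N_BITS)
            while y in b:                # keep each (key, tweak) map a permutation
                y = self.rng.getrandbits(N_BITS)
            f[x], b[y] = y, x
        return f[x]

    def decrypt(self, key, tweak, y):
        f, b = self._tables(key, tweak)
        if y not in b:
            x = self.rng.getrandbits(N_BITS)
            while x in f:
                x = self.rng.getrandbits(N_BITS)
            f[x], b[y] = y, x
        return b[y]


def h_n(msg: bytes) -> int:
    """n-bit hash for HBC (SHA-256 truncated; stands in for a CR hash of that size)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - N_BITS)


def h_vw(msg: bytes):
    """2n-bit hash split into (V, W) for HTBC and LRMAC1 (assumed layout: V first)."""
    d = int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - 2 * N_BITS)
    return d >> N_BITS, d & MASK


def hbc(E: IdealTBC, k_m: int, msg: bytes) -> int:
    """Hash-then-BC: T = E(K_m, H(M)); the BC is the TBC used with an empty tweak."""
    return E.encrypt(k_m, 0, h_n(msg))


def htbc(E: IdealTBC, k_m: int, msg: bytes) -> int:
    """Hash-then-TBC: T = E(K_m, W, V) for H(M) = (V, W), as in the proof of Theorem 3."""
    v, w = h_vw(msg)
    return E.encrypt(k_m, w, v)


def lrmac1(E: IdealTBC, k_m: int, msg: bytes) -> int:
    """LRMAC1: T = E(K_m, H(M), 0^n); the hash value is used as the tweak."""
    return E.encrypt(k_m, h_vw(msg), 0)


def lrmac1_dbl(E: IdealTBC, k_m: int, msg: bytes) -> int:
    """DBL TGF E(K, H(M), 0^n) || E(K, H(M), 1^n): a 2n-bit tag from two calls."""
    tw = h_vw(msg)
    return (E.encrypt(k_m, tw, 0) << N_BITS) | E.encrypt(k_m, tw, MASK)


def cross_key_collision(mac, E: IdealTBC, msg: bytes, q: int):
    """Issue q forward queries under distinct keys K_m = 0..q-1 for one message and
    return (K_m1, K_m2, T) for the first two keys whose tags coincide (the event
    bounded by q^2/2^n in Game G_1), or None if all q tags are distinct."""
    seen = {}
    for k_m in range(q):
        tag = mac(E, k_m, msg)
        if tag in seen:
            return seen[tag], k_m, tag
        seen[tag] = k_m
    return None


if __name__ == "__main__":
    for name, mac in (("HBC", hbc), ("HTBC", htbc), ("LRMAC1", lrmac1), ("LRMAC1-DBL", lrmac1_dbl)):
        print(name, cross_key_collision(mac, IdealTBC(), b"constructed message", 5000))
```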

CMT-4 Security of Single-pass Leveled Schemes
In this section, we study the second blueprint KET from Figure 2. We call this blueprint KET as a short-hand for its three components: a KDF, an Enc function, and a TGF. KET can be seen as the paradigm underlying single-pass leveled leakage-resilient schemes such as Triplex [SPS+22] or Multiplex [PSS24].
In this section, we establish three goals. First, we show that the KET composition is CMT-4-secure when each component satisfies a specific set of collision-resistance properties. Second, we show that it can fulfill the compact commitment, wherein verifying the tag suffices to verify the commitment. Finally, we show that if the keys used in the first and last components are identical (or generated by a KeyGen having specific CR properties), we can relax the collision-resistance requirements for certain components.

CMT-4 Security of the Generic KET scheme
We begin with the generic KET scheme wherein the keys in the KDF and the TGF are independent, i.e., no constraints are imposed on their keys. For such schemes, we demonstrate that achieving CMT-4 security requires collision resistance in all three components, KDF, Enc, and TGF, with the minor relaxation that we require only right collision resistance for Enc, i.e., collision resistance for the part of its outputs that is used in the TGF.
Definition 2. Let Π[KeyGen, KDF, Enc, TGF] be a nonce-based AEAD scheme. If, for a given key K ∈ K, a nonce N ∈ N, associated data A ∈ A, and a message M ∈ M, it encrypts M to a ciphertext (C, T) as
then, we call Π a KET-1 scheme.
We will study four relevant variants of this scheme which differ in the assumptions posed on their individual components. Table 2 summarizes their properties.
Case 1: K_m1 ≠ K_m2. In this case, there must be a collision against the TGF.
• Case 2a: Then, there is a collision against the TGF.
• Case 2b: In this case, there is a right collision against the Enc function.
Case 3: Again, we study two subcases.
• Case 3a: Then, there is a collision against the TGF.
• Case 3b: Then, there is a right-output collision against the Enc function.
• Case 3c: Then, there is a collision against the KDF.
For each of the cases above, the advantage of the adversary is bounded by the collision-resistance property of the individual components, as given in Equation 1.

CMT-4 Security of the KET-1a scheme
Theorem 5 does not require any collision-resistance property for KeyGen and holds even when the keys $K_e$ and $K_m$ are independent. However, if KeyGen is left-collision-resistant, we can lift the requirement of full, i.e. $(FV, K_m)$-, collision resistance from the TGF. Instead, left collision resistance on the values FV suffices, as captured by the following theorem.
• Case 1a: Then, there is a collision against the TGF.
• Case 1b: Then, there is a right collision against Enc.
• Case 2a: Then, there is a collision against the TGF.
• Case 2b: Then, there is a right collision against Enc.
• Case 2c: Then, there is a collision against the KDF.
For each of the cases above, the advantage of the adversary is bounded by the collision-resistance property of the respective component, as given in Equation 2.
Next, we consider variants of KET that use the nonce as an additional input of the encryption function. For those variants, collision resistance of the KDF is not necessary. This is intuitive since we can view the next scheme as KET-1a where N is appended to the output of the KDF.

Theorem 7. Let Π[KeyGen, KDF, Enc, TGF] be a KET-2 scheme such that
• the KeyGen function is $(\epsilon_k, t_1)$-right collision-resistant,
• Enc is $(\epsilon'_{enc}, t_2)$-right collision-resistant, and
Then, for any adversary A running in time at most t against the CMT-4 security of Π, it holds that

Proof. Suppose an adversary A outputs challenge values $(N_1, A_1, K_1, M_1)$ and $(N_2, A_2, K_2, M_2)$ with corresponding ciphertexts $(C_1, T_1)$ and $(C_2, T_2)$. We bound the probability that $(C_1, T_1) = (C_2, T_2) = (C, T)$. We consider the following disjoint cases.
• Case 1a: $K_{m1} = K_{m2}$. Then, there is a right collision on $K_m$ against the KeyGen function.
• Case 2a: Then, there is a collision against the TGF.
• Case 2b: Then, there is a right-output collision against Enc.
For each of the cases above, the advantage of the adversary is bounded by the collision-resistance property of the respective component, as given in Equation 3.
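To make the case split of Theorem 7 concrete, here is an added example (not code from the paper, and not Triplex itself): a toy KET-2 composition whose components are all built from SHA-256, together with an "extractor" that, given a CMT-4 break, names the component that must have collided, following the same three buckets as the proof (TGF, right output of KeyGen, right output of Enc). The tag is deliberately truncated to 16 bits so that a birthday search over nonces actually finds two contexts with identical (C, T); the extractor then attributes that break to the TGF, illustrating why the security is only up to half the tag size. All names (H, keygen, kdf, enc, tgf, locate_collision, find_tag_collision) and the sample key and header are assumptions of this example.

```python
# Added example: toy KET-2 scheme from SHA-256 components plus the collision
# extractor behind Theorem 7's case split.  Not the paper's or Triplex's code.
import hashlib

TAG_BYTES = 2  # assumption: 16-bit tag, so ~2^8 trials find a tag collision


def H(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts: an injective encoding of the tuple."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keygen(K: bytes):
    """KeyGen(K) -> (K_e, K_m).  K_m = K, so no right collision on K_m exists (eps_k = 0)."""
    return H(b"ke", K), K


def kdf(K_e: bytes, N: bytes) -> bytes:
    """IV = KDF(K_e, N)."""
    return H(b"kdf", K_e, N)


def keystream(IV: bytes, N: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += H(b"ks", IV, N, ctr.to_bytes(4, "big"))
        ctr += 1
    return out[:n]


def enc(IV: bytes, N: bytes, A: bytes, M: bytes):
    """Enc(IV, N, A, M) -> (C, FV).  FV is the 'right output' that feeds the TGF."""
    C = xor(M, keystream(IV, N, len(M)))
    return C, H(b"fv", IV, N, A, C)


def tgf(K_m: bytes, FV: bytes) -> bytes:
    """T = TGF(K_m, FV), truncated to TAG_BYTES."""
    return H(b"tgf", K_m, FV)[:TAG_BYTES]


def encrypt(K: bytes, N: bytes, A: bytes, M: bytes):
    K_e, K_m = keygen(K)
    C, FV = enc(kdf(K_e, N), N, A, M)
    return C, tgf(K_m, FV)


def locate_collision(ctx1, ctx2):
    """Given two distinct (K, N, A, M) tuples with equal (C, T), name the component
    that collided:  (K_m, FV) differ but T equal -> TGF;  (K_m, FV) equal and K
    differs -> right collision on KeyGen;  (K_m, FV) equal and K equal -> right
    collision on Enc.  Returns None if the pair is not a CMT-4 break at all."""
    if ctx1 == ctx2 or encrypt(*ctx1) != encrypt(*ctx2):
        return None
    (K1, N1, A1, M1), (K2, N2, A2, M2) = ctx1, ctx2
    Ke1, Km1 = keygen(K1)
    Ke2, Km2 = keygen(K2)
    FV1 = enc(kdf(Ke1, N1), N1, A1, M1)[1]
    FV2 = enc(kdf(Ke2, N2), N2, A2, M2)[1]
    if (Km1, FV1) != (Km2, FV2):
        return "TGF"
    if K1 != K2:
        return "KeyGen"
    # K equal => (N, A, M) differ; equal N gives equal IV, so (A, M) differ.
    # Either way Enc received different inputs and produced the same FV.
    return "Enc"


def find_tag_collision(K: bytes, A: bytes, target_C: bytes, max_tries: int = 1 << 17):
    """Attack on the short tag: fix K, A and the ciphertext, choose M per nonce so
    that Enc outputs exactly target_C, then birthday-search nonces for equal T.
    Cost is about 2^(tag bits / 2); max_tries > 2^16 guarantees termination."""
    K_e, _ = keygen(K)
    seen = {}
    for i in range(max_tries):
        N = i.to_bytes(8, "big")
        M = xor(target_C, keystream(kdf(K_e, N), N, len(target_C)))  # forces C
        C, T = encrypt(K, N, A, M)
        assert C == target_C
        if T in seen:
            return seen[T], (K, N, A, M)
        seen[T] = (K, N, A, M)
    return None


def demo():
    K = bytes(range(16))           # constructed sample key
    A = b"constructed header"      # constructed associated data
    ctx1, ctx2 = find_tag_collision(K, A, target_C=bytes(8))
    return ctx1, ctx2, locate_collision(ctx1, ctx2)


if __name__ == "__main__":
    c1, c2, where = demo()
    print("colliding nonces:", c1[1].hex(), c2[1].hex(), "->", where)
```

Because K_m is the key itself, the KeyGen branch of the extractor is unreachable, which is the ϵ_k = 0 situation the paper exploits for Triplex; with a full-length SHA-256 tag the same search would need about 2^128 trials, and the only remaining way to break CMT-4 would be a collision in Enc's right output.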
Finally, we consider a special case of KET-2 that we call KET-2a, where Enc is only collision-resistant when IV, A, or C change, i.e. it may be easy to find $(IV, A, C, N_1)$ and $(IV, A, C, N_2)$ such that $FV_1 = FV_2$. However, if $(IV_1, A_1) \neq (IV_2, A_2)$, then collisions are hard to find. The following theorem shows that, despite this restrictive assumption on the collision resistance of Enc, we can still attain CMT-4 security by imposing a milder condition. In this case, it is essential to also assume that the KDF is collision-resistant.
Theorem 8. Let Π[KeyGen, KDF, Enc, TGF] be a KET-2a scheme such that Enc is RCR only on input (IV, A), the remaining components satisfy the collision-resistance requirements summarized in Table 2, and $t_4 = O(t)$. Then, for any adversary A running in time at most t against the CMT-4 security of Π, it holds that

Proof. Suppose an adversary A outputs challenge values $(N_1, A_1, K_1, M_1)$ and $(N_2, A_2, K_2, M_2)$ with corresponding ciphertexts $(C_1, T_1)$ and $(C_2, T_2)$. We bound the probability that $(C_1, T_1) = (C_2, T_2) = (C, T)$ with the following cases.
• Case 1a: $K_{m1} = K_{m2}$. Then, there is a right-output collision against the KeyGen function, i.e. on $K_m$.
Case 2: Then, there is a collision against the TGF.
- Otherwise, if $IV_1 = IV_2$ and $N_1 \neq N_2$ hold, there is a collision against the KDF.
- Finally, if $IV_1 = IV_2$ and $N_1 = N_2$ hold, we must have $A_1 \neq A_2$ by injectivity of Enc over the message space when the other parameters remain unchanged. $A_1 \neq A_2$ then yields an (IV, A)-right-output collision against Enc.
For each of the cases above, the advantage of the adversary is bounded by the collision-resistance property of the respective one of the four components, as given in Equation 4.

Triplex as an Instantiation of KET-2
In this section, we demonstrate the usefulness of the KET blueprint by showing that the recent single-pass scheme Triplex [SPS+22] can be viewed as an instance of KET-2.
Triplex. Triplex operates with a KDF that consists of three TBC calls: a protected call followed by two parallel calls to an unprotected TBC. The KDF takes a key K = sk∥pk, which combines a secret part sk with a public part pk for higher multi-user security, and a nonce N, and produces a 2n-bit output IV = h1∥k1. The encryption function of Triplex takes various inputs, including pk, N, A, M, and IV = h1∥k1, and outputs a ciphertext C along with FV = V∥W. Its TGF is essentially a single TBC call: it takes sk as the key, V∥W as the tweak, and the fixed input $0^n$ to generate a tag T. Note that both Enc and the KDF take N as input, and both the KDF and the TGF use the same key sk.
There are multiple ways to view Triplex, and each one leads to the application of a different theorem. We will view the CMT-4 security of Triplex as an application of Theorem 7. We can consider pk as part of the nonce instead of the key since it is not used as a key anywhere. This simplification allows us to view Triplex as a specific instance of the generic KET-2 construction. According to Theorem 7, for achieving CMT-4 security, we need to demonstrate collision resistance of the TGF and right-output collision resistance of Enc.
Corollary 1. Let Π[KDF, Enc, TGF] denote Triplex. Then, there exists an $(\epsilon_{cr}, t_1)$-collision-resistant hash function H such that for any adversary A running in time at most t against the CMT-4 security of Triplex, it holds that
Proof. First, we redefine the KDF function of Triplex by moving the two parallel TBC calls out of the KDF into the Enc function. We denote the modified KDF and Enc functions as KDF′ and Enc′, respectively, as visualized in Figure 5. This change does not affect the scheme's security; it only moves the boundary between where the KDF ends and Enc begins. In this representation, KDF′ is not collision-resistant, and we apply Theorem 7. We know that $\epsilon_k = 0$ since sk is used as both $K_e$ and $K_m$. Moreover, the collision resistance of the TGF is similar to that of the TGF used in LRMAC1. In other words, we obtain from the analysis of Theorem 4 that $\epsilon_{tgf} \le \frac{q_e^2 + 2q_e + 5}{2^n}$.
What remains is to bound $\epsilon_{enc}$. Note that the function Enc′ can be visualized as shown in Figure 6, wherein the bottom part is the Triplex hash function applied to the input pad(IV, N, pk, A, C) for some injective padding function. The top symmetric-encryption (SE) component computes the ciphertext C, which is input to the hash function. Thus, if $N_1 = N_2$, the top part (SE) is bijective and FV-collision-resistant. If $N_1 \neq N_2$, it is still FV-collision-resistant since N is part of the input to the hash function. Then, $\epsilon_{enc} \le \epsilon_{cr}$. Finally, the hash function H used in Triplex is the Merkle-Damgård with Permutation (MDP) hash function [HPY07] instantiated with Hir, Hirose's double-block-length compression function [Hir06]. From the indifferentiability of this MDPH hash function, we have that $\epsilon_{cr}$ is negligible, which implies the commitment security of Triplex.

Conclusion
In this paper, we studied the CMT-4 security of two families of leveled leakage-resilient schemes: Grade-3 schemes based on EtM and single-pass Grade-2 schemes. In both cases, we give positive results. We show that EtM is committing as long as the keys satisfy a particular definition of dependence and the MAC is collision-resistant. We give positive results on the collision resistance of different leakage-resilient MACs, HBC, HTBC, and LRMAC1, and apply them to show the CMT-4 security of TEDT. We also discuss how to increase the security by increasing the tag size. For single-pass schemes, we give different variants with different assumptions on their components and show that the recently proposed scheme Triplex achieves CMT-4 security up to half the tag size.
We believe our work shows an interesting connection between context commitment and leakage-resilient schemes. Even though the two security goals are different and neither implies the other, the underlying design principles allow for efficient schemes that achieve both goals.
An interesting future direction is to study how to design leakage-resilient schemes that are also committing beyond half the tag size. Another direction is to study whether a connection can be derived between CIML2 security and CMT-4 security.

Figure 6: Alternative visualization of the modified encryption function Enc′ of Triplex.

Secure and Insecure Examples of KeyGen. Theorem 1 shows that CMT-4 security of EtM schemes relies on the right collision resistance of the KeyGen function as well as the collision resistance of the MAC. KeyGen functions with low $\epsilon_k$ can be found easily. For concreteness, we list a few intuitive secure examples in Table 1, alongside two negative examples with $\epsilon_k = 1$. The next section can therefore concentrate on the collision resistance of MACs in and for EtM-based schemes.

Collision Resistance of Leveled Leakage-resilient MACs
In this section, we show the collision resistance of HBC [BGP+19], HTBC [BGP+19] (the MAC used in TEDT and Romulus-T), and LRMAC1 [BGPS21]. While we are unaware of concrete AEAD schemes that employ LRMAC1, establishing its suitability for CMT-4-secure AEAD is relevant as it offers useful leakage resilience.

Table 2: Different variants of KET and the requirements on their components for CMT-4 security. (R)CR = (right) collision resistance.