Why does using keyed-$PRF$-derived inputs in a (non-committing) $\texttt{nc-AEAD}$ not provide commitment?

Question

A definition for committing security in authenticated encryption can be described in relation to a security parameter $\lambda_{com}$, where the per-guess probability of finding distinct input tuples

$$ (K, \space N, \space A, \space M) \space\neq\space (K', \space N', \space A', \space M') $$

for which

$$ (C, \space T) \space\leftarrow\space \texttt{nc-AEAD}_{enc}(K, \space N, \space A, \space M) $$

$$ = $$

$$ (C', \space T') \space\leftarrow\space \texttt{nc-AEAD}_{enc}(K', \space N', \space A', \space M') $$

is ~$2^{-\lambda_{com}}$. For the purposes of this post, let's aim to set the committing security parameter $\lambda_{com}$ equal to the authentication security parameter $\lambda_{auth}$ provided by the particular $\texttt{nc-AEAD}$ scheme.

---

My questions are in relation to a previous answer which cites BH22's generic transformation from non-committing to committing $\texttt{AEAD}$. One approach suggested in the paper is summarized in the answer as:

First turning a non-committing AEAD scheme $\textsf{SE}$ into a key-committing $\textsf{CMT-1}$ scheme $\textsf{SE-1}$ by using a collision-resistant hash for the final tag production. Then, treating the $\textsf{SE-1}$ scheme to another generic transformation to a fully committing $\textsf{CMT-4}$ AEAD scheme $\textsf{SE-4}$ by replacing the encryption key $K$ with a keyed-hash output $L \leftarrow H(K, (N, A))$ & the associated data $A$ with an empty string $\epsilon$. This results in $\textsf{SE-1}(K, N, A, M)$ being transformed into $\textsf{SE-4}(L, N, \epsilon, M)$.

1. If the polynomial tag was left to be calculated normally by the $\texttt{nc-AEAD}$ (eg. $\textsf{SE}$), why isn't the above definition of commitment satisfied when instead of using $\textsf{SE-4}(L, \space N, \space\epsilon, \space M)$ where $L \space\leftarrow\space H(K, \space (N, \space A))$, all of the non-message inputs are derived from the collision-resistant keyed-hash function such that

$$ \textsf{SE}(K, \space N, \space A, \space M) \rightarrow \textsf{SE}(K_L, \space N_L, \space A_L, \space M) $$

where

$$ (K_L, \space N_L, \space A_L) \leftarrow H(K, \space (N, \space A))$$

and

$$ |A_L| \space \ge \space 2 \cdot \lambda_{com} $$

---

$\hspace{1.3em}$ What I'm able to gather about polynomial hashes being non-committing is that knowing the key allows for the other inputs to be chosen specifically in relation to it such that they can be used to validate the ciphertext and tag $(C', \space T') = (C, \space T)$. But, deriving all the non-message inputs using a collision-resistant keyed-hash would seem to complicate this capacity of free choice by pseudo-randomly binding them all together.

2. Shouldn't finding two distinct keys $ \{ K, \space K' \} $ which derive the same, or other chosen non-message inputs with the above method be as difficult as finding a collision, or second preimage, in the keyed-hash function?

---

$\hspace{1.3em}$ Considering the most widely deployed $\texttt{nc-AEAD}$'s, their key $K$ and nonce $N$ alter the ciphertext and tag, while the associated data $A$ only alters the tag. These schemes are also stream ciphers, meaning the message can easily be changed according to any derived keystream to create a chosen ciphertext $C' = C$. But,

3. Wouldn't doing that and creating the same authentication tag $T' = T$ be as difficult as breaking the authentication security of the $\texttt{nc-AEAD}$, since the associated data is bound to the other non-message inputs and is thus outside of the control of such a motivated party?

$\hspace{1.3em}$ This part of the talk by one of the original authors seems to suggest this could be the case. Since, as they say, if a scheme commits to $(K, \space N, \space A)$, then commitment to the message $M$ is implied by the correctness property of the $\texttt{nc-AEAD}$.

---

Motivation:

When all the non-message inputs are bound into a pseudo-random tuple $(K_L', \space N_L', \space A_L')$, the party can't use knowledge of $K_L'$ to determine $N_L'$ or $A_L'$. This polynomial-time party only gets one choice of $M'$ per unique tuple $(K', \space N', \space A')$, everything else is predetermined. This party can either choose $M'$ such that $C' = C$, or it can choose $M'$ such that $T' = T$. But, choosing $M'$ such that $(C', \space T') = (C, \space T)$ should be similarly as difficult as finding a forgery on the transcript $(C, \space T)$ with random inputs of the correct form.

IND-CCA2 assumes an adversary $\mathcal{A}^{\\\$}$ has an encryption and decryption oracle with no knowledge of $K$. This is distinct from an adversary $\mathcal{A}^\text{K}$ which does have knowledge of $K$. I think it's possible to show that if it were feasible for $\mathcal{A}^\text{K}$ to pseudo-randomly land on a valid distinct input tuple, then $\mathcal{A}^{\\\$}$ could also just guess randomly at inputs to win the security game with non-negligible advantage. It doesn't seem that any $\texttt{nc-AEAD}$ can be IND-CCA2 secure for which such forgeries with securely randomized inputs are feasible.

Attack #0: Commitment Attack on $\texttt{nc-AEAD-DKNA}$ by $\mathcal{A}^K$

0. Create an arbitrary transcript $(C, \space T) \space\leftarrow\space \textsf{SE}(K, \space N, \space A, \space M)$
1. Discover an algorithm $x' \leftarrow \textsf{collide}(H, \space n, \space x)$ which can use knowledge of input $x$ from $y \leftarrow H(x)$ to determine a distinct input $x'$ such that $y' \leftarrow H(x')$ has $n$ chosen bits set to $n$ chosen values, and completes after ~$2^{\lambda_{com}} = \exp(n) - \delta(n, \space q_H)$ targeted queries to $H$
2. Calculate $(\overbrace{K', \space (N', \space A')}^{x'}) \leftarrow \textsf{collide}(H, \space n, \space (\overbrace{K, \space (N, \space A)}^{x}))$
3. Derive $(\overbrace{K_L', \space N_L', \space A_L'}^{y'}) \leftarrow H(\overbrace{K', \space (N', \space A')}^{x'})$
4. Choose $M'$ such that $C = M' \oplus \textsf{SE.keygen}(K_L', \space N_L', \space A_L')$
5. Create transcript $(C, \space T') \space\leftarrow\space \textsf{SE}(K_L', \space N_L', \space A_L', \space M')$
6. $T' = T$ at the cost of $\exp(n) - \delta(n, \space q_H)$ targeted queries to $H$, where $n$ is the number of bits in $(K_L', \space N_L', \space A_L')$ which need to be controlled in order to carry out the commitment attack on $\texttt{nc-AEAD-DKNA}$. And, $\delta$ is the function which determines how many fewer queries $\mathcal{A}^K$ has to make to $H$ due to knowledge of $K$ than $\mathcal{A}^{\\\$}$ does.

Attack #1: Commitment & IND-CCA3 Attacks on $\texttt{nc-AEAD-DKNA}$ by $\mathcal{A}^{\\\$}$

0. On an arbitrary $M$, query encryption oracle $(C, \space T) \space\leftarrow\space \mathcal{O}_{enc}(M)$
1. Choose a random possible $(K', \space N', \space A')$
2. Derive $(K_L', \space N_L', \space A_L') \leftarrow H(K', \space (N', \space A'))$
3. Choose $M'$ such that $C = M' \oplus \textsf{SE.keygen}(K_L', \space N_L', \space A_L')$
4. Create transcript $(C, \space T') \space\leftarrow\space \textsf{SE}(K_L', \space N_L', \space A_L', \space M')$
5. $T' = T$ with a probability bounded in difference from $\mathcal{A}^K$'s in Attack #0 by the probability of $\mathcal{A}^{\\\$}$ finding a forgery after $\delta(n, \space q_H)$ more random queries to $H$. If $\delta$ is at most a low-degree polynomial function but Attack #0 is still feasible and succeeds in under exponential time, then the minimum number of bits $n$ from $\exp(n)$ to control for a commitment attack on the particular $\texttt{nc-AEAD}$ must be bound $\ll 128$. In which case $\mathcal{A}^{\\\$}$ also needs a less than exponential number of random queries to $H$ to find a valid forgery, and therefore $2^{-\lambda_{auth}} \neq \mathsf{negl.}$ On the other hand, if $\delta$ is greater than polynomial, or of high degree, then $H$ cannot possibly be a strong cryptographic hash function.

Attack #2: IND-CCA2 Attack on $\texttt{nc-AEAD-DKNA}$ by $\mathcal{A}^{\\\$}$

0. Choose a random possible $C \not\in \left\{ \mathcal{O}_{enc}(M_0)_0, \space\ldots, \space\mathcal{O}_{enc}(M_{q_{enc}-1})_0 \right\}$
1. Choose a random possible $(K', \space N', \space A')$
2. Derive $(K_L', \space N_L', \space A_L') \leftarrow H(K', \space (N', \space A'))$
3. Choose $M'$ such that $C = M' \oplus \textsf{SE.keygen}(K_L', \space N_L', \space A_L')$
4. Create transcript $(C, \space T') \space\leftarrow\space \textsf{SE}(K_L', \space N_L', \space A_L', \space M')$
5. Receive a valid decryption oracle query $M \space\leftarrow\space \mathcal{O}_{dec}(C, \space T')$ without prior plaintext awareness with the same probability $\mathcal{A}^{\\\$}$ can create a valid $T' = T$ in Attack #1

---

Aside:

To have a common reference for this method, I'll be using the name $\texttt{DKNA}$, as in $\texttt{AES-GCM-DKNA}$ or $\texttt{ChaCha20-Poly1305-DKNA}$.

UPDATE 2024-07-15:

After emailing several context commitment researchers about this construction, Viet Tung Hoang responded. Excerpts from the conversation follow:

Your method (deriving (K_L, N_L, A_L) and then running a base AE scheme on them) is not secure, if the base AE scheme is GCM. In particular, for given distinct (K_L, N_L, A_L) and (K'_L, N'_L, A'_L), you can find a one-block ciphertext core C so that the two tags will be the same. You then can decrypt the ciphertext C || T to recover the two corresponding messages. The details are left as an exercise.

~ Viet Tung Hoang

So, I did some more reading and thinking, but couldn't figure out how this made sense with the attacks illustrated in this post. So, I asked for confirmation:

Can you confirm: In the attack you outline, it is trivial to create a single block ciphertext from distinct derived inputs, and a chosen $M'$, which collide honest-dishonest ciphertext-tag tuples such that $(C, T)=(C', T')$?

~ Me

Finally, the response made sense to me:

First, you seem to think that the adversary is given M and has to find M’. No, it can choose both M and M’. Next, as the prior email hinted, express the tag collision as a linear equation of the ciphertext core C (not the full ciphertext) and find C. Then decrypt it to get M and M’.

~ Viet Tung Hoang

The attacker model I was using is wrong. A priori it implicitly committed to the message $M$ by asking $\mathcal{A}^K$ to match its $(C, \space T)$-tuple. From what I understand now, $\mathcal{A}^K$ can begin without $M$ and only the arbitrary query-tuple $_{i}Q = ((K_L, \space N_L, \space A_L), \space (_{i}K'_L, \space _{i}N'_L, \space _{i}A'_L))$, then solve backwards to reveal multiple $\{_{i}M, \space _{i}M', \space \ldots\} \in \mathcal{_{i}M}^K$ which create colliding $(_{i}C, \space _{i}T) = (_{i}C', \space _{i}T')$ and that are likely distinct for each $_{i}Q$. (Ouch, these context commitment attacks are brutal.)

Answer 1

1. If I understand your question correctly, your scheme parses the output of the collision-resistant hash function as $(K_L, N_L, A_L)$ and then generates the final output as $\mathsf{SE}(K_L, N_L, A_L, M)$. This does not help in improving the commitment security of the AEAD scheme: since $\mathsf{SE}$ is not CMT-4 secure in the first place, there's no guarantee that you won't find $K, N, A, M$ and $K', N', A', M'$ such that $H(K, N, A) \ne H(K', N', A')$ but $\mathsf{SE}(H(K, N, A), M) = \mathsf{SE}(H(K', N', A'), M')$. Of course, for specific modes, there may be ways to argue that your transformation provides commitment security, but it doesn't work as a generic transformation (which is what BH22 achieves).
2. Again, hashing the inputs can only work as a generic transformation if you assume some level of commitment security in the first place, because otherwise, you don't necessarily need colliding inputs for colliding outputs.
3. In the provable security analysis of AEAD, authentication security is usually considered against an unknown secret key, while in commitment attacks the adversary can freely choose the keys. The two attack models are different, and breaking the commitment security usually doesn't imply a lack of authentication security.