Problem $2.$ Committing encryption. A common mistake is to assume that encryption commits the encryptor to the encrypted message. Let $($E$,$D$)$ be a cipher defined over $($K$,$M$,$C$).$ Suppose Alice chooses some k in K and m in M and publishes c :$=$ E$($k$,$m$).$ This ciphertext c is then stored in a system that prevents any modification to c$.$ Later, Alice is asked to decrypt this c by revealing her key k$.$ We say that the encryption scheme is committing if Alice cannot produce a k$$ in K such that D$($k$,$c$)=$ m$$ where m$=$ m and m$=$ reject.

a$.$ Give a complete game based definition for committing encryption. Your game need only capture the commitment aspect of the scheme, not confidentiality. Hint: in your game, the challenger does nothing, and the attacker should output two keys k and k$,$ along with some other data.

b$.$ Let CTR denote counter mode encryption with a random IV$,$ with key space Ke$.$ Let $($S$,$ V $)$ be a secure MAC with key space Km$.$ Let $($E$,$D$)$ be the derived CTR$-$then$-$MAC cipher whosekeyspaceisKe$\backslash$times Km$.$ Weknowthat$($E$,$D$)$providesauthenticatedencryption$.$ Show that $($E$,$D$)$ is not a committing encryption scheme.

Problem $2.$ Committing encryption. A common mistake is to assume that encryption commits the encryptor to the encrypted message. Let $($E$,$D$)$ be a cipher defined over $($K$,$M$,$C$).$ Suppose Alice chooses some k in K and m in M and publishes c :$=$ E$($k$,$m$).$ This ciphertext c is then stored in a system that prevents any modification to c$.$ Later, Alice is asked to decrypt this c by revealing her key k$.$ We say that the encryption scheme is committing if Alice cannot produce a k$$ in K such that D$($k$,$c$)=$ m$$ where m$=$ m and m$=$ reject.

a$.$ Give a complete game based definition for committing encryption. Your game need only capture the commitment aspect of the scheme, not confidentiality. Hint: in your game, the challenger does nothing, and the attacker should output two keys k and k$,$ along with some other data.

b$.$ Let CTR denote counter mode encryption with a random IV$,$ with key space Ke$.$ Let $($S$,$ V $)$ be a secure MAC with key space Km$.$ Let $($E$,$D$)$ be the derived CTR$-$then$-$MAC cipher whosekeyspaceisKe$\backslash$times Km$.$ Weknowthat$($E$,$D$)$providesauthenticatedencryption$.$ Show that $($E$,$D$)$ is not a committing encryption scheme.