 My name is Julia Lenn, and in this talk abstract, I will present an overview of authenticated encryption with key identification. This is joint work with Paul Grubbs and Thomas Stempart. To begin, we recall the definition of authenticated encryption with associated data, or AAD. This cryptographic primitive assumes that two parties share a secret key. The sender chooses a nonce and associated data and encrypts the plaintext message using their secret key. They can then send the nonce, associated data, and ciphertext to the recipient, who can decrypt using the secret key to recover the plaintext message. Here we require that an attacker who does not know the secret key and sees the ciphertext will not be able to recover the plaintext. However, notice that there are a couple of assumptions being made with this model. The first assumption is that the adversary has no way of knowing or even guessing the secret key. Moreover, the second assumption is that decryption only ever gets a single secret key as input. But looking at how AAD is used in practice, these assumptions do not actually always capture or fully model its use cases. In particular, the first assumption about the adversary not knowing the secret key does not capture the security goal of key robustness, which was first introduced for the authenticated encryption setting by Farsham or Landy in Roshi in 2017. At a high level, an AAD scheme that is not key robust or key committing means that an adversary can compute a ciphertext such that it can successfully decrypt under two different keys. And recent work has shown that many AAD schemes are not key robust and that this can actually lead to vulnerabilities in practice. As a quick summary of these vulnerabilities, Grubbs et al. and Dotus et al. showed attacks on Facebook Messenger's message-franking protocol. In prior work, we described a new type of attack that we call partitioning oracle attacks and showed how to use this attack to exploit key robustness vulnerabilities in Chattersocks proxy servers and early implementations of the opaque password authenticated key exchange protocol. And finally, Albertini et al. described vulnerabilities with envelope encryption and subscribed with Google when they used AAD schemes that are not key robust. Moreover, when we look at the assumption that decryption only ever gets a single secret key, we see this also does not model practice. For instance, the Google Tink API gives decryption a set of keys and requires decryption to first determine which key is the correct one before decrypting. Furthermore, we've seen systems in practice in which decryption must choose from a set of keys and does this insecurely. In particular, we previously showed this as an issue with multi-user Chattersocks and also Albertini et al. showed this as an issue with key management services. All together, while in practice, we've seen various techniques for key identification during decryption. It's unclear what security properties some of these approaches achieve. To date, there has been no formal investigation of their security properties or efficacy, especially in the presence of adversarial keys. The ad hoc solutions for identifying the intended key deployment practice can be inefficient. And as we've seen in some cases, vulnerable to practical attacks. We therefore initiate the formal study of AAD that supports key identification by extending non-spaced AAD into this setting. In this talk, we'll go over our formalization of a new cryptographic primitive called AAD with key identification or AADKI. Decryption now takes in a vector of secret keys and a ciphertext and must both identify the correct secret key and decrypt the ciphertext. We'll next introduce new security definitions for the AADKI setting. Notably, our definitions allow an adversary to specify malicious keys to better model possible attacks. And lastly, we'll analyze the security of existing key identification approaches as well as suggest new ones.