We show that concealments have natural and important applications in the area of authenticated encryption. Specifically, let $\mathcal{A}\mathcal{E}$ be an authenticated encryption scheme (either public- or symmetric-key) designed to work on short messages. We show that concealments are exactly the right abstraction allowing one to use $\mathcal{A}\mathcal{E}$ for encrypting long messages. Namely, to encrypt “long” $m$, one uses a concealment scheme to get $h$ and $b$, and outputs authenticated ciphertext $\left\langle \mathcal{A}\mathcal{E}(b), h \right\rangle$. More surprisingly, the above paradigm leads to a very simple and general solution to the problem of remotely keyed (authenticated) encryption (RKAE) [12, 13]. In this problem, one wishes to split the task of high-bandwidth authenticated encryption between a secure, but low-bandwidth/computationally limited device, and an insecure, but computationally powerful host. We give formal definitions for RKAE, which we believe are simpler and more natural than all the previous definitions. We then show that our composition paradigm satisfies our (very strong) definition. Namely, for authenticated encryption, the host simply sends a short value $b$ to the device (which stores the actual secret key for $\mathcal{A}\mathcal{E}$), gets back $\mathcal{A}\mathcal{E}(b)$, and outputs $\left\langle \mathcal{A}\mathcal{E}(b), h \right\rangle$ (authenticated decryption is similar). Finally, we also observe that the particular schemes of [13, 17] are all special examples of our general paradigm.