Why is Key Commitment relevant in Authenticated Encryption?

In a recent ePrint report, Ange Albertini et al. point out a subtle problem that is also relevant for authenticated encryption and AE(AD) ciphers: There are file formats that are not mutually exclusive in the sense that the content of a given file may be valid according to different file formats. In the case of two formats, for example, a respective file refers to a binary polyglot – it is valid for (at least) two different file formats. Two different ciphertexts may be packed into a binary polyglot. Depending on the decryption key, two different but valid plaintext messages can be recovered from the encrypted file. This works independently from the AE(AD) cipher that may otherwise be secure. It goes without saying that this may pose a serious problem and security risk in some situations. There are basically two possibilities to mitigate the risk: Either the file formats can be sharpened in a way that polyglots cannot exist, or – maybe more realistically – the AE(AD) cipher may be extended to additionally provide support for key commitment, meaning that the encryption process must also commit to the key that is being used. This should make it impossible to decrypt a given ciphertext with another key than originally anticipated. There are multiple ways to achieve this, for example, by adding an additional zero block prior to encryption and verifying that this block is recovered after decryption. This is conceptually similar to the quick check used in some OpenPGP implementations. Anyway, it is reasonable to expect that key commitment will become relevant in authenticated encryption in the future.