On the security of the CCM encryption mode and of a slight variant

  • Authors:

  • Pierre-Alain Fouque;Gwenaëlle Martinet;Frédéric Valette;Sébastien Zimmer

  • Affiliations:

  • École normale supérieure, Paris, France;DCSSI Crypto Lab, Paris, France;CELAR, France;École normale supérieure, Paris, France

  • Venue:
  • ACNS'08 Proceedings of the 6th international conference on Applied cryptography and network security
  • Year:
  • 2008

Quantified Score

Hi-index 0.00

Visualization

Abstract

In this paper, we present an analysis of the CCM mode of operations and of a slight variant. CCM is a simple and efficient encryption scheme which combines a CBC-MAC authentication scheme with the counter mode of encryption. It is used in several standards. Despite some criticisms (mainly this mode is not online, and requires non-repeating nonces), it has nice features that make it worth to study. One important fact is that, while the privacy of CCM is provably garanteed up to the birthday paradox, the authenticity of CCM seems to be garanteed beyond that. There is a proof by Jonsson up to the birthday paradox bound, but going beyond it seems to be out of reach with current techniques. Nevertheless, by using pseudo-random functions and not permutations in the counter mode and an authentication key different from the privacy key, we prove security beyond the birthday paradox. We also wonder if the main criticisms against CCM can be avoided: what is the security of the CCM mode when the nonces can be repeated, (and) when the length of the associated data or message length is missing to make CCM on-line. We show generic attacks against authenticity in these cases. The complexity of these attacks is under the birthday paradox bound. It shows that the lengths of the associated data and the message, as well as the nonces that do not repeat are important elements of the security of CCM and cannot be avoided without significantly decreasing the security.