STOC '91 Proceedings of the twenty-third annual ACM symposium on Theory of computing
OCB: a block-cipher mode of operation for efficient authenticated encryption
CCS '01 Proceedings of the 8th ACM conference on Computer and Communications Security
On the Security of CTR + CBC-MAC
SAC '02 Revised Papers from the 9th Annual International Workshop on Selected Areas in Cryptography
CRYPTO '98 Proceedings of the 18th Annual International Cryptology Conference on Advances in Cryptology
A Concrete Security Treatment of Symmetric Encryption
FOCS '97 Proceedings of the 38th Annual Symposium on Foundations of Computer Science
Characterization of Security Notions for Probabilistic Private-Key Encryption
Journal of Cryptology
The sum of PRPs is a secure PRF
EUROCRYPT'00 Proceedings of the 19th international conference on Theory and application of cryptographic techniques
Improved security analyses for CBC MACs
CRYPTO'05 Proceedings of the 25th annual international conference on Advances in Cryptology
New proofs for NMAC and HMAC: security without collision-resistance
CRYPTO'06 Proceedings of the 26th annual international conference on Advances in Cryptology
SP 800-38C. Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality
McOE: a family of almost foolproof on-line authenticated encryption schemes
FSE'12 Proceedings of the 19th international conference on Fast Software Encryption
Hi-index | 0.00 |
In this paper, we present an analysis of the CCM mode of operations and of a slight variant. CCM is a simple and efficient encryption scheme which combines a CBC-MAC authentication scheme with the counter mode of encryption. It is used in several standards. Despite some criticisms (mainly this mode is not online, and requires non-repeating nonces), it has nice features that make it worth to study. One important fact is that, while the privacy of CCM is provably garanteed up to the birthday paradox, the authenticity of CCM seems to be garanteed beyond that. There is a proof by Jonsson up to the birthday paradox bound, but going beyond it seems to be out of reach with current techniques. Nevertheless, by using pseudo-random functions and not permutations in the counter mode and an authentication key different from the privacy key, we prove security beyond the birthday paradox. We also wonder if the main criticisms against CCM can be avoided: what is the security of the CCM mode when the nonces can be repeated, (and) when the length of the associated data or message length is missing to make CCM on-line. We show generic attacks against authenticity in these cases. The complexity of these attacks is under the birthday paradox bound. It shows that the lengths of the associated data and the message, as well as the nonces that do not repeat are important elements of the security of CCM and cannot be avoided without significantly decreasing the security.