On the Security of CTR + CBC-MAC

  • Jakob Jonsson
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2595)


We analyze the security of the CTR + CBC-MAC (CCM) encryption mode. This mode, proposed by Doug Whiting, Russ Housley, and Niels Ferguson, combines the CTR (“counter”) encryption mode with CBC-MAC message authentication and is based on a block cipher such as AES. We present concrete lower bounds for the security of CCM in terms of the security of the underlying block cipher. The conclusion is that CCM provides a level of privacy and authenticity that is in line with other proposed modes such as OCB.


AES authenticated encryption modes of operation 


  1. 1.
    J. H. An and M. Bellare. Does Encryption with Redundancy Provide Authenticity? Advances in Cryptology — EUROCRYPT 2001, pp. 512–528, Springer Verlag, 2001.Google Scholar
  2. 2.
    M. Bellare, A. Desai, E. Jokipii, and P. Rogaway. A Concrete Security Treatment of Symmetric Encryption: Analysis of the DES Modes of Operation. Proceedings of 38th Annual Symposium on Foundations of Computer Science (FOCS 97), IEEE, 1997.Google Scholar
  3. 3.
    M. Bellare, J. Kilian, P. Rogaway. The Security of the Cipher Block Chaining Message Authentication Code. Journal of Computer and System Sciences, 61 (3), 362–399, 2000.MathSciNetCrossRefGoogle Scholar
  4. 4.
    M. Bellare and C. Namprempre. Authenticated Encryption: Relations Among Notions and Analysis of the Generic Composition Paradigm. Advances in Cryptology — ASIACRYPT 2000, pp. 531–545, Springer-Verlag, 2000.Google Scholar
  5. 5.
    M. Bellare and P. Rogaway. Optimal Asymmetric Encryption-How to Encrypt with RSA. Advances in Cryptology — Eurocrypt’ 94, pp. 92–111, Springer Verlag, 1994.Google Scholar
  6. 6.
    M. Bellare and P. Rogaway. Encode-Then-Encipher Encryption: How to Exploit Nonces or Redundancy in Plaintexts for Efficient Encryption. Advances in Cryptology — ASIACRYPT 2000, pp. 317–330, Springer-Verlag, 2000.Google Scholar
  7. 7.
    J. Daemen and V. Rijmen. AES Proposal: Rijndael. Contribution to NIST, September 1999. Available from
  8. 8.
    W. Diffie and M. Hellman. Privacy and Authentication: An Introduction to Cryptography. Proceedings of the IEEE, 67, pp. 397–427, 1979.CrossRefGoogle Scholar
  9. 9.
    N. Ferguson. Collision Attacks on OCB. Preprint, February 2002.Google Scholar
  10. 10.
    V. Gligor, P. Donescu. Infinite Garble Extension. Contribution to NIST, 2000. Available from
  11. 11.
    H. Handschuh and D. Naccache. SHACAL. Contribution to the NESSIE project, 2000.Google Scholar
  12. 12.
    IEEE Std 1363-2000. Standard Specifications for Public Key Cryptography. IEEE, 2000.Google Scholar
  13. 13.
    ISO/IEC 9797: Information Technology-Security Techniques-Data Integrity Mechanism Using a Cryptographic Check Function Employing a Block Cipher Algorithm. Second edition, 1994.Google Scholar
  14. 14.
    É. Jaulmes, A Joux and F. Valette. On the Security of Randomized CBC-MAC Beyond the Birthday Paradox Limit-A New Construction. Fast Software Encryption, 9th International Workshop, FSE 2002, to appear.Google Scholar
  15. 15.
    C. S. Jutla. Encryption Modes with Almost Free Message Integrity. Contribution to NIST, 2000. Available from
  16. 16.
    C. S. Jutla. Parallelizable Encryption Mode with Almost Free Message Integrity. Contribution to NIST, 2000. Available from
  17. 17.
    J. Katz and M. Yung. Unforgeable Encryption and Chosen-Ciphertext-Secure Modes of Operation. Fast Software Encryption 2000, pp. 284–299, 2000.CrossRefGoogle Scholar
  18. 18.
    H. Krawczyk. The Order of Encryption and Authentication for Protecting Communications (or: How Secure Is SSL?). Advances in Cryptology — CRYPTO 2001, pp. 310–331, Springer Verlag, 2001.Google Scholar
  19. 19.
    M. Liskov, R. L. Rivest and D. Wagner. Tweakable Block Ciphers. Advances in Cryptology — CRYPTO 2002, Springer Verlag, 2002.Google Scholar
  20. 20.
    A. Menezes, P. van Oorschot and S. Vanstone. Handbook of Applied Cryptography. CRC Press, 1996.Google Scholar
  21. 21. National Institute of Standards and Technology (NIST). FIPS Publication 81: DES Modes of Operation. December 1980.Google Scholar
  22. 22.
    National Institute of Standards and Technology (NIST). FIPS Publication 180-1: Secure Hash Standard (SHS). April 1995.Google Scholar
  23. 23.
    National Institute of Standards and Technology (NIST). FIPS Publication 197: Advanced Encryption Standard (AES). November 2001.Google Scholar
  24. 24.
    E. Petrank, C. Racko.. CBC MAC for Real-Time Data Sources. Journal of Cryptology, 13 (3), pp. 315–338, 2000.MathSciNetCrossRefGoogle Scholar
  25. 25.
    P. Rogaway. IEEE 802.11-01/156r0: Some Comments on WHF Mode. March 2002. Available from
  26. 26.
    P. Rogaway, M. Bellare, J. Black and T. Krovetz. OCB: A Block-Cipher Mode of Operation for Efficient Authenticated Encryption. 8th ACM Conference on Computer and Communications Security (CCS-8), pp. 196–205. ACM Press, 2001.Google Scholar
  27. 27.
    D. Whiting, R. Housley and N. Ferguson. IEEE 802.11-02/001r2: AES Encryption & Authentication Using CTR Mode & CBC-MAC. March 2002.Google Scholar
  28. 28.
    D. Whiting, R. Housley and N. Ferguson. Counter with CBC-MAC (CCM), AES Mode of Operation Contribution to NIST, May 2002. Available from

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Jakob Jonsson
    • 1
  1. 1.RSA Laboratories EuropeStockholmUSA

Personalised recommendations