On the Security of CTR + CBC-MAC
We analyze the security of the CTR + CBC-MAC (CCM) encryption mode. This mode, proposed by Doug Whiting, Russ Housley, and Niels Ferguson, combines the CTR (“counter”) encryption mode with CBC-MAC message authentication and is based on a block cipher such as AES. We present concrete lower bounds for the security of CCM in terms of the security of the underlying block cipher. The conclusion is that CCM provides a level of privacy and authenticity that is in line with other proposed modes such as OCB.
Keywords: AES, authenticated encryption, modes of operation