On the Security of the CCM Encryption Mode and of a Slight Variant
In this paper, we present an analysis of the CCM mode of operation and of a slight variant. CCM is a simple and efficient authenticated encryption scheme that combines CBC-MAC authentication with counter-mode encryption. It is used in several standards. Despite some criticisms (mainly that the mode is not online and requires non-repeating nonces), it has nice features that make it worth studying.
One important fact is that, while the privacy of CCM is provably guaranteed up to the birthday paradox bound, the authenticity of CCM seems to be guaranteed beyond it. There is a proof by Jonsson up to the birthday paradox bound, but going beyond it seems to be out of reach with current techniques. Nevertheless, by using pseudo-random functions rather than permutations in the counter mode, and an authentication key different from the privacy key, we prove security beyond the birthday paradox.
We also ask whether the main criticisms of CCM can be avoided: what is the security of CCM when nonces can repeat, and when the length of the associated data or of the message is omitted in order to make CCM online? We show generic attacks against authenticity in these cases, with complexity below the birthday paradox bound. This shows that the lengths of the associated data and of the message, as well as non-repeating nonces, are essential elements of the security of CCM and cannot be dropped without significantly decreasing the security.
Keywords: CCM, CBC-MAC, Counter mode
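The abstract describes CCM as CBC-MAC authentication combined with counter-mode encryption, with the message length and associated-data length bound into the MAC and a nonce that must never repeat under one key. The following is an added example, not code from the paper or from any standard, that implements that structure following the SP 800-38C formatting (block B0 carrying the nonce and payload length, length-prefixed associated data, CBC-MAC over the formatted blocks, CTR encryption with the tag masked by the counter-0 block). Because CCM only ever calls the block cipher in the forward direction, a keyed PRF built from HMAC-SHA256 and truncated to 16 bytes stands in for AES here (an assumption made for self-containment; real CCM uses AES). The `mac_key` parameter models the paper's variant of a separate authentication key, and `CcmSender` enforces the non-repeating-nonce requirement on the sending side. All names (`ccm_encrypt`, `ccm_decrypt`, `CcmSender`, `block_fn`) and sample values are constructed for this example.

```python
import hmac
import hashlib

BLOCK = 16  # CCM is defined for a 128-bit block cipher (AES in the standards)


def block_fn(key: bytes, x: bytes) -> bytes:
    """Stand-in for the block cipher: a keyed PRF F_K from HMAC-SHA256 truncated
    to one block. ASSUMPTION of this example: the real mode uses AES, but CCM
    only uses the forward direction, so any 128-bit keyed function fits here
    (the paper's variant indeed replaces the permutation by a PRF)."""
    assert len(x) == BLOCK
    return hmac.new(key, x, hashlib.sha256).digest()[:BLOCK]


def _pad(b: bytes) -> bytes:
    return b + b"\x00" * (-len(b) % BLOCK)


def _format_blocks(nonce, adata, plen, tlen, q):
    # B0 = flags || nonce || payload length (q bytes, big-endian). The payload
    # length is needed up front, which is why CCM is not an online mode.
    flags = (0x40 if adata else 0) | (((tlen - 2) // 2) << 3) | (q - 1)
    b0 = bytes([flags]) + nonce + plen.to_bytes(q, "big")
    # associated data is prefixed with its encoded length (SP 800-38C, A.2.2)
    if not adata:
        a_enc = b""
    elif len(adata) < (1 << 16) - (1 << 8):
        a_enc = len(adata).to_bytes(2, "big") + adata
    else:
        a_enc = b"\xff\xfe" + len(adata).to_bytes(4, "big") + adata
    return b0, _pad(a_enc)


def _counter(nonce, i, q):
    # counter block: flags carry only q-1; the nonce appears in every block
    return bytes([q - 1]) + nonce + i.to_bytes(q, "big")


def _cbc_mac(key, blocks):
    y = b"\x00" * BLOCK
    for i in range(0, len(blocks), BLOCK):
        y = block_fn(key, bytes(a ^ b for a, b in zip(y, blocks[i:i + BLOCK])))
    return y


def _ctr_keystream(key, nonce, nblocks, q):
    return b"".join(block_fn(key, _counter(nonce, i, q)) for i in range(1, nblocks + 1))


def ccm_encrypt(enc_key, nonce, adata, ptext, tlen=16, q=2, mac_key=None):
    mac_key = mac_key or enc_key  # standard CCM: one key; paper's variant: two keys
    assert len(nonce) == 15 - q and len(ptext) < (1 << (8 * q))
    b0, a_enc = _format_blocks(nonce, adata, len(ptext), tlen, q)
    tag = _cbc_mac(mac_key, b0 + a_enc + _pad(ptext))[:tlen]
    s0 = block_fn(enc_key, _counter(nonce, 0, q))
    ks = _ctr_keystream(enc_key, nonce, -(-len(ptext) // BLOCK), q)
    ctext = bytes(p ^ k for p, k in zip(ptext, ks))
    return ctext + bytes(t ^ s for t, s in zip(tag, s0[:tlen]))


def ccm_decrypt(enc_key, nonce, adata, ctext_tag, tlen=16, q=2, mac_key=None):
    """Returns the plaintext, or None if the tag does not verify."""
    mac_key = mac_key or enc_key
    if len(ctext_tag) < tlen:
        return None
    ctext, enc_tag = ctext_tag[:-tlen], ctext_tag[-tlen:]
    ks = _ctr_keystream(enc_key, nonce, -(-len(ctext) // BLOCK), q)
    ptext = bytes(c ^ k for c, k in zip(ctext, ks))
    s0 = block_fn(enc_key, _counter(nonce, 0, q))
    tag = bytes(t ^ s for t, s in zip(enc_tag, s0[:tlen]))
    b0, a_enc = _format_blocks(nonce, adata, len(ptext), tlen, q)
    expected = _cbc_mac(mac_key, b0 + a_enc + _pad(ptext))[:tlen]
    if not hmac.compare_digest(tag, expected):
        return None  # reject before releasing any plaintext
    return ptext


class CcmSender:
    """Sender-side wrapper that refuses to reuse a nonce under the same key."""

    def __init__(self, enc_key, mac_key=None):
        self.enc_key, self.mac_key, self.used = enc_key, mac_key, set()

    def seal(self, nonce, adata, ptext):
        if nonce in self.used:
            raise ValueError("nonce reuse under this key is forbidden in CCM")
        self.used.add(nonce)
        return ccm_encrypt(self.enc_key, nonce, adata, ptext, mac_key=self.mac_key)


if __name__ == "__main__":
    # constructed sample values
    key, nonce = bytes(range(16)), b"\x01" * 13
    sealed = ccm_encrypt(key, nonce, b"hdr", b"constructed payload")
    print(ccm_decrypt(key, nonce, b"hdr", sealed))
    print(ccm_decrypt(key, nonce, b"hdx", sealed))  # None: associated data changed
```

Two points of the abstract are visible directly in the code: `_format_blocks` cannot build B0 without `len(ptext)`, so the MAC is bound to the message length and cannot start before the whole message is known; and `_counter` places the nonce in every counter block, so two messages sealed under the same nonce and key share their keystream, which is why `CcmSender` tracks nonces. Passing a distinct `mac_key` exercises the variant the paper analyses, with the PRF stand-in playing the role of the pseudo-random function in the counter mode.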