15.4.2 Avoiding predictability with nonces
Recall that an encryption scheme is called probabilistic if it returns different ciphertexts when the same plaintext is repeatedly encrypted. Otherwise, an attacker could tell that the same plaintext was encrypted multiple times. To prevent this, block ciphers and stream ciphers typically take an extra, non-secret but changing parameter called a nonce: a number used only once. Authenticated ciphers are no different, as they too must keep plaintext patterns from showing through in the ciphertext. Therefore, when looking at concrete incarnations of AEAD in the next section (and the next chapter), we will see that they require an additional parameter N, the nonce.
15.5 Counter with cipher block chaining message authentication code (CCM)
Counter with cipher block chaining message authentication code (CCM) is a block cipher mode of operation that provides authenticated encryption. It was designed by the American computer scientists Russ Housley and Doug L. Whiting, and Dutch cryptographer Niels Ferguson.
CCM is specified in [180] and can be used with 128-bit block ciphers such as AES. As the name suggests, CCM combines two cryptographic primitives:
- CTR mode for achieving confidentiality (see Section 14.4.5, CTR mode in Chapter 14, Block Ciphers and Their Modes of Operation)
- CBC-MAC construction to ensure message authenticity (see Section 14.4.3, CBC-MAC in Chapter 14, Block Ciphers and Their Modes of Operation)
In CCM, the two primitives CTR and CBC-MAC are used in the MAC-then-encrypt composition. In the first step, CBC-MAC is applied to compute the MAC value T for the plaintext message m. The MAC and the plaintext are then encrypted using CTR mode.
In contrast to the general case of MAC-then-encrypt composition illustrated in Figure 15.2, CCM can be used with the same shared secret key k for both encryption and message authentication without weakening the security guarantees, provided that the counter blocks used in CTR mode never collide with the initial block used in CBC-MAC. The security of this combination has been proven based on the security of the underlying block cipher [180].