Re: [Cfrg] CCM

Jakob Jonsson <jakob_jonsson@yahoo.se> Sat, 07 September 2002 13:27 UTC

Message-ID: <20020907114841.34826.qmail@web10304.mail.yahoo.com>
Date: Sat, 07 Sep 2002 13:48:41 +0200
From: Jakob Jonsson <jakob_jonsson@yahoo.se>
Subject: Re: [Cfrg] CCM
To: "Housley, Russ" <rhousley@rsasecurity.com>, David Hopwood <david.hopwood@zetnet.co.uk>
Cc: cfrg@ietf.org
In-Reply-To: <5.1.0.14.2.20020906160914.03440d10@exna07.securitydynamics.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
List-Id: Crypto Forum Research Group <cfrg.ietf.org>

Hi,

The CCM proof is available at

http://csrc.nist.gov/encryption/modes/proposedmodes/ccm/ccm-ad.pdf

via

http://csrc.nist.gov/encryption/modes/proposedmodes/

David Hopwood wrote:
> >  - the security proof depends on the fact that the nonce N is independent
> >    of any previous ciphertext. The draft only says that it must be
> >    unique. Actually, it's not sufficient that it be unique: it must
> >    also be impossible for an attacker to influence the choice of nonce.

Actually no, the security proof does not require this at all. In fact, just as
in the OCB proof, the adversary in my attack model is allowed to choose
whatever nonces she wants as long as the same nonce is not used more than once:

"... the adversary A has access to [a CCM] encryption oracle O that on input
([nonce],[header],[message]) returns a ciphertext C. [The adversary] may send
arbitrary queries to the oracle, except that the same nonce must not be used in
more than one query; such a query is immediately rejected by the oracle. Thus
we restrict our attention to /nonce-respecting/ adversaries." (Section 3.2)

The reason why we may allow the adversary to control the nonce is that the only
plaintext-ciphertext pairs the adversary is given "for free" are the ones
corresponding to the CTR encryption of the message. These pairs are tightly
associated with a specific nonce that must not be used again, which implies
that they leak only negligible information about plaintext-ciphertext pairs
associated with nonces to be used in the future.

Jakob


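The nonce-respecting oracle of Section 3.2 described above, as an added illustration that is not part of the original message or of the CCM submission: the adversary picks any nonce, header and message she likes, but a query that repeats a nonce is rejected outright. The counter blocks A_i = flags || N || i and the B_0 / CBC-MAC formatting follow the CCM specification with L = 2 and an 8-byte tag; the block cipher is a stand-in (HMAC-SHA256 truncated to 16 bytes, a constructed keyed function, not AES) so the example runs with the Python standard library only, and the key and nonces are constructed values.

```python
import hmac, hashlib
BLOCK = 16

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class CcmOracle:
    """Nonce-respecting CCM encryption oracle: input (N, header, message), output C."""
    def __init__(self, key, tag_len=8, len_field=2):
        self.key, self.M, self.L = key, tag_len, len_field
        self.used = set()  # nonces seen so far; a repeat is rejected, not answered

    def _E(self, block):
        # Stand-in for AES_K(block): HMAC-SHA256 truncated to one block (constructed, not AES)
        return hmac.new(self.key, block, hashlib.sha256).digest()[:BLOCK]

    def _ctr_block(self, nonce, i):
        # CCM counter block A_i = flags(L-1) || N || i, with i in L bytes
        return bytes([self.L - 1]) + nonce + i.to_bytes(self.L, "big")

    def _cbc_mac(self, nonce, header, msg):
        # B_0 = flags || N || l(m); flags carry the Adata bit, (M-2)/2 and L-1
        flags = (64 if header else 0) | ((self.M - 2) // 2) << 3 | (self.L - 1)
        blocks = bytes([flags]) + nonce + len(msg).to_bytes(self.L, "big")
        if header:  # 2-byte length prefix; assumes 0 < l(a) < 2^16 - 2^8
            a = len(header).to_bytes(2, "big") + header
            blocks += a + b"\0" * (-len(a) % BLOCK)
        blocks += msg + b"\0" * (-len(msg) % BLOCK)
        x = b"\0" * BLOCK
        for j in range(0, len(blocks), BLOCK):  # X_1 = E(B_0), X_{i+1} = E(X_i xor B_i)
            x = self._E(xor(x, blocks[j:j + BLOCK]))
        return x[:self.M]

    def encrypt(self, nonce, header, msg):
        if len(nonce) != 15 - self.L:
            raise ValueError("nonce must be 15 - L bytes")
        if nonce in self.used:
            raise ValueError("nonce already used: query rejected")  # nonce-respecting rule
        self.used.add(nonce)
        # CTR keystream S_1, S_2, ... is bound to this nonce; S_0 masks the tag
        ks = b"".join(self._E(self._ctr_block(nonce, i)) for i in range(1, len(msg) // BLOCK + 2))
        tag = xor(self._cbc_mac(nonce, header, msg), self._E(self._ctr_block(nonce, 0))[:self.M])
        return xor(msg, ks[:len(msg)]) + tag

def nonce_respecting_demo(key=b"constructed-key"):
    # Adversary-chosen nonces (constructed): two fresh queries are answered, the repeat is refused
    o, n1, n2 = CcmOracle(key), b"\x01" * 13, b"\x02" * 13
    c1 = o.encrypt(n1, b"hdr", b"same message")
    c2 = o.encrypt(n2, b"hdr", b"same message")
    try:
        o.encrypt(n1, b"hdr", b"another message"); rejected = False
    except ValueError:
        rejected = True
    return c1, c2, rejected
```

Even with the adversary choosing both nonces, the two ciphertexts of the same message share nothing exploitable, because the keystream blocks E(A_i) are keyed by the nonce that can never be queried again.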
_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg