3

A cryptosystem is using AES-128 in CCM mode with random IV.

Suppose an attacker capable of:

  • asking the cryptosystem to encrypt a single plaintext as many times as he wants; and
  • asking the cryptosystem if any ciphertext is valid (ie, if it decrypts to some plaintext)

The attacker knows what is the single plaintext that he can encrypt, but he cannot chose a different one to be encrypted. That plaintext is short -- around 50 bytes.

Each time, the cryptosystem will chose a random IV and use it to encrypt the plaintext, giving the attacker a different ciphertext for that single plaintext.

  1. In this threat model, can the attacker "easily" obtain the secret key?
  2. Can the attacker somehow modify the ciphertext in order to change the plaintext it will decrypt to? (he would have to be able to generate a valid MAC, since the cryptosystem correctly checks the validity of the MAC)

What about the same questions, if the attacker is able to encrypt some different plaintexts? He wouldn't be able to chose them, but he would know them. Suppose he can do it for, like, 10's of different plaintexts.

Bruno Reis
  • 323
  • 1
  • 10

1 Answers1

2

No. The attacker cannot easily recover the secret key. The attacker cannot modify the ciphertext to something that decrypts to some other plaintext. This remains true even if the attacker can encrypt an arbitrary number of chosen plaintexts.

This is known as "IND-CCA2 security" (security against adaptive chosen plaintext/ciphertext attack). CCM satisfies that notion of security. So too do other authenticated encryption schemes, like EAX, GCM, etc.

D.W.
  • 36,982
  • 13
  • 107
  • 196