
I have two questions for clarification on AE mode choice criteria.

  • GCM: it appears to be actually the most popular and widely used AE mode of operation. However, it is also well known to be highly sensitive (more than other AE modes?) to the IV uniqueness requirement and completely fails if that requirement is not respected. With regard to the planned target domain of application, I personally consider this a weakness. So shouldn't such a weakness weigh in the criteria for AE mode selection? Does GCM remain one of the most powerful AE modes despite this weakness? Isn't EAX, or OCB if it is no longer patented, a more efficient and secure choice?

  • CCM: I understood from the review of this mode that it is based on a MAC-then-Encrypt procedure (CBC-MAC then CTR). So why is such a mode always presented as a candidate AE mode if only the Encrypt-then-MAC procedure seems to be recommended by cryptography experts?

otus
william_fr

1 Answer

Regarding GCM mode and the uniqueness of the nonce, it should be noted that EAX mode and OCB mode also require unique nonces. One potential problem EAX mode has, which neither GCM nor CCM has, is that it is hard to implement it in such a way that you can guarantee that the probability of nonce collisions is zero; only that it is acceptably low. OCB mode has been revised a number of times due to attacks such as this one against one of the earliest versions of OCB mode.

Regarding the security of CCM mode, this paper provides a security proof that explains the use of a CTR-encrypted CBC-MAC, with the conjecture that it is stronger against birthday attacks, compared to an unencrypted CBC-MAC. Hence CBC-MAC-then-CTR-Encrypt is actually stronger than (naive) CTR-Encrypt-then-CBC-MAC. The security of EtA versus AtE is consequently a rather complex matter. Generally it is probably best to regard dedicated proofs for a specific mode as trumping proofs for the generic compositions. The security properties of CCM are well understood, so I doubt many security experts rule against it just because it is not EtA. A better argument against CCM is that it requires two AES operations per block, while other AE modes only require one.

Henrick Hellström
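As an added illustration of the nonce-uniqueness point discussed in the question and answer (this is example code written for this page, not code from either poster), the Go program below encrypts two messages under the same AES-128 key with the standard library's AES-GCM and AES-CTR and XORs the resulting ciphertexts. Because GCM, CCM and EAX all encrypt with a CTR keystream, repeating the nonce makes the keystream cancel and C1 XOR C2 equals P1 XOR P2, which is the "complete failure" the question refers to (with GCM a repeated nonce additionally exposes the GHASH key, so forgeries become possible, though that is not shown here). The key, nonces, IV and plaintexts are constructed sample values; the function names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

// xorBytes returns a XOR b, truncated to the shorter input.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// gcmSeal returns AES-GCM ciphertext||tag for pt under key and nonce (no AAD).
func gcmSeal(key, nonce, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, pt, nil), nil
}

// GCMCiphertextXOR encrypts p1 and p2 under the same key with nonces n1 and n2,
// strips the 16-byte tags and returns C1 XOR C2 over the ciphertext bodies.
// When n1 == n2 the CTR keystream cancels and the result is exactly P1 XOR P2.
func GCMCiphertextXOR(key, n1, n2, p1, p2 []byte) ([]byte, error) {
	c1, err := gcmSeal(key, n1, p1)
	if err != nil {
		return nil, err
	}
	c2, err := gcmSeal(key, n2, p2)
	if err != nil {
		return nil, err
	}
	return xorBytes(c1[:len(p1)], c2[:len(p2)]), nil
}

// CTRCiphertextXOR does the same with bare AES-CTR, the encryption layer that
// CCM and EAX also use: a repeated IV leaks P1 XOR P2 in exactly the same way.
func CTRCiphertextXOR(key, iv1, iv2, p1, p2 []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	c1 := make([]byte, len(p1))
	cipher.NewCTR(block, iv1).XORKeyStream(c1, p1)
	c2 := make([]byte, len(p2))
	cipher.NewCTR(block, iv2).XORKeyStream(c2, p2)
	return xorBytes(c1, c2), nil
}

func main() {
	// Constructed sample inputs, not taken from the page.
	key := []byte("0123456789abcdef") // 16-byte AES-128 key
	nonce := []byte("unique-nonce")   // 12-byte GCM nonce
	iv := []byte("fixed-iv-16bytes")  // 16-byte CTR IV
	p1 := []byte("attack at dawn!!")
	p2 := []byte("retreat at dusk!")

	reused, _ := GCMCiphertextXOR(key, nonce, nonce, p1, p2)
	fresh, _ := GCMCiphertextXOR(key, nonce, []byte("other-nonce!"), p1, p2)
	ctr, _ := CTRCiphertextXOR(key, iv, iv, p1, p2)

	fmt.Println("P1 xor P2       :", hex.EncodeToString(xorBytes(p1, p2)))
	fmt.Println("GCM, same nonce :", hex.EncodeToString(reused)) // equals P1 xor P2
	fmt.Println("GCM, new nonce  :", hex.EncodeToString(fresh))  // unrelated to P1 xor P2
	fmt.Println("CTR, same IV    :", hex.EncodeToString(ctr))    // equals P1 xor P2
}
```

The "GCM, same nonce" and "CTR, same IV" lines print the same bytes as "P1 xor P2", while the fresh-nonce line does not; a counter or other construction that provably never repeats per key is therefore part of the mode choice, not an afterthought, for every one of the CTR-based AE modes under discussion.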