
CCM mode refers to CTR+ CBC-MAC encryption mode.

Based on this paper, the adversary's advantages against the authenticity of CCM is:

Eq(1) A

Authenticity: it should be infeasible for an adversary to forge a valid ciphertext without knowing the secret key.

and the adversary's advantage against the privacy of CCM is:

Eq(2) B

Privacy: It should be infeasible for an adversary to derive any information from the ciphertexts without knowing the secret key.

I'm confused about "derive any information from the ciphertexts" in the definition of privacy shown above. Does it mean that if privacy is broken, the adversary is able to derive plaintext information from the ciphertext? If so, complete information about the plaintext or only partial information about the plaintext? But I also feel that Eq(2) describes the adversary's ability to differentiate the ciphertext of CCM from a random bitstring, so we are not able to know the plaintext even if privacy is broken.

My second question is about the authenticity. Will breaking the authenticity lead to leakage of plaintext? In other words, if we want to prove the privacy of the plaintext, do we need to consider the case that the authenticity is broken?

Thank you in advance.

Note: Adv_E^prp(B) is the adversary's advantage on pseudo random permutation (prp).

Chandler

1 Answer


The intended meaning of the definition of privacy is

Privacy: It should be infeasible for an adversary to derive from the ciphertexts any information about the corresponding plaintexts, except their length, without knowing the secret key.

That prohibits an adversary from finding even partial information about the plaintexts (e.g. whether they are identical for several ciphertexts, or whether a plaintext contains repeated bytes), again except their length.

If we want to prove the privacy of the plaintext, do we need to consider the case that the authenticity is broken?

That depends on the model under which we want to prove privacy. Under Known Plaintext Attack (and ciphertext-only attack), no. Under the Chosen Plaintext Attack model (which is highly desirable for a modern encryption mode, and applicable to CCM), yes. That's because the attack model assumes an adversary can choose any plaintext and obtain it encrypted, including whatever makes that ciphertext valid and pass an integrity check on the receiver side. CPA security of authenticated encryption requires that privacy remains even if the conditions of use of the cipher are such that authenticity cannot be ensured.

fgrieu
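As an added illustration of what the privacy advantage in Eq(2) measures (this is not code from the question, the answer, or the CCM paper): the experiment below lets an adversary query an encryption oracle and guess whether it sees real ciphertexts or random strings of the same length. HMAC-SHA256 stands in for the block cipher and the scheme is merely CCM-shaped (CTR-style encryption plus a tag), not CCM itself; the "ignoring nonce" variant shows how leaking only the partial fact "these two plaintexts are identical" already gives the adversary advantage 1.

```python
import hmac
import hashlib
import os

TAG_LEN = 16

def prf(key: bytes, msg: bytes) -> bytes:
    """Keyed pseudorandom function; HMAC-SHA256 stands in for a block cipher."""
    return hmac.new(key, msg, hashlib.sha256).digest()

def encrypt(key: bytes, nonce: bytes, pt: bytes) -> bytes:
    """Nonce-based CTR-style encryption plus a MAC tag (CCM-like shape, not CCM)."""
    ks = b"".join(prf(key, b"ctr" + nonce + i.to_bytes(4, "big"))
                  for i in range((len(pt) + 31) // 32))
    ct = bytes(p ^ k for p, k in zip(pt, ks))
    return ct + prf(key, b"mac" + nonce + ct)[:TAG_LEN]

def encrypt_ignoring_nonce(key: bytes, nonce: bytes, pt: bytes) -> bytes:
    """Broken variant: fixed nonce, so equal plaintexts give equal ciphertexts."""
    return encrypt(key, bytes(12), pt)

def repeat_adversary(oracle) -> int:
    """Asks for the same plaintext under two distinct nonces and guesses
    'real scheme' (1) exactly when the two ciphertexts coincide."""
    pt = b"same plaintext, two nonces"   # constructed sample input
    c1 = oracle(b"\x01" * 12, pt)
    c2 = oracle(b"\x02" * 12, pt)
    return 1 if c1 == c2 else 0

def ind_dollar_advantage(enc, adversary, trials: int = 50) -> float:
    """Estimate Pr[A=1 | real ciphertexts] - Pr[A=1 | random strings of the
    same length]: the adversary's advantage at telling enc's output from
    random bits (the quantity Eq(2) bounds for CCM)."""
    hits = {True: 0, False: 0}
    for real in (True, False):
        for _ in range(trials):
            key = os.urandom(32)
            def oracle(nonce, pt, key=key, real=real):
                if real:
                    return enc(key, nonce, pt)
                return os.urandom(len(pt) + TAG_LEN)   # same length as a real ciphertext
            hits[real] += adversary(oracle)
    return (hits[True] - hits[False]) / trials
```

Against the nonce-based scheme the adversary's advantage is 0 (both worlds return distinct strings), while against the nonce-ignoring variant it is 1, even though the adversary never learns a single plaintext byte.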