Score:0

How to understand the "Authenticity" and "Privacy" of CCM-mode encryption scheme?


CCM mode refers to the CTR + CBC-MAC encryption mode.

Based on this paper, the adversary's advantages against the authenticity of CCM is:

Eq(1) A

Authenticity: it should be infeasible for an adversary to forge a valid ciphertext without knowing the secret key.

and the adversary's advantage against the privacy of CCM is:

Eq(2) B

Privacy: It should be infeasible for an adversary to derive any information from the ciphertexts without knowing the secret key.

I'm confused about "derive any information from the ciphertexts" in the definition of privacy shown above. Does it mean that if privacy is broken, the adversary is able to derive plaintext information from the ciphertext? If so, complete information about the plaintext or only partial information about the plaintext? But I also feel that Eq(2) describes the adversary's ability to differentiate ciphertext of CCM from a random bitstring, so we are not able to know the plaintext even if privacy is broken.

My second question is about the authenticity. Will breaking the authenticity lead to leakage of plaintext? In other words, if we want to prove the privacy of the plaintext, do we need to consider the case that the authenticity is broken?

Thank you in advance.

Note: Adv_E^prp(B) is the adversary's advantage on pseudo random permutation (prp).

Score:1

The intended meaning of the definition of privacy is

Privacy: It should be infeasible for an adversary to derive from the ciphertexts any information about the corresponding plaintexts, except their length, without knowing the secret key.

That forbids an adversary from finding even partial information about the plaintexts (e.g. whether they are identical for several ciphertexts, or whether a plaintext contains repeated bytes), again except their length.

If we want to prove the privacy of the plaintext, do we need to consider the case that the authenticity is broken?

That depends on the model under which we want to prove privacy. Under Known Plaintext Attack (and ciphertext-only attack), no. Under the Chosen Plaintext Attack model (which is highly desirable for a modern encryption mode, and applicable to CCM), yes. That's because the attack model assumes an adversary can choose any plaintext and obtain it encrypted, including whatever makes that ciphertext valid and pass an integrity check on the receiver side. CPA security of authenticated encryption requires that privacy remains even if the conditions of use of the cipher are such that authenticity cannot be ensured.

Chandler:
Hi, thank you. I just don't understand: if the attacker can successfully guess a ciphertext without knowing the key (i.e., break the authenticity), he cannot know anything about the plaintext, so doesn't it mean the privacy can still hold even if the authenticity is broken? So back to my question, it seems that to prove the privacy of the plaintext we don't need to consider the case of broken authenticity. I'm not sure if I am correct...
fgrieu:
@Chandler. Yes, "privacy can still hold even if the authenticity is broken", and there are many examples of would-be authenticated encryption that fail this way, either under ciphertext-only attack, or under known-plaintext attack. About: "it seems to prove the privacy of the plaintext we don't need to consider the case of broken authenticity": the chosen-plaintext attack assumes adversaries can submit plaintext of their choice for encryption and get the ciphertext. That's assuming broken authenticity, not due to the cryptosystem, but due to how it's used. I'll clarify what I meant.
Chandler:
Thanks. I got this question when I was doing a game-based security proof for a key-exchange protocol which utilizes CCM as the block cipher. It confuses me a lot whether to include the authenticity advantage or the privacy advantage of CCM when calculating the adversary's advantage in differentiating the session key from a random number. If "privacy can hold even if the authenticity is broken", it seems I only need to include the privacy advantage in this security proof. CPA aims to find information about the key, but in my proof the probability of guessing the key has already been excluded by previous games.
fgrieu:
"In a key-exchange protocol which utilizes CCM as the (authenticated, not _block_) cipher (should we) include the authenticity advantage or privacy advantage of CCM when calculating the adversary's advantage on differentiating the session key from random number" is a different question from the one currently asked. The current answer is of little help for this Q. It might depend on the game used to test the protocol, and I can imagine protocols that require an authenticated cipher rather than just a cipher.
Chandler:
Yes, you are right. I'm using an authenticated cipher for both authenticity and confidentiality. If you are familiar with game-based security proofs, is it possible to provide me some materials (papers, videos, blogs...) about game-based proofs? I have already studied Victor Shoup's tutorial (https://www.shoup.net/papers/games.pdf) and some related papers about key-exchange proofs, but I am still confused about many details. Thank you very much.
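The two games the answer and its comments talk about, as an added example that is not part of the original question, answer or the cited paper: a privacy game in which the adversary chooses plaintexts and must tell real ciphertexts from uniformly random strings of the same length, and an authenticity game in which it must get the receiver to accept a ciphertext the encryption oracle never produced. Both are played against a CCM-like CTR + CBC-MAC scheme and against CTR mode alone. Assumptions made for this example only: the block function E_K is HMAC-SHA256 truncated to 16 bytes instead of AES (so the script needs only the Python standard library), the CBC-MAC framing is a simplified nonce || length || message rather than CCM's exact B_0 formatting, key and nonce sizes are 32 and 12 bytes, and the plaintexts are constructed sample inputs.

```python
import hashlib, hmac, secrets

BLOCK = 16      # block size in bytes (assumed; matches AES)
NONCE_LEN = 12  # nonce size in bytes (assumed)

def block_fn(key: bytes, x: bytes) -> bytes:
    # Stand-in for the keyed block function E_K: HMAC-SHA256 truncated to one
    # block, used instead of AES only so this runs on the standard library.
    return hmac.new(key, x, hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # CTR keystream: E_K(nonce || counter) for counter = 0, 1, 2, ...
    blocks = (block_fn(key, nonce + i.to_bytes(4, "big")) for i in range(-(-n // BLOCK)))
    return b"".join(blocks)[:n]

def cbc_mac(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    # CBC-MAC over nonce || len(msg) || msg, zero-padded (simplified framing, not CCM's B_0)
    data = nonce + len(msg).to_bytes(4, "big") + msg
    data += bytes(-len(data) % BLOCK)
    state = bytes(BLOCK)
    for i in range(0, len(data), BLOCK):
        state = block_fn(key, xor(state, data[i:i + BLOCK]))
    return state

# Scheme 1: CTR alone. Private with fresh nonces, but the receiver accepts
# every ciphertext, so authenticity is trivially broken.
def ctr_encrypt(key, nonce, msg):
    return xor(msg, keystream(key, nonce, len(msg)))
def ctr_decrypt(key, nonce, ct):
    return xor(ct, keystream(key, nonce, len(ct)))  # never rejects

# Scheme 2: CCM-like CTR + CBC-MAC. Tag under counter block 0, message under blocks 1, 2, ...
def ccm_encrypt(key, nonce, msg):
    ks = keystream(key, nonce, BLOCK + len(msg))
    return xor(msg, ks[BLOCK:]) + xor(cbc_mac(key, nonce, msg), ks[:BLOCK])

def ccm_decrypt(key, nonce, ct):
    if len(ct) < BLOCK:
        return None
    ks = keystream(key, nonce, len(ct))
    msg, tag = xor(ct[:-BLOCK], ks[BLOCK:]), xor(ct[-BLOCK:], ks[:BLOCK])
    if not hmac.compare_digest(tag, cbc_mac(key, nonce, msg)):
        return None  # tag mismatch: the ciphertext is not authentic
    return msg

CTR_ONLY = (ctr_encrypt, ctr_decrypt, 0)      # (encrypt, decrypt, ciphertext expansion)
CCM_LIKE = (ccm_encrypt, ccm_decrypt, BLOCK)

class PrivacyOracle:
    # IND$-CPA game: the adversary submits plaintexts of its choice and gets E_K(N, m) in the
    # real world, or uniform bits of the same length in the ideal world (only length may leak).
    def __init__(self, scheme, real, reuse_nonce=False):
        self.enc, _, self.expansion = scheme
        self.key, self.real = secrets.token_bytes(32), real
        self.fixed = secrets.token_bytes(NONCE_LEN) if reuse_nonce else None
    def encrypt(self, m):
        nonce = self.fixed or secrets.token_bytes(NONCE_LEN)
        if self.real:
            return nonce, self.enc(self.key, nonce, m)
        return nonce, secrets.token_bytes(len(m) + self.expansion)

def equality_distinguisher(oracle) -> bool:
    # Guess "real" iff the same plaintext encrypts to the same ciphertext twice:
    # plaintext equality is exactly the partial leak the answer names.
    _, c1 = oracle.encrypt(b"same message")
    _, c2 = oracle.encrypt(b"same message")
    return c1 == c2

def privacy_advantage(scheme, reuse_nonce=False, trials=20) -> float:
    # Pr[guess "real" | real world] - Pr[guess "real" | ideal world]
    def rate(real):
        return sum(equality_distinguisher(PrivacyOracle(scheme, real, reuse_nonce))
                   for _ in range(trials)) / trials
    return rate(True) - rate(False)

class AuthOracle:
    # INT-CTXT game: the adversary may request encryptions of chosen plaintexts
    # and wins if the receiver accepts a (nonce, ct) pair the oracle never returned.
    def __init__(self, scheme):
        self.enc, self.dec, _ = scheme
        self.key, self.seen = secrets.token_bytes(32), set()
    def encrypt(self, m):
        nonce = secrets.token_bytes(NONCE_LEN)
        ct = self.enc(self.key, nonce, m)
        self.seen.add((nonce, ct))
        return nonce, ct
    def forge(self, nonce, ct) -> bool:
        return (nonce, ct) not in self.seen and self.dec(self.key, nonce, ct) is not None

def bitflip_forgery(scheme) -> bool:
    # Forger: take one ciphertext, flip one bit, resubmit. Winning reveals nothing
    # about the key or the plaintext: authenticity fails while privacy holds.
    oracle = AuthOracle(scheme)
    nonce, ct = oracle.encrypt(b"transfer 100 to account 7")
    return oracle.forge(nonce, bytes([ct[0] ^ 0x01]) + ct[1:])
```

Running `bitflip_forgery(CTR_ONLY)` returns True and `bitflip_forgery(CCM_LIKE)` returns False: the bare CTR receiver accepts the flipped ciphertext, the CBC-MAC check rejects it, and in neither case does the forger learn the key or the plaintext, which is the separation the comments discuss. `privacy_advantage(scheme)` is 0.0 for both schemes with fresh nonces, but 1.0 for both once a nonce is reused, because the equality of two ciphertexts is partial information about the plaintexts that a random string never shows. That is the "conditions of use" caveat in the answer: the privacy bound of Eq(2) only applies when the nonce discipline CCM requires is respected.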