Forgery on Stateless Cmcc with a Single Query

We present attacks against CMCC that invalidate the claimed security of integrity protection and misuse resistance. We exploit the fact zeropadding is used on both the message and authenticated data and demonstrate how one may generate a forgery with a single call to the encryption oracle. From this we calculate the ciphertext of the chosen message, yielding a forgery and so breaking INT-CTXT. In the nonce-reuse setting, existence of a forgery leads directly to a 2-query distinguisher. 1. Description of Stateless CMCC CBC-Mac-Counter-CBC[5] (henceforth CMCC) is a CAESAR[1] submission, and comes in both stateful and stateless forms. In this note we consider the stateless version, which is the recommended con guration, and demonstrate a weakness in the mode of operation itself. As such, our attacks holds across all stateless parameter sets, irrespective of the choice of primitives. 1.1. Notation. Following the original paper, let B be the blocksize in bits,τ the number of authenticity bits and N a Public Message Number which must be a nonce, with recommended values (B, τ, |N |) = (128, 64, 32). No secret message number is used in the stateless version. Let ⊕ and || denote respectively the xor and concatenation of two strings. Constant bytes are provided in hexadecimal and typeset in typewriter font (eg 0xB6). Finally, 0 is the string of α zero bits. Whilst all lengths will be given in bits, as per submission requirements[1] they shall all be exact number of bytes, and thus multiples of 8. Where appropriate, EK represents an encryption oracle, whilst CMCCK is the CMCC encryption function under key K. 1.2. Components. For clarity of notation, we will describe CMCC in terms of the following well known components, each instantiated with an appropriate blockcipher (for which the recommendation is aes): • Let Padb(M) be the function that returns bitstring M padded up to b bits by appending su ciently many zero bits. • Let MSBb(M) be the Most Signi cant Bits function, returning bitstring M truncated to the rst b bits. • Let Ek(m) be the encryption of a single block m with key k using the block cipher. • Let CBCk (M) be the cipher block chaining mode[3] encryption of message M under key k and initial value N . • Let MACk (M) be an unforgable MAC on message M under key k and with initial value N . The recommended instantiation is AES-CMAC[4].