Paper 2013/269

CMCC: Misuse Resistant Authenticated Encryption with Minimal Ciphertext Expansion

Jonathan Trostle

Abstract

In some wireless environments, minimizing the size of messages is paramount due to the resulting significant energy savings. We present CCS which is a new family of tweakable enciphering schemes (TES). The main focus for this work is minimizing ciphertext expansion, especially for short messages including plaintext lengths less than the underlying block cipher length (e.g., 16 bytes). CMCC is an instantiation of the scheme providing authenticated encryption with associated data (AEAD), that is also nonce misuse resistant, and it leverages existing modes such as CBC, Counter, and CMAC. Our work can be viewed as extending the line of work starting with [HR03] to plaintext sizes smaller than the block cipher block length which is a problem posed in [Hal04]. For many existing AEAD schemes, a successful forgery leads directly to a loss of confidentiality. For CMCC, changes to the ciphertext randomize the resulting plaintext, thus forgeries do not result in a loss of confidentiality which allows us to reduce the length of the authentication tag. For protocols that send short messages, our scheme is similar to Counter with CBC-MAC (CCM) for computational overhead but has much smaller expansion. We prove CCA2 security and misuse resistant authenticated encryption (MRAE) security for different variants of CMCC. Our contributions include both stateless and stateful versions which enable minimal sized message numbers using different network related trade-offs.

Note: Revised version.