CMCC: Misuse Resistant Authenticated Encryption with Minimal Ciphertext Expansion

In some wireless environments, minimizing the size of messages is paramount due to the resulting signiﬁcant energy savings. We present CCS which is a new family of tweakable en-ciphering schemes (TES). The main focus for this work is minimizing ciphertext expansion, especially for short messages including plaintext lengths less than the underlying block cipher length (e.g., 16 bytes). CMCC is an instantiation of the scheme providing authenticated encryption with associated data (AEAD), that is also nonce misuse resistant, and it leverages existing modes such as CBC, Counter, and CMAC. Our work can be viewed as extending the line of work starting with [HR03] to plaintext sizes smaller than the block cipher block length which is a problem posed in [Hal04]. For many existing AEAD schemes, a successful forgery leads directly to a loss of conﬁdentiality. For CMCC, changes to the ciphertext randomize the resulting plaintext, thus forgeries do not result in a loss of conﬁdentiality which allows us to reduce the length of the authentication tag. For protocols that send short messages, our scheme is similar to Counter with CBC-MAC (CCM) for computational overhead but has much smaller expansion. We prove CCA2 security and misuse resistant authenticated encryption (MRAE) security for diﬀerent variants of CMCC. Our contributions include both stateless and stateful versions which enable minimal sized message numbers using diﬀerent network related trade-oﬀs.


Introduction
The current paradigm of providing confidentiality and integrity protection for distributed applications through the use of encryption combined with MAC's (Message Authentication Codes) is reasonably efficient for many environments.In particular, for network message sizes that range from several hundred bytes or more, having MAC's that utilize 8-20 bytes is not unduly inefficient.For resource constrained environments, where message lengths are often less than one-hundred bytes, existing MAC's impose a more significant overhead.Since it requires more energy to send longer messages, it is important to reduce message sizes in protocols used by wireless devices.This need becomes even more critical for low bandwidth networks.
A key reason that MAC's need to be long is that the most popular symmetric block cipher modes can be predictively modified by an attacker.Counter mode (CTR) can be modified by flipping bits so the attacker can precisely control the changes to the message.Cipher Block Chaining (CBC) can be modified such that changes to one block are predictable while the preceding block is randomized (see [Bellovin] for attacks that utilize this property).Also, the most common schemes for CCA (Chosen Ciphertext Attack) security  utilize a CPA (Chosen Plaintext Attack) encryption scheme combined with a MAC (Message Authentication Code) [DolvDwkNaor].
In this paper we present a new symmetric encryption scheme, Chosen Ciphertext Secure (CCS), that utilizes a pseudorandom function (PRF) (e.g., AES but other choices are possible).Our construction uses multiple invocations of the PRF so that any modifications to ciphertext result in a randomized plaintext.We will show that this property implies that our scheme has CCA2 security.CCS is a tweakable enciphering scheme (TES) [16,HR03].We obtain CCA2 security with a small concrete security bound using only 2-3 bytes of ciphertext expansion. 1e will make use of variable length input pseudorandom functions f i that have a fixed length output size.In order to better understand the intuition behind our scheme, consider the case where the plaintext is the concatenation of the strings P 1 and P 2 where each string's length equals the pseudorandom function output size (e.g., 16 bytes in the case of AES).Our encryption scheme is: where the ciphertext is X 1 , X 2 , and M is a public message number (or the tweak [16]).For maximum security, M is unique, with high probability, for each message encrypted under a given key K. Then if the adversary flips some bits in X 1 , the corresponding bits in X are flipped during decryption, and this produces random changes to P 1 during decryption (see 2nd equation).The first equation is then applied which results in random changes to P 2 .A similar argument applies if we flip one or more bits in X 2 .Since changes to any bits in the ciphertext result in random changes to the plaintext, it follows that the decryption oracle in the CCA2 security experiment (or inverse permutation in the definition of TES security) has limited usefulness to the adversary.
For longer messages, the plaintext P is split into the equal length substrings P 1 , . . ., P k , (the lengths may differ by one byte if necessary) and we have: where the resulting ciphertext is X 1 , . . ., X k .
A common scenario is one where some packet loss and/or packet reordering may occur so that the communication peers aren't fully synchronized.We present two versions of our scheme with different trade-offs to handle loss of synchronization.The stateless version uses a public message number and its size is constrained thus limiting the number of messages that can be encrypted under a single key while avoiding resuse of the message numbers.The stateful version uses a private message number which is encrypted and the last few bytes of the resulting encryption are sent with the ciphertext.This mechanism enforces a different trade-off; the limit here is on the maximum amount of disorder between encryption order and decryption order.It also hides the number of messages previously sent.If the communication peers are synchronized, then CCS requires no additional overhead for message numbers.
The k = 2 construction above can also be applied to longer messages (see Section 3.3).We describe a particular instantiation of CCS: CBC-MAC-CTR-CBC (CMCC) mode.CMCC is a general purpose authenticated encryption mode [BellrNamp].We apply CBC encryption in the first equation above (and replace f 2 with f 3 ), use a MAC followed by a CTR mode variant in the 2nd equation, and CBC encryption again in the 3rd equation.We prove that CMCC is misuse resistant [RogwyShrmptn]: encryptions using the same message number, plaintext, and associated data are identifiable to the adversary as such, but security is preserved if the same message number is reused where either the plaintext or associated data is distinct.Since changes to the ciphertext randomize the resulting plaintext, with high probability, we achieve authentication by appending a string consisting of τ bits set to zero to the plaintext prior to encryption.We also consider the case where the authentication string is the MAC of the plaintext and associated data: CMCC with MAC or CWM.For CWM, we obtain stronger security bounds.Relative to SIV [RogwyShrmptn], CMCC has smaller ciphertext expansion.

Definitions for Authenticated Encryption
We give motivation for our definition of authenticated encryption.
Consider OCB or a counter mode variant (e.g., GCM) with a 4 byte authentication tag.Then for the CCA2 security game, submit the message (plaintext) with all 1's and also the message with all 0's.The adversary obtains a ciphertext response corresponding to one of the plaintexts.Then randomly flip bits in this ciphertext for each new ciphertext query and attach a random authentication tag.Then the probability of winning is q(2 −32 ).The reason is that this bound is the probability that one of the submitted ciphertexts is valid.If it's valid then we get the plaintext back which shows us the bits that we flipped.And if the flipped bits are zero, then the original message had all 1's and vice versa.Now compare this to CMCC with a 4 byte zero bit authentication string.Then our CCA2 security bound is approximately q(2 −64 ) for a 12 byte message.Thus CMCC has much stronger CCA2 security given a short authentication tag.If we run the same attack against CMCC as in the preceding paragraph, then the probability of a valid ciphertext is approximately the same.But the corresponding plaintext would be randomized with high probability and thus would give us no information about the challenge plaintext.For a 2 byte authentication tag, the numbers would be q(2 −16 ) and q(2 −56 ).
The MRAE-AE definition in [RogwyShrmptn] does not distinguish between the security levels in the two cases above, but the PRI (Pseudo Random Injection) definition in [RogwyShrmptn] does distinguish them.
This distinction becomes more important given short authentication tags; in particular, classifying a forgery as a a complete loss of security is not always appropriate.Depending on the application, a single forgery may not be enough to disrupt the application (e.g., VoIP), and depending on the encryption scheme, it may be detectable during higher layer protocol checks.Our security definition should be general enough to handle the case of a zero length authentication string where changes to the ciphertext randomize the resulting plaintext so that the upper layer protocol checks detect and reject the message.(None of our security bounds include any factor related to upper layer protocol checks.) Our definition gives the Adversary encryption and decryption oracles (real world) vs. a random injection function and its inverse and asks the Adversary to distinguish between the two (see Section 2).This definition is the same as the PRI definition in [RogwyShrmptn].

Applications
For constructing a secure channel (with both confidentiality and authentication) using our encryption scheme, it follows that we can shorten or eliminate our MAC tag since the adversary cannot make a predictable change to the encrypted message, as in many counter-mode based schemes.
(These other schemes depend on the MAC to detect such a change).With our scheme, a change to the packet is highly likely to cause the packet to be rejected due to a failure to satisfy application protocol checks.Another possibility (e.g., Voice over IP (VoIP)) is that the randomized packet will have a minimal effect.With only a small probability can the adversary achieve a successful integrity attack.Since network transmission and reception incurs significant energy utilization, it follows that we can expect to achieve significant energy savings.Our analytical results for wireless sensor networks show that energy utilization is proportional to packet length, and that the cryptographic computational processing impact on energy use is minor.
If we consider VoIP, a 20 byte payload is common.The transport and network layer headers (IP, UDP, and RTP) bring another 40 bytes, but compression [cRTP, Bormann] is used to reduce these fields down to 2-4 bytes.The link layer headers add another 6 bytes.Thus the total packet size is 30 bytes, assuming the UDP checksum of 2 bytes is included.In this case, by omitting the recommended 10 byte authentication tag and using CMCC with 2 bytes of expansion, we obtain a 1/5 savings in message size and corresponding savings in energy utilization.(Actually, the savings is larger since encryption schemes send randomness (e.g., an IV) as well.For example, CCM [WhitHousFerg] sends a 13 byte nonce with each message.)Furthermore if the encryption boundary is just after the CID field (which is used to identify the full headers), then the UDP checksum is encrypted and acts as a 2 byte authentication tag.Even if the adversary was lucky enough to obtain the correct checksum, the resulting Voice payload would be noise, with high probability.
Wireless sensor networks also use short packets [VuranAkyldz] to maximize resource utilization; these packets are often in the range of 10-30 bytes.For the adversary, large numbers of queries are likely to be either impossible or highly anomalous in these constrained low bandwidth networks.

Our Contributions
Our contributions are as follows: 1. We give a new family of private key encryption schemes with minimal ciphertext expansion.
We obtain CCA2 security with a small concrete security bound using only 2-3 bytes of ciphertext expansion, for a full range of message sizes.Our work can be viewed as extending the line of work starting with [HR03] to plaintext sizes smaller than the block cipher block length.Halevi posed this problem in [Hal04].When message numbers are not reused for CMCC, we obtain a security bound which is dominated by q/β where β is the minimum of the block length and half the length of the plaintext plus the length of the authentication tag for the challenge ciphertext (here we allow a zero length authentication tag).When message numbers are not reused and we include an authentication tag with τ bits, then we obtain a bound dominated by 1/β if invalid queries result in session termination, q/β if invalid queries do not result in session termination, q/(2 τ β) if the authentication tag is computed using a keyed MAC algorithm (CWM) but invalid queries are allowed and 2 −τ /β for CWM where invalid queries result in session termination.
2. We instantiate the CCS construction with a new block cipher mode: CMCC.CMCC is a general purpose misuse resistant authenticated encryption mode.We define security for misuse resistant authenticated encryption and prove a security bound for CMCC.CMCC has less ciphertext expansion than SIV [RogwyShrmptn].
3. We give both stateless and stateful versions of our schemes where we minimize message number sizes in both versions.As discussed above, each version enables a different trade-off based on the network and application parameters.
4. We give a rough comparison for CPU overhead, network overhead, and energy consumption between CCM and CMCC, where energy is based on a wireless sensor node, the Mica2Dots platform.Here we assume an 8 byte authentication tag for CCM and a 2 byte authentication string for CMCC.This gives a comparable level of CCA2 security for plaintexts in the 12-16 byte range (see Remark above).Authentication security is increased beyond 2 bytes for CMCC given the higher layer protocol checks.The exact strength is dependent on the specific protocols including the application layer.For some protocols, a 2 byte authentication string would not be sufficient for authentication and would have to be increased in length.On the other hand, a protocol such as VoIP has application layer checks and a randomized voice packet will not constitute a successful attack.Thus a 2 byte authentication string for CMCC may be sufficient for an application such as VoIP.

Related Work
There was originally work in the IETF IPsec Working Group on a confidentiality-only mode; the original version of ESP provided confidentiality without integrity protection [Atknsn].However, [Bellovin] showed that CBC and stream-cipher like constructions were vulnerable to attacks that could be prevented by adding a MAC.Given a message with redundancy, the idea that authenticity can be obtained by enciphering it with a strong pseudorandom permutation goes back to [RogwyBellr].The authors formally prove a bound on adversary advantage against authenticity which requires that the probability that an arbitrary string decodes to a valid message is low.In [AnBellr], the authors show that public redundancy is not always sufficient and that private (keyed) redundancy leads to stronger authentication properties.Struik [Struik] presented application requirements and constraints, independently of this work at roughly the same time this work was started.
In [Desai], Desai gives CCA-secure symmetric encryption algorithms that don't use a MAC and don't provide explicit integrity protection outside of the CCA-security.CMCC shares this CCAsecurity without a MAC property.The most efficient one is UFE which utilizes variable length pseudorandom functions.Its ciphertext expansion is |r| bits where r is a uniform random value; security can be compromised if the same r is used for multiple messages.Since r is uniform random, collisions are likely after 2 |r|/2 messages.The UFE security bound is q(q + 1)/2 |r| .If the adversary can make 2 20 queries, then Theorem 4.1 gives a security bound around 2 −60 for CMCC, given a 20 byte message.UFE would require a 13 byte ciphertext expansion to assure the same security level.
Rogaway and Shrimpton introduced misuse resistant authenticated encryption (MRAE) in the seminal paper [RogwyShrmptn], where they present the MRAE schemes SIV and PTE.SIV includes a MRAE scheme where the expansion includes the block cipher block size (e.g., 16 byte) IV plus the nonce.Thus CMCC is a MRAE scheme with smaller expansion (which is important for short messages), and comparable security for applications that require less than a 16 byte MAC.Some applications can utilize a 4 byte or smaller MAC and meet security requirements.The RFC 5297 specification of SIV has the same number of block cipher invocations as CCM.Our security definition is the same as the PRI security definition in [RogwyShrmptn].
CMCC uses the same authentication construction as PTE.However, the TES that [RogwyShrmptn] recommends for PTE is not capable of encrypting messages with less than the block size of the underlying block cipher.
Collisions in the IV [RogwyShrmptn] (or random message number in [Desai]) will result in loss of privacy for the affected messages.Thus security is increased if the IV is long (e.g., 16 bytes for SIV).In other words, decreasing ciphertext expansion results in less security.Security for our scheme increases as message length grows, so privacy is stronger when ciphertext expansion is minimal, given message lengths between 10 and 32 bytes.The parameter X in our scheme is similar to the σ parameter in [Desai] and to the IV in [RogwyShrmptn].These last two parameters create ciphertext expansion whereas X does not.Our scheme is targeted at environments where minimizing ciphertext expansion is valuable.
CMC [HR03] is the first of the tweakable enciphering schemes (TES), originally motivated by the problem of disk encryption.CMC sandwiches a masking layer (involving xor and a pass over the message blocks) in between two encryption layers.CMC plaintexts must be a multiple of the block cipher length.EME [HR04] and EME * [Hal04] are improved schemes with the latter able to encrypt any length equal or longer than the block length.Halevi [Hal04] poses the open problem of encrypting short plaintexts with lengths less than the block length.
Naor and Reingold [NR] initiated another approach for constructing a TES: hash-ECB-hash.The schemes here include PEP [CS06b], TET [Hal07], HEH [Sarkar], iHCTR and HOH [Sarkar].The hashing layers use finite field multiplications so they obtain a performance advantage over the earlier schemes when finite field operations become significantly faster than block cipher operations.A third approach, hash-CTR-hash, is embodied in HCTR [WFW05] and HCH [CS06a].Shrimpton and Terashima [ShrmptnTrshm] use a 3 round unbalanced Feistel network approach to obtain schemes TCT1 and TCT2 where the latter has BBB (Beyond Birthday Bound) security for longer messages (messages of length ≥ 2n where the underlying blockcipher has length n.Both schemes are STPRP's (Strong Tweakable PRP's, e.g., the adversary may reuse tweaks.) Since our scheme uses encryption only in the forward direction combined with xor, our construction is able to handle messages of varying lengths including lengths shorter than the underlying block length which is an advantage over CMC and the above schemes.The stateful version of our scheme includes the integration of a minimal sized message number that enables the number of messages previously sent to be hidden.We also require one less block cipher invocation then CMC and EME*.The EME ciphers are more parallelizable.
There is additional work in the area of small domain encryption including [Ristpt].

Organization
In Section 2, we give basic cryptographic definitions.In Section 3, we present our tweakable enciphering scheme CCS; we also give the CMCC instantiation including the authenticated encryption scheme with minimal ciphertext expansion.Section 4 gives the proof that CMCC has CCA2 security and provides misuse resistant authenticated encryption.Section 5 gives our performance analysis and results, including a comparison of energy utilization between CMCC and CCM, for wireless sensor nodes.In Section 6 we draw conclusions.

Pseudorandomness
The concatenation of two strings S and T is denoted by S||T, or S, T where there is no danger of confusion.
We write w ← W to denote selecting an element w from the set W using the uniform distribution.We write x ← f () to denote assigning the output of the function f , or algorithm f , to x. S C denotes the complement of set S.
Throughout the paper, the adversary is an algorithm which we denote as A.
We follow [GGM86] as explained in [Shoup] for the definition of a pseudo-random function: Let l 1 and l 2 be positive integers, and let F = {h L } L∈K be a family of keyed functions where each function Given an adversary A which has oracle access to a function in H l 1 ,l 2 or F. The adversary will output a bit and attempt to distinguish between a function uniformly randomly selected from F and a function uniformly randomly selected from H l 1 ,l 2 .We define the PRF-advantage of A to be where the maximum is over adversaries that submit at most q queries and run in time t.
Intuitively, F is pseudo-random if it is hard to distinguish a random function selected from F from a random function selected from H l 1 ,l 2 .
We also define Adv prp F (q, t) in the same manner where the comparison is with a random permutation and F is a family of keyed permutations.

Authenticated Encryption (AE) and Misuse Resistant Authenticated Encryption (MRAE)
Given plaintext (message) set P, associated data set AD, ciphertext set C, key set K, and message number set For our security definition, we define the ideal world object as a random injective function.The expansion function is e : N × AD × P → N. The expansion function depends only on the length of its arguments.Let Inj N ,A e (P, C) be the set of injective functions f from N × AD × P into C such that |f (N, A, P )| = |P | + e(N, A, P ).
Let Π = (K, E, D) be an AE with message space P, associated data set AD, message number set N , and expansion e.The AE-advantage of adversary A against Π is (.,.,.) ⇒ 1] when encryption oracle queries use unique message numbers and A is restricted to asking q queries totaling µ blocks in running time t.f −1 (N, A, C) = P if f (N, A, P ) = C and returns ⊥ if no such triple (N, A, P ) exists.We define MRAE-advantage and Adv M RAE(q,t,µ) Π analogously except encryption oracle queries are allowed to repeat message numbers.We also define Adv AE(q,t,µ) Π = max Adv AE(q,t,µ) Π (A) over all adversaries A that ask q queries totaling µ blocks in time t.We define Adv M RAE(q,t,µ) Π = max Adv M RAE(q,t,µ) Π (A) over all adversaries A that ask q queries totaling µ blocks in time t for the MRAE environment where message numbers may be repeated in encryption oracle queries.We will also consider the case where the game is restricted if the adversary submits a decryption oracle query which returns ⊥; in this case, the adversary will not be allowed to make additional oracle queries prior to its output.

CCA Encryption
Given the encryption scheme Π, we define the CCA2 encryption experiment Exp CCA2 (Π, q, t, A) here: 1. K ← K 2. The adversary A is given oracle access to E K () and D K ().
3. The adversary outputs a pair of inputs N 0 , A 0 , P 0 and N 1 , A 1 , P 1 where P 0 and P 1 have the same length.
) is computed and given to A.
5. The adversary continues to have oracle access to E K () and D K ().However, the adversary is not allowed to query the decryption oracle with the ciphertext C. The adversary is limited to q total queries (including the queries issued before the challenge ciphertext is generated) and running time t..The adversary may not reuse a message number N in encryption oracle queries with the same key.
If D K (N, A, C) = P, for adversary query N, A, C then the adversary will not subsequently submit N, A, P to E K ().The encryption scheme Π is defined to have CCA2 security for ( , q, t, µ) if for all adversaries A limited to q queries, time t, and µ total encryption and decryption blocks, P r[Exp CCA2 (Π, q, t, µ, A) = 1] ≤ 1/2 + .We define Adv CCA2 Π,q,t,µ (A) = P r[Exp CCA2 (Π, q, t, µ, A) = 1] − 1/2.We also consider the case where the Adversary is not allowed to make additional oracle queries after it submits a decryption query which returns ⊥ .

CCS
In this section, we present CCS.CCS includes a stateless version with public message numbers, and a stateful version with private message numbers.CCS is based on a variable input length pseudorandom function (we give examples of these later in the paper).The terminology f i refers to a keyed pseudorandom function (keyed with key K i ).M is the message number.
We assume f i maps an arbitrary length domain string to a fixed length output string, where the output length is the same across all i.We call the output length the output block size.k is the number of bytes in the plaintext divided by the output block size (in bytes), and then rounded up to the nearest integer.If this integer is one, then k = 2 : We will segment a plaintext message P into k input blocks.The input block size for P is the largest size less than or equal to the output block size such that the message P can be divided into k input blocks each with the input block size or one byte less than the input block size if needed.If P divides into k equal sized blocks, then input block size = |P |/k.We define α to be 2 raised to the input block size, in bits.As an example, consider a pseudorandom function constructed using the AES encryption algorithm [AES].The output block size is 16 bytes.If P has 33 bytes, then k = 3, the input block size is 11 bytes, and α = 2 88 .

Informal Design Intuition for Message Numbers
M is a per message value that can be selected by the caller of the encryption API.Our goal is to allow the caller to use any strategy or algorithm for selecting M. For the k > 2 case, the caller must not reuse M ; reusing M will result in a loss of CPA security.The k = 2 case is misuse resistant when the authentication field is included; security is maintained provided that the same message number is not reused with the same key and plaintext.When the caller explicitly selects M, then the scheme uses M as the public message number and is stateless.
We also allow the caller to use private message numbers.In this case, for private message number i where encryption key K is shared by the communication peers for the block cipher E (we assume the block size is 16 bytes).If the sender and receiver communication is synchronized, then M doesn't need to be transmitted.Otherwise, we send the least significant 2-3 (IL) bytes of the value M i as described above except we eliminate M i values from the sequence if the least significant IL byte(s) duplicate a previous M j 's least significant IL byte(s) where (γ −j) ≤ 2(window size)+1 given M i as the γth element in the sequence (after eliminating previous last IL-byte duplicates and M j is the jth element of the resulting sequence).In other words, M i 's that are close together are selected to have distinct least significant byte(s).This does require a small amount of additional computation to compute the sequence of M i values but doesn't require significant additional work over the case where the least significant bytes are allowed to collide (since 2(window size) + 1 will be less than the birthday bound).The window size parameter (w s) controls how much the encryptor and decryptor are allowed to fall out of synchronization.Private message numbers allow the number of messages previously sent to be hidden and also minimize the size of the ciphertext but the scheme is stateful.

CCS Specification
LSB j (x) and M SB j (x) denote the j least significant bytes and j most significant bytes of byte string x respectively.The two communication peers are denoted as the initiator (init) and responder (resp), respectively.There are two channels; one with the initiator as the encryptor and the responder as the decryptor, and the other with the initiator as the decryptor and the responder as the encryptor.We will describe the private message number (stateful) case; for public message numbers (stateless case), K1 , K2 , E K1 , and E K2 are not used, and Sections 3.2.2,3.2.3, and 3.2.6 are not needed.Also, M replaces the message number tag T in Sections 3.2.4 and 3.2.5.

Key Generation
Keys K1 and K2 are randomly generated for the pseudorandom permutations E Ki i = 1, 2 and the randomly generated keys L 1 , . . ., L k determine the PRF's f 1 , . . ., f k .The key K = K1 , K2 , L 1 , . . ., L k .E Ki is a permutation on the set of binary strings with l bits.

Creating the Sequences of M Values
Let x be the encryptor, x ∈ {init, resp}.

Encryption
Given private message number i where i = SeqN o x [M ].We set T = LSB IL (M ).T is the message number tag.We assume P is a plaintext byte string (the number of bits in P is divisible by 8).For k ≥ 2, the plaintext P is split into the equal length substrings, where length is the input block size, P 1 , . . ., P k ; (the lengths may differ by one byte per our discussion above, but for convenience we will assume they are equal length for the remainder of the paper and all of our results hold with only minor changes in the non equal case) the encryptor computes the following values sequentially (but the 2nd through 2nd to last values can be computed in parallel): For a pseudorandom function based on an underlying cryptographic algorithm with a block size (e.g., an AES based prf), padding may be necessary.In this case, we pad using the padding algorithm from the CMAC specification [CMAC].

Channel Assumption
The decryption algorithm returns ⊥ if the ciphertext was created using a message number M that was too far out of synchronization.The following assumption guarantees that decryption is successful (i.e., does not output ⊥).
Let y ∈ {init, resp} where y = x.The next ciphertext that is decrypted, Given the channel assumption, there exists M such that LSB IL ( M ) = T, and the algorithm for creating the sequence ensures that M is unique.
Table 1 summarizes the parameters for the stateful scheme.

CMCC
Although our emphasis has been on utilizing CCS to protect short messages in energy constrained environments, we now discuss further a specific instantiation of the k = 2 case of CCS: For stateless version encryption, we initially utilize CBC mode and obtain the value X.Here we utilize E K to create the CBC IV W from the message number M. This prevents the adversary from being able to manipulate M and P 1 in a way that allows collisions in X values to be created.Then we apply a MAC algorithm to W, X and use the result as the IV for a variant of counter mode encryption to encrypt P 1 and obtain X 2 .Note that if the message has length less than or equal to 32 bytes, then the output of the MAC function is xor'd with P 1 to obtain X 2 and additional counter blocks are not needed.Finally we create the other half of the ciphertext, X 1 using CBC mode applied to X 2 and exclusive-or with X.
For stateful encryption, the only difference is in how the message numbers are handled: the message number tag is T = LSB IL (E K (i)) for message number i.This follows the description in Section 3.2.
Figures 1 -3 describe the stateless version of CMCC, and Figures 4 -5 describe the stateful version.

Notation
We use ⊕ to denote bitwise xor.When we xor two strings with different lengths, the longer string is first truncated to the length of the shorter string.b j is the bit b repeated j times.S j denotes the bit string S repeated j times.Thus (0110) 2 = 01100110.A and B is the logical AND operation on two equal length strings A and B. The notation R 128 = 0 120 10000111 denotes the bit string with 120 zero bits, followed by the bits 1,0,0,0,0,1,1, and 1. x << n denotes the left shift operator (filling vacated bits with zero bits), after shifting the string x by n bits to the left.|S| denotes the length of the string S. B denotes the block length of the underlying block cipher (128 bits for AES).E k denotes encryption using the block cipher and input key k.
LSB j (x) and M SB j (x) denote the j least significant bytes and j most significant bytes of byte string x respectively.

Padding
We will apply the padding scheme from the AES-CMAC algorithm to our mode when CBC encryption is performed.One difference is that we will sometimes need to pad by a full block length (B/8 bytes)2 and we use the same padding scheme as when the padding is between 1 and B/8 − 1 bytes.
1. Given the CBC encryption key K, and byte strings S 1 and S 2 , where |S 1 | ≤ |S 2 |.We define pad(S 1 ) S 2 as follows: 2. pad length is the number of bits (which is a multiple of 8) needed to bring S 1 up to the length of S 2 and then bring S 1 up to a multiple of the block size.More formally, where mod values are taken between 1 and B.
If pad length = 0, then |S 1 | is a multiple of B; let F be the last block of S 1 .We define pad(S 1 ) S 2 to be S 1 with its last block replaced with F ⊕ K1.
If 1 ≤ pad length ≤ B, then we append the following string to the last (possibly empty) block F of S 1 : 10 pad length−1 .pad(S 1 ) S 2 is S 1 with the last block of S 1 replaced with F ||10 pad length−1 ⊕ K2.

Proof of Security
We first give some examples illustrating attacks against CMCC.We will then prove CCA2 security for CMCC (with a zero length authentication tag); the bound is dominated by q/β.When message numbers are not reused and we include an authentication tag with τ bits, then we obtain a bound dominated by 1/β if invalid queries result in session termination, q/β if invalid queries do not result in session termination, q/(2 τ β) if the authentication tag is computed using a keyed MAC algorithm (CWM) but invalid queries are allowed and 2 −τ /β for CWM where invalid queries result in session termination.
We then prove MRAE security for CMCC.The main difference is that ciphertext queries that do not return invalid can be used to create new plaintexts that satisfy a relation (see examples below) that is less likely to be satisfied given a random injection.We also give a stronger MRAE security bound for CWM.
To give more insight into the best attacks and security properties of CMCC, we utilize the following examples.Example 1: Without the encoding step (for the zero bit authentication tag), CMCC is not MRAE secure (the adversary advantage is large in the MRAE security game).To illustrate this fact, the adversary submits a plaintext query followed by a ciphertext query using the same message number M and value X 2 .Both queries are twice the block length of the underlying block cipher.The adversary can compute X 1 ⊕ X1 = X ⊕ X.The adversary then creates two new plaintexts by modifying both P 2 and P2 so that the two corresponding ciphertexts have equal X values.Note that the two plaintexts have distinct P 1 values (P 11 and P 12 ).The adversary submits both plaintexts along with the message number M and receives the two ciphertexts whose X 2 values xor to P 11 ⊕ P 12 .This relation is only satisfied with probability 1/α for a random injection and thus the adversary advantage is large.
Example 2: Given a collision of X values for two plaintext queries in the MRAE security game (message numbers may be reused).Then the adversary can modify the respective P 2 values to create two new plaintexts such that the corresponding ciphertexts have equal X values.Then the adversary can win with high probability as in the preceding example.This attack works even if the zero bit authentication tag is being used.Thus q(q − 1)/2α will be part of the security bound for CMCC MRAE security.
We now prove CCA2 security (no message number reuse) for CMCC.The intuition for the proof is as follows: We cannot, except for padding based collisions in CBC(W, P 1 ) (based on encoding distinct P 1 values to identical encoded values), create two new plaintexts that will yield identical X Figure 2: CMCC Encryption: Encryption inputs are plaintext P, key K = K, L 3 , L 2 , L 1 , public message number N, and associated data A. CBC(IV, P, Key) is CBC encryption with initialization vector IV, plaintext P, and key Key.M AC(P, Key) is the CMAC MAC algorithm [CMAC] with plaintext P and key Key.pad() is the padding algorithm defined in Section 3.3.E K is the block cipher with key K. |P | is a multiple of 8. U is obtained from V by zeroing bits 31 and 63 to enable faster addition (prevent carries) [Hrkn].and (1 64 ||0 1 ||1 31 ||0 1 ||1 31  values.The reason is that M is fresh for the challenge ciphertext.Given the challenge ciphertext, we have the q/β bound for X collisions and P 1 collisions involving plaintext and ciphertext queries respectively.We also have the bound for collisions in the counter mode blocks and CBC blocks.Other than these events, X is fresh and CBC(W, P 1 ) is also fresh so P 1 and P 2 aren't leaked to the adversary (W is fresh for all plaintext queries, and P 1 is fresh for all the ciphertext queries).
Let χ(m) = 1 if m > 128 0 otherwise.Theorem 4.1 The adversary is restricted to q queries and time t; given α = 2 8m where Len is the byte length of the challenge ciphertext and m = Len/2 .B is the block length and µ is the total number of blocks in all the query plaintexts and ciphertexts.Let β = min{α, 2 B }. Let the CMCC MAC function be CMAC [CMAC] and s is the maximum number of CMAC blocks in a query; c 1 is a constant.The stateless and stateful versions of CMCC (where the authentication string Z can be any length including zero length) are CCA2 secure for ( , q, µ) with Proof sketch: case i: challenge ciphertext has α < 2 B .We may replace CMAC with a random function which gives rise to the term (5s 2 + 1)q 2 /2 B + Adv prp E (sq + 1, t + c 1 sq) [IwataKrswa] in the security bound.Similarly, we may replace the block cipher used in CBC encryption for computing X 1 with a random function giving us the Adv prp E (2sq, t)+ 2sq(2sq − 1)/2 B+1 term.Let the challenge ciphertext be M, X 1 , X 2 .Given q e encryption queries and q d decryption queries where q e + q d = q.
Figure 4: CMCC Stateful Encryption: Encryption inputs are plaintext P, key K = K, L 3 , L 2 , L 1 , private message number i, and associated data A. State initialization is per the Key Generation, Initial State, and Creating the Sequence of Secret Message Numbers subsections above.CBC(IV, P, Key) is CBC encryption with initialization vector IV, plaintext P, and key Key.M AC(P, Key) is the CMAC MAC algorithm [CMAC] with plaintext P and key Key.pad() is the padding algorithm defined in Section 3.3.E K is the block cipher with key K. |P | is a multiple of 8. U is obtained from V by zeroing bits 31 and 63 to enable faster addition (prevent carries) [Hrkn].
Let Bad 1 be the event where the Y value for the challenge ciphertext equals the Y value for one of the encryption query ciphertexts.(We will see that the adversary's optimal strategy will not have any Y collisions between the challenge ciphertext and the ciphertext query ciphertexts.)Let Bad 2 be the event where the returned P 1 value for a ciphertext query equals the P 1 value for the challenge ciphertext.For the computation of V , if event Bad 1 does not occur, then the random MAC function is invoked on a fresh value and V is uniformly distributed.Thus X 2 leaks no information about P 1 or X.Also, the random function for computing X 1 leaks no information about X or P 2 , given that Bad 2 does not occur.(The optimal adversary strategy for ciphertext queries is to submit queries of the form M, X1 , X 2 for X1 = X 1 .)Thus where we assume no encoding (padding of P 1 for decryption queries) collisions which accounts for the q/2 B term.case ii: the challenge ciphertext has α ≥ 2 B : We have potential counter mode block collisions.In this case, |X| > B, counter block collisions are detectable, and µ/2 + q 2 /2 B+2 is a bound on the probability of these collisions.

Remark:
The above theorem is stated generally, and includes the case where the MAC function for computing V does not make use of the value W (stateless case) or M (stateful case).For our implementation of CMCC, the MAC is computed over the string W |Y (stateless case) and thus Bad 1 in the above theorem cannot occur.The security bound is still unchanged though as discussed in the theorem proof.The authentication tag is either not present (zero length) or is present where invalid queries do not terminate the session.
Theorem 4.2 The adversary is restricted to q queries; given α = 2 8m where Len is the byte length of the challenge ciphertext and m = Len/2 .B is the block length and µ is the total number of blocks in all the query plaintexts and ciphertexts.Let β = min{α, 2 B }. Let the CMCC MAC function be CMAC [CMAC] and s is the maximum number of CMAC blocks in a query; c 1 is a constant.The stateless and stateful versions of CMCC where the authentication string Z has nonzero length τ is CCA2 secure where the security bound is If we have CMCC with MAC (CWM) where the string Z is replaced with a keyed MAC computed over the plaintext and associated data, then the security bound (where invalid queries do not terminate the session) is For CWM where an invalid query terminates the session, the security bound is Finally, if α ≤ 2 τ , then the security bound is Proof sketch: We first note that distinct W values (since message numbers are not reused) eliminates the possibility that W |Y values for distinct queries are equal.Thus the adversary's optimal strategy is to make ciphertext queries (except for the challenge plaintexts).
Suppose that an invalid query results in session termination.Then the security bound is where the first term represents the Adversary's probability of success for obtaining a ciphertext query based collision for P 1 values (finite geometric series).The other terms are the same terms from the proof of Theorem 4.1.The first term is very close to 1/β.Thus the 2nd security bound is still the same as for Theorem 4.1.Then the security bound from Theorem 4.1 is modified to reflect that the ciphertext queries will be invalid, with high probability, for the third and fourth security bounds.The last security bound reflects that the ciphertext query attack cannot produce a valid ciphertext with matching X 2 , M, and P 1 values, given the constraint, since matching X 2 , M, P 1 , and P 2 values (P 2 must consist of only zero bits) implies that X values match.Thus X 1 values must also match which is a contradiction; therefore the returned P 1 value cannot match the P 1 value from the challenge ciphertext.
Remark: For the stateless scheme, if there is a field in the associated data which is distinct for each message (e.g., sequence number field), then this can be utilized for the message number and the advantage is that no additional bytes for the message number are sent over the network.
Lemma 4.3 Given the experiment S where adversary A attempts to distinguish between a block cipher E and a random function.We also consider the experiment S : here an adversary B attempts to distinguish between a random function and a first instance of a block cipher for q/2 queries, and then between the random function and a 2nd instance of a block cipher for the remaining q/2 queries (the block cipher is randomly rekeyed for the last q/2 queries).B has an oracle for a random function for the first q/2 queries if and only if it again has an oracle for the random function during the 2nd set of q/2 queries.Then |P r(B random (q, t) = 1) − P r(B E K 1 ,E K 2 (q, t) = 1)| ≤ Adv prf E (q, t) Proof: For the first q/2 queries, we have |P r(B random (q/2, t 1 ) = 1) − P r(B Theorem 4.4 Let µ be the total number of blocks in the adversary queries, and B is the cipher block length.Let β = min{α, 2 B }. Let the CMCC MAC function be CMAC [CMAC].Let s be the maximum number of CMAC blocks in a query; c 1 is a constant.CMCC encryption (stateless version) is a misuse resistant authenticated encryption scheme with MRAE-advantage bounded by q(q − 1)/2α + q(q − 1)/2β + 1 given that the adversary is restricted to q queries, E is the underlying block cipher for CMAC (e.g., AES), α = 2 8m where Len is the byte length of the minimal length query response, m = Len/2 , assuming up to x − 1 invalid ciphertexts do not result in session termination, and τ is the number of bits in the authentication tag.
Remark: Intuitively, there are three types of relations that distinguish CMCC from a random injection: 1.For messages where |α| is shorter than the block length, and M = M , we have the relation X 2 ⊕ X2 = P 1 ⊕ P1 with higher probability equal to 1/α + (α − 1)/α 2 for CMCC versus 1/α for the random injection.The reason is that we may have a collision of X values with probability 1/α and if that does not occur, the resulting V values may still be equal in the first log 2 (α) bits.
Proof: case i: All plaintexts have length less than or equal to 2 * B − τ bits: We use a games based proof to establish the bound claim for the theorem.Game G 0 is depicted in Figure 6.Game G 0 gives the adversary the CMCC encryption and decryption oracles and the adversary's probability of success is equal to the adversary's MRAE-advantage against CMCC.
Game G 1 is the same as game G 0 except we replace the CMAC MAC function with a random function.Now consider an adversary A E,D where E and D are either the game G 0 encrypt and decrypt oracles or the game G 1 encrypt and decrypt oracles.When A submits P , A, N, then X 1 , X 2 is returned and we give the distinguisher D X 2 ⊕ P 1 = F (P, A, N ) where F is either CMAC applied to a function of P, A, N or a random function.When A submits X 1 , X 2 , A, N then P is returned and we give the distinguisher D X 2 ⊕P 1 = F (P, A, N ) where F is either CMAC applied to a function of P, A, N or a random function.When A outputs b, D also outputs b (b ∈ {0, 1}).Then A s probability of success is bounded by the probability bound for any adversary to distinguish CMAC from a random function which is (5s 2 + 1)q 2 /2 B + Adv prp E (sq + 1, t + c 1 sq) [IwataKrswa] where E is the underlying block cipher, e.g., AES, and s is the maximum number of blocks in any query. Thus is the same as game G 1 except the block ciphers used in CBC encryption for computing X 1 and X are replaced with random functions.Consider the game H where adversary B distinguishes between the following: 1.A random function 2. A block cipher E K 1 for q/2 queries and then the block cipher is rekeyed (E K 2 ) for the 2nd set of q/2 queries.Denote this as Suppose D is a distinguisher such that D runs in time t, makes q queries, and will distinguish between the xor sum of two block cipher encryptions (each block cipher is independently keyed) and the xor sum of two random function invocations.For an adversary A that attempts to distinguish between games G 1 and G 2 , A can submit X 1 ⊕ P 2 to D for each query that A makes.When A outputs a bit b, D outputs the same bit b.Then A s probability of success is bounded by D s probability of success.
Given the adversary B for the game H.At the end of the sequence of queries, B gives the exclusive or sum of queries i and q/2 + i, 1 ≤ i ≤ q/2 to D. D outputs a bit b and B outputs the same bit b.Then |P r(D random xor sum (q/2, t) = 1) − P r(D block cipher xor sum (q/2, t)

Thus we obtain
1. Initialize is modified: Initially we set QD(N, A) = ∅ for all N, A. QD(N, A) is a subset of the plaintexts.
2. The line: if (U ! = Z) return ⊥; otherwise Q = P ||Z and return Plaintext P , A, N is replaced with: 3. If the adversary submits the encryption query P, A, N, then we set QD(N, A) = QD(N, A) ∪ {P }.
Then the advantage of A in distinguishing G 3 and G 2 is bounded by the probability of obtaining a valid response from the decryption oracle.Consider the adversary's optimal strategy for obtaining a valid ciphertext response in game G 2 : For each query with a distinct X 2 value, the value X will be uniform random since the block cipher has been replaced with a random function.Thus the value P 2 will be uniform random and the probability of a valid response is 2 −τ .On the other hand, if the same X 2 values are submitted for all of the ciphertext queries, then the X values are related via the differences in the X 1 values and there is a possibility of P 1 collisions with a chance for either a valid or invalid response.In other words, the probability is greater than 2 −τ .If an initial plaintext query is submitted, and the X 2 , N values are used in the subsequent ciphertext queries, with the last τ bits of X 1 being identical to the last τ bits of the plaintext query X 1 value, then a collision in P 1 values ensures a valid response.Thus this is the optimal adversary strategy for obtaining a valid ciphertext response.
The bound, assuming at most x − 1, 1 ≤ x ≤ q, invalid ciphertext queries prior to session termination, is Game G 4 is the same as game G 3 except the line X = CBC(W, pad(P 1 ) P 2 , L 3 ) ⊕ P 2 , is replaced with X = CBC(W, pad(P 1 ) P 2 , L 3 ) ⊕ P 2 ; if X ∈ set of used X, bad 5 = true and reselect X : X Game G 5 is depicted in Figure 7. Then game G 5 and game G 4 are indistinguishable except that collisions are possible in the strings S 2 where C includes S 1 ||S 2 .When such a collision occurs, the games are distinguishable; the bound on collisions is q(q − 1)/2β.It is possible in game G 4 that a ciphertext query that is not invalid will return a plaintext and another encrypt query with a different plaintext returns the same ciphertext.This last sequence is not possible in game G 5 .However, the bound from Game G 3 allows us to assume that no valid ciphertext queries occur.
Thus the bound claimed in the theorem statement holds.case ii: At least some plaintexts have length greater than 2 * B − τ bits: We note that this case is a suboptimal strategy for the adversary.Here we modify the bound by adding in the χ(m)µ 2 /2 B−1 and q 2 /2 B+1 terms for counter mode block collisions and padding collisions for plaintexts of different lengths, respectively.The term 2q(2q − 1)/2 B+1 from above is generalized to 2sq(2sq − 1)/2 B+1 .

Performance Analysis for Wireless Sensor Networks
We discuss and compare performance to other schemes (e.g.CCM [WhitHousFerg] and others) for short messages, including energy utilization.Energy utilization is important for low power constrained devices and we use the measurements from [WanGurEblGupShtz] to make an estimate for energy consumption on wireless sensor platforms.We compare CCM to CMCC for energy utilization.
In [WanGurEblGupShtz], the authors measure energy utilization for a variety of cryptographic algorithms due to CPU utilization and networking for the Berkeley/Crossbow motes platform, stateless version as well.CCM eliminates R prf invocations with precomputation, so CMCC has an advantage for messages with 32 bytes or less (for number of prf invocations given precomputation), but CCM has an advantage for longer messages.Table 4 assumes (1) that CCM uses the minimal recommended length MAC tag of 8 bytes which increases the length of the message by 8 bytes while CMCC includes the 2 byte message number tag T as described above along with a 2 byte authentication string for a total of 4 bytes (2) that both CCM and CMCC are applied to the full length message which will cause our measurements to favor CCM slightly,3 and (3) Messages are less than 2 16 bytes so CCM sends a 13 byte nonce with each message.
The amount of energy used for CCM is Thus we see that energy utilization is proportional to message length.For faster schemes (e.g., OCB, etc.), the more efficient computations will result in an even closer correlation between message length (including the MAC bytes) and energy utilization.The reason is that the main energy use is in the networking, and reducing the computational load will result in a higher percentage of energy use by networking.
We haven't included length fields in either CCM or CMCC as part of the comparison.Including such fields would give results very close to the ones above.

Implementation
We have completed an initial implementation as part of our submission to the Caesar competition for authenticated encryption.Details can be accessed at http://groups.google.com/group/cryptocompetitions.

Conclusions
We have presented CCS which is a new family of tweakable enciphering schemes (TES).The main focus for this work is minimizing ciphertext expansion, especially for short messages including plaintext lengths less than the underlying block cipher length (e.g., 16 bytes).CMCC is an instantiation of the scheme providing provably secure misuse resistant authenticated encryption, and it leverages existing modes such as CBC, Counter, and CMAC.Our work can be viewed as extending the line of work starting with [HR03] to plaintext sizes smaller than the block cipher block length which is a problem posed in [Hal04].Depending on the environment, we obtain CCA2 security with only 2-3 bytes of expansion (for the message number).Since changes to the ciphertext randomize the plaintext, we can leverage the protocol checks in higher layer protocols as additional authentication bits allowing us to reduce the length of the authentication tag.
We have given a comparison of energy utilization in wireless sensor networks between CMCC and CCM and showed that energy use is proportional to packet length.Thus CMCC can achieve significant energy savings when applied to protocols that send short messages due to its small ciphertext expansion.Our contributions include both stateless and stateful versions which enable minimal sized message numbers using different network related trade-offs.

6.
The adversary outputs a bit b.The output of the experiment is 1 if b = b and 0 otherwise.

u
init = u resp = 0. init e = init d = resp e = resp d = 0. (init e and init d are part of the initiator state; resp e and resp d are part of the responder state.)IL is the number of bytes of ciphertext expansion.w s is initialized to a positive integer.m 1 = 2(w s) + 1. Initially the sequences of M values, Seq(init) and Seq(resp) are empty.
Let y ∈ {init, resp} where y = x.Given C||T where C = X 1 || . . .||X k .There exists at most one M in Seq(x) such that LSB IL ( M ) = T and |SeqN o x [ M ] − y d | ≤ w s.If it exists, then set M = M and compute the sequence 1 ) and output Dec K (C, T ) = P 1 || . . .||P k .Otherwise, output Dec K (C, T ) =⊥ .If Dec K (C, T ) =⊥, then we say M is the message number used to decrypt C, T ; SeqN o x [M ] is the corresponding private message number.In this case, if SeqN o x [M ] > y d , then set y d = SeqN o x [M ].

Figure 3 :
Figure 3: CMCC Decryption: Decryption inputs are ciphertext X 1 X 2 , key K = K, L 3 , L 2 , L 1 , public message number N, and associated data A.
for definition.Decrypt(C, A, N ): See Figure 3 for definition.Output: Return the adversary's output.

Table 1 :
Number of plaintext segments: P= P 1 || . ..||P k .αα = 2 |P i | , i = 1, . .., k.Mper message value obtained by using PRP on private message number E Summary of Parameters for Stateful CCS Scheme which is misuse resistant and optimized for energy constrained environments.As before, we will have a stateless version with public message numbers, and a stateful version with private message numbers.Also as before, the scheme is identical to k ≥ 2 when the message has 32 bytes or less.The stateless version has full misuse resistance against reuse of the message numbers, whereas the stateful version has resistance as well, but some private message numbers may result in decryption failures if too far outside the decrypt window.
CBC-MAC-Counter-CBC (CMCC) mode.CMCC is a general purpose authenticated encryption mode

Table 4 :
Message Length No. CCM prf calls No. CMCC prf calls CCM energy use CMCC energy use Energy utilization (µJ) for sending network messages with CCM and CMCC protection, Mica2dot platform.