[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"doc-detail-31510":3,"doc-seo-31510":27},{"code":4,"msg":5,"data":6},0,"success",{"doc_id":7,"user_id":8,"nickname":9,"user_avatar":10,"doc_module":4,"category_id":11,"category_name":12,"doc_title":13,"doc_description":14,"file_id":15,"file_url":16,"file_type":17,"file_size":18,"view_count":4,"is_deleted":4,"is_public":19,"is_downloadable":19,"audit_status":19,"page_count":20,"language":21,"language_code":22,"table_of_contents":23,"faqs":24,"seo_title":13,"seo_description":14,"update_tm":25,"read_time":26},31510,687197100911,"Himbo","https://ap-avatar.wpscdn.com/avatar/a000239b6f1da00475?_k=1775820430993990792",8,"Research & Report","Comprehensive Robustness Analysis of GCM, CCM, and OCB3","Robustness analysis for authenticated encryption (AE) schemes, focusing on security under nonce misuse (NM) and Release of Unverified Plaintext (RUP), is developed to address real-world violations of standard prerequisites. A comprehensive study covers widely used standards GCM, CCM, and OCB3, uncovering robustness properties not previously reported. Results prove that both GCM and CCM preserve authenticity under RUP, and CCM retains this resilience even under nonce misuse. Omitting one CCM block cipher call is shown to maintain the robust security while improving efficiency, yielding a complete robustness picture and suggesting new robust AE constructions.","cbCaibVoSrhxFdpm","https://ap.wps.com/l/cbCaibVoSrhxFdpm","pdf",1072435,1,43,"English","en","# Introduction\n## Authenticated encryption and robustness motivations\n## Prior work and robustness notions\n## Standard overview: GCM, CCM, OCB3\n## Contributions and results","[{\"question\":\"What robustness issues does the document analyze for authenticated encryption schemes?\",\"answer\":\"It analyzes robustness under nonce misuse (NM) and Release of Unverified Plaintext (RUP), which correspond to violations of nonce-respecting and decryption error-handling prerequisites.\"},{\"question\":\"How do GCM and CCM behave under RUP?\",\"answer\":\"Both GCM and CCM maintain authenticity even when releasing unverified plaintext (INTegrity under RUP), regardless of nonce length for GCM.\"},{\"question\":\"What efficiency improvement is introduced for CCM and why is it still secure?\",\"answer\":\"The document shows that CCM can omit one block cipher call while still maintaining the robust security features, resulting in improved efficiency compared with the proposal.\"}]",1779656427,108,{"code":4,"msg":28,"data":29},"ok",{"site_id":30,"language":22,"slug":31,"title":13,"keywords":32,"description":14,"schema_data":33,"social_meta":84,"head_meta":86,"extra_data":88,"updated_unix":25},105,"comprehensive-robustness-analysis-of-gcm-ccm-and-ocb3","",{"@graph":34,"@context":83},[35,52,66],{"@type":36,"itemListElement":37},"BreadcrumbList",[38,42,46,49],{"item":39,"name":40,"@type":41,"position":19},"https://docshare.wps.com","Home","ListItem",{"item":43,"name":44,"@type":41,"position":45},"https://docshare.wps.com/document/","Document",2,{"item":47,"name":12,"@type":41,"position":48},"https://docshare.wps.com/document/research-report/",3,{"item":50,"name":13,"@type":41,"position":51},"https://docshare.wps.com/document/comprehensive-robustness-analysis-of-gcm-ccm-and-ocb3/31510/",4,{"url":50,"name":13,"@type":53,"author":54,"headline":13,"publisher":56,"fileFormat":59,"description":14,"dateModified":60,"datePublished":60,"encodingFormat":59,"isAccessibleForFree":61,"interactionStatistic":62},"DigitalDocument",{"name":9,"@type":55},"Person",{"url":39,"name":57,"@type":58},"DocShare","Organization","application/pdf","2026-05-24",true,{"@type":63,"interactionType":64,"userInteractionCount":4},"InteractionCounter",{"@type":65},"ViewAction",{"@type":67,"mainEntity":68},"FAQPage",[69,75,79],{"name":70,"@type":71,"acceptedAnswer":72},"What robustness issues does the document analyze for authenticated encryption schemes?","Question",{"text":73,"@type":74},"It analyzes robustness under nonce misuse (NM) and Release of Unverified Plaintext (RUP), which correspond to violations of nonce-respecting and decryption error-handling prerequisites.","Answer",{"name":76,"@type":71,"acceptedAnswer":77},"How do GCM and CCM behave under RUP?",{"text":78,"@type":74},"Both GCM and CCM maintain authenticity even when releasing unverified plaintext (INTegrity under RUP), regardless of nonce length for GCM.",{"name":80,"@type":71,"acceptedAnswer":81},"What efficiency improvement is introduced for CCM and why is it still secure?",{"text":82,"@type":74},"The document shows that CCM can omit one block cipher call while still maintaining the robust security features, resulting in improved efficiency compared with the proposal.","https://schema.org",{"og:url":50,"og:type":85,"og:title":13,"og:site_name":57,"og:description":14},"article",{"robots":87,"canonical":50},"index,follow",{"doc_id":7,"site_id":30}]