The following uses the notation from [http://iotworm.eyalro.net/ IoT Goes Nuclear: Creating a ZigBee Chain Reaction].
Assume first the basic AES-ECB cipher is <math>CT = E_k(PT)</math>, where we are encrypting a block with secret key <math>k</math>.
AES-CCM combines AES-CTR mode and AES-CBC mode as mentioned. We could consider AES-CTR to be performing the following operation:
</math>
The problem with a straightforward CPA attack on CTR mode is that only 2 bytes of the AES input vary (the number of bytes holding <math>m</math>), so the CPA attack cannot recover all bytes of the key. A solution to this is presented in the paper.
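The following is an added example, not code from the original page or from the paper. It builds the AES-CTR input blocks for one message and reports which byte positions ever change, since a first-round CPA has nothing to correlate against at positions where the AES input is constant. The block layout (flags byte, 13-byte nonce, 2-byte counter) is an assumption taken from RFC 3610 with L = 2, and the nonce and block count are constructed sample values.

```python
# Added example: which AES input bytes vary in CCM's CTR mode?
# Assumption: RFC 3610 counter block layout with L = 2 (2-byte counter).

L_FIELD = 2                    # counter width in bytes
NONCE_LEN = 15 - L_FIELD       # 13-byte nonce fills the rest of the block


def ctr_block(nonce: bytes, m: int) -> bytes:
    """Return the 16-byte AES input for counter m: flags || nonce || m."""
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be 13 bytes when L = 2")
    if not 0 <= m < 1 << (8 * L_FIELD):
        raise ValueError("counter does not fit in 2 bytes")
    flags = L_FIELD - 1        # counter-block flags carry L' = L - 1
    return bytes([flags]) + nonce + m.to_bytes(L_FIELD, "big")


def varying_positions(blocks):
    """Byte positions that take more than one value across all AES inputs."""
    return [i for i in range(16) if len({b[i] for b in blocks}) > 1]


def cpa_coverage(nonce: bytes, n_blocks: int):
    """Split the 16 input positions into (varying, constant) for one message.

    A constant input byte gives a constant first-round S-box input, so every
    key guess predicts the same leakage for every trace and the correlation
    cannot rank the guesses for that key byte.
    """
    blocks = [ctr_block(nonce, m) for m in range(n_blocks)]
    varying = varying_positions(blocks)
    constant = [i for i in range(16) if i not in varying]
    return varying, constant


if __name__ == "__main__":
    sample_nonce = bytes(range(0x10, 0x1D))   # constructed 13-byte nonce
    varying, constant = cpa_coverage(sample_nonce, 1000)
    print("input bytes that vary:", varying)
    print("input bytes that stay constant:", constant)
```

With fewer than 257 blocks in the message, only the last byte changes, which narrows the set of key bytes a first-round CPA can see even further.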
== Performing Attack ==