A Conventional Authenticated-Encryption Mode

A Conventional Authenticated-Encryption Mode

M. Bellare and P. Rogaway and D. Wagner

Abstract. We propose a block-cipher mode of operation, EAX, for authenticated-encryption with associated-data (AEAD). Given a nonce $N$, a message $M$, and a header $H$, the mode protects the privacy of $M$ and the authenticity of both $M$ and $H$. Strings $N,M,H \in \{0,1\}^*$ are arbitrary, and the mode uses $2\lceil M/n \rceil + \lceil H/n\rceil + \lceil N/n\rceil$ block-cipher calls when these strings are nonempty and $n$ is the block length of the underlying block cipher. Among EAX's characteristics are that it is on-line (the length of a message isn't needed to begin processing it) and a fixed header can be pre-processed, effectively removing the per-message cost of binding it to the ciphertext. EAX is obtained by instantiating a simple generic-composition method, EAX2, and then collapsing its two keys into one. EAX is provably secure under a standard complexity-theoretic assumption. EAX is an alternative to CCM [19], and is likewise patent-free.

Contact author: [email protected]

Available formats: Postscript (PS) | PDF |