Paper 2003/069
EAX: A Conventional Authenticated-Encryption Mode
M. Bellare, P. Rogaway, and D. Wagner
Abstract
We propose a block-cipher mode of operation, called EAX, for authenticated-encryption with associated-data (AEAD). Given a nonce N, a message M, and a header H, the mode protects the privacy of M and the authenticity of both M and H. Strings N, M, H are arbitrary, and the mode uses $2\lceil |M|/n \rceil + \lceil |H|/n\rceil + \lceil |N|/n\rceil$ block-cipher calls when these strings are nonempty and n is the block length of the underlying block cipher. Among EAX's characteristics are that it is on-line (the length of a message isn't needed to begin processing it) and a fixed header can be pre-processed, effectively removing the per-message cost of binding it to the ciphertext. EAX is obtained by instantiating a simple generic-composition method, and then collapsing its two keys into one. EAX is provably secure under a standard complexity-theoretic assumption. EAX was designed in response to the expressed need of several standardization bodies, including NIST, IETF and IEEE 802.11, for a patent-free AEAD scheme. Such a scheme would have to be conventional, meaning it would make two passes, one aimed at achieving privacy and one aimed at achieving authenticity. EAX aims to fill this need by doing as well as possible within the space of conventional schemes with regard to issues of efficiency, simplicity, elegance, ease of correct use, and provable-security guarantees. EAX is an alternative to CCM.
Metadata
- Available format(s)
- PS
- Category
- Secret-key cryptography
- Publication info
- Published elsewhere. Unknown where it was published
- Keywords
- modes of operation
- Contact author(s)
- daw @ cs berkeley edu
- History
- 2003-09-09: revised
- 2003-04-15: received
- Short URL
- https://ia.cr/2003/069
- License
- CC BY
BibTeX
@misc{cryptoeprint:2003/069,
  author = {M. Bellare and P. Rogaway and D. Wagner},
  title = {{EAX}: A Conventional Authenticated-Encryption Mode},
  howpublished = {Cryptology {ePrint} Archive, Paper 2003/069},
  year = {2003},
  url = {https://eprint.iacr.org/2003/069}
}