Paper 2003/069

EAX: A Conventional Authenticated-Encryption Mode

M. Bellare, P. Rogaway, and D. Wagner


We propose a block-cipher mode of operation, called EAX, for authenticated-encryption with associated-data (AEAD). Given a nonce N, a message M, and a header H, the mode protects the privacy of M and the authenticity of both M and H. Strings $N,M,H$ are arbitrary, and the mode uses $2\lceil |M|/n \rceil + \lceil |H|/n\rceil + \lceil |N|/n\rceil$ block-cipher calls when these strings are nonempty and n is the block length of the underlying block cipher. Among EAX's characteristics are that it is on-line (the length of a message isn't needed to begin processing it) and a fixed header can be pre-processed, effectively removing the per-message cost of binding it to the ciphertext. EAX is obtained by instantiating a simple generic-composition method, and then collapsing its two keys into one. EAX is provably secure under a standard complexity-theoretic assumption. EAX was designed in response to the expressed need of several standardization bodies, including NIST, IETF and IEEE 802.11, for a patent-free AEAD scheme. Such a scheme would have to be conventional, meaning it would make two passes, one aimed at achieving privacy and one aimed at achieving authenticity. EAX aims to fill this need by doing as well as possible within the space of conventional schemes with regard to issues of efficiency, simplicity, elegance, ease of correct use, and provable-security guarantees. EAX is an alternative to CCM.

Category
Secret-key cryptography
Publication info
Published elsewhere. Unknown where it was published
Keywords
modes of operation
Contact author(s)
daw @ cs berkeley edu
History
2003-09-09: revised
2003-04-15: received
License
Creative Commons Attribution


      author = {M.  Bellare and P.  Rogaway and D.  Wagner},
      title = {EAX: A Conventional Authenticated-Encryption Mode},
      howpublished = {Cryptology ePrint Archive, Paper 2003/069},
      year = {2003},
      note = {\url{}},
      url = {}