Paper 2003/069

EAX: A Conventional Authenticated-Encryption Mode

M. Bellare, P. Rogaway, and D. Wagner

Abstract

We propose a block-cipher mode of operation, called EAX, for authenticated-encryption with associated-data (AEAD). Given a nonce N, a message M, and a header H, the mode protects the privacy of M and the authenticity of both M and H. Strings $N,M,H$ are arbitrary, and the mode uses $2\lceil |M|/n \rceil + \lceil |H|/n\rceil + \lceil |N|/n\rceil$ block-cipher calls when these strings are nonempty and n is the block length of the underlying block cipher. Among EAX's characteristics are that it is on-line (the length of a message isn't needed to begin processing it) and a fixed header can be pre-processed, effectively removing the per-message cost of binding it to the ciphertext. EAX is obtained by instantiating a simple generic-composition method, and then collapsing its two keys into one. EAX is provably secure under a standard complexity-theoretic assumption. EAX was designed in response to the expressed need of several standardization bodies, including NIST, IETF and IEEE 802.11, for a patent-free AEAD scheme. Such a scheme would have to be conventional, meaning it would make two passes, one aimed at achieving privacy and one aimed at achieving authenticity. EAX aims to fill this need by doing as well as possible within the space of conventional schemes with regard to issues of efficiency, simplicity, elegance, ease of correct use, and provable-security guarantees. EAX is an alternative to CCM.

Metadata
Available format(s)
PS
Category
Secret-key cryptography
Publication info
Published elsewhere. Unknown where it was published
Keywords
modes of operation
Contact author(s)
daw @ cs berkeley edu
History
2003-09-09: revised
2003-04-15: received
Short URL
https://ia.cr/2003/069
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2003/069,
      author = {M.  Bellare and P.  Rogaway and D.  Wagner},
      title = {{EAX}: A Conventional Authenticated-Encryption Mode},
      howpublished = {Cryptology {ePrint} Archive, Paper 2003/069},
      year = {2003},
      url = {https://eprint.iacr.org/2003/069}
}