Cryptology ePrint Archive: Report 2003/069
EAX: A Conventional Authenticated-Encryption Mode
M. Bellare and P. Rogaway and D. Wagner
Abstract: We propose a block-cipher mode of operation, called EAX, for
authenticated-encryption with associated-data (AEAD). Given a nonce N, a
message M, and a header H, the mode protects the privacy of M and the
authenticity of both M and H. Strings N,M,H$ are arbitrary, and the mode uses
$2\lceil |M|/n \rceil + \lceil |H|/n\rceil + \lceil |N|/n\rceil$ block-cipher
calls when these strings are nonempty and n is the block length of the
underlying block cipher. Among EAX's characteristics are that it is on-line
(the length of a message isn't needed to begin processing it) and a fixed
header can be pre-processed, effectively removing the per-message cost of
binding it to the ciphertext. EAX is obtained by instantiating a simple
generic-composition method, and then collapsing its two keys into one. EAX is
provably secure under a standard complexity-theoretic assumption.
EAX was designed in response to the expressed need of several
standardization bodies, including NIST, IETF and IEEE 802.11, for a patent-free
AEAD scheme. Such a scheme would have to be conventional, meaning it
would make two passes, one aimed at achieving privacy and one aimed at
achieving authenticity. EAX aims to fill this need by doing as well as
possible within the space of conventional schemes with regard to issues of
efficiency, simplicity, elegance, ease of correct use, and provable-security
guarantees. EAX is an alternative to CCM.
Category / Keywords: secret-key cryptography / modes of operation
Date: received 13 Apr 2003, last revised 9 Sep 2003
Contact author: daw at cs berkeley edu
Available format(s): Postscript (PS) | Compressed Postscript (PS.GZ) | BibTeX Citation
Version: 20030909:180059 (All versions of this report)
Short URL: ia.cr/2003/069
[ Cryptology ePrint archive ]