EAX mode

Last updated

EAX mode (encrypt-then-authenticate-then-translate [1] ) is a mode of operation for cryptographic block ciphers. It is an Authenticated Encryption with Associated Data (AEAD) algorithm designed to simultaneously provide both authentication and privacy of the message (authenticated encryption) with a two-pass scheme, one pass for achieving privacy and one for authenticity for each block.

Contents

EAX mode was submitted on October 3, 2003, to the attention of NIST in order to replace CCM as standard AEAD mode of operation, since CCM mode lacks some desirable attributes of EAX and is more complex.

Encryption and authentication

Diagram representing encryption under EAX. The message is M, the key is K, the authenticated header is H, the nonce is N, the encrypted message is C, and the authentication tag is T. EAX block cipher mode of operation.svg
Diagram representing encryption under EAX. The message is M, the key is K, the authenticated header is H, the nonce is N, the encrypted message is C, and the authentication tag is T.

EAX is a flexible nonce-using two-pass AEAD scheme with no restrictions on block cipher primitive to be used, nor on block size, and supports arbitrary-length messages. Authentication tag length is arbitrarily sizeable up to the used cipher's block size.

The block cipher primitive is used in CTR mode for encryption and as OMAC for authentication over each block through the EAX composition method, that may be seen as a particular case of a more general algorithm called EAX2 and described in The EAX Mode of Operation [2]

The reference implementation in the aforementioned paper uses AES in CTR mode for encryption combined with AES OMAC for authentication.

Performance

Being a two-pass scheme, EAX mode is slower than a well designed one-pass scheme based on the same primitives.

EAX mode has several desirable attributes, notably:

Notably, CCM mode lacks the last 2 attributes (CCM can process Associated Data, it can't pre-process it).

Patent status

The authors of EAX mode, Mihir Bellare, Phillip Rogaway, and David Wagner placed the work under public domain and have stated that they were unaware of any patents covering this technology. Thus, EAX mode of operation is believed to be free and unencumbered for any use.

Use

A modification of the EAX mode, so called EAX′ or EAXprime, is used in the ANSI C12.22 standard for transport of meter-based data over a network. In 2012 Kazuhiko Minematsu, Stefan Lucks, Hiraku Morita and Tetsu Iwata published a paper that proves the security of the mode with messages longer than the key, but demonstrates a trivial attack against short messages using this mode. The authors stated that they did not know whether the ANSI C12.22 protocols were vulnerable to the attack. [3] [4]

See also

Related Research Articles

In cryptography, a block cipher is a deterministic algorithm that operates on fixed-length groups of bits, called blocks. Block ciphers are the elementary building blocks of many cryptographic protocols. They are ubiquitous in the storage and exchange of data, where such data is secured and authenticated via encryption.

<span class="mw-page-title-main">Symmetric-key algorithm</span> Algorithm

Symmetric-key algorithms are algorithms for cryptography that use the same cryptographic keys for both the encryption of plaintext and the decryption of ciphertext. The keys may be identical, or there may be a simple transformation to go between the two keys. The keys, in practice, represent a shared secret between two or more parties that can be used to maintain a private information link. The requirement that both parties have access to the secret key is one of the main drawbacks of symmetric-key encryption, in comparison to public-key encryption. However, symmetric-key encryption algorithms are usually better for bulk encryption. With exception of the one-time pad they have a smaller key size, which means less storage space and faster transmission. Due to this, asymmetric-key encryption is often used to exchange the secret key for symmetric-key encryption.

A chosen-ciphertext attack (CCA) is an attack model for cryptanalysis where the cryptanalyst can gather information by obtaining the decryptions of chosen ciphertexts. From these pieces of information the adversary can attempt to recover the secret key used for decryption.

In cryptography, an initialization vector (IV) or starting variable is an input to a cryptographic primitive being used to provide the initial state. The IV is typically required to be random or pseudorandom, but sometimes an IV only needs to be unpredictable or unique. Randomization is crucial for some encryption schemes to achieve semantic security, a property whereby repeated usage of the scheme under the same key does not allow an attacker to infer relationships between segments of the encrypted message. For block ciphers, the use of an IV is described by the modes of operation.

<span class="mw-page-title-main">Block cipher mode of operation</span> Cryptography algorithm

In cryptography, a block cipher mode of operation is an algorithm that uses a block cipher to provide information security such as confidentiality or authenticity. A block cipher by itself is only suitable for the secure cryptographic transformation of one fixed-length group of bits called a block. A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block.

Articles related to cryptography include:

One-key MAC (OMAC) is a family of message authentication codes constructed from a block cipher much like the CBC-MAC algorithm. It may be used to provide assurance of the authenticity and, hence, the integrity of data. Two versions are defined:

Offset codebook mode is an authenticated encryption mode of operation for cryptographic block ciphers. OCB mode was designed by Phillip Rogaway, who credits Mihir Bellare, John Black, and Ted Krovetz with assistance and comments on the designs. It is based on the integrity-aware parallelizeable mode (IAPM) of authenticated encryption by Charanjit S. Jutla. The OCB2 version was proven insecure, while the original OCB1 as well as OCB3 from 2011 are still considered secure.

CCM mode is a mode of operation for cryptographic block ciphers. It is an authenticated encryption algorithm designed to provide both authentication and confidentiality. CCM mode is only defined for block ciphers with a block length of 128 bits.

Authenticated Encryption (AE) is an encryption scheme which simultaneously assures the data confidentiality and authenticity. Examples of encryption modes that provide AE are GCM, CCM.

<span class="mw-page-title-main">CBC-MAC</span> Message authentication code algorithm

In cryptography, a cipher block chaining message authentication code (CBC-MAC) is a technique for constructing a message authentication code (MAC) from a block cipher. The message is encrypted with some block cipher algorithm in cipher block chaining (CBC) mode to create a chain of blocks such that each block depends on the proper encryption of the previous block. This interdependence ensures that a change to any of the plaintext bits will cause the final encrypted block to change in a way that cannot be predicted or counteracted without knowing the key to the block cipher.

Disk encryption is a special case of data at rest protection when the storage medium is a sector-addressable device. This article presents cryptographic aspects of the problem. For an overview, see disk encryption. For discussion of different software packages and hardware devices devoted to this problem, see disk encryption software and disk encryption hardware.

In cryptography, Galois/Counter Mode (GCM) is a mode of operation for symmetric-key cryptographic block ciphers which is widely adopted for its performance. GCM throughput rates for state-of-the-art, high-speed communication channels can be achieved with inexpensive hardware resources.

In cryptography, CWC Mode is an AEAD block cipher mode of operation that provides both encryption and built-in message integrity, similar to CCM and OCB modes. It combines the use of CTR mode for encryption with an efficient polynomial Carter–Wegman MAC and is designed by Tadayoshi Kohno, John Viega and Doug Whiting.

In cryptography, key wrap constructions are a class of symmetric encryption algorithms designed to encapsulate (encrypt) cryptographic key material. The Key Wrap algorithms are intended for applications such as protecting keys while in untrusted storage or transmitting keys over untrusted communications networks. The constructions are typically built from standard primitives such as block ciphers and cryptographic hash functions.

In cryptography, format-preserving encryption (FPE), refers to encrypting in such a way that the output is in the same format as the input. The meaning of "format" varies. Typically only finite sets of characters are used; numeric, alphabetic or alphanumeric. For example:

There are various implementations of the Advanced Encryption Standard, also known as Rijndael.

Integrity-aware parallelizable mode (IAPM) is a mode of operation for cryptographic block ciphers. As its name implies, it allows for a parallel mode of operation for higher throughput.

<span class="mw-page-title-main">Sponge function</span> Theory of cryptography

In cryptography, a sponge function or sponge construction is any of a class of algorithms with finite internal state that take an input bit stream of any length and produce an output bit stream of any desired length. Sponge functions have both theoretical and practical uses. They can be used to model or implement many cryptographic primitives, including cryptographic hashes, message authentication codes, mask generation functions, stream ciphers, pseudo-random number generators, and authenticated encryption.

ChaCha20-Poly1305 is an authenticated encryption with additional data (AEAD) algorithm, that combines the ChaCha20 stream cipher with the Poly1305 message authentication code. Its usage in IETF protocols is standardized in RFC 8439. It has fast software performance, and without hardware acceleration, is usually faster than AES-GCM.

References

  1. Bellare, M.; Rogaway, P.; Wagner, D. (2003-09-09). "EAX: A Conventional Authenticated-Encryption Mode". IACR . Retrieved 2017-08-15.
  2. Bellare, Mihir; Rogaway, Phillip; Wagner, David (April 2003). "The EAX Mode of Operation (A Two-Pass Authenticated Encryption Scheme Optimized for Simplicity and Efficiency)". Fast Software Encryption (FSE) 2004. Retrieved 2017-08-15.
  3. Minematsu, Kazuhiko; Lucks, Stefan; Morita, Hiraku; Iwata, Tetsu (2013-05-14). "Attacks and Security Proofs of EAX-Prime". IACR. Retrieved 2017-08-15.
  4. Minematsu, Kazuhiko (2012-01-14). "NEC security evaluation report on EAXprime" (PDF). Letter to NIST. Archived from the original (PDF) on 2013-03-02. Via Public Comments, Block Cipher Modes, csrc.nist.gov, archived 2012-05-03.

Software implementations

Hardware implementations