[Resource Topic] 2003/069: EAX: A Conventional Authenticated-Encryption Mode

Welcome to the resource topic for 2003/069

Title:
EAX: A Conventional Authenticated-Encryption Mode

Authors: M. Bellare, P. Rogaway, D. Wagner

Abstract:

We propose a block-cipher mode of operation, called EAX, for
authenticated-encryption with associated-data (AEAD). Given a nonce N, a
message M, and a header H, the mode protects the privacy of M and the
authenticity of both M and H. Strings N,M,H$ are arbitrary, and the mode uses
2\lceil |M|/n \rceil + \lceil |H|/n\rceil + \lceil |N|/n\rceil block-cipher
calls when these strings are nonempty and n is the block length of the
underlying block cipher. Among EAX’s characteristics are that it is on-line
(the length of a message isn’t needed to begin processing it) and a fixed
header can be pre-processed, effectively removing the per-message cost of
binding it to the ciphertext. EAX is obtained by instantiating a simple
generic-composition method, and then collapsing its two keys into one. EAX is
provably secure under a standard complexity-theoretic assumption.

EAX was designed in response to the expressed need of several
standardization bodies, including NIST, IETF and IEEE 802.11, for a patent-free
AEAD scheme. Such a scheme would have to be conventional, meaning it
would make two passes, one aimed at achieving privacy and one aimed at
achieving authenticity. EAX aims to fill this need by doing as well as
possible within the space of conventional schemes with regard to issues of
efficiency, simplicity, elegance, ease of correct use, and provable-security
guarantees. EAX is an alternative to CCM.

ePrint: https://eprint.iacr.org/2003/069

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .