International Association for Cryptologic Research

International Association
for Cryptologic Research


Paper: EAX: A Conventional Authenticated-Encryption Mode

Mihir Bellare
P. Rogaway
D. Wagner
Search ePrint
Search Google
Abstract: We propose a block-cipher mode of operation, called EAX, for authenticated-encryption with associated-data (AEAD). Given a nonce N, a message M, and a header H, the mode protects the privacy of M and the authenticity of both M and H. Strings N,M,H$ are arbitrary, and the mode uses $2\lceil |M|/n \rceil + \lceil |H|/n\rceil + \lceil |N|/n\rceil$ block-cipher calls when these strings are nonempty and n is the block length of the underlying block cipher. Among EAX's characteristics are that it is on-line (the length of a message isn't needed to begin processing it) and a fixed header can be pre-processed, effectively removing the per-message cost of binding it to the ciphertext. EAX is obtained by instantiating a simple generic-composition method, and then collapsing its two keys into one. EAX is provably secure under a standard complexity-theoretic assumption. EAX was designed in response to the expressed need of several standardization bodies, including NIST, IETF and IEEE 802.11, for a patent-free AEAD scheme. Such a scheme would have to be conventional, meaning it would make two passes, one aimed at achieving privacy and one aimed at achieving authenticity. EAX aims to fill this need by doing as well as possible within the space of conventional schemes with regard to issues of efficiency, simplicity, elegance, ease of correct use, and provable-security guarantees. EAX is an alternative to CCM.
  title={EAX: A Conventional Authenticated-Encryption Mode},
  booktitle={IACR Eprint archive},
  keywords={secret-key cryptography / modes of operation},
  note={ 12304 received 13 Apr 2003, last revised 9 Sep 2003},
  author={Mihir Bellare and P. Rogaway and D. Wagner},