EAX mode

from Wikipedia, the free encyclopedia

EAX mode is a mode of operation for cryptographic block ciphers.

Development

It is an authenticated encryption mode with associated data (Authenticated Encryption with Associated Data; AEAD), developed to provide both authentication and confidentiality of messages (so-called authenticated encryption). This is achieved with two passes per block: one pass for confidentiality and one pass for authentication. EAX mode was submitted to NIST on October 3, 2003 for standardization, with the aim of replacing CCM mode as the standard AEAD mode, because CCM lacks various properties and is more complex than EAX.

Encryption and authentication

EAX is a flexible, nonce-based AEAD scheme that works in two passes, places no requirements on the block cipher used or on its block size, and supports messages of any length. The length of the generated authentication tag can be chosen freely, up to the block size. The underlying block cipher is used in CTR mode for encryption and then as OMAC for authentication. Both steps are carried out for each block and combined using the method described in the standard. This way of combining them can be seen as a specialization of the more general "EAX2 method", which the underlying paper "The EAX Mode of Operation" describes for its security proof.

The reference implementation in the submission uses AES as the block cipher, so EAX is often regarded as a mode of AES, but it is in principle independent of AES.
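The composition described above (CTR for encryption, OMAC for authentication, an adjustable tag length), written out as an added example that is not part of the original article or of the EAX submission. Because the Python standard library has no AES, `E` is a stand-in for the block cipher built from HMAC-SHA-256 truncated to 16 bytes; that choice and all function names are assumptions of this example, and its output is not interoperable with AES-EAX.

```python
import hashlib
import hmac

BLOCK = 16  # block size in bytes for this example; EAX works for any block size

def E(key, block):
    # Stand-in for the block cipher E_K (assumption of this example). EAX only
    # calls the cipher in the forward direction, so a 16-byte PRF can play it.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input

def dbl(block):
    # Multiply by x in GF(2^128); OMAC derives its two subkeys this way.
    v = int.from_bytes(block, "big") << 1
    return ((v % (1 << 128)) ^ (0x87 if v >> 128 else 0)).to_bytes(BLOCK, "big")

def omac(key, t, data):
    # OMAC^t: OMAC over a one-block encoding of the tweak t, followed by data.
    msg = t.to_bytes(BLOCK, "big") + data
    k = dbl(E(key, bytes(BLOCK)))
    *body, last = [msg[i:i + BLOCK] for i in range(0, len(msg), BLOCK)]
    if len(last) < BLOCK:  # short final block: pad with 10* and double again
        last, k = last + b"\x80" + bytes(BLOCK - len(last) - 1), dbl(k)
    mac = bytes(BLOCK)
    for blk in body + [xor(last, k)]:
        mac = E(key, xor(mac, blk))
    return mac

def ctr(key, start, data):
    # CTR mode: XOR data with E_K(start), E_K(start + 1), ... (mod 2^128).
    c, out = int.from_bytes(start, "big"), bytearray()
    for i in range(0, len(data), BLOCK):
        pad = E(key, ((c + i // BLOCK) % (1 << 128)).to_bytes(BLOCK, "big"))
        out += xor(data[i:i + BLOCK], pad)
    return bytes(out)

def eax_encrypt(key, nonce, header, msg, tag_len=BLOCK):
    n = omac(key, 0, nonce)   # tweak 0: nonce, doubles as the CTR start value
    ct = ctr(key, n, msg)     # pass 1: confidentiality
    # pass 2: tweak 1 authenticates the header, tweak 2 the ciphertext
    return ct, xor(xor(n, omac(key, 1, header)), omac(key, 2, ct))[:tag_len]

def eax_decrypt(key, nonce, header, ct, tag, tag_len=BLOCK):
    n = omac(key, 0, nonce)
    want = xor(xor(n, omac(key, 1, header)), omac(key, 2, ct))[:tag_len]
    if not hmac.compare_digest(want, tag):  # also rejects a wrong-length tag
        raise ValueError("authentication failed")  # no plaintext is released
    return ctr(key, n, ct)
```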

Performance

Because EAX makes two passes for each block, it is slower than other AEAD methods that need only one pass. Even so, EAX has several useful properties:

  • Proven security, based on the security of the underlying block cipher
  • No expansion of the message, apart from the authentication tag, which must also be transmitted
  • Since encryption uses only the CTR mode of the block cipher, the implementation can be simpler in certain cases, which is particularly useful for hardware implementations
  • The mode is "online", so it can be used for data streams of unknown length without using more than constant memory
  • In addition to the encrypted message, additional data can also be authenticated, which can be used, for example, for session parameters or metadata

CCM mode, which EAX is intended to replace, does not have the last two properties listed.

Patent situation

The inventors of EAX mode, Mihir Bellare, Phillip Rogaway and David Wagner, have made their proposal available to the public and have stated that they are not aware of any patents covering the mode. It is therefore assumed that EAX mode is patent-free and can be used as required.

References

  1. http://www.cs.ucdavis.edu/~rogaway/papers/eax.pdf