The EAX Mode of Operation

  • Mihir Bellare
  • Phillip Rogaway
  • David Wagner
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3017)


We propose a block-cipher mode of operation, EAX, for solving the problem of authenticated-encryption with associated-data (AEAD). Given a nonce N, a message M, and a header H, our mode protects the privacy of M and the authenticity of both M and H. Strings NM, and H are arbitrary bit strings, and the mode uses 2 lceil |M|/nrceil + lceil |H|/nrceil + lceil |N|/ nrceil block-cipher calls when these strings are nonempty and n is the block length of the underlying block cipher. Among EAX’s characteristics are that it is on-line (the length of a message isn’t needed to begin processing it) and a fixed header can be pre-processed, effectively removing the per-message cost of binding it to the ciphertext.


Authenticated encryption CCM EAX message authentication CBC MAC modes of operation OMAC provable security 


  1. 1.
    Bellare, M., Desai, A., Jokipii, E., Rogaway, P.: A concrete security treatment of symmetric encryption: Analysis of the DES modes of operation. In: Proceedings of the 38th Symposium on Foundations of Computer Science. IEEE, Los Alamitos (1997)Google Scholar
  2. 2.
    Bellare, M., Guérin, R., Rogaway, P.: XOR MACs: New methods for message authentication using finite pseudorandom functions. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 15–28. Springer, Heidelberg (1995)Google Scholar
  3. 3.
    Bellare, M., Goldreich, O., Krawczyk, H.: Stateless evaluation of pseudorandom functions: Security beyond the birthday barrier. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 1–15. Springer, Heidelberg (1996)Google Scholar
  4. 4.
    Bellare, M., Kilian, J., Rogaway, P.: The security of the cipher block chaining message authentication code. Journal of Computer and System Sciences (JCSS) 61(3), 362–399 (2000)zbMATHCrossRefMathSciNetGoogle Scholar
  5. 5.
    Bellare, M., Kohno, T., Namprempre, C.: Authenticated encryption in SSH: provably fixing the SSH binary packet protocol. In: Proceedings of the 9th Annual Conference on Computer and Communications Security. ACM, New York (2002)Google Scholar
  6. 6.
    Bellare, M., Namprempre, C.: Authenticated encryption: Relations among notions and analysis of the generic composition paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, p. 531. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  7. 7.
    Bellare, M., Rogaway, P.: Encode-then-encipher encryption: How to exploit nonces or redundancy in plaintexts for efficient encryption. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, p. 317. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  8. 8.
    Bellare, M., Rogaway, P., Wagner, D.: The EAX mode of operation (A two- Pass authenticated-encryption scheme optimized for simplicity and efficiency). Full version of this paper, available via,
  9. 9.
    Black, J.A., Rogaway, P.: CBC MACs for arbitrary-length messages: The threekey constructions. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, p. 197. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  10. 10.
    Ferguson, N., Whiting, D., Schneier, B., Kelsey, J., Lucks, S., Kohno, T.: Helix: Fast encryption and authentication in a single cryptographic primitive. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 330–346. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  11. 11.
    Gligor, V., Donescu, P.: Integrity-aware PCBC encryption. In: Malcolm, J.A., Christianson, B., Crispo, B., Roe, M. (eds.) Security Protocols 1999. LNCS, vol. 1796, pp. 153–171. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  12. 12.
    Gligor, V., Donescu, P.: Fast encryption and authentication: XCBC encryption and XECB authentication modes. Presented at the 2nd NIST Workshop on AES Modes of Operation, Santa Barbara, CA, August 24 (2001)Google Scholar
  13. 13.
    Hawkes, P., Rose, G.: Primitive specification for SOBER-128. Cryptology ePrint Archive Report 2003/48 (April 2003)Google Scholar
  14. 14.
    Iwata, T., Kurosawa, K.: OMAC: One-key CBC MAC. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 129–153. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  15. 15.
    Iwata, T., Kurosawa, K.: Personal communications (January 2002)Google Scholar
  16. 16.
    Jonsson, J.: On the security of CTR + CBC-MAC. In: Nyberg, K., Heys, H.M. (eds.) SAC 2002. LNCS, vol. 2595, pp. 76–93. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  17. 17.
    Jutla, C.S.: Encryption modes with almost free message integrity. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, p. 529. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  18. 18.
    Katz, J., Yung, M.: Unforgeable encryption and adaptively secure modes of operation. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, p. 284. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  19. 19.
    Kohno, T., Viega, J., Whiting, D.: A high-performance conventional authenticated encryption mode. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 408–426. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  20. 20.
    Krawczyk, H.: The order of encryption and authentication for protecting communications (or: how Secure is SSL?). In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, p. 310. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  21. 21.
    Liskov, M., Rivest, R., Wagner, D.: Tweakable block ciphers. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 31–46. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  22. 22.
    McGrew, D., Viega, J.: Flexible and efficient message authentication in hardware and software (2003), Available from (manuscript)
  23. 23.
    Petrank, E., Rackoff, C.: CBC MAC for real-time data sources. Journal of Cryptology 13(3), 315–338 (2000)zbMATHCrossRefMathSciNetGoogle Scholar
  24. 24.
    Rogaway, P.: Authenticated-encryption with associated-data. In: Proceedings of the 9th Annual Conference on Computer and Communications Security (CCS-9), pp. 98–107. ACM, New York (2002)CrossRefGoogle Scholar
  25. 25.
    Rogaway, P., Bellare, M., Black, J.: OCB: A block-cipher mode of operation for efficient authenticated encryption. ACM Transactions on Information and System Security (TISSEC) 6(3), 365–403 (2003)CrossRefzbMATHGoogle Scholar
  26. 26.
    Whiting, D., Housley, R., Ferguson, N.: Counter with CBC-MAC (CCM) (June 2002), Available at

Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Mihir Bellare
    • 1
  • Phillip Rogaway
    • 2
    • 3
  • David Wagner
    • 4
  1. 1.Dept. of Computer Science & EngineeringUniversity of California at San DiegoLa JollaUSA
  2. 2.Department of Computer ScienceUniversity of California at DavisDavisUSA
  3. 3.Department of Computer Science, Faculty of ScienceChiang Mai UniversityChiang MaiThailand
  4. 4.Department of Electrical Engineering and Computer ScienceUniversity of California at BerkeleyBerkeleyUSA

Personalised recommendations