The EAX Mode of Operation (A Two-Pass Authenticated-Encryption Scheme Optimized for Simplicity and Efficiency)

We propose a block-cipher mode of operation, EAX, for solving the problem of authenticated-encryptionwith associated-data (AEAD). Given a nonce N , a message M , and a header H , our mode protects theprivacy of M and the authenticity of both M and H . Strings N , M , and H are arbitrary bit strings, andthe mode uses 2 |M |/n + |H|/n + |N |/n block-cipher calls when these strings are nonempty and nis the block length of the underlying block cipher. Among EAX’s characteristics are that it is on-line (thelength of a message isn’t needed to begin processing it) and a fixed header can be pre-processed, effectivelyremoving the per-message cost of binding it to the ciphertext.EAX is obtained by first creating a generic-composition method, EAX2, and then collapsing its two keysinto one. EAX is provably secure under a standard complexity-theoretic assumption. The proof of this factis novel and involved.EAX is an alternative to CCM [26], which was created to answer the wish within standards bodies for afully-specified and patent-free AEAD mode. As such, CCM and EAX are two-pass schemes, with one passfor achieving privacy and one for authenticity. EAX is simpler and more efficient than CCM, avoiding, forexample, elaborate padding rules or nonstandard parameters. With EAX we aimed to do as well as possible,within the space of two-pass schemes, with regard to issues of efficiency, simplicity, elegance, ease of correctuse, and provable-security guarantees.