NIST Logo and ITL Banner Link to the NIST Homepage Link to the ITL Homepage Link to the NIST Homepage
Search CSRC:

Modes Development

Proposed Modes

This page contains links to the proposols for block cipher modes of operation (modes, for short) that have been submitted to NIST for consideration.

NIST maintains this page in order to facilitate public review of the modes; comments may be submitted to EncryptionModes@nist.gov.

Appearance of a mode in this list does not constitute endorsement or approval by NIST. See the Current Modes page for descriptions of the modes that are currently approved.

For each proposal below, links are given to the available documentation, as described in the following list of abbreviations:

Abbreviations for "Available Documentation"

(The links within the key table itself refer to the corresponding section of the submission guidelines)

All documentation is provided on a voluntary basis by the submitters. In particular, if there is no active link to an intellectual property statement, then the submitter has not provided one to NIST.

The modes proposals are organized into the four tables below:
Back to Top

Authenticated Encryption Modes

Mode Full Mode Name Available Documentation
CCM Counter with CBC-MAC
R. Housley, D. Whiting, N. Ferguson
(Posted June 3, 2002)
SP | AD1 | AD2
IP | TV | SU
CS Cipher-State
R. Schroeppel
(Posted May 7, 2004)
SP | AD | IP
TV | SU
CWC Carter Wegman (authentication) with Counter (encryption)
T. Kohno, J. Viega, D. Whiting
(Posted June 9, 2003)
SP | AD | IP
TV | SU
EAX A Conventional Authenticated-Encryption Mode
M. Bellare, P. Rogaway, D. Wagner
(Posted October 3, 2003)
SP | AD | IP
TV | SU
GCM Galois/Counter Mode
D. McGrew, J. Viega
(Revised specifcation posted June 2, 2005)
SP | AD1 | AD2
IP | TV | SU
IACBC Integrity Aware Cipher Block Chaining
C. Jutla
SP | AD | IP
TV | SU
IAPM Integrity Aware Parallelizable Mode
C. Jutla
SP | AD1 | AD2
AD3 | IP | TV | SU
OCB Offset Codebook
P. Rogaway
SP | AD | IP
CD | TV | SU
PCFB Propagating Cipher Feedback
H. Hellström
SP | AD | IP
TV | SU
SIV Synthetic IV
P. Rogaway, T. Shrimpton
(Posted September 11, 2007)
SP | AD | IP
TV1 | TV2 | SU
XCBC eXtended Cipher Block Chaining Encryption
V. Gligor, P. Donescu
SP | AD | IP
TV | SU
EAX' EAX' (EAX-prime) Cipher Mode
M. Burns, E. Beroset, A. Moise, T. Phinney
SP | AD | IP
TV | SU
RKC Random Key Chaining (RKC)
P. Kaushal, R. Sobti, G. Geetha
SP | AD | IP
TV | SU

Back to Top

Authentication Modes

Mode Full Mode Name Available Documentation
OMAC OMAC: One-Key CBC
T. Iwata, K. Kurosawa
(Posted December 20, 2002)
SP | AD | IP
TV | SU
PMAC Parallelizable Message Authentication Code
P. Rogaway
SP | AD | IP
CD | TV | SU
RMAC Randomized MAC
E. Jaulmes, A. Joux, F. Valette
SP | AD | IP
TV | SU
TMAC Two-Key CBC MAC
K. Kurosawa, T. Iwata
(Posted July 9, 2002)
SP | AD | IP
TV | SU
XCBC
(MAC)
Extended Cipher Block Chaining MAC
J. Black, P. Rogaway
SP | AD | IP
TV | SU
XECB
(MAC)
eXtended Electronic Code Book MAC
V. Gligor, P. Donescu
SP | AD | IP
TV | SU

Back to Top

Encryption Modes

Mode Full Mode Name Available Documentation
2DEM 2D-Encryption Mode
A. A. Belal, M. A. Abdel-Gawad
SP | AD | IP
CD | TV | SU
ABC Accumulated Block Chaining
L. Knudsen
SP | AD | IP
TV | SU
CTR Counter Mode Encryption
H. Lipmaa, P. Rogaway, D. Wagner
SP | AD | IP
TV | SU
FCEM Format Controlling Encryption Mode
U. Mattsson
(Posted Jun 30, 2009)
SP | AD | IP
TV | SU
FFX Format-preserving Feistel-based Encryption Mode
M. Bellare, P. Rogaway, T. Spies
(April 12, 2010: Version 1.1 replacing Version 1.0)
SP | SP2 | AD
IP1 | IP2| TV | SU
IGE Infinite Garble Extension
V. Gligor, P. Donescu
SP | AD | IP
TV | SU
BPS Format Preserving Encryption Proposal
E. Brier, T. Peyrin, J. Stern
SP | AD | IP
TV | SU
VFPE VISA Format Preserving Encryption
VISA USA Inc., Attention John Sheets or Kim R. Wagner
SP | AD | IP
TV | SU
CSPEM Character Set Preserving Encryption Mode
Gary S. Sarasin
SP | AD | IP
TV | SU

Back to Top

Other Modes

Mode Full Mode Name Available Documentation
KFB Key Feedback Mode
J. Håstad, M. Naslund
SP | AD | IP
TV | SU
*AES-
hash

(Hash)
AES-hash
B. Cohen
SP | AD | IP
TV | SU

* AES-hash as defined in the submission will not be adopted in the current development effort because it requires the Rijndael algorithm with a block size of 256 bits, not 128 bits (as specified in the AES). Rijndael has not been vetted with a block size other than 128 bits. Nevertheless, NIST will consider comments on this proposal and on the issues it raises: whether to develop a hash mode, and whether and how to develop/vet additional variants of the AES.