This page contains links to the proposols for block cipher modes of operation (modes, for short) that have been submitted to NIST for consideration.
NIST maintains this page in order to facilitate public review of the modes; comments may be submitted to EncryptionModes@nist.gov.
Appearance of a mode in this list does not constitute endorsement or approval by NIST. See the Current Modes page for descriptions of the modes that are currently approved.
For each proposal below, links are given to the available documentation, as described in the following list of abbreviations:
|
|
(The links within the key table itself refer to the corresponding section of the submission guidelines)
All documentation is provided on a voluntary basis by the submitters. In particular, if there is no active link to an intellectual property statement, then the submitter has not provided one to NIST.
The modes proposals are organized into the four tables below:Mode | Full Mode Name | Available Documentation |
CCM | Counter with CBC-MAC R. Housley, D. Whiting, N. Ferguson (Posted June 3, 2002) |
SP |
AD1 |
AD2 IP | TV | SU |
CS |
Cipher-State R. Schroeppel (Posted May 7, 2004) |
SP |
AD |
IP TV | SU |
CWC |
Carter Wegman (authentication) with Counter (encryption) T. Kohno, J. Viega, D. Whiting (Posted June 9, 2003) |
SP |
AD |
IP TV | SU |
EAX |
A Conventional Authenticated-Encryption Mode M. Bellare, P. Rogaway, D. Wagner (Posted October 3, 2003) |
SP |
AD |
IP TV | SU |
GCM |
Galois/Counter Mode D. McGrew, J. Viega (Revised specifcation posted June 2, 2005) |
SP |
AD1 |
AD2 IP | TV | SU |
IACBC |
Integrity Aware Cipher Block Chaining C. Jutla |
SP |
AD |
IP TV | SU |
IAPM |
Integrity Aware Parallelizable Mode C. Jutla |
SP |
AD1 |
AD2 AD3 | IP | TV | SU |
OCB |
Offset Codebook P. Rogaway |
SP |
AD |
IP CD | TV | SU |
PCFB |
Propagating Cipher Feedback H. Hellström |
SP |
AD |
IP TV | SU |
SIV | Synthetic IV P. Rogaway, T. Shrimpton (Posted September 11, 2007) |
SP | AD | IP TV1 | TV2 | SU |
XCBC |
eXtended Cipher Block Chaining Encryption V. Gligor, P. Donescu |
SP |
AD |
IP TV | SU |
EAX' |
EAX' (EAX-prime) Cipher Mode M. Burns, E. Beroset, A. Moise, T. Phinney |
SP | AD |
IP TV | SU |
RKC | Random Key Chaining (RKC) P. Kaushal, R. Sobti, G. Geetha |
SP | AD | IP TV | SU |
Mode | Full Mode Name | Available Documentation |
OMAC |
OMAC: One-Key CBC T. Iwata, K. Kurosawa (Posted December 20, 2002) |
SP |
AD |
IP TV | SU |
PMAC |
Parallelizable Message Authentication Code P. Rogaway |
SP |
AD |
IP CD | TV | SU |
RMAC |
Randomized MAC E. Jaulmes, A. Joux, F. Valette |
SP |
AD |
IP TV | SU |
TMAC |
Two-Key CBC MAC K. Kurosawa, T. Iwata (Posted July 9, 2002) |
SP |
AD |
IP TV | SU |
XCBC (MAC) |
Extended Cipher Block Chaining MAC J. Black, P. Rogaway |
SP |
AD |
IP TV | SU |
XECB (MAC) |
eXtended Electronic Code Book MAC V. Gligor, P. Donescu |
SP |
AD |
IP TV | SU |
Mode | Full Mode Name | Available Documentation |
2DEM |
2D-Encryption Mode A. A. Belal, M. A. Abdel-Gawad |
SP |
AD |
IP CD | TV | SU |
ABC |
Accumulated Block Chaining L. Knudsen |
SP |
AD |
IP TV | SU |
CTR |
Counter Mode Encryption H. Lipmaa, P. Rogaway, D. Wagner |
SP |
AD |
IP TV | SU |
FCEM | Format Controlling Encryption Mode U. Mattsson (Posted Jun 30, 2009) |
SP |
AD |
IP TV | SU |
FFX | Format-preserving Feistel-based Encryption Mode M. Bellare, P. Rogaway, T. Spies (April 12, 2010: Version 1.1 replacing Version 1.0) |
SP |
SP2 |
AD IP1 | IP2| TV | SU |
IGE |
Infinite Garble Extension V. Gligor, P. Donescu |
SP |
AD |
IP TV | SU |
BPS |
Format Preserving Encryption Proposal E. Brier, T. Peyrin, J. Stern |
SP |
AD |
IP TV | SU |
VFPE |
VISA Format Preserving Encryption VISA USA Inc., Attention John Sheets or Kim R. Wagner |
SP |
AD | IP TV | SU |
CSPEM |
Character Set Preserving Encryption Mode Gary S. Sarasin |
SP |
AD | IP TV | SU |
Mode | Full Mode Name | Available Documentation |
KFB |
Key Feedback Mode J. Håstad, M. Naslund |
SP |
AD |
IP TV | SU |
*AES- hash (Hash) |
AES-hash B. Cohen |
SP |
AD |
IP TV | SU |
* AES-hash as defined in the submission will not be adopted in the current development effort because it requires the Rijndael algorithm with a block size of 256 bits, not 128 bits (as specified in the AES). Rijndael has not been vetted with a block size other than 128 bits. Nevertheless, NIST will consider comments on this proposal and on the issues it raises: whether to develop a hash mode, and whether and how to develop/vet additional variants of the AES.