Block cipher mode of operation
==Other modes and other cryptographic primitives==

Many more modes of operation for block ciphers have been suggested. Some have been accepted, fully described (even standardized), and are in use. Others have been found insecure and should never be used. Still others do not fall into the categories of confidentiality, authenticity or authenticated encryption at all; key feedback mode and [[one-way compression function#Davies.E2.80.93Meyer|Davies–Meyer]] hashing are examples. [[NIST]] maintains a list of proposed modes for block ciphers at ''Modes Development''.<ref name="AESBlockDocumentation" /><ref>{{cite web |url=http://csrc.nist.gov/groups/ST/toolkit/BCM/modes_development.html |title=Modes Development – Block Cipher Techniques – CSRC |date=4 January 2017 |publisher=Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, U.S. Department of Commerce |access-date=28 April 2018 |url-status=live |archive-url=https://web.archive.org/web/20170904011624/http://csrc.nist.gov/groups/ST/toolkit/BCM/modes_development.html |archive-date=4 September 2017}}</ref>

Disk encryption often uses special-purpose modes designed specifically for that application. Tweakable narrow-block encryption modes ([[Disk encryption theory#Liskov.2C Rivest.2C and Wagner .28LRW.29|LRW]], [[Xor–encrypt–xor|XEX]], and [[XTS mode|XTS]]) and wide-block encryption modes ([[Disk_encryption_theory#CBC–mask–CBC_(CMC)_and_ECB–mask–ECB_(EME)|CMC]] and [[Disk_encryption_theory#CBC–mask–CBC_(CMC)_and_ECB–mask–ECB_(EME)|EME]]) are designed to securely encrypt sectors of a disk (see [[disk encryption theory]]).

Many modes use an initialization vector (IV) which, depending on the mode, must satisfy requirements such as being used only once with a given key (a nonce) or being unpredictable before it is published.

Reusing an IV with the same key in CTR, GCM or OFB mode results in XORing the same keystream with two or more plaintexts, a clear misuse of a keystream, with a catastrophic loss of security. Deterministic authenticated encryption modes such as the NIST [[Key Wrap]] algorithm and the SIV (RFC 5297) AEAD mode do not take an IV as input, and return the same ciphertext and authentication tag every time for a given plaintext and key. Other IV-misuse-resistant modes such as [[AES-GCM-SIV]] benefit from an IV input, for example in the maximum amount of data that can be safely encrypted with one key, while not failing catastrophically if the same IV is used more than once.

Block ciphers can also be used in other [[cryptographic protocol]]s. They are generally used in modes of operation similar to the block modes described here. As with all protocols, to be cryptographically secure, care must be taken to design these modes of operation correctly.

There are several schemes which use a block cipher to build a [[cryptographic hash function]]. See [[one-way compression function]] for descriptions of several such methods.

[[Cryptographically secure pseudorandom number generator]]s (CSPRNGs) can also be built using block ciphers.

[[Message authentication code]]s (MACs) are often built from block ciphers. [[CBC-MAC]], [[One-key MAC|OMAC]] and [[PMAC (cryptography)|PMAC]] are examples.
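Added example, not part of the article: Go using only the standard library's crypto/aes and crypto/cipher, showing the identity behind the IV-reuse warning for CTR mode (two ciphertexts made under one key and IV XOR to the XOR of their plaintexts, because the shared keystream cancels) next to a minimal guard that refuses to encrypt twice under the same IV. The function and type names are this example's own, and any key, IV or plaintext passed to them is constructed demo data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
)

// ctrEncrypt is plain AES-CTR (no authentication); a bad key or IV length panics.
func ctrEncrypt(key, iv, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	ct := make([]byte, len(pt))
	cipher.NewCTR(block, iv).XORKeyStream(ct, pt)
	return ct
}

// KeystreamCancels encrypts two equal-length plaintexts under one key and IV
// and reports whether ct1 XOR ct2 == pt1 XOR pt2 (the shared keystream drops out).
func KeystreamCancels(key, iv, pt1, pt2 []byte) bool {
	ct1, ct2 := ctrEncrypt(key, iv, pt1), ctrEncrypt(key, iv, pt2)
	for i := range pt1 {
		if ct1[i]^ct2[i] != pt1[i]^pt2[i] {
			return false
		}
	}
	return true
}

// IVTracker wraps ctrEncrypt and refuses to encrypt twice under the same IV; zero value is usable.
type IVTracker struct {
	Key  []byte
	seen map[string]bool
}

func (t *IVTracker) Encrypt(iv, pt []byte) ([]byte, error) {
	if len(iv) != aes.BlockSize {
		return nil, errors.New("IV must be exactly one block")
	}
	if t.seen[string(iv)] {
		return nil, errors.New("IV already used with this key: refusing to encrypt")
	}
	if t.seen == nil {
		t.seen = map[string]bool{}
	}
	t.seen[string(iv)] = true
	return ctrEncrypt(t.Key, iv, pt), nil
}
```

In a real system the record of used IVs would have to survive restarts, or, better, IVs would be derived from a persistent counter so that reuse cannot happen at all.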