Editing Block cipher mode of operation (section)

=== Authenticated encryption with additional data (AEAD) modes ===
{{Main|Authenticated encryption}}
A number of modes of operation have been designed to combine secrecy and authentication in a single cryptographic primitive. Examples of such modes are ,<ref>{{cite conference |author-link1=Virgil D. Gligor |first1=Virgil D. |last1=Gligor |first2=Pompiliu |last2=Donescu |title=Fast Encryption and Authentication: XCBC Encryption and XECB Authentication Modes |conference=Fast Software Encryption 2001 |date=2002 |pages=92–108 |series=Lecture Notes in Computer Science |volume=2355 |url=https://link.springer.com/content/pdf/10.1007%2F3-540-45473-X_8.pdf |doi=10.1007/3-540-45473-X_8 |isbn=978-3-540-43869-4 |publisher=Springer |location=Berlin |editor-last=Matsui |editor-first=M.|doi-access=free }}</ref> {{clarify|text=integrity-aware cipher block chaining (IACBC)|date=August 2020}}, integrity-aware parallelizable mode (IAPM),<ref>{{cite conference |first=Charanjit S. |last=Jutla |title=Encryption Modes with Almost Free Message Integrity |conference=Eurocrypt 2001 |series=Lecture Notes in Computer Science |volume=2045 |date=May 2001 |doi= 10.1007/3-540-44987-6_32 |url=https://iacr.org/archive/eurocrypt2001/20450525.pdf |publisher=Springer|doi-access=free }}</ref> [[OCB mode|OCB]], [[EAX mode|EAX]], [[CWC mode|CWC]], [[CCM mode|CCM]], and [[Galois/counter mode|GCM]]. [[Authenticated encryption]] modes are classified as single-pass modes or double-pass modes.

In addition, some modes also allow for the authentication of unencrypted associated data, and these are called [[AEAD block cipher modes of operation|AEAD]] (authenticated encryption with associated data) schemes. For example, EAX mode is a double-pass AEAD scheme while OCB mode is single-pass.

===={{Anchor|GCM}}Galois/counter (GCM)====
{{Main article|Galois/Counter Mode}}
{{Infobox
|name         = 
|bodystyle    = 
|title        = 
|titlestyle   = 
|image        = 
|imagestyle   = 
|caption      = 
|captionstyle = 
|headerstyle  = background:#ccf;
|labelstyle   = background:#ddf;
|datastyle    =
|header1 = GCM
|label1  = 
|data1   = 
|header2 = 
|label2  = 
|data2   = Galois/counter
|header3 = 
|label3  = Encryption parallelizable
|data3   = Yes
|header4 = 
|label4  = Decryption parallelizable
|data4   = Yes
|header5 = 
|label5  = Random read access
|data5   = Yes
|belowstyle = background:#ddf;
|below = 
}}

Galois/counter mode (GCM) combines the well-known counter mode of encryption with the new Galois mode of authentication. The key feature is the ease of parallel computation of the Galois field multiplication used for authentication. This feature permits higher throughput than encryption algorithms.

GCM is defined for block ciphers with a block size of 128 bits. Galois message authentication code (GMAC) is an authentication-only variant of the GCM which can form an incremental message authentication code. Both GCM and GMAC can accept initialization vectors of arbitrary length. GCM can take full advantage of parallel processing and implementing GCM can make efficient use of an [[instruction pipeline]] or a hardware pipeline. The CBC mode of operation incurs [[pipeline stall]]s that hamper its efficiency and performance.

Like in CTR, blocks are numbered sequentially, and then this block number is combined with an IV and encrypted with a block cipher {{math|E}}, usually AES. The result of this encryption is then XORed with the plaintext to produce the ciphertext. Like all counter modes, this is essentially a stream cipher, and so it is essential that a different IV is used for each stream that is encrypted.



{{multiple image
| header = Galois/Counter (GCM)
| width=512
| align = center
| direction = vertical
| image1 = GCM-Galois Counter Mode with IV.svg
| caption1 = GCM mode encryption
}}

The ciphertext blocks are considered coefficients of a [[polynomial]] which is then evaluated at a key-dependent point {{math|H}}, using [[finite field arithmetic]]. The result is then encrypted, producing an [[authentication tag]] that can be used to verify the integrity of the data. The encrypted text then contains the IV, ciphertext, and authentication tag.

==== Counter with cipher block chaining message authentication code (CCM) ====
{{main|CCM mode}}
''Counter with cipher block chaining message authentication code'' (counter with CBC-MAC; CCM) is an [[authenticated encryption]] algorithm designed to provide both authentication and confidentiality.  CCM mode is only defined for block ciphers with a block length of 128 bits.<ref name="NIST SP800-38C">{{cite tech report
| first = Morris | last = Dworkin
| title = Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality
| institution = [[National Institute of Standards and Technology|NIST]]
| series = NIST Special Publications
| number = 800-38C
| date = May 2004
| doi = 10.6028/NIST.SP.800-38C
| url = http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38c.pdf
| doi-access = free
}}</ref><ref name="RFC3610">{{cite IETF
| title = Counter with CBC-MAC (CCM)
| rfc = 3610
| first1 = D. | last1 = Whiting
| first2 = R. | last2 = Housley
| first3 = N. | last3 = Ferguson
| publisher = [[Internet Engineering Task Force|IETF]]
| date=September 2003
}}</ref>

==== Synthetic initialization vector (SIV) ====

Synthetic initialization vector (SIV) is a nonce-misuse resistant block cipher mode.

SIV synthesizes an internal IV using the pseudorandom function S2V. S2V is a keyed hash based on CMAC, and the input to the function is:
* Additional authenticated data (zero, one or many AAD fields are supported)
* Plaintext
* Authentication key (K{{sub|1}}).

SIV encrypts the S2V output and the plaintext using AES-CTR, keyed with the encryption key (K{{sub|2}}).

SIV can support external nonce-based authenticated encryption, in which case one of the authenticated data fields is utilized for this purpose. RFC5297<ref>{{cite web |last1=Harkins |first1=Dan |title=Synthetic Initialization Vector (SIV) Authenticated Encryption Using the Advanced Encryption Standard (AES) |date=October 2008 |url=https://tools.ietf.org/html/rfc5297 |access-date=21 October 2020}}</ref> specifies that for interoperability purposes the last authenticated data field should be used external nonce.

Owing to the use of two keys, the authentication key K{{sub|1}} and encryption key K{{sub|2}}, naming schemes for SIV AEAD-variants may lead to some confusion; for example AEAD_AES_SIV_CMAC_256 refers to AES-SIV with two AES-128 keys and '''not''' AES-256.

==== AES-GCM-SIV ====

[[AES-GCM-SIV]] is a mode of operation for the Advanced Encryption Standard which provides similar performance to Galois/counter mode as well as misuse resistance in the event of the reuse of a cryptographic nonce. The construction is defined in RFC 8452.<ref>{{cite IETF |title=AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption |rfc=8452 |last1=Gueron |first1=S. |date=April 2019 |publisher=[[Internet Engineering Task Force|IETF]] |access-date=August 14, 2019 |doi=10.17487/RFC8452}}</ref>

AES-GCM-SIV synthesizes the internal IV. It derives a hash of the additional authenticated data and plaintext using the POLYVAL Galois hash function. The hash is then encrypted an AES-key, and used as authentication tag and AES-CTR initialization vector.

'''AES-GCM-SIV''' is an improvement over the very similarly named algorithm '''GCM-SIV''', with a few very small changes (e.g. how AES-CTR is initialized), but which yields practical benefits to its security "This addition allows for encrypting up to 2<sup>50</sup> messages with the same key, compared to the significant limitation of only 2<sup>32</sup> messages that were allowed with GCM-SIV."<ref>{{cite journal |last1=Gueron |first1=Shay |last2=Langley |first2=Adam |last3=Lindell |first3=Yehuda |title=AES-GCM-SIV: Specification and Analysis |journal=Cryptology ePrint Archive |date=14 Dec 2018 |volume=Report |issue=2017/168 |url=https://eprint.iacr.org/2017/168 |access-date=19 October 2020}}</ref>