Cryptography Stack Exchange
Cryptography Stack Exchange

Questions tagged [eax]

An authenticated encryption mode of operation for a block cipher, based on the CTR mode and the OMAC/CMAC MAC algorithm.

EAX mode is an authenticated encryption mode of operation for a block cipher. It takes a block cipher as a primitive, and provides both privacy and integrity services for arbitrary messages.

See the wikipedia page for more information.

19 questions
12
votes
0 answers

Do CCM and EAX provide key commitment?

In an interesting paper called "Partitioning Oracle Attacks" by Julia Len, Paul Grubbs & Thomas Ristenpart an attack is presented on 1.5 pass AEAD schemes that utilize GMAC (GCM, AES-GCM, AES-GCM-SIV) and Poly1305 which is often used with a…
Maarten Bodewes
  • 96,351
  • 14
  • 169
  • 323
10
votes
1 answer

How to use GCM mode and associated-data properly

I'm currently migrating a project to use the bouncy castle GCM mode. I understand that using an authenticated mode removes the need for a HMAC, however I want to be sure that I'm using this mode correctly. When applying a HMAC to ciphertext, I…
hunter
  • 4,051
  • 6
  • 29
  • 42
8
votes
2 answers

Does EAX require padding to be secure?

I have been seeing code using "AES/EAX/NoPadding" but I'm also aware that padding schemes are supported for AES-EAX. I would like to know if choosing NoPadding as a padding scheme has security implications for EAX mode of operation. Thanks!
twrch
  • 83
  • 3
7
votes
2 answers

Is using EAX mode with a 64-bit block cipher a bad idea?

EAX mode produces an authentication tag no longer than the length of the underlying cipher's blocksize. So in the case of using Blowfish (a 64-bit block cipher) in EAX mode, the resulting tag would be 8 bytes. Is an 8-byte tag sufficiently long (I…
hunter
  • 4,051
  • 6
  • 29
  • 42
5
votes
1 answer

EAX cipher mode with nonce equal header

I am using EAX AEAD with an 8-byte message header which carries a 32-bit sequence number, a message length, and some other bits that I don't mind exposing. Assuming the sequence number never repeats for the same key, is there any security…
user1055568
  • 167
  • 6
4
votes
2 answers

Is it possible to insert a key derivation function when using EAX?

I am currently investigating use of EAX mode for a dedicated application and following useful clarifications received from my previous post , to consider according to my applicable input security requirements (separate keys for encryption and…
william_fr
  • 653
  • 5
  • 15
4
votes
1 answer

Does EAX use the same keys for encryption and authentication?

I am actually checking use of EAX AEAD mode, and following EAX spec review (scheme definition for my part), my question is: what about the derivation of the authentication and encryption keys? In the described scheme the same input key $K$ appears…
william_fr
  • 653
  • 5
  • 15
4
votes
1 answer

Why is EAX not a generic composition?

In the document http://web.cs.ucdavis.edu/~rogaway/papers/eax.pdf (p. 7) Rogaway et. al. state that EAX is not a generic composition of an encryption and an authentication method. The EAX algorithm is given in the following Image: (the image is…
user120513
  • 175
  • 5
4
votes
1 answer

Authenticated Encryption with smallest Overhead (Input and Output)

I'm searching for the authenticated encryption algorithm that produces/requires the least overhead in total. This includes the authentication tag that it produces and the additional input that has to be sent along the message for a secure use of the…
budderick
  • 435
  • 3
  • 11
4
votes
1 answer

Using scrypt to generate key + IV/nonce together

Is there any security issue in using scrypt for Key + IV/nonce generation? In other words, can I safely use only a salt for scrypt and derive the nonce along with the key? For example: I have data I want to encrypt using password and AES in EAX…
Quark
  • 173
  • 6
4
votes
1 answer

What "Tag Length" should be used for the EAX MAC?

Since EAX is very flexible with regard to the length of the calculated MAC (what they call "tag" is the MAC value right?), and the EAX paper as well as other documentations carefully avoid suggesting any value for the length of the MAC, is there…
Dexter
  • 647
  • 1
  • 6
  • 10
4
votes
1 answer

Authenticating Very Short (Sub-Block) Data

If I'm encrypting very short/small data - like an int or a long (32 or 64 bits), does it make any sense to authenticate the ciphertext, when using an "online" mode of operation (like EAX)? Essentially, guessing the plain text would (assuming no…
Dexter
  • 647
  • 1
  • 6
  • 10
2
votes
1 answer

How is the EAX-mode used in EAP-PSK (RFC 4764)?

According to the specification of RFC 4764, contents in EAP's third message and fourth message are required to be encrypted by AES-128 in EAX mode (also called protected channel). In RFC 4764, the length of ciphertext is as the same as the length of…
Ryan
  • 21
  • 1
2
votes
1 answer

EAX: OMAC and CMAC

OMAC is specified as the underlying algorithm to provide authentication within the EAX authenticated encryption (with associated data). Would that be OMAC1 or OMAC2? If it is OMAC1, does that mean it is identical to AES-CMAC if EAX mode uses the AES…
Maarten Bodewes
  • 96,351
  • 14
  • 169
  • 323
2
votes
1 answer

Is this EAX extension weakening the (provable) security of EAX?

I would like to insert a key deriving function into EAX mode, in order to hamper brute-force attacks for a key-size restricted cipher (56 bits). The modification inserts an identical multi-block pattern $S$ behind the corresponding tweaks: Original:…
hidden
  • 21
  • 2
1
2