
Block cipher mode of operation


be controversial; critics argued that "deliberately exposing a cryptosystem to a known systematic input represents an unnecessary risk". However, today CTR mode is widely accepted, and any problems are considered a weakness of the underlying block cipher, which is expected to be secure regardless of systemic bias in its input. Along with CBC, CTR mode is one of two block cipher modes recommended by Niels Ferguson and Bruce Schneier.
It might be observed, for example, that a one-block error in the transmitted ciphertext would result in a one-block error in the reconstructed plaintext for ECB mode encryption, while in CBC mode such an error would affect two blocks. Some felt that such resilience was desirable in the face of random
in many cases, since the attacker may be able to manipulate the entire IV–counter pair to cause a collision. Once an attacker controls the IV–counter pair and plaintext, XOR of the ciphertext with the known plaintext would yield a value that, when XORed with the ciphertext of the other block sharing
In CBC mode, the IV must be unpredictable (random or pseudorandom) at encryption time; in particular, the (previously) common practice of re-using the last ciphertext block of a message as the IV for the next message is insecure (for example, this method was used by SSL 2.0). If an attacker knows the
Many modes use an initialization vector (IV) which, depending on the mode, may have requirements such as being only used once (a nonce) or being unpredictable ahead of its publication, etc. Reusing an IV with the same key in CTR, GCM or OFB mode results in XORing the same keystream with two or more
Each output feedback block cipher operation depends on all previous ones, and so cannot be performed in parallel. However, because the plaintext or ciphertext is only used for the final XOR, the block cipher operations may be performed in advance, allowing the final step to be performed in parallel
GCM is defined for block ciphers with a block size of 128 bits. Galois message authentication code (GMAC) is an authentication-only variant of the GCM which can form an incremental message authentication code. Both GCM and GMAC can accept initialization vectors of arbitrary length. GCM can take full
For some keys, an all-zero initialization vector may cause some block cipher modes (CFB-8, OFB-8) to get their internal state stuck at all zeros. For CFB-8, an all-zero IV together with an all-zero plaintext causes 1/256 of keys to perform no encryption: the plaintext is returned as the ciphertext. For OFB-8, using
block by encrypting successive values of a "counter". The counter can be any function which produces a sequence which is guaranteed not to repeat for a long time, although an actual increment-by-one counter is the simplest and most popular. The usage of a simple deterministic input function used to
CFB may also self-synchronize in some special cases other than those specified. For example, a one-bit change in CFB-128 with an underlying 128-bit block cipher will re-synchronize after two blocks. (However, CFB-128 etc. will not handle bit loss gracefully; a one-bit loss will cause the decryptor
The CFB mode also requires an integer parameter, denoted s, such that 1 ≤ s ≤ b. In the specification of the CFB mode below, each plaintext segment (Pj) and ciphertext segment (Cj) consists of s bits. The value of s is sometimes incorporated into the name of the mode, e.g., the 1-bit CFB mode, the
take advantage of this property by prepending a single random block to the plaintext. Encryption is done as normal, except the IV does not need to be communicated to the decryption routine. Whatever IV decryption uses, only the random block is "corrupted". It can be safely discarded and the rest of
Decrypting with the incorrect IV causes the first block of plaintext to be corrupt but subsequent plaintext blocks will be correct. This is because each block is XORed with the ciphertext of the previous block, not the plaintext, so one does not need to decrypt the previous block before using it as
Galois/counter mode (GCM) combines the well-known counter mode of encryption with the new Galois mode of authentication. The key feature is the ease of parallel computation of the Galois field multiplication used for authentication. This feature permits higher throughput than encryption algorithms.
Many more modes of operation for block ciphers have been suggested. Some have been accepted, fully described (even standardized), and are in use. Others have been found insecure, and should never be used. Still others don't categorize as confidentiality, authenticity, or authenticated encryption –
block, producing a final ciphertext block that is the same size as the final partial plaintext block. This characteristic of stream ciphers makes them suitable for applications that require the encrypted ciphertext data to be the same size as the original plaintext data, and for applications that
If the IV/nonce is random, then they can be combined with the counter using any invertible operation (concatenation, addition, or XOR) to produce the actual unique counter block for encryption. In case of a non-random nonce (such as a packet counter), the nonce and counter should be concatenated
Using OFB mode with a partial block as feedback, as in CFB mode, reduces the average cycle length by a factor of 2^32 or more. A mathematical model proposed by Davies and Parkin and substantiated by experimental results showed that only with full feedback can an average cycle length near the obtainable
CFB-1 is considered self synchronizing and resilient to loss of ciphertext; "When the 1-bit CFB mode is used, then the synchronization is automatically restored b+1 positions after the inserted or deleted bit. For other values of s in the CFB mode, and for the other confidentiality modes in this
mode was designed to cause small changes in the ciphertext to propagate indefinitely when decrypting, as well as when encrypting. In PCBC mode, each block of plaintext is XORed with both the previous plaintext block and the previous ciphertext block before being encrypted. Like with CBC mode, an
CTR mode has similar characteristics to OFB, but also allows a random-access property during decryption. CTR mode is well suited to operate on a multi-processor machine, where blocks can be encrypted in parallel. Furthermore, it does not suffer from the short-cycle problem that can affect OFB.
The cryptographic community observed that compositing (combining) a confidentiality mode with an authenticity mode could be difficult and error prone. They therefore began to supply modes which combined confidentiality and data integrity into a single cryptographic primitive (an encryption
chained in MAC-then-encrypt order, any bit error should abort decryption completely and must not expose any specific bit errors to the decryptor; i.e. if decryption succeeds, there should be no bit errors at all. As a result, error propagation is a less important subject in modern cipher modes than in
be parallelized. Note that a one-bit change to the ciphertext causes complete corruption of the corresponding block of plaintext, and inverts the corresponding bit in the following block of plaintext, but the rest of the blocks remain intact. This peculiarity is exploited in different
CBC has been the most commonly used mode of operation. Its main drawbacks are that encryption is sequential (i.e., it cannot be parallelized), and that the message must be padded to a multiple of the cipher block size. One way to handle this last issue is through the method known as
, with a few very small changes (e.g. how AES-CTR is initialized), but which yields practical benefits to its security: "This addition allows for encrypting up to 2^50 messages with the same key, compared to the significant limitation of only 2^32 messages that were allowed with GCM-SIV."
An initialization vector (IV) or starting variable (SV) is a block of bits that is used by several modes to randomize the encryption and hence to produce distinct ciphertexts even if the same plaintext is encrypted multiple times, without the need for a slower re-keying process.
SIV can support external nonce-based authenticated encryption, in which case one of the authenticated data fields is utilized for this purpose. RFC 5297 specifies that for interoperability purposes the last authenticated data field should be used as the external nonce.
AES-GCM-SIV synthesizes the internal IV. It derives a hash of the additional authenticated data and plaintext using the POLYVAL Galois hash function. The hash is then encrypted with an AES key, and used as both the authentication tag and the AES-CTR initialization vector.
, usually AES. The result of this encryption is then XORed with the plaintext to produce the ciphertext. Like all counter modes, this is essentially a stream cipher, and so it is essential that a different IV is used for each stream that is encrypted.
An initialization vector has different security requirements than a key, so the IV usually does not need to be secret. For most block cipher modes it is important that an initialization vector is never reused under the same key, i.e. it must be a
is a mode of operation for the Advanced Encryption Standard which provides similar performance to Galois/counter mode as well as misuse resistance in the event of the reuse of a cryptographic nonce. The construction is defined in RFC 8452.
For OFB and CTR, reusing an IV causes key bitstream re-use, which breaks security. This can be seen because both modes effectively create a bitstream that is XORed with the plaintext, and this bitstream is dependent on the key and IV only.
Different cipher modes mask patterns by cascading outputs from the cipher block or other globally deterministic variables into the subsequent cipher block. The inputs of the listed modes are summarized in the following table:
It is possible to obtain an OFB mode keystream by using CBC mode with a constant string of zeroes as input. This can be useful, because it allows the usage of fast hardware implementations of CBC mode for OFB mode encryption.
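Added example (not part of the article): the CBC behaviour described on this page, namely the corruption pattern after a one-bit ciphertext change (the damaged block is garbled, the following block has exactly that bit inverted, all others survive), decryption with a wrong IV (only the first block is lost), and obtaining an OFB keystream by CBC-encrypting all-zero blocks, worked through in Python. AES is replaced by an assumed stand-in, a four-round SHA-256 Feistel network named here `toy_encrypt`/`toy_decrypt`; it is a permutation, which CBC decryption requires, but it is not a real cipher. The key, IV and messages are constructed sample values.

```python
import hashlib

BLOCK = 16            # 128-bit block, as for AES
HALF = BLOCK // 2
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, r: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([r]) + half).digest()[:HALF]


def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """Assumption: a 4-round SHA-256 Feistel network stands in for AES. It is a permutation
    (so it can be inverted, which CBC decryption needs) but it is not a real cipher."""
    left, right = block[:HALF], block[HALF:]
    for r in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, r, right))
    return left + right


def toy_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:HALF], block[HALF:]
    for r in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(key, r, left)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """C_i = E_K(P_i xor C_{i-1}) with C_0 = IV; the plaintext must already be padded to BLOCK."""
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """P_i = D_K(C_i) xor C_{i-1}: only the previous *ciphertext* block is needed, so any
    single block can be decrypted on its own and the work can be parallelised."""
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out.append(_xor(toy_decrypt(key, cur), prev))
        prev = cur
    return b"".join(out)


def flip_bit(data: bytes, bit: int) -> bytes:
    buf = bytearray(data)
    buf[bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)


def ciphertext_bitflip_effect(key: bytes, iv: bytes, plaintext: bytes, bit: int):
    """Flip one ciphertext bit and decrypt. Returns the indices of plaintext blocks that changed
    and the xor-difference in the block after the damaged one (expected: exactly that one bit)."""
    ct = cbc_encrypt(key, iv, plaintext)
    pt2 = cbc_decrypt(key, iv, flip_bit(ct, bit))
    nblocks = len(plaintext) // BLOCK
    changed = [i for i in range(nblocks)
               if pt2[i * BLOCK:(i + 1) * BLOCK] != plaintext[i * BLOCK:(i + 1) * BLOCK]]
    nxt = bit // (8 * BLOCK) + 1
    diff = _xor(pt2[nxt * BLOCK:(nxt + 1) * BLOCK], plaintext[nxt * BLOCK:(nxt + 1) * BLOCK])
    return changed, diff


def ofb_keystream_direct(key: bytes, iv: bytes, nblocks: int) -> bytes:
    """O_i = E_K(O_{i-1}) with O_0 = IV."""
    out, o = [], iv
    for _ in range(nblocks):
        o = toy_encrypt(key, o)
        out.append(o)
    return b"".join(out)


def ofb_keystream_via_cbc(key: bytes, iv: bytes, nblocks: int) -> bytes:
    """CBC-encrypting all-zero blocks computes E_K(0 xor C_{i-1}) = E_K(C_{i-1}): the OFB keystream."""
    return cbc_encrypt(key, iv, bytes(nblocks * BLOCK))


if __name__ == "__main__":
    key, iv = b"\x11" * BLOCK, bytes(range(BLOCK))          # constructed sample key and IV
    pt = b"A" * BLOCK + b"B" * BLOCK + b"C" * BLOCK + b"D" * BLOCK
    ct = cbc_encrypt(key, iv, pt)
    changed, diff = ciphertext_bitflip_effect(key, iv, pt, 8 * BLOCK + 5)   # bit 5 of block 1
    print("blocks changed by one flipped ciphertext bit:", changed, "next-block diff:", diff.hex())
    wrong = cbc_decrypt(key, bytes(BLOCK), ct)               # decrypt with the wrong (all-zero) IV
    print("wrong IV: first block intact?", wrong[:BLOCK] == pt[:BLOCK],
          "rest intact?", wrong[BLOCK:] == pt[BLOCK:])
    print("OFB keystream via CBC of zeros matches direct OFB:",
          ofb_keystream_via_cbc(key, iv, 3) == ofb_keystream_direct(key, iv, 3))
```

The bit-flip result is exactly what makes CBC malleable without authentication: an attacker who knows part of a plaintext block can set chosen bits in it by flipping the corresponding bits of the preceding ciphertext block, at the cost of garbling that preceding block.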
IV (or the previous block of ciphertext) before the next plaintext is specified, they can check their guess about plaintext of some block that was encrypted with the same key before (this is known as the TLS CBC IV attack).
(e.g., storing the nonce in the upper 64 bits and the counter in the lower 64 bits of a 128-bit counter block). Simply adding or XORing the nonce and counter into a single value would break the security under a
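Added example (not part of the article): the CTR counter-block layouts discussed above and the two failure modes that follow from them, nonce and counter combined by addition (so a second message's first block reuses the first message's second keystream block) and a nonce reused under one key (so the XOR of the two ciphertexts is the XOR of the plaintexts), worked through in Python. The forward direction of the block cipher is an assumed stand-in, SHA-256 truncated to one block and named here `block_encrypt`, which is enough because CTR never calls the inverse; the key, nonces and messages are constructed sample values.

```python
import hashlib

BLOCK = 16


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Assumption: SHA-256 truncated to one block stands in for AES's forward direction;
    # CTR never needs the inverse, so the mode logic below is unchanged.
    return hashlib.sha256(key + block).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def counter_block_concat(nonce: int, i: int) -> bytes:
    """Recommended layout from the text: 64-bit nonce in the upper half, 64-bit block index below."""
    return nonce.to_bytes(8, "big") + i.to_bytes(8, "big")


def counter_block_add(nonce: int, i: int) -> bytes:
    """The broken layout from the text: nonce and block index added into one 128-bit value."""
    return ((nonce + i) % (1 << 128)).to_bytes(BLOCK, "big")


def ctr_keystream(key: bytes, nonce: int, nblocks: int, layout=counter_block_concat) -> bytes:
    return b"".join(block_encrypt(key, layout(nonce, i)) for i in range(nblocks))


def ctr_crypt(key: bytes, nonce: int, data: bytes, layout=counter_block_concat) -> bytes:
    """Encryption and decryption are the same operation: XOR with the keystream."""
    ks = ctr_keystream(key, nonce, (len(data) + BLOCK - 1) // BLOCK, layout)
    return xor(data, ks)


def shared_keystream_blocks(key: bytes, nonce_a: int, nonce_b: int, nblocks: int, layout) -> list:
    """Pairs (i, j) of block indices whose counter blocks, and hence keystream blocks, coincide
    between two messages sent under different nonces."""
    ks_a = ctr_keystream(key, nonce_a, nblocks, layout)
    ks_b = ctr_keystream(key, nonce_b, nblocks, layout)
    a = [ks_a[i * BLOCK:(i + 1) * BLOCK] for i in range(nblocks)]
    b = [ks_b[j * BLOCK:(j + 1) * BLOCK] for j in range(nblocks)]
    return [(i, j) for i in range(nblocks) for j in range(nblocks) if a[i] == b[j]]


def recover_with_known_plaintext(ct_known: bytes, pt_known: bytes, ct_other: bytes) -> bytes:
    """Nonce reuse: C1 xor C2 = P1 xor P2, so a known P1 reveals P2 over the overlapping length."""
    return xor(ct_other, xor(ct_known, pt_known))


if __name__ == "__main__":
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")     # constructed sample key
    # Packet counters 0 and 1 used as nonces: with addition, (nonce 0, block 1) equals (nonce 1, block 0).
    print("keystream collisions, add layout:   ", shared_keystream_blocks(key, 0, 1, 4, counter_block_add))
    print("keystream collisions, concat layout:", shared_keystream_blocks(key, 0, 1, 4, counter_block_concat))
    p1 = b"attack at dawn, bring the keys"      # constructed sample messages
    p2 = b"retreat at dusk, leave no trace"
    c1 = ctr_crypt(key, 7, p1)
    c2 = ctr_crypt(key, 7, p2)                   # same key and nonce: keystream reuse
    print("recovered from c2 using p1:", recover_with_known_plaintext(c1, p1, c2))
```

With the concatenated layout the two messages never share a counter block, so the only remaining rule is the one the text states: never reuse a nonce under the same key, because `recover_with_known_plaintext` needs nothing beyond the two ciphertexts and one plaintext.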
algorithm and the SIV (RFC 5297) AEAD mode do not require an IV as an input, and return the same ciphertext and authentication tag every time for a given plaintext and key. Other IV misuse-resistant modes such as
. They are generally used in modes of operation similar to the block modes described here. As with all protocols, to be cryptographically secure, care must be taken to design these modes of operation correctly.
(PRF) construction called S2V on the input (additional data and plaintext), preventing any external data from directly controlling the IV. External nonces / IV may be fed into S2V as an additional data field.
with the plaintext blocks to get the ciphertext. Just as with other stream ciphers, flipping a bit in the ciphertext produces a flipped bit in the plaintext at the same location. This property allows many
CFB, OFB and CTR share two advantages over CBC mode: the block cipher is only ever used in the encrypting direction, and the message does not need to be padded to a multiple of the cipher block size (though
Some modes (such as AES-SIV and AES-GCM-SIV) are built to be more nonce-misuse resistant, i.e. resilient to scenarios in which the randomness generation is faulty or under the control of the attacker.
Many modes of operation have been defined. Some of these are described below. The purpose of cipher modes is to mask patterns which exist in encrypted data, as illustrated in the description of the
recommendation, the synchronization must be restored externally." (NIST SP800-38A). I.e. 1-bit loss in a 128-bit-wide block cipher like AES will render 129 invalid bits before emitting valid bits.
, CBC can be decrypted in the attack by guessing encryption secrets based on error responses. The Padding Oracle attack variant "CBC-R" (CBC Reverse) lets the attacker construct any valid message.
$$
\begin{aligned}
C_i &= \begin{cases} \text{IV}, & i = 0 \\ E_K(C_{i-1}) \oplus P_i, & \text{otherwise} \end{cases} \\
P_i &= E_K(C_{i-1}) \oplus C_i
\end{aligned}
$$
On a message encrypted in PCBC mode, if two adjacent ciphertext blocks are exchanged, this does not affect the decryption of subsequent blocks. For this reason, PCBC is not used in Kerberos v5.
to bring its length up to a multiple of the block size, but care must be taken that the original length of the plaintext can be recovered; this is trivial, for example, if the plaintext is a
benefit from an IV input, for example in the maximum amount of data that can be safely encrypted with one key, while not failing catastrophically if the same IV is used multiple times.
However, when proper integrity protection is used, such an error will result (with high probability) in the entire message being rejected. If resistance to random error is desirable,
with the previous ciphertext block before being encrypted. This way, each ciphertext block depends on all plaintext blocks processed up to that point. To make each message unique, an
). The message is divided into blocks, and each block is encrypted separately. ECB is not recommended for use in cryptographic protocols: the disadvantage of this method is a lack of
Historically, encryption modes have been studied extensively in regard to their error propagation properties under various scenarios of data modification. Later development regarded
has supposedly been encrypted, the overall image may still be discerned, as the pattern of identically colored pixels in the original remains visible in the encrypted version.
(IV) in the other diagrams. However, if the offset/location information is corrupt, it will be impossible to partially recover such data due to the dependence on byte offset.
(CFB) mode, in its simplest form uses the entire output of the block cipher. In this variation, it is very similar to CBC, turning a block cipher into a self-synchronizing
suggest two possibilities, both simple: append a byte with value 128 (hex 80), followed by as many zero bytes as needed to fill the last block, or pad the last block with
William F. Ehrsam, Carl H. W. Meyer, John L. Smith, Walter L. Tuchman, "Message verification and transmission error detection by block chaining", US Patent 4074066, 1976.
initialization vector is used in the first block. Unlike CBC, decrypting PCBC with the incorrect IV (initialization vector) causes all blocks of plaintext to be corrupt.
the IV for the decryption of the current one. This means that a plaintext block can be recovered from two adjacent blocks of ciphertext. As a consequence, decryption
to a full block if it is smaller than the current block size. There are, however, modes that do not require padding because they effectively use a block cipher as a
(IV), for each encryption operation. The IV must be non-repeating, and for some modes must also be random. The initialization vector is used to ensure that distinct
Like CBC mode, changes in the plaintext propagate forever in the ciphertext, and encryption cannot be parallelized. Also like CBC, decryption can be parallelized.
provide confidentiality, but they do not protect against accidental modification or malicious tampering. Modification or tampering can be detected with a separate
AES-GCM-SIV synthesizes an internal IV by running POLYVAL Galois mode of authentication on the input (additional data and plaintext), followed by an AES operation.
. Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, U.S. Department of Commerce. 4 January 2017.
A number of modes of operation have been designed to combine secrecy and authentication in a single cryptographic primitive. Examples of such modes are ,
to fill out the block; if the message ends on a block boundary, a whole padding block will be added. Most sophisticated are CBC-specific schemes such as
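Added example (not part of the article): the two simple padding schemes described above, "0x80 then zero bytes" (ISO/IEC 7816-4 style) and "n bytes of value n" (PKCS#7), with strict unpadding, in Python. Both add between 1 and a full block of bytes, so a message that already ends on a block boundary grows by a whole block, which is what lets the receiver recover the original length unambiguously. The sample inputs are constructed.

```python
BLOCK = 16  # AES block size in bytes


def pad_pkcs7(data: bytes, block: int = BLOCK) -> bytes:
    """Append n bytes each of value n, 1 <= n <= block; a whole padding block if already aligned."""
    n = block - (len(data) % block)
    return data + bytes([n]) * n


def unpad_pkcs7(padded: bytes, block: int = BLOCK) -> bytes:
    """Accept only exactly n copies of n. Every failure raises the same generic error: an
    implementation that reports *why* the padding is bad is what a padding-oracle attack feeds on."""
    if not padded or len(padded) % block:
        raise ValueError("bad padding")
    n = padded[-1]
    if not 1 <= n <= block or padded[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return padded[:-n]


def pad_iso7816(data: bytes, block: int = BLOCK) -> bytes:
    """Append a 0x80 byte, then as many zero bytes as needed to reach the block boundary."""
    return data + b"\x80" + bytes(block - 1 - (len(data) % block))


def unpad_iso7816(padded: bytes, block: int = BLOCK) -> bytes:
    if not padded or len(padded) % block:
        raise ValueError("bad padding")
    stripped = padded.rstrip(b"\x00")
    # the marker must be present and at most block-1 zero bytes may follow it
    if len(padded) - len(stripped) >= block or not stripped.endswith(b"\x80"):
        raise ValueError("bad padding")
    return stripped[:-1]


if __name__ == "__main__":
    for msg in (b"abc", b"ab\x00", b"0123456789abcdef"):      # constructed sample messages
        p7, iso = pad_pkcs7(msg), pad_iso7816(msg)
        print(len(msg), "->", len(p7), p7.hex(), "|", iso.hex())
        assert unpad_pkcs7(p7) == msg and unpad_iso7816(iso) == msg
    try:
        unpad_pkcs7(b"YELLOW SUBMARIN\x05")                      # last byte says 5, but only one 0x05
    except ValueError as e:
        print("rejected:", e)
```

Note that `b"ab\x00"` round-trips under the 0x80 scheme only because the marker byte separates the message's own trailing zero from the padding zeros; the "strip trailing nulls" variant the text mentions for null-free strings would lose that byte.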
CFB, OFB and CTR modes do not require any special measures to handle messages whose lengths are not multiples of the block size, since the modes work by
. A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block.
"Error propagation" properties describe how a decryption behaves during bit errors, i.e. how error in one bit cascades to different decrypted bits.
algorithm designed to provide both authentication and confidentiality. CCM mode is only defined for block ciphers with a block length of 128 bits.
all zero initialization vector will generate no encryption for 1/256 of keys. OFB-8 encryption returns the plaintext unencrypted for affected keys.
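Added example (not part of the article): CFB and OFB with an s-byte segment as described on this page (s = 1 gives CFB-8 and OFB-8), and the stuck all-zero state just discussed, in Python. It brute-forces a key for which E_K(0) starts with a zero byte, shows that CFB-8 with an all-zero IV and all-zero plaintext then returns the plaintext unchanged while OFB-8 does so for any plaintext, and measures how often such keys occur. The forward direction of the block cipher is an assumed stand-in (SHA-256 truncated to one block, named here `block_encrypt`), which is all these modes ever call; keys are taken from a counter for the search and are otherwise constructed sample values.

```python
import hashlib

BLOCK = 16  # 128-bit block, as for AES


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Assumption: a SHA-256-based PRF stands in for the forward direction of AES so the
    # example runs with the standard library only. CFB and OFB never call the inverse.
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes, s: int = 1) -> bytes:
    """CFB with s-byte segments (s=1 is CFB-8): each ciphertext segment is shifted into the
    low end of the input register, I_i = ((I_{i-1} << 8s) + C_i) mod 2^128."""
    reg, out = iv, bytearray()
    for i in range(0, len(plaintext), s):
        seg = plaintext[i:i + s]
        ks = block_encrypt(key, reg)[:len(seg)]
        c = bytes(p ^ k for p, k in zip(seg, ks))
        out += c
        reg = (reg + c)[-BLOCK:]
    return bytes(out)


def cfb_decrypt(key: bytes, iv: bytes, ciphertext: bytes, s: int = 1) -> bytes:
    reg, out = iv, bytearray()
    for i in range(0, len(ciphertext), s):
        seg = ciphertext[i:i + s]
        ks = block_encrypt(key, reg)[:len(seg)]
        out += bytes(c ^ k for c, k in zip(seg, ks))
        reg = (reg + seg)[-BLOCK:]          # the received ciphertext drives the register
    return bytes(out)


def ofb_crypt(key: bytes, iv: bytes, data: bytes, s: int = 1) -> bytes:
    """OFB with s-byte feedback (s=1 is OFB-8): the keystream segment, not the data, is shifted
    into the register, so the keystream never depends on the message. Same function both ways."""
    reg, out = iv, bytearray()
    for i in range(0, len(data), s):
        ks = block_encrypt(key, reg)[:s]
        out += bytes(d ^ k for d, k in zip(data[i:i + s], ks))
        reg = (reg + ks)[-BLOCK:]
    return bytes(out)


def is_stuck_key(key: bytes) -> bool:
    """True when E_K(0^128) starts with a zero byte. With an all-zero IV the 8-bit modes then shift
    a zero byte back in and the register stays all-zero: always for OFB-8, and for CFB-8 as long
    as the plaintext bytes are zero too (the ciphertext byte is what gets shifted in)."""
    return block_encrypt(key, bytes(BLOCK))[0] == 0


def find_stuck_key(start: int = 0) -> bytes:
    """Brute-force the first key (a big-endian counter) with the stuck property; about 1 key in 256."""
    k = start
    while not is_stuck_key(k.to_bytes(BLOCK, "big")):
        k += 1
    return k.to_bytes(BLOCK, "big")


def stuck_key_fraction(n_keys: int) -> float:
    return sum(is_stuck_key(i.to_bytes(BLOCK, "big")) for i in range(n_keys)) / n_keys


if __name__ == "__main__":
    zero_iv = bytes(BLOCK)
    key = find_stuck_key()
    print("stuck key:", key.hex())
    print("CFB-8, zero IV, zero plaintext ->", cfb_encrypt(key, zero_iv, bytes(8)).hex())
    print("OFB-8, zero IV, any plaintext  ->", ofb_crypt(key, zero_iv, b"hello"), "(unchanged)")
    print("CFB-8, zero IV, nonzero plaintext -> first byte leaks as-is:",
          cfb_encrypt(key, zero_iv, b"hello")[:1] == b"h")
    print("fraction of stuck keys among 4096:", stuck_key_fraction(4096))
```

The last print is the Netlogon/Zerologon shape of the problem: a protocol that lets a client choose an all-zero IV and send all-zero plaintext gets a 1/256 chance per key that CFB-8 "encryption" is the identity, so a challenge-response can be passed by guessing.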
, but during transformation the block size is always fixed. Block cipher modes operate on whole blocks and require that the final data fragment be
For CBC and CFB, reusing an IV leaks some information about the first block of plaintext, and about any common prefix shared by the two messages.
A striking example of the degree to which ECB can leave plaintext data patterns in the ciphertext can be seen when ECB mode is used to encrypt a
, naming schemes for SIV AEAD-variants may lead to some confusion; for example AEAD_AES_SIV_CMAC_256 refers to AES-SIV with two AES-128 keys and
. Some block ciphers have particular problems with certain initialization vectors, such as all zero IV generating no encryption (for some keys).
Modes of operation are defined by a number of national and internationally recognized standards bodies. Notable standards organizations include
. A block cipher by itself is only suitable for the secure cryptographic transformation (encryption or decryption) of one fixed-length group of
plaintexts, a clear misuse of a stream, with a catastrophic loss of security. Deterministic authenticated encryption modes such as the NIST
errors (e.g., line noise), while others argued that error correcting increased the scope for attackers to maliciously tamper with a message.
Ehrsam, Meyer, Smith and Tuchman invented the cipher block chaining (CBC) mode of operation in 1976. In CBC mode, each block of plaintext is
SIV synthesizes an internal IV using the pseudorandom function S2V. S2V is a keyed hash based on CMAC, and the input to the function is:
(authenticated encryption with associated data) schemes. For example, EAX mode is a double-pass AEAD scheme while OCB mode is single-pass.
the plaintext with the output of the block cipher. The last partial block of plaintext is XORed with the first few bytes of the last
Disk encryption often uses special purpose modes specifically designed for the application. Tweakable narrow-block encryption modes (
that can be used to verify the integrity of the data. The encrypted text then contains the IV, ciphertext, and authentication tag.
Like in CTR, blocks are numbered sequentially, and then this block number is combined with an IV and encrypted with a block cipher
. The cryptographic community recognized the need for dedicated integrity assurances and NIST responded with HMAC, CMAC, and GMAC.
It is recommended to review relevant IV requirements for the particular block cipher mode in relevant specification, for example
. Fast Software Encryption 2001. Lecture Notes in Computer Science. Vol. 2355. Berlin: Springer. pp. 92–108.
The earliest modes of operation, ECB, CBC, OFB, and CFB (see below for all), date back to 1981 and were specified in
Davies, D. W.; Parkin, G. I. P. (1983). "The average cycle size of the key stream in output feedback encipherment".
Specific bit errors in stream cipher modes (OFB, CTR, etc.) are trivial. They affect only the specific bit intended.
maximum can be achieved. For this reason, support for truncated feedback was removed from the specification of OFB.
. Note that a one-bit change in a plaintext or initialization vector (IV) affects all following ciphertext blocks.
Conrad, Eric; Misenar, Seth; Feldman, Joshua (2017-01-01), Conrad, Eric; Misenar, Seth; Feldman, Joshua (eds.),
In addition, some modes also allow for the authentication of unencrypted associated data, and these are called
"Synthetic Initialization Vector (SIV) Authenticated Encryption Using the Advanced Encryption Standard (AES)"
"Zerologon: Unauthenticated domain controller compromise by subverting Netlogon cryptography (CVE-2020-1472)"
Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode for Confidentiality on Storage Devices
133: 6980: 6935: 6738: 6332: 5974: 5970: 5429: 4589: 3487: 3458: 3442: 2838: 168: 3671: 2948: 2271: 6859: 5947: 5859: 5718: 5446: 5356: 5334: 4647: 3920:
Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality
422: 3848: 6975: 6228: 5451: 5307: 5260: 4735: 370: 82: 6033: 4552: 3576: 2898: 2039: 6965: 6955: 6810: 6568: 6404: 6103: 6098: 5854: 5517: 5399: 5274: 4643: 4333: 4312: 3492: 3222: 642: 497: 467: 406: 398: 220: 109: 6960: 6950: 6743: 6703: 6696: 6681: 6676: 6491: 6311: 5456: 5245: 4616: 3399: 3128: 1035: 617: 4235: 3713: 3615: 3608: 6748: 6691: 6599: 5985: 5548: 5424: 5419: 5371: 3645:"ISO/IEC 10116:2006 – Information technology – Security techniques – Modes of operation for an 3435: 3415: 2003:. CFB decryption in this variation is almost identical to CBC encryption performed in reverse: 1456: 1332: 386: 360: 344: 184: 86: 4385: 2718:
Because of the symmetry of the XOR operation, encryption and decryption are exactly the same:
. Other confidentiality modes exist which have not been approved by NIST. For example, CTS is
SIV encrypts the S2V output and the plaintext using AES-CTR, keyed with the encryption key (K
291: 66: 3198:
Random bit errors occur independently in any bit position with an expected probability of ½.
6970: 6894: 6284: 6188: 6138: 6113: 5921: 5441: 5324: 5250: 4933: 4913: 4032: 3972: 565: 121: 97: 59: 43: 3213:
may intelligently combine many different specific bit errors to break the cipher mode. In
ECB mode can also make protocols without integrity protection even more susceptible to
627: 621: 78: 3888: 3605: 3194:
Bit errors may occur intentionally in attacks or randomly due to transmission errors.
which contains no null bytes except at the end. Slightly more complex is the original
Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC
6899: 6889: 6755: 6420: 5109: 4808: 4768: 4763: 4730: 4690: 4638: 4429: 4404: 4302: 4270: 4180: 4153: 4126: 3867: 3687: 3619: 3555: 977: 653:
Synthetic initialization vector (SIV) is a nonce-misuse resistant block cipher mode.
176: 1923:{\displaystyle P_{i}=D_{K}(C_{i})\oplus P_{i-1}\oplus C_{i-1},P_{0}\oplus C_{0}=IV.} 1790:{\displaystyle C_{i}=E_{K}(P_{i}\oplus P_{i-1}\oplus C_{i-1}),P_{0}\oplus C_{0}=IV,} 201:
Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication
6834: 6686: 6507: 6461: 6223: 5698: 5481: 5376: 5255: 5114: 4994: 4963: 4657: 4424:
Jueneman, Robert R. (1983). "Analysis of certain aspects of output feedback mode".
4344: 4022: 3962: 3931: 3897: 3857: 3844: 3679: 3201:
Specific bit errors occur in the same bit position(s) as the original bit error(s).
3112: 564:
advantage of parallel processing and implementing GCM can make efficient use of an
100:
as an entirely separate cryptographic goal. Some modern modes of operation combine
3743: 595: 6522: 6471: 6466: 6254: 5969: 5818: 5813: 5788: 5662: 5328: 5312: 5301: 5235: 5194: 5159: 5089: 5069: 4943: 4823: 4818: 4773: 4174: 4147: 4120: 3850:
Fast Encryption and Authentication: XCBC Encryption and XECB Authentication Modes
3482: 101: 47: 5616: 4035: 4012: 3975: 3952: 3712:
NIST Computer Security Division's (CSD) Security Technology Group (STG) (2013).
3575:
NIST Computer Security Division's (CSD) Security Technology Group (STG) (2013).
3516:
NIST Computer Security Division's (CSD) Security Technology Group (STG) (2013).
1100:
which contains large areas of uniform color. While the color of each individual
6909: 6829: 6785: 6728: 6713: 6512: 6240: 5880: 5733: 5688: 5466: 5414: 5225: 5210: 5149: 5144: 5029: 4778: 4492: 3896:. Eurocrypt 2001. Lecture Notes in Computer Science. Vol. 2045. Springer. 3791: 3116: 1247:
If the first block has index 1, the mathematical formula for CBC encryption is
569: 453:
transmit data in streaming form where it is inconvenient to add padding bytes.
430: 426: 402: 390: 105: 51: 20: 3817: 343:
Synthetic initialization vectors (SIV) synthesize an internal IV by running a
26: 7027: 6990: 6945: 6904: 6884: 6775: 6733: 6708: 6604: 6481: 5833: 5793: 5773: 5763: 5728: 5592: 5461: 5409: 5288: 5270: 5059: 5034: 5024: 4848: 4838: 4685: 3902: 3357:(Source: SP800-38A Table D.2: Summary of Effect of Bit Errors on Decryption) 3100: 2699: 2000: 1150: 461: 305:. Many block cipher modes have stronger requirements, such as the IV must be 90: 6183: 4349: 3936: 3862: 3770: 6940: 6780: 6770: 6760: 6718: 6662: 5394: 5215: 5179: 5044: 4923: 4878: 4710: 4662: 4612: 3096: 1097: 445: 366: 310: 39: 4454:"Comments to NIST concerning AES Modes of Operations: CTR-Mode Encryption" 2405:{\displaystyle I_{i}={\big (}(I_{i-1}\ll s)+C_{i}{\big )}{\bmod {2}}^{b},} 660:
Additional authenticated data (zero, one or many AAD fields are supported)
6919: 6594: 6440: 6369: 6365: 5768: 5626: 5004: 4999: 4883: 3466: 3428: 705: 248: 4522: 6879: 6849: 6844: 6805: 5895: 5436: 5154: 5094: 4978: 4973: 4918: 4788: 4651: 1043: 609: 70: 4213: 4119:
Menezes, Alfred J.; van Oorschot, Paul C.; Vanstone, Scott A. (2018).
Cryptography Engineering: Design Principles and Practical Applications
6869: 6269: 6148: 5808: 5738: 5672: 5169: 5164: 5054: 4968: 4863: 4843: 4027: 3967: 3772:
Security of CBC Ciphersuites in SSL/TLS: Problems and Countermeasures
3104: 2703: 2265:
These modes will truncate the output of the underlying block cipher.
1524: 1039: 449: 394: 74: 6056: 4269:(2nd ed.). Upper Saddle River, NJ: Prentice Hall. p. 319. 1136: 1124: 1038:, wherein it fails to hide data patterns when it encrypts identical 628:
Counter with cipher block chaining message authentication code (CCM)
) require that the final block be padded before encryption. Several
), but messages come in a variety of lengths. So some modes (namely
(NIST) revised its list of approved modes of operation by including
Alfred J. Menezes; Paul C. van Oorschot; Scott A. Vanstone (1996).
3423: 3403: 3170: 3156: 1031: 633: 489: 485: 481: 477: 252: 244: 240: 224: 164: 19:"Mode of operation" redirects here. For "method of operation", see 1648: 1634: 6384: 6340: 6118: 5667: 5641: 5174: 5124: 5084: 5074: 5019: 5014: 4858: 4667: 3549: 3462: 3371: 3013: 2999: 2237: 2223: 1510: 1234: 1220: 1076: 1062: 172: 4176:
Applied Cryptography: Protocols, Algorithms and Source Code in C
modes are classified as single-pass modes or double-pass modes.
6790: 6553: 6294: 6289: 6259: 6249: 6208: 6203: 6198: 6178: 6173: 6143: 6128: 6088: 5758: 5723: 5693: 5657: 5512: 5134: 5129: 5064: 5049: 5039: 4984: 4958: 4953: 4948: 4828: 4813: 3822: 1556: 306: 5783: 5778: 4292:"The Use of Encryption in Kerberos for Network Authentication" 3441:
There are several schemes which use a block cipher to build a
Counter with cipher block chaining message authentication code
6279: 6168: 6123: 6071: 6028: 6023: 6017: 5803: 5230: 5189: 5139: 5119: 5104: 4893: 4873: 4793: 4758: 2384: 2261:
8-bit CFB mode, the 64-bit CFB mode, or the 128-bit CFB mode.
. Block ciphers may be capable of operating on more than one
Most modes require a unique binary sequence, often called an
Gueron, Shay; Langley, Adam; Lindell, Yehuda (14 Dec 2018).
AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption
can also be used for CBC mode to make padding unnecessary).
mode and available in many popular cryptographic libraries.
6394: 6389: 6360: 6355: 6319: 5823: 5798: 5748: 5743: 5611: 5606: 5079: 4988: 4903: 4898: 4888: 4868: 4740: 4725: 4477:
Ferguson, Niels; Schneier, Bruce; Kohno, Tadayoshi (2010).
Specific bit errors in more complex modes (e.g. CBC):
, since each block gets decrypted in exactly the same way.
) are designed to securely encrypt sectors of a disk (see
to function normally even when applied before encryption.
is an improvement over the very similarly named algorithm
Authenticated encryption with additional data (AEAD) modes
6163: 6158: 6011: 5631: 5184: 5099: 4720: 4715: 4210:"The Transport Layer Security (TLS) Protocol Version 1.1" 3951:
Whiting, D.; Housley, R.; Ferguson, N. (September 2003).
should be applied to the ciphertext before transmission.
or a hardware pipeline. The CBC mode of operation incurs
414: 410: 55: 30:
Six common block cipher modes of operation for encrypting
Lipmaa, Helger; Wagner, David; Rogaway, Phillip (2000).
. Indianapolis: Wiley Publishing, Inc. pp. 63, 64.
maintains a list of proposed modes for block ciphers at
is encrypted multiple times independently with the same
Cryptography's Role in Securing the Information Society
Cryptographically secure pseudorandom number generators
The ciphertext blocks are considered coefficients of a
6816:
Cryptographically secure pseudorandom number generator
4264: 3950: 3509: 2253: 1112: 685:
Owing to the use of two keys, the authentication key K
4476: 4322: 2951: 2901: 2841: 2784: 2727: 2525: 2419: 2313: 2274: 2012: 1804: 1671: 1662:
Encryption and decryption algorithms are as follows:
1459: 1380: 1371:
while the mathematical formula for CBC decryption is
1335: 1256: 4611: 4573: 4553:"Modes Development – Block Cipher Techniques – CSRC" 4084:"Recommendation for Block Cipher Modes of Operation" 4055: 3669: 3132:
the same IV–counter pair, would decrypt that block.
219:
algorithm). These combined modes are referred to as
163:
The block cipher modes ECB, CBC, OFB, CFB, CTR, and
4451: 3890:
Encryption Modes with Almost Free Message Integrity
2698:(OFB) mode makes a block cipher into a synchronous 3607: 3568: 2975: 2936: 2886: 2826: 2769: 2616: 2510: 2404: 2298: 2202: 1922: 1789: 1484: 1444: 1360: 1320: 142:Recommendation for Block Cipher Modes of Operation 4447: 4445: 3705: 3455:(CSPRNGs) can also be built using block ciphers. 1445:{\displaystyle P_{i}=D_{K}(C_{i})\oplus C_{i-1},} 1321:{\displaystyle C_{i}=E_{K}(P_{i}\oplus C_{i-1}),} 612:which is then evaluated at a key-dependent point 189:The Keyed-Hash Message Authentication Code (HMAC) 7025: 4426:Advances in Cryptology, Proceedings of CRYPTO 82 4401:Advances in Cryptology, Proceedings of CRYPTO 82 1142:Modes other than ECB result in pseudo-randomness 1130:Using ECB allows patterns to be easily discerned 4265:Kaufman, C.; Perlman, R.; Speciner, M. (2002). 3926:(Technical report). NIST Special Publications. 3028:once the plaintext or ciphertext is available. 4442: 3910: 3847:; Donescu, Pompiliu (2002). Matsui, M. (ed.). 3550:Ferguson, N.; Schneier, B.; Kohno, T. (2010). 3372:Other modes and other cryptographic primitives 2635: 1941:, most notably, but otherwise is not common. 1530:CBC decryption example with a toy 2-bit cipher 1516:CBC encryption example with a toy 2-bit cipher 1156: 1030:(ECB) mode (named after conventional physical 476:, integrity-aware parallelizable mode (IAPM), 130:National Institute of Standards and Technology 115: 6647: 5955: 5577: 4597: 3843: 3818:"Netlogon CFB8 considered harmful. OFB8 also" 2593: 2554: 2487: 2448: 2377: 2329: 2258:NIST SP800-38A defines CFB with a bit-width. 726: 620:. The result is then encrypted, producing an 474:integrity-aware cipher block chaining (IACBC) 285: 4403:. New York: Plenum Press. pp. 263–282. 4398: 3672:"Chapter 3 - Domain 3: Security engineering" 1026:The simplest of the encryption modes is the 983: 572:that hamper its efficiency and performance. 223:, AE or "authenc". Examples of AE modes are 4428:. New York: Plenum Press. pp. 99–127. 
3944: 3639: 3637: 3635: 3461:(MACs) are often built from block ciphers. 976:) is any deterministic function, often the 6654: 6640: 5962: 5948: 5584: 5570: 4604: 4590: 3768: 3545: 3543: 3449:for descriptions of several such methods. 1566:the decryption is the original plaintext. 4348: 4152:. National Academies Press. p. 132. 4146:Dam, Kenneth W.; Lin, Herbert S. (1996). 4058:"AES-GCM-SIV: Specification and Analysis" 4026: 3966: 3935: 3901: 3861: 136:as a block cipher and adding CTR mode in 4423: 4172: 3815: 3744:"Stream Cipher Reuse: A Graphic Example" 3632: 3434:Block ciphers can also be used in other 3245:Effect of bit errors in the IV or nonce 3230:traditional confidentiality-only modes. 2827:{\displaystyle P_{j}=C_{j}\oplus O_{j},} 2770:{\displaystyle C_{j}=P_{j}\oplus O_{j},} 2651: 1947: 1627:Propagating cipher block chaining (PCBC) 1570:Propagating cipher block chaining (PCBC) 144:. Finally, in January, 2010, NIST added 25: 4332:(NIST), Author: Morris Dworkin (2001). 3988: 3916: 3540: 3305:, …, until synchronization is restored 510: 389:schemes exist. The simplest is to add 7026: 4331: 4179:. John Wiley & Sons. p. 208. 4145: 4010: 3298:, …, until synchronization is restored 2632:to lose alignment with the encryptor) 108:in an efficient way, and are known as 6635: 5943: 5565: 4585: 4559:from the original on 4 September 2017 3886: 3528:from the original on November 6, 2012 3139:in this diagram is equivalent to the 3083:Note: CTR mode (CM) is also known as 649:Synthetic initialization vector (SIV) 409:method, which is to add a single one 4503:from the original on 24 October 2017 4289: 3789: 3750:from the original on 25 January 2015 3676:Eleventh Hour CISSP® (Third Edition) 3186: 4360:from the original on 28 August 2017 3406:) and wide-block encryption modes ( 2887:{\displaystyle O_{j}=E_{K}(I_{j}),} 2254:CFB-1, CFB-8, CFB-64, CFB-128, etc. 
889:Plaintext XOR F(Y, Key); Ciphertext 13: 5591: 4533:from the original on 23 March 2018 4100:from the original on 29 March 2017 3779:from the original on June 30, 2012 3724:from the original on April 2, 2013 3684:10.1016/b978-0-12-811248-9.00003-6 3599: 3587:from the original on April 2, 2013 3377:for example key feedback mode and 2976:{\displaystyle I_{0}={\text{IV}}.} 2299:{\displaystyle I_{0}={\text{IV}}.} 641:(counter with CBC-MAC; CCM) is an 14: 7050: 4246:from the original on 16 July 2012 3211:adaptive chosen-ciphertext attack 1952: 1614:propagating cipher block chaining 1582:Propagating cipher block chaining 1207:must be used in the first block. 732: 7004: 7003: 6661: 4466:from the original on 2015-02-26. 4122:Handbook of Applied Cryptography 3887:Jutla, Charanjit S. (May 2001). 3746:. Cryptosmith LLC. 31 May 2008. 3659:from the original on 2012-03-17. 3610:Handbook of Applied Cryptography 3348:for bit error in counter block T 3258: 3169: 3155: 3039: 3012: 2998: 2243:Cipher feedback (CFB) decryption 2236: 2229:Cipher feedback (CFB) encryption 2222: 1647: 1633: 1523: 1509: 1233: 1219: 1135: 1123: 1111: 1075: 1061: 594: 73:are produced even when the same 7034:Block cipher modes of operation 4545: 4515: 4485: 4470: 4417: 4392: 4283: 4258: 4228: 4202: 4193: 4166: 4139: 4112: 4076: 4049: 4004: 3982: 3880: 3837: 3809: 3783: 3095:Like OFB, counter mode turns a 1618:plaintext cipher-block chaining 1563:Explicit initialization vectors 456: 6865:Information-theoretic security 6559:NIST hash function competition 3762: 3736: 3663: 2937:{\displaystyle I_{j}=O_{j-1},} 2878: 2865: 2588: 2569: 2482: 2463: 2359: 2334: 2177: 2158: 2094: 2075: 1841: 1828: 1746: 1695: 1417: 1404: 1312: 1280: 700: 36:block cipher mode of operation 1: 3989:Harkins, Dan (October 2008). 3503: 207:was formalized in 2007 under 6564:Password Hashing Competition 5975:message authentication codes 5971:Cryptographic hash functions 5876:block ciphers in stream mode 4212:. p. 20. 
Archived from 3917:Dworkin, Morris (May 2004). 3816:Blaufish (14 October 2020). 3678:, Syngress, pp. 47–93, 3498:One-way compression function 3459:Message authentication codes 3447:one-way compression function 3227:message authentication codes 38:is an algorithm that uses a 7: 6981:Message authentication code 6936:Cryptographic hash function 6739:Cryptographic hash function 6518:Merkle–Damgård construction 3769:B. Moeller (May 20, 2004), 3488:Message authentication code 3476: 3443:cryptographic hash function 3111:CTR mode was introduced by 2636:CFB compared to other modes 1213:Cipher block chaining (CBC) 1157:Cipher block chaining (CBC) 195:was released in 2005 under 169:message authentication code 116:History and standardization 10: 7055: 6860:Harvest now, decrypt later 5860:alternating step generator 4493:"Basic Block Cipher Modes" 4125:. CRC Press. p. 228. 3954:Counter with CBC-MAC (CCM) 1495: 727:Confidentiality only modes 631: 514: 465: 423:residual block termination 413:, followed by enough zero 369:works on units of a fixed 358: 354: 289: 286:Initialization vector (IV) 266:(with ISO/IEC 10116), the 18: 6999: 6976:Post-quantum cryptography 6928: 6669: 6631: 6582: 6536: 6500: 6454: 6403: 6331: 6308: 6237: 6081: 6042: 6004: 5981: 5939: 5909: 5868: 5842: 5711: 5681: 5650: 5640: 5599: 5561: 5531: 5495: 5487:Time/memory/data tradeoff 5284: 5203: 4749: 4676: 4624: 4581: 4577: 4062:Cryptology ePrint Archive 4011:Gueron, S. (April 2019). 
3239:Effect of bit errors in C 3225:(AEAD) or protocols with 3089:segmented integer counter 3072: 3065:Decryption parallelizable 3064: 3057:Encryption parallelizable 3056: 3051: 3046: 2684: 2677:Decryption parallelizable 2676: 2669:Encryption parallelizable 2668: 2663: 2658: 1985: 1978:Decryption parallelizable 1977: 1970:Encryption parallelizable 1969: 1964: 1959: 1602: 1595:Decryption parallelizable 1594: 1587:Encryption parallelizable 1586: 1581: 1576: 1485:{\displaystyle C_{0}=IV.} 1361:{\displaystyle C_{0}=IV,} 1189: 1182:Decryption parallelizable 1181: 1174:Encryption parallelizable 1173: 1168: 1163: 1055:Electronic Codebook (ECB) 1016: 1009:Decryption parallelizable 1008: 1001:Encryption parallelizable 1000: 995: 990: 984:Electronic codebook (ECB) 747: 549: 542:Decryption parallelizable 541: 534:Encryption parallelizable 533: 528: 523: 7039:Cryptographic algorithms 6966:Quantum key distribution 6956:Authenticated encryption 6811:Random number generation 6312:key derivation functions 5855:self-shrinking generator 5275:Whitening transformation 4479:Cryptography Engineering 4173:Schneier, Bruce (2015). 3903:10.1007/3-540-44987-6_32 3493:Authenticated encryption 3338:Specific bit errors in P 3313:Specific bit errors in P 3289:Specific bit errors in P 3278:Specific bit errors in P 3272:Specific bit errors in P 3223:authenticated encryption 3103:. 
It generates the next 643:authenticated encryption 498:Authenticated encryption 468:Authenticated encryption 221:authenticated encryption 183:was approved in 2002 as 110:authenticated encryption 6961:Public-key cryptography 6951:Symmetric-key algorithm 6744:Key derivation function 6704:Cryptographic primitive 6697:Authentication protocol 6682:Outline of cryptography 6677:History of cryptography 6590:Hash-based cryptography 6492:Length extension attack 5246:Confusion and diffusion 4350:10.6028/NIST.SP.800-38A 4299:Proceedings, Crypto '89 3937:10.6028/NIST.SP.800-38C 3863:10.1007/3-540-45473-X_8 3653:ISO Standards Catalogue 3436:cryptographic protocols 3129:chosen-plaintext attack 2706:blocks, which are then 618:finite field arithmetic 6749:Secure Hash Algorithms 6692:Cryptographic protocol 6600:Message authentication 3614:. CRC Press. pp.  3416:disk encryption theory 3366:error-correcting codes 3344:Random bit errors in P 3319:Random bit errors in P 3301:Random bit errors in P 3294:Random bit errors in P 3267:Random bit errors in P 3253:Random bit errors in P 2977: 2938: 2888: 2828: 2771: 2713:error-correcting codes 2618: 2512: 2406: 2300: 2204: 1924: 1791: 1553:padding oracle attacks 1486: 1446: 1362: 1322: 1042:blocks into identical 361:Padding (cryptography) 345:pseudo-random function 126:DES Modes of Operation 31: 16:Cryptography algorithm 6855:End-to-end encryption 6801:Cryptojacking malware 5927:stream cipher attacks 5539:Initialization vector 3718:Cryptographic Toolkit 3581:Cryptographic Toolkit 3522:Cryptographic Toolkit 3215:Padding oracle attack 3141:initialization vector 2992:Output feedback (OFB) 2978: 2939: 2889: 2829: 2772: 2652:Output feedback (OFB) 2619: 2513: 2407: 2301: 2216:Cipher feedback (CFB) 2205: 1948:Cipher feedback (CFB) 1925: 1792: 1487: 1447: 1363: 1323: 1205:initialization vector 1169:Cipher block chaining 954:), Key); IV = token() 859:F(Y, Key); Ciphertext 815:F(Y, Key); Ciphertext 788:Cipher block chaining 666:Authentication key (K 
437:bytes all with value 292:Initialization vector 67:initialization vector 29: 6971:Quantum cryptography 6895:Trusted timestamping 5922:correlation immunity 5318:3-subset MITM attack 4934:Intel Cascade Cipher 4914:Hasty Pudding cipher 4301:. Berlin: Springer. 3518:"Block cipher modes" 3085:integer counter mode 2949: 2899: 2839: 2782: 2725: 2523: 2417: 2311: 2272: 2010: 1802: 1669: 1654:PCBC mode decryption 1640:PCBC mode encryption 1457: 1378: 1333: 1254: 689:and encryption key K 588:Galois/Counter (GCM) 566:instruction pipeline 511:Galois/counter (GCM) 98:integrity protection 44:information security 6724:Cryptographic nonce 6487:Side-channel attack 5850:shrinking generator 5600:Widely used ciphers 5357:Differential-linear 4093:. NIST. p. 9. 4064:. Report (2017/168) 3176:CTR mode decryption 3162:CTR mode encryption 3019:OFB mode decryption 3005:OFB mode encryption 2646:ciphertext stealing 1540:ciphertext stealing 1240:CBC mode decryption 1226:CBC mode encryption 1082:ECB mode decryption 1068:ECB mode encryption 1028:electronic codebook 996:Electronic codebook 759:Electronic codebook 744: 601:GCM mode encryption 517:Galois/Counter Mode 419:ciphertext stealing 303:cryptographic nonce 158:ciphertext stealing 34:In cryptography, a 6840:Subliminal channel 6824:Pseudorandom noise 6766:Key (cryptography) 6544:CAESAR Competition 6528:HAIFA construction 6477:Brute-force attack 5917:correlation attack 5430:Differential-fault 4648:internal mechanics 4384:has generic name ( 3649:-bit block cipher" 3073:Random read access 2973: 2934: 2884: 2824: 2767: 2685:Random read access 2614: 2508: 2402: 2296: 2200: 2198: 2122: 1986:Random read access 1920: 1787: 1603:Random read access 1482: 1442: 1358: 1318: 1190:Random read access 1017:Random read access 742: 622:authentication tag 550:Random read access 128:. 
In 2001, the US 32: 7021: 7020: 7017: 7016: 6900:Key-based routing 6890:Trapdoor function 6756:Digital signature 6627: 6626: 6623: 6622: 6421:ChaCha20-Poly1305 6238:Password hashing/ 5935: 5934: 5707: 5706: 5557: 5556: 5544:Mode of operation 5221:Lai–Massey scheme 4497:www.quadibloc.com 4290:Kohl, J. (1990). 3873:978-3-540-43869-4 3845:Gligor, Virgil D. 3693:978-0-12-811248-9 3561:978-0-470-47424-2 3389:Modes Development 3355: 3354: 3187:Error propagation 3080: 3079: 2968: 2692: 2691: 2291: 2118: 2045: 1993: 1992: 1610: 1609: 1197: 1196: 1024: 1023: 978:identity function 966: 965: 743:Summary of modes 557: 556: 177:digital signature 7046: 7007: 7006: 6835:Insecure channel 6687:Classical cipher 6656: 6649: 6642: 6633: 6632: 6508:Avalanche effect 6462:Collision attack 6005:Common functions 5964: 5957: 5950: 5941: 5940: 5648: 5647: 5586: 5579: 5572: 5563: 5562: 5415:Power-monitoring 5256:Avalanche effect 4964:Khufu and Khafre 4617:security summary 4606: 4599: 4592: 4583: 4582: 4579: 4578: 4575: 4574: 4569: 4568: 4566: 4564: 4549: 4543: 4542: 4540: 4538: 4523:"Cryptography I" 4519: 4513: 4512: 4510: 4508: 4489: 4483: 4482: 4474: 4468: 4467: 4465: 4458: 4449: 4440: 4439: 4421: 4415: 4414: 4396: 4390: 4389: 4383: 4379: 4377: 4369: 4367: 4365: 4359: 4352: 4338: 4329: 4320: 4319: 4317: 4311:. 
Archived from 4296: 4287: 4281: 4280: 4267:Network Security 4262: 4256: 4255: 4253: 4251: 4232: 4226: 4225: 4223: 4221: 4206: 4200: 4197: 4191: 4190: 4170: 4164: 4163: 4143: 4137: 4136: 4116: 4110: 4109: 4107: 4105: 4099: 4088: 4080: 4074: 4073: 4071: 4069: 4053: 4047: 4046: 4044: 4042: 4030: 4028:10.17487/RFC8452 4008: 4002: 4001: 3999: 3997: 3986: 3980: 3979: 3970: 3968:10.17487/RFC3610 3948: 3942: 3941: 3939: 3925: 3914: 3908: 3907: 3905: 3895: 3884: 3878: 3877: 3865: 3855: 3841: 3835: 3834: 3832: 3830: 3813: 3807: 3806: 3804: 3802: 3787: 3781: 3780: 3766: 3760: 3759: 3757: 3755: 3740: 3734: 3733: 3731: 3729: 3709: 3703: 3702: 3701: 3700: 3667: 3661: 3660: 3641: 3630: 3629: 3613: 3603: 3597: 3596: 3594: 3592: 3577:"Proposed modes" 3572: 3566: 3565: 3547: 3538: 3537: 3535: 3533: 3513: 3233: 3232: 3173: 3159: 3113:Whitfield Diffie 3044: 3043: 3016: 3002: 2982: 2980: 2979: 2974: 2969: 2966: 2961: 2960: 2943: 2941: 2940: 2935: 2930: 2929: 2911: 2910: 2893: 2891: 2890: 2885: 2877: 2876: 2864: 2863: 2851: 2850: 2833: 2831: 2830: 2825: 2820: 2819: 2807: 2806: 2794: 2793: 2776: 2774: 2773: 2768: 2763: 2762: 2750: 2749: 2737: 2736: 2702:. 
It generates 2656: 2655: 2623: 2621: 2620: 2615: 2610: 2609: 2597: 2596: 2587: 2586: 2568: 2567: 2558: 2557: 2548: 2547: 2535: 2534: 2517: 2515: 2514: 2509: 2504: 2503: 2491: 2490: 2481: 2480: 2462: 2461: 2452: 2451: 2442: 2441: 2429: 2428: 2411: 2409: 2408: 2403: 2398: 2397: 2392: 2391: 2381: 2380: 2374: 2373: 2352: 2351: 2333: 2332: 2323: 2322: 2305: 2303: 2302: 2297: 2292: 2289: 2284: 2283: 2240: 2226: 2209: 2207: 2206: 2201: 2199: 2192: 2191: 2176: 2175: 2157: 2156: 2140: 2139: 2126: 2125: 2119: 2116: 2109: 2108: 2093: 2092: 2074: 2073: 2046: 2043: 2026: 2025: 1957: 1956: 1933:PCBC is used in 1929: 1927: 1926: 1921: 1907: 1906: 1894: 1893: 1881: 1880: 1862: 1861: 1840: 1839: 1827: 1826: 1814: 1813: 1796: 1794: 1793: 1788: 1774: 1773: 1761: 1760: 1745: 1744: 1726: 1725: 1707: 1706: 1694: 1693: 1681: 1680: 1651: 1637: 1574: 1573: 1527: 1513: 1491: 1489: 1488: 1483: 1469: 1468: 1451: 1449: 1448: 1443: 1438: 1437: 1416: 1415: 1403: 1402: 1390: 1389: 1367: 1365: 1364: 1359: 1345: 1344: 1327: 1325: 1324: 1319: 1311: 1310: 1292: 1291: 1279: 1278: 1266: 1265: 1237: 1223: 1161: 1160: 1139: 1127: 1115: 1079: 1065: 988: 987: 745: 741: 615: 598: 578: 521: 520: 475: 7054: 7053: 7049: 7048: 7047: 7045: 7044: 7043: 7024: 7023: 7022: 7013: 6995: 6924: 6665: 6660: 6619: 6578: 6537:Standardization 6532: 6523:Sponge function 6496: 6472:Birthday attack 6467:Preimage attack 6450: 6406: 6399: 6327: 6310: 6309:General purpose 6304: 6239: 6233: 6082:Other functions 6077: 6044:SHA-3 finalists 6038: 6000: 5977: 5968: 5931: 5905: 5864: 5838: 5703: 5677: 5636: 5595: 5590: 5553: 5527: 5496:Standardization 5491: 5420:Electromagnetic 5372:Integral/Square 5329:Piling-up lemma 5313:Biclique attack 5302:EFF DES cracker 5286: 5280: 5211:Feistel network 5199: 4824:CIPHERUNICORN-E 4819:CIPHERUNICORN-A 4751: 4745: 4678: 4672: 4626: 4620: 4610: 4572: 4562: 4560: 4551: 4550: 4546: 4536: 4534: 4521: 4520: 4516: 4506: 4504: 4491: 4490: 4486: 4475: 4471: 4463: 4456: 4450: 4443: 4436: 4422: 4418: 4411: 
4397: 4393: 4381: 4380: 4371: 4370: 4363: 4361: 4357: 4336: 4330: 4323: 4315: 4309: 4294: 4288: 4284: 4277: 4263: 4259: 4249: 4247: 4240:www.iks-jena.de 4234: 4233: 4229: 4219: 4217: 4208: 4207: 4203: 4198: 4194: 4187: 4171: 4167: 4160: 4144: 4140: 4133: 4117: 4113: 4103: 4101: 4097: 4086: 4082: 4081: 4077: 4067: 4065: 4054: 4050: 4040: 4038: 4009: 4005: 3995: 3993: 3987: 3983: 3949: 3945: 3923: 3915: 3911: 3893: 3885: 3881: 3874: 3853: 3842: 3838: 3828: 3826: 3814: 3810: 3800: 3798: 3790:Tervoort, Tom. 3788: 3784: 3767: 3763: 3753: 3751: 3742: 3741: 3737: 3727: 3725: 3714:"Current modes" 3710: 3706: 3698: 3696: 3694: 3668: 3664: 3643: 3642: 3633: 3626: 3604: 3600: 3590: 3588: 3573: 3569: 3562: 3548: 3541: 3531: 3529: 3514: 3510: 3506: 3483:Disk encryption 3479: 3374: 3351: 3347: 3341: 3330: 3326: 3322: 3316: 3304: 3297: 3293: 3292: 3281: 3275: 3271: 3270: 3256: 3242: 3189: 3183: 3181: 3180: 3179: 3178: 3177: 3174: 3165: 3164: 3163: 3160: 3151: 3150: 3042: 3026: 3024: 3023: 3022: 3021: 3020: 3017: 3008: 3007: 3006: 3003: 2994: 2993: 2986: 2965: 2956: 2952: 2950: 2947: 2946: 2919: 2915: 2906: 2902: 2900: 2897: 2896: 2872: 2868: 2859: 2855: 2846: 2842: 2840: 2837: 2836: 2815: 2811: 2802: 2798: 2789: 2785: 2783: 2780: 2779: 2758: 2754: 2745: 2741: 2732: 2728: 2726: 2723: 2722: 2696:output feedback 2664:Output feedback 2654: 2638: 2605: 2601: 2592: 2591: 2576: 2572: 2563: 2559: 2553: 2552: 2543: 2539: 2530: 2526: 2524: 2521: 2520: 2499: 2495: 2486: 2485: 2470: 2466: 2457: 2453: 2447: 2446: 2437: 2433: 2424: 2420: 2418: 2415: 2414: 2393: 2387: 2383: 2382: 2376: 2375: 2369: 2365: 2341: 2337: 2328: 2327: 2318: 2314: 2312: 2309: 2308: 2288: 2279: 2275: 2273: 2270: 2269: 2256: 2250: 2248: 2247: 2246: 2245: 2244: 2241: 2232: 2231: 2230: 2227: 2218: 2217: 2197: 2196: 2187: 2183: 2165: 2161: 2152: 2148: 2141: 2135: 2131: 2128: 2127: 2121: 2120: 2115: 2113: 2104: 2100: 2082: 2078: 2069: 2065: 2062: 2061: 2050: 2042: 2035: 2034: 2027: 2021: 2017: 2013: 2011: 2008: 2007: 
1997:cipher feedback 1965:Cipher feedback 1955: 1950: 1902: 1898: 1889: 1885: 1870: 1866: 1851: 1847: 1835: 1831: 1822: 1818: 1809: 1805: 1803: 1800: 1799: 1769: 1765: 1756: 1752: 1734: 1730: 1715: 1711: 1702: 1698: 1689: 1685: 1676: 1672: 1670: 1667: 1666: 1661: 1659: 1658: 1657: 1656: 1655: 1652: 1643: 1642: 1641: 1638: 1629: 1628: 1572: 1535: 1534: 1533: 1532: 1531: 1528: 1519: 1518: 1517: 1514: 1505: 1504: 1498: 1464: 1460: 1458: 1455: 1454: 1427: 1423: 1411: 1407: 1398: 1394: 1385: 1381: 1379: 1376: 1375: 1340: 1336: 1334: 1331: 1330: 1300: 1296: 1287: 1283: 1274: 1270: 1261: 1257: 1255: 1252: 1251: 1245: 1244: 1243: 1242: 1241: 1238: 1229: 1228: 1227: 1224: 1215: 1214: 1159: 1147: 1146: 1145: 1144: 1143: 1140: 1132: 1131: 1128: 1120: 1119: 1116: 1095: 1092: 1089: 1087: 1086: 1085: 1084: 1083: 1080: 1071: 1070: 1069: 1066: 1057: 1056: 1049: 986: 962: 957:Plaintext XOR Y 945: 929: 924:Plaintext XOR Y 920: 916: 909: 898:Output feedback 892: 886: 879: 868:Cipher feedback 862: 855: 848: 842:XOR (Ciphertext 841: 835: 824:Propagating CBC 818: 812: 805: 799: 783: 776: 770: 733:weakness of ECB 729: 703: 692: 688: 677: 669: 651: 636: 630: 613: 606: 605: 604: 603: 602: 599: 590: 589: 582: 576: 570:pipeline stalls 519: 513: 473: 470: 464: 459: 363: 357: 294: 288: 118: 102:confidentiality 48:confidentiality 24: 17: 12: 11: 5: 7052: 7042: 7041: 7036: 7019: 7018: 7015: 7014: 7012: 7011: 7000: 6997: 6996: 6994: 6993: 6988: 6986:Random numbers 6983: 6978: 6973: 6968: 6963: 6958: 6953: 6948: 6943: 6938: 6932: 6930: 6926: 6925: 6923: 6922: 6917: 6912: 6910:Garlic routing 6907: 6902: 6897: 6892: 6887: 6882: 6877: 6872: 6867: 6862: 6857: 6852: 6847: 6842: 6837: 6832: 6830:Secure channel 6827: 6821: 6820: 6819: 6808: 6803: 6798: 6793: 6788: 6786:Key stretching 6783: 6778: 6773: 6768: 6763: 6758: 6753: 6752: 6751: 6746: 6741: 6731: 6729:Cryptovirology 6726: 6721: 6716: 6714:Cryptocurrency 6711: 6706: 6701: 6700: 6699: 6689: 6684: 6679: 6673: 6671: 6667: 6666: 6659: 6658: 6651: 
6644: 6636: 6629: 6628: 6625: 6624: 6621: 6620: 6618: 6617: 6612: 6607: 6602: 6597: 6592: 6586: 6584: 6580: 6579: 6577: 6576: 6571: 6566: 6561: 6556: 6551: 6546: 6540: 6538: 6534: 6533: 6531: 6530: 6525: 6520: 6515: 6513:Hash collision 6510: 6504: 6502: 6498: 6497: 6495: 6494: 6489: 6484: 6479: 6474: 6469: 6464: 6458: 6456: 6452: 6451: 6449: 6448: 6443: 6438: 6433: 6428: 6423: 6418: 6412: 6410: 6401: 6400: 6398: 6397: 6392: 6387: 6382: 6377: 6372: 6363: 6358: 6353: 6348: 6343: 6337: 6335: 6329: 6328: 6326: 6325: 6322: 6316: 6314: 6306: 6305: 6303: 6302: 6297: 6292: 6287: 6282: 6277: 6272: 6267: 6262: 6257: 6252: 6246: 6244: 6241:key stretching 6235: 6234: 6232: 6231: 6226: 6221: 6216: 6211: 6206: 6201: 6196: 6191: 6186: 6181: 6176: 6171: 6166: 6161: 6156: 6151: 6146: 6141: 6136: 6131: 6126: 6121: 6116: 6111: 6106: 6101: 6096: 6091: 6085: 6083: 6079: 6078: 6076: 6075: 6069: 6064: 6059: 6054: 6048: 6046: 6040: 6039: 6037: 6036: 6031: 6026: 6021: 6015: 6008: 6006: 6002: 6001: 5999: 5998: 5993: 5988: 5982: 5979: 5978: 5967: 5966: 5959: 5952: 5944: 5937: 5936: 5933: 5932: 5930: 5929: 5924: 5919: 5913: 5911: 5907: 5906: 5904: 5903: 5898: 5893: 5888: 5883: 5881:shift register 5878: 5872: 5870: 5866: 5865: 5863: 5862: 5857: 5852: 5846: 5844: 5840: 5839: 5837: 5836: 5831: 5826: 5821: 5816: 5811: 5806: 5801: 5796: 5791: 5786: 5781: 5776: 5771: 5766: 5761: 5756: 5751: 5746: 5741: 5736: 5731: 5726: 5721: 5715: 5713: 5709: 5708: 5705: 5704: 5702: 5701: 5696: 5691: 5685: 5683: 5679: 5678: 5676: 5675: 5670: 5665: 5660: 5654: 5652: 5645: 5638: 5637: 5635: 5634: 5629: 5624: 5619: 5614: 5609: 5603: 5601: 5597: 5596: 5593:Stream ciphers 5589: 5588: 5581: 5574: 5566: 5559: 5558: 5555: 5554: 5552: 5551: 5546: 5541: 5535: 5533: 5529: 5528: 5526: 5525: 5520: 5515: 5510: 5505: 5499: 5497: 5493: 5492: 5490: 5489: 5484: 5479: 5474: 5469: 5464: 5459: 5454: 5449: 5444: 5439: 5434: 5433: 5432: 5427: 5422: 5417: 5412: 5402: 5397: 5392: 5387: 5379: 5374: 5369: 5362:Distinguishing 5359: 5354: 
5353: 5352: 5347: 5342: 5332: 5322: 5321: 5320: 5315: 5305: 5294: 5292: 5282: 5281: 5279: 5278: 5268: 5263: 5258: 5253: 5248: 5243: 5238: 5233: 5228: 5226:Product cipher 5223: 5218: 5213: 5207: 5205: 5201: 5200: 5198: 5197: 5192: 5187: 5182: 5177: 5172: 5167: 5162: 5157: 5152: 5147: 5142: 5137: 5132: 5127: 5122: 5117: 5112: 5107: 5102: 5097: 5092: 5087: 5082: 5077: 5072: 5067: 5062: 5057: 5052: 5047: 5042: 5037: 5032: 5027: 5022: 5017: 5012: 5007: 5002: 4997: 4992: 4981: 4976: 4971: 4966: 4961: 4956: 4951: 4946: 4941: 4936: 4931: 4926: 4921: 4916: 4911: 4906: 4901: 4896: 4891: 4886: 4881: 4876: 4871: 4866: 4861: 4856: 4854:Cryptomeria/C2 4851: 4846: 4841: 4836: 4831: 4826: 4821: 4816: 4811: 4806: 4801: 4796: 4791: 4786: 4781: 4776: 4771: 4766: 4761: 4755: 4753: 4747: 4746: 4744: 4743: 4738: 4733: 4728: 4723: 4718: 4713: 4708: 4703: 4698: 4693: 4688: 4682: 4680: 4674: 4673: 4671: 4670: 4665: 4660: 4655: 4641: 4636: 4630: 4628: 4622: 4621: 4609: 4608: 4601: 4594: 4586: 4571: 4570: 4544: 4514: 4484: 4469: 4441: 4434: 4416: 4409: 4391: 4321: 4318:on 2009-06-12. 4307: 4282: 4275: 4257: 4227: 4201: 4192: 4185: 4165: 4158: 4138: 4131: 4111: 4075: 4048: 4003: 3981: 3943: 3909: 3879: 3872: 3836: 3808: 3782: 3761: 3735: 3704: 3692: 3662: 3631: 3624: 3598: 3567: 3560: 3539: 3507: 3505: 3502: 3501: 3500: 3495: 3490: 3485: 3478: 3475: 3473:are examples. 
3373: 3370: 3353: 3352: 3349: 3345: 3342: 3339: 3336: 3332: 3331: 3328: 3324: 3320: 3317: 3314: 3311: 3307: 3306: 3302: 3299: 3295: 3290: 3287: 3283: 3282: 3279: 3276: 3273: 3268: 3265: 3261: 3260: 3257: 3254: 3251: 3247: 3246: 3243: 3240: 3237: 3219: 3218: 3207: 3203: 3202: 3199: 3188: 3185: 3175: 3168: 3167: 3166: 3161: 3154: 3153: 3152: 3148: 3147: 3146: 3145: 3135:Note that the 3117:Martin Hellman 3093: 3092: 3078: 3077: 3074: 3070: 3069: 3066: 3062: 3061: 3058: 3054: 3053: 3049: 3048: 3041: 3038: 3018: 3011: 3010: 3009: 3004: 2997: 2996: 2995: 2991: 2990: 2989: 2988: 2984: 2983: 2972: 2964: 2959: 2955: 2944: 2933: 2928: 2925: 2922: 2918: 2914: 2909: 2905: 2894: 2883: 2880: 2875: 2871: 2867: 2862: 2858: 2854: 2849: 2845: 2834: 2823: 2818: 2814: 2810: 2805: 2801: 2797: 2792: 2788: 2777: 2766: 2761: 2757: 2753: 2748: 2744: 2740: 2735: 2731: 2690: 2689: 2686: 2682: 2681: 2678: 2674: 2673: 2670: 2666: 2665: 2661: 2660: 2653: 2650: 2637: 2634: 2625: 2624: 2613: 2608: 2604: 2600: 2595: 2590: 2585: 2582: 2579: 2575: 2571: 2566: 2562: 2556: 2551: 2546: 2542: 2538: 2533: 2529: 2518: 2507: 2502: 2498: 2494: 2489: 2484: 2479: 2476: 2473: 2469: 2465: 2460: 2456: 2450: 2445: 2440: 2436: 2432: 2427: 2423: 2412: 2401: 2396: 2390: 2386: 2379: 2372: 2368: 2364: 2361: 2358: 2355: 2350: 2347: 2344: 2340: 2336: 2331: 2326: 2321: 2317: 2306: 2295: 2287: 2282: 2278: 2255: 2252: 2242: 2235: 2234: 2233: 2228: 2221: 2220: 2219: 2215: 2214: 2213: 2212: 2211: 2210: 2195: 2190: 2186: 2182: 2179: 2174: 2171: 2168: 2164: 2160: 2155: 2151: 2147: 2144: 2142: 2138: 2134: 2130: 2129: 2124: 2114: 2112: 2107: 2103: 2099: 2096: 2091: 2088: 2085: 2081: 2077: 2072: 2068: 2064: 2063: 2060: 2057: 2054: 2051: 2049: 2041: 2040: 2038: 2033: 2030: 2028: 2024: 2020: 2016: 2015: 1991: 1990: 1987: 1983: 1982: 1979: 1975: 1974: 1971: 1967: 1966: 1962: 1961: 1954: 1953:Full-block CFB 1951: 1949: 1946: 1931: 1930: 1919: 1916: 1913: 1910: 1905: 1901: 1897: 1892: 1888: 1884: 1879: 1876: 1873: 1869: 1865: 1860: 
1857: 1854: 1850: 1846: 1843: 1838: 1834: 1830: 1825: 1821: 1817: 1812: 1808: 1797: 1786: 1783: 1780: 1777: 1772: 1768: 1764: 1759: 1755: 1751: 1748: 1743: 1740: 1737: 1733: 1729: 1724: 1721: 1718: 1714: 1710: 1705: 1701: 1697: 1692: 1688: 1684: 1679: 1675: 1653: 1646: 1645: 1644: 1639: 1632: 1631: 1630: 1626: 1625: 1624: 1623: 1608: 1607: 1604: 1600: 1599: 1596: 1592: 1591: 1588: 1584: 1583: 1579: 1578: 1571: 1568: 1529: 1522: 1521: 1520: 1515: 1508: 1507: 1506: 1502: 1501: 1500: 1499: 1497: 1494: 1493: 1492: 1481: 1478: 1475: 1472: 1467: 1463: 1452: 1441: 1436: 1433: 1430: 1426: 1422: 1419: 1414: 1410: 1406: 1401: 1397: 1393: 1388: 1384: 1369: 1368: 1357: 1354: 1351: 1348: 1343: 1339: 1328: 1317: 1314: 1309: 1306: 1303: 1299: 1295: 1290: 1286: 1282: 1277: 1273: 1269: 1264: 1260: 1239: 1232: 1231: 1230: 1225: 1218: 1217: 1216: 1212: 1211: 1210: 1209: 1195: 1194: 1191: 1187: 1186: 1183: 1179: 1178: 1175: 1171: 1170: 1166: 1165: 1158: 1155: 1151:replay attacks 1141: 1134: 1133: 1129: 1122: 1121: 1118:Original image 1117: 1110: 1109: 1108: 1107: 1106: 1081: 1074: 1073: 1072: 1067: 1060: 1059: 1058: 1054: 1053: 1052: 1051: 1022: 1021: 1018: 1014: 1013: 1010: 1006: 1005: 1002: 998: 997: 993: 992: 985: 982: 964: 963: 958: 955: 941: 938: 935: 931: 930: 925: 922: 918: 911: 905: 902: 899: 895: 894: 890: 887: 881: 875: 872: 869: 865: 864: 860: 857: 850: 843: 837: 831: 828: 825: 821: 820: 816: 813: 807: 806:XOR Ciphertext 801: 795: 792: 789: 785: 784: 781: 778: 772: 766: 763: 760: 756: 755: 752: 749: 728: 725: 702: 699: 690: 686: 675: 672: 671: 667: 664: 661: 650: 647: 632:Main article: 629: 626: 600: 593: 592: 591: 587: 586: 585: 584: 555: 554: 551: 547: 546: 543: 539: 538: 535: 531: 530: 529:Galois/counter 526: 525: 515:Main article: 512: 509: 466:Main article: 463: 460: 458: 455: 359:Main article: 356: 353: 352: 351: 348: 290:Main article: 287: 284: 117: 114: 21:Modus operandi 15: 9: 6: 4: 3: 2: 7051: 7040: 7037: 7035: 7032: 7031: 7029: 7010: 7002: 7001: 6998: 6992: 

Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.