Block cipher mode of operation

be controversial; critics argued that "deliberately exposing a cryptosystem to a known systematic input represents an unnecessary risk". However, today CTR mode is widely accepted, and any problems are considered a weakness of the underlying block cipher, which is expected to be secure regardless of systemic bias in its input. Along with CBC, CTR mode is one of two block cipher modes recommended by Niels Ferguson and Bruce Schneier.
It might be observed, for example, that a one-block error in the transmitted ciphertext would result in a one-block error in the reconstructed plaintext for ECB mode encryption, while in CBC mode such an error would affect two blocks. Some felt that such resilience was desirable in the face of random
in many cases, since the attacker may be able to manipulate the entire IV–counter pair to cause a collision. Once an attacker controls the IV–counter pair and plaintext, XOR of the ciphertext with the known plaintext would yield a value that, when XORed with the ciphertext of the other block sharing
In CBC mode, the IV must be unpredictable (random or pseudorandom) at encryption time; in particular, the (previously) common practice of re-using the last ciphertext block of a message as the IV for the next message is insecure (for example, this method was used by SSL 2.0). If an attacker knows the
Many modes use an initialization vector (IV) which, depending on the mode, may have requirements such as being only used once (a nonce) or being unpredictable ahead of its publication, etc. Reusing an IV with the same key in CTR, GCM or OFB mode results in XORing the same keystream with two or more
Each output feedback block cipher operation depends on all previous ones, and so cannot be performed in parallel. However, because the plaintext or ciphertext is only used for the final XOR, the block cipher operations may be performed in advance, allowing the final step to be performed in parallel
GCM is defined for block ciphers with a block size of 128 bits. Galois message authentication code (GMAC) is an authentication-only variant of the GCM which can form an incremental message authentication code. Both GCM and GMAC can accept initialization vectors of arbitrary length. GCM can take full
For some keys, an all-zero initialization vector may cause some block cipher modes (CFB-8, OFB-8) to get their internal state stuck at all-zero. For CFB-8, an all-zero IV and an all-zero plaintext cause 1/256 of keys to perform no encryption: the plaintext is returned as the ciphertext. For OFB-8, using
block by encrypting successive values of a "counter". The counter can be any function which produces a sequence which is guaranteed not to repeat for a long time, although an actual increment-by-one counter is the simplest and most popular. The usage of a simple deterministic input function used to
CFB may also self-synchronize in some special cases other than those specified. For example, a one-bit change in CFB-128 with an underlying 128-bit block cipher will re-synchronize after two blocks. (However, CFB-128 etc. will not handle bit loss gracefully; a one-bit loss will cause the decryptor
The CFB mode also requires an integer parameter, denoted s, such that 1 ≤ s ≤ b. In the specification of the CFB mode below, each plaintext segment (Pj) and ciphertext segment (Cj) consists of s bits. The value of s is sometimes incorporated into the name of the mode, e.g., the 1-bit CFB mode, the
take advantage of this property by prepending a single random block to the plaintext. Encryption is done as normal, except the IV does not need to be communicated to the decryption routine. Whatever IV decryption uses, only the random block is "corrupted". It can be safely discarded and the rest of
Decrypting with the incorrect IV causes the first block of plaintext to be corrupt but subsequent plaintext blocks will be correct. This is because each block is XORed with the ciphertext of the previous block, not the plaintext, so one does not need to decrypt the previous block before using it as
Galois/counter mode (GCM) combines the well-known counter mode of encryption with the new Galois mode of authentication. The key feature is the ease of parallel computation of the Galois field multiplication used for authentication. This feature permits higher throughput than encryption algorithms.
Many more modes of operation for block ciphers have been suggested. Some have been accepted, fully described (even standardized), and are in use. Others have been found insecure, and should never be used. Still others don't categorize as confidentiality, authenticity, or authenticated encryption –
block, producing a final ciphertext block that is the same size as the final partial plaintext block. This characteristic of stream ciphers makes them suitable for applications that require the encrypted ciphertext data to be the same size as the original plaintext data, and for applications that
If the IV/nonce is random, then they can be combined with the counter using any invertible operation (concatenation, addition, or XOR) to produce the actual unique counter block for encryption. In case of a non-random nonce (such as a packet counter), the nonce and counter should be concatenated
Using OFB mode with a partial block as feedback like CFB mode reduces the average cycle length by a factor of 2 or more. A mathematical model proposed by Davies and Parkin and substantiated by experimental results showed that only with full feedback an average cycle length near to the obtainable
CFB-1 is considered self synchronizing and resilient to loss of ciphertext; "When the 1-bit CFB mode is used, then the synchronization is automatically restored b+1 positions after the inserted or deleted bit. For other values of s in the CFB mode, and for the other confidentiality modes in this
mode was designed to cause small changes in the ciphertext to propagate indefinitely when decrypting, as well as when encrypting. In PCBC mode, each block of plaintext is XORed with both the previous plaintext block and the previous ciphertext block before being encrypted. Like with CBC mode, an
CTR mode has similar characteristics to OFB, but also allows a random-access property during decryption. CTR mode is well suited to operate on a multi-processor machine, where blocks can be encrypted in parallel. Furthermore, it does not suffer from the short-cycle problem that can affect OFB.
The cryptographic community observed that compositing (combining) a confidentiality mode with an authenticity mode could be difficult and error prone. They therefore began to supply modes which combined confidentiality and data integrity into a single cryptographic primitive (an encryption
chained in MAC-then-encrypt order, any bit error should completely abort decryption and must not pass any specific bit errors on to the decryptor; i.e., if decryption succeeds, there should be no bit errors at all. As such, error propagation is a less important subject in modern cipher modes than in
be parallelized. Note that a one-bit change to the ciphertext causes complete corruption of the corresponding block of plaintext, and inverts the corresponding bit in the following block of plaintext, but the rest of the blocks remain intact. This peculiarity is exploited in different
CBC has been the most commonly used mode of operation. Its main drawbacks are that encryption is sequential (i.e., it cannot be parallelized), and that the message must be padded to a multiple of the cipher block size. One way to handle this last issue is through the method known as
with a few very small changes (e.g. how AES-CTR is initialized), but which yields practical benefits to its security: "This addition allows for encrypting up to 2 messages with the same key, compared to the significant limitation of only 2 messages that were allowed with GCM-SIV."
An initialization vector (IV) or starting variable (SV) is a block of bits that is used by several modes to randomize the encryption and hence to produce distinct ciphertexts even if the same plaintext is encrypted multiple times, without the need for a slower re-keying process.
SIV can support external nonce-based authenticated encryption, in which case one of the authenticated data fields is utilized for this purpose. RFC5297 specifies that for interoperability purposes the last authenticated data field should be used as the external nonce.
AES-GCM-SIV synthesizes the internal IV. It derives a hash of the additional authenticated data and plaintext using the POLYVAL Galois hash function. The hash is then encrypted with an AES key and used as both the authentication tag and the AES-CTR initialization vector.
usually AES. The result of this encryption is then XORed with the plaintext to produce the ciphertext. Like all counter modes, this is essentially a stream cipher, and so it is essential that a different IV is used for each stream that is encrypted.
An initialization vector has different security requirements than a key, so the IV usually does not need to be secret. For most block cipher modes it is important that an initialization vector is never reused under the same key, i.e. it must be a
is a mode of operation for the Advanced Encryption Standard which provides similar performance to Galois/counter mode as well as misuse resistance in the event of the reuse of a cryptographic nonce. The construction is defined in RFC 8452.
For OFB and CTR, reusing an IV causes key bitstream re-use, which breaks security. This can be seen because both modes effectively create a bitstream that is XORed with the plaintext, and this bitstream is dependent on the key and IV only.
Different cipher modes mask patterns by cascading outputs from the cipher block or other globally deterministic variables into the subsequent cipher block. The inputs of the listed modes are summarized in the following table:
It is possible to obtain an OFB mode keystream by using CBC mode with a constant string of zeroes as input. This can be useful, because it allows the usage of fast hardware implementations of CBC mode for OFB mode encryption.
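Both facts stated above, that the OFB keystream is exactly what CBC produces on an all-zero message, and that reusing an IV in OFB or CTR reuses the keystream so that XORing two ciphertexts yields the XOR of the two plaintexts, can be checked directly. The following Python is an added example and not code from the article or from any standard: it stands in for the block cipher with a keyed SHA-256 function (a placeholder for E_K that suffices because OFB, CTR and CBC encryption only ever call the encrypting direction), uses a constructed 64-bit block size, and builds each CTR counter block by concatenating a 32-bit nonce with a 32-bit counter. Key, IV and messages are constructed sample values.

```python
import hashlib

BLOCK = 8  # constructed toy block size: 64-bit blocks, not a real cipher's parameter


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher's encrypting direction E_K.

    OFB, CTR and CBC encryption only ever invoke E_K (never D_K), so a keyed
    pseudorandom function is enough to show how the modes behave. This is a
    constructed placeholder for demonstration, not AES or any real cipher.
    """
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ofb_keystream(key: bytes, iv: bytes, nblocks: int) -> bytes:
    """OFB: O_0 = IV, O_i = E_K(O_{i-1}); the keystream is O_1 || O_2 || ..."""
    out, feedback = [], iv
    for _ in range(nblocks):
        feedback = block_encrypt(key, feedback)
        out.append(feedback)
    return b"".join(out)


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: C_0 = IV, C_i = E_K(P_i XOR C_{i-1}); plaintext must be block-aligned."""
    assert len(plaintext) % BLOCK == 0
    out, prev = [], iv
    for off in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(plaintext[off:off + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def ctr_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR with the nonce in the upper half and a big-endian counter in the
    lower half of each counter block (concatenation, as the text recommends).
    The same function decrypts, and a partial final block needs no padding."""
    assert len(nonce) == BLOCK // 2
    out = bytearray()
    for i, off in enumerate(range(0, len(data), BLOCK)):
        keystream = block_encrypt(key, nonce + i.to_bytes(BLOCK // 2, "big"))
        chunk = data[off:off + BLOCK]
        out += xor(chunk, keystream[:len(chunk)])
    return bytes(out)


def ofb_equals_cbc_of_zeros(key: bytes, iv: bytes, nblocks: int = 4) -> bool:
    """CBC-encrypting an all-zero message yields exactly the OFB keystream for the same IV,
    because with P_i = 0 the CBC recurrence collapses to C_i = E_K(C_{i-1})."""
    zeros = bytes(BLOCK * nblocks)
    return cbc_encrypt(key, iv, zeros) == ofb_keystream(key, iv, nblocks)


def ciphertext_xor(key: bytes, nonce1: bytes, nonce2: bytes, p1: bytes, p2: bytes) -> bytes:
    """XOR of two CTR ciphertexts. When nonce1 == nonce2 the two keystreams are identical
    and cancel, so the result equals P1 XOR P2: this is the keystream-reuse leak."""
    c1, c2 = ctr_encrypt(key, nonce1, p1), ctr_encrypt(key, nonce2, p2)
    n = min(len(c1), len(c2))
    return xor(c1[:n], c2[:n])


if __name__ == "__main__":
    key = b"constructed-key!"          # constructed sample key
    iv = bytes(range(BLOCK))           # constructed sample IV
    print("OFB keystream == CBC(zeros):", ofb_equals_cbc_of_zeros(key, iv))
    p1, p2 = b"first sample message", b"second sample msg!!!"
    nonce = b"\x00\x00\x00\x01"
    print("C1^C2 == P1^P2 under a reused nonce:",
          ciphertext_xor(key, nonce, nonce, p1, p2) == xor(p1, p2))
```

The keystream-reuse check is the reason the nonce must never repeat under one key: a receiver-side check that rejects a repeated nonce, or a construction such as the SIV modes described elsewhere in the article, is the mitigation.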
IV (or the previous block of ciphertext) before the next plaintext is specified, they can check their guess about plaintext of some block that was encrypted with the same key before (this is known as the TLS CBC IV attack).
(e.g., storing the nonce in the upper 64 bits and the counter in the lower 64 bits of a 128-bit counter block). Simply adding or XORing the nonce and counter into a single value would break the security under a
algorithm and the SIV (RFC 5297) AEAD mode do not require an IV as an input, and return the same ciphertext and authentication tag every time for a given plaintext and key. Other IV misuse-resistant modes such as
They are generally used in modes of operation similar to the block modes described here. As with all protocols, to be cryptographically secure, care must be taken to design these modes of operation correctly.

(PRF) construction called S2V on the input (additional data and plaintext), preventing any external data from directly controlling the IV. External nonces / IV may be fed into S2V as an additional data field.
with the plaintext blocks to get the ciphertext. Just as with other stream ciphers, flipping a bit in the ciphertext produces a flipped bit in the plaintext at the same location. This property allows many
CFB, OFB and CTR share two advantages over CBC mode: the block cipher is only ever used in the encrypting direction, and the message does not need to be padded to a multiple of the cipher block size (though
Some modes (such as AES-SIV and AES-GCM-SIV) are built to be more nonce-misuse resistant, i.e. resilient to scenarios in which the randomness generation is faulty or under the control of the attacker.
Many modes of operation have been defined. Some of these are described below. The purpose of cipher modes is to mask patterns which exist in encrypted data, as illustrated in the description of the
recommendation, the synchronization must be restored externally." (NIST SP800-38A). That is, a 1-bit loss in a 128-bit-wide block cipher like AES will render 129 invalid bits before emitting valid bits.
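The SP 800-38A definition of CFB with a segment width s, and the self-synchronization behaviour quoted above, as an added Python example (not from the article or from the standard). It stands in for E_K with a keyed SHA-256 function over a constructed 64-bit block (CFB uses only the encrypting direction, so no inverse is needed), represents each s-bit segment as an integer, and follows the article's formulas I_1 = IV, C_j = MSB_s(E_K(I_j)) XOR P_j and I_{j+1} = ((I_j << s) + C_j) mod 2^b. corrupted_segment_indices flips one ciphertext bit and lists the plaintext segments that decrypt wrongly: the hit segment plus at most the b/s segments that follow it while the corrupted segment sits in the shift register, after which decryption resynchronizes on its own (b+1 positions for CFB-1, two blocks for full-width CFB). Key, IV and data are constructed sample values.

```python
import hashlib

B = 64  # block width b in bits of the stand-in cipher (constructed toy size)


def block_encrypt(key: bytes, block: int) -> int:
    """Stand-in for E_K on a b-bit block, given and returned as an int.

    CFB uses only the encrypting direction of the block cipher, for both
    encryption and decryption, so a keyed pseudorandom function is enough
    here. Constructed placeholder, not a real block cipher.
    """
    digest = hashlib.sha256(key + block.to_bytes(B // 8, "big")).digest()
    return int.from_bytes(digest[:B // 8], "big")


def msb(x: int, s: int) -> int:
    """MSB_s(x): the s most significant bits of a b-bit value."""
    return x >> (B - s)


def cfb_encrypt(key: bytes, iv: int, segments: list, s: int) -> list:
    """CFB-s: I_1 = IV, C_j = MSB_s(E_K(I_j)) XOR P_j, I_{j+1} = ((I_j << s) + C_j) mod 2^b.
    Plaintext and ciphertext are lists of s-bit integers."""
    assert 1 <= s <= B
    mask = (1 << B) - 1
    shift_reg, out = iv, []
    for p in segments:
        c = msb(block_encrypt(key, shift_reg), s) ^ p
        out.append(c)
        # the low s bits are zero after the shift, so + and | coincide here
        shift_reg = ((shift_reg << s) | c) & mask
    return out


def cfb_decrypt(key: bytes, iv: int, segments: list, s: int) -> list:
    """Same keystream derivation; the shift register is fed the received ciphertext."""
    assert 1 <= s <= B
    mask = (1 << B) - 1
    shift_reg, out = iv, []
    for c in segments:
        out.append(msb(block_encrypt(key, shift_reg), s) ^ c)
        shift_reg = ((shift_reg << s) | c) & mask
    return out


def corrupted_segment_indices(key: bytes, iv: int, plaintext: list, s: int, hit: int) -> list:
    """Flip the low bit of ciphertext segment `hit` and return the indices of the
    plaintext segments that decrypt wrongly. Segment `hit` is always wrong (the
    flipped bit passes straight through the XOR); the following b/s segments are
    wrong while the bad segment is inside the shift register; everything after
    that is correct again, i.e. CFB has self-synchronized."""
    ct = cfb_encrypt(key, iv, plaintext, s)
    ct[hit] ^= 1
    pt = cfb_decrypt(key, iv, ct, s)
    return [i for i, (a, b) in enumerate(zip(plaintext, pt)) if a != b]


def resync_window(s: int) -> int:
    """Largest number of segments one corrupted segment can affect: itself plus
    ceil(b/s) more (b+1 positions for CFB-1, two blocks for full-width CFB)."""
    return 1 + -(-B // s)


if __name__ == "__main__":
    key = b"constructed-key!"                 # constructed sample key
    iv = 0x0123456789ABCDEF                   # constructed sample IV
    data = list(b"segment-wise CFB demo")     # CFB-8: one byte per segment
    print("round trip ok:", cfb_decrypt(key, iv, cfb_encrypt(key, iv, data, 8), 8) == data)
    print("wrong segments after corrupting #3:", corrupted_segment_indices(key, iv, data, 8, 3))
    print("max affected segments for s=8:", resync_window(8))
```

Note that the example covers substitution errors only; as the quoted text says, an inserted or deleted bit is handled gracefully only by CFB-1, and other segment widths need external resynchronization.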
CBC can be decrypted in the attack by guessing encryption secrets based on error responses. The Padding Oracle attack variant "CBC-R" (CBC Reverse) lets the attacker construct any valid message.

$$C_i = \begin{cases} \text{IV}, & i = 0 \\ E_K(C_{i-1}) \oplus P_i, & \text{otherwise} \end{cases} \qquad P_i = E_K(C_{i-1}) \oplus C_i$$
On a message encrypted in PCBC mode, if two adjacent ciphertext blocks are exchanged, this does not affect the decryption of subsequent blocks. For this reason, PCBC is not used in Kerberos v5.
to bring its length up to a multiple of the block size, but care must be taken that the original length of the plaintext can be recovered; this is trivial, for example, if the plaintext is a
benefit from an IV input, for example in the maximum amount of data that can be safely encrypted with one key, while not failing catastrophically if the same IV is used multiple times.
However, when proper integrity protection is used, such an error will result (with high probability) in the entire message being rejected. If resistance to random error is desirable,
with the previous ciphertext block before being encrypted. This way, each ciphertext block depends on all plaintext blocks processed up to that point. To make each message unique, an
The message is divided into blocks, and each block is encrypted separately. ECB is not recommended for use in cryptographic protocols: the disadvantage of this method is a lack of
Historically, encryption modes have been studied extensively in regard to their error propagation properties under various scenarios of data modification. Later development regarded
has supposedly been encrypted, the overall image may still be discerned, as the pattern of identically colored pixels in the original remains visible in the encrypted version.
(IV) in the other diagrams. However, if the offset/location information is corrupt, it will be impossible to partially recover such data due to the dependence on byte offset.

(CFB) mode, in its simplest form, uses the entire output of the block cipher. In this variation, it is very similar to CBC, turning a block cipher into a self-synchronizing
suggest two possibilities, both simple: append a byte with value 128 (hex 80), followed by as many zero bytes as needed to fill the last block, or pad the last block with
William F. Ehrsam, Carl H. W. Meyer, John L. Smith, Walter L. Tuchman, "Message verification and transmission error detection by block chaining", US Patent 4074066, 1976.
initialization vector is used in the first block. Unlike CBC, decrypting PCBC with the incorrect IV (initialization vector) causes all blocks of plaintext to be corrupt.
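The wrong-IV behaviour of CBC versus PCBC stated here, together with the CBC bit-flip behaviour described elsewhere in the article (a flipped ciphertext bit garbles its own plaintext block and flips exactly one bit in the next), checked in Python. This is an added example and not the article's code: the 4-round Feistel network is a constructed toy cipher used only so that a decrypting direction D_K exists, which CBC and PCBC decryption need (unlike OFB, CTR and CFB); block size, key, IV and messages are constructed sample values, and all function names are the example's own.

```python
import hashlib

BLOCK = 8    # constructed toy size: 64-bit blocks
ROUNDS = 4   # toy Feistel rounds: enough to be invertible for a demo, not secure


def _round_function(key: bytes, rnd: int, half: int) -> int:
    """Keyed round function of the toy Feistel cipher (constructed, not a real design)."""
    digest = hashlib.sha256(key + bytes([rnd]) + half.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """E_K: a Feistel network, chosen so that a matching D_K exists."""
    l, r = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
    for rnd in range(ROUNDS):
        l, r = r, l ^ _round_function(key, rnd, r)
    return r.to_bytes(4, "big") + l.to_bytes(4, "big")  # undo the final swap


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """D_K: the same network with the round order reversed."""
    l, r = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
    for rnd in reversed(range(ROUNDS)):
        l, r = r, l ^ _round_function(key, rnd, r)
    return r.to_bytes(4, "big") + l.to_bytes(4, "big")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def blocks(data: bytes) -> list:
    assert len(data) % BLOCK == 0, "demo assumes block-aligned input (no padding)"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    """C_i = E_K(P_i XOR C_{i-1}), C_0 = IV."""
    out, prev = [], iv
    for p in blocks(pt):
        prev = block_encrypt(key, xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    """P_i = D_K(C_i) XOR C_{i-1}: only two adjacent ciphertext blocks are needed,
    which is why a wrong IV damages the first block only."""
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def pcbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    """C_i = E_K(P_i XOR P_{i-1} XOR C_{i-1}), with P_0 XOR C_0 = IV."""
    out, chain = [], iv
    for p in blocks(pt):
        c = block_encrypt(key, xor(p, chain))
        out.append(c)
        chain = xor(p, c)
    return b"".join(out)


def pcbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    """P_i = D_K(C_i) XOR P_{i-1} XOR C_{i-1}: every block depends on the IV."""
    out, chain = [], iv
    for c in blocks(ct):
        p = xor(block_decrypt(key, c), chain)
        out.append(p)
        chain = xor(p, c)
    return b"".join(out)


def wrong_blocks(expected: bytes, actual: bytes) -> list:
    """Indices of the plaintext blocks that did not decrypt correctly."""
    return [i for i, (a, b) in enumerate(zip(blocks(expected), blocks(actual))) if a != b]


def bit_differences(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def wrong_iv_effect(decrypt, key: bytes, ct: bytes, pt: bytes, wrong_iv: bytes) -> list:
    """Which blocks a receiver using the wrong IV gets wrong."""
    return wrong_blocks(pt, decrypt(key, wrong_iv, ct))


def cbc_flip_effect(key: bytes, iv: bytes, pt: bytes, block_index: int, bit: int):
    """Flip one ciphertext bit in block `block_index`; return the wrongly decrypted
    blocks and how many bits of the *following* plaintext block changed."""
    ct = bytearray(cbc_encrypt(key, iv, pt))
    ct[block_index * BLOCK + bit // 8] ^= 1 << (bit % 8)
    recovered = cbc_decrypt(key, iv, bytes(ct))
    nxt = block_index + 1
    return wrong_blocks(pt, recovered), bit_differences(blocks(pt)[nxt], blocks(recovered)[nxt])


if __name__ == "__main__":
    key, iv, wrong = b"constructed-key!", bytes(range(BLOCK)), bytes(BLOCK)  # constructed
    pt = b"block 00block 01block 02block 03"                                 # 4 sample blocks
    print("CBC, wrong IV  ->", wrong_iv_effect(cbc_decrypt, key, cbc_encrypt(key, iv, pt), pt, wrong))
    print("PCBC, wrong IV ->", wrong_iv_effect(pcbc_decrypt, key, pcbc_encrypt(key, iv, pt), pt, wrong))
    print("CBC, flip 1 bit in C_1 -> wrong blocks, bits changed in P_2:", cbc_flip_effect(key, iv, pt, 1, 5))
```

The single flipped bit that survives into the following block is the malleability that a separate MAC or an authenticated mode exists to detect; error propagation alone is not integrity protection.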
the IV for the decryption of the current one. This means that a plaintext block can be recovered from two adjacent blocks of ciphertext. As a consequence, decryption
to a full block if it is smaller than the current block size. There are, however, modes that do not require padding because they effectively use a block cipher as a
(IV), for each encryption operation. The IV must be non-repeating, and for some modes must also be random. The initialization vector is used to ensure that distinct
Like CBC mode, changes in the plaintext propagate forever in the ciphertext, and encryption cannot be parallelized. Also like CBC, decryption can be parallelized.
provide confidentiality, but they do not protect against accidental modification or malicious tampering. Modification or tampering can be detected with a separate
AES-GCM-SIV synthesizes an internal IV by running the POLYVAL Galois mode of authentication on the input (additional data and plaintext), followed by an AES operation.
Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, U.S. Department of Commerce. 4 January 2017.
A number of modes of operation have been designed to combine secrecy and authentication in a single cryptographic primitive. Examples of such modes are
to fill out the block; if the message ends on a block boundary, a whole padding block will be added. Most sophisticated are CBC-specific schemes such as
CFB, OFB and CTR modes do not require any special measures to handle messages whose lengths are not multiples of the block size, since the modes work by
A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block.

"Error propagation" properties describe how a decryption behaves during bit errors, i.e. how an error in one bit cascades to different decrypted bits.
algorithm designed to provide both authentication and confidentiality. CCM mode is only defined for block ciphers with a block length of 128 bits.
an all-zero initialization vector will generate no encryption for 1/256 of keys. OFB-8 encryption returns the plaintext unencrypted for affected keys.
but during transformation the block size is always fixed. Block cipher modes operate on whole blocks and require that the final data fragment be
For CBC and CFB, reusing an IV leaks some information about the first block of plaintext, and about any common prefix shared by the two messages.
A striking example of the degree to which ECB can leave plaintext data patterns in the ciphertext can be seen when ECB mode is used to encrypt a
naming schemes for SIV AEAD-variants may lead to some confusion; for example AEAD_AES_SIV_CMAC_256 refers to AES-SIV with two AES-128 keys and

Some block ciphers have particular problems with certain initialization vectors, such as an all-zero IV generating no encryption (for some keys).
Modes of operation are defined by a number of national and internationally recognized standards bodies. Notable standards organizations include
A block cipher by itself is only suitable for the secure cryptographic transformation (encryption or decryption) of one fixed-length group of
plaintexts, a clear misuse of a stream, with a catastrophic loss of security. Deterministic authenticated encryption modes such as the NIST
errors (e.g., line noise), while others argued that error correcting increased the scope for attackers to maliciously tamper with a message.
Ehrsam, Meyer, Smith and Tuchman invented the cipher block chaining (CBC) mode of operation in 1976. In CBC mode, each block of plaintext is
SIV synthesizes an internal IV using the pseudorandom function S2V. S2V is a keyed hash based on CMAC, and the input to the function is:
(authenticated encryption with associated data) schemes. For example, EAX mode is a double-pass AEAD scheme while OCB mode is single-pass.
the plaintext with the output of the block cipher. The last partial block of plaintext is XORed with the first few bytes of the last
Disk encryption often uses special purpose modes specifically designed for the application. Tweakable narrow-block encryption modes (
that can be used to verify the integrity of the data. The encrypted text then contains the IV, ciphertext, and authentication tag.
Like in CTR, blocks are numbered sequentially, and then this block number is combined with an IV and encrypted with a block cipher
The cryptographic community recognized the need for dedicated integrity assurances and NIST responded with HMAC, CMAC, and GMAC.
It is recommended to review relevant IV requirements for the particular block cipher mode in relevant specification, for example
Fast Software Encryption 2001. Lecture Notes in Computer Science. Vol. 2355. Berlin: Springer. pp. 92–108.
The earliest modes of operation, ECB, CBC, OFB, and CFB (see below for all), date back to 1981 and were specified in
Davies, D. W.; Parkin, G. I. P. (1983). "The average cycle size of the key stream in output feedback encipherment".
Specific bit errors in stream cipher modes (OFB, CTR, etc.) are trivial. They affect only the specific bit intended.
maximum can be achieved. For this reason, support for truncated feedback was removed from the specification of OFB.
Note that a one-bit change in a plaintext or initialization vector (IV) affects all following ciphertext blocks.
Conrad, Eric; Misenar, Seth; Feldman, Joshua (2017-01-01), Conrad, Eric; Misenar, Seth; Feldman, Joshua (eds.),
In addition, some modes also allow for the authentication of unencrypted associated data, and these are called
"Synthetic Initialization Vector (SIV) Authenticated Encryption Using the Advanced Encryption Standard (AES)"

"Zerologon: Unauthenticated domain controller compromise by subverting Netlogon cryptography (CVE-2020-1472)"
Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode for Confidentiality on Storage Devices
Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality
"ISO/IEC 10116:2006 – Information technology – Security techniques – Modes of operation for an

CFB decryption in this variation is almost identical to CBC encryption performed in reverse:
Because of the symmetry of the XOR operation, encryption and decryption are exactly the same:
Other confidentiality modes exist which have not been approved by NIST. For example, CTS is
SIV encrypts the S2V output and the plaintext using AES-CTR, keyed with the encryption key (K
6824: 6512: 6466: 6228: 5703: 5486: 5381: 5260: 5119: 4999: 4968: 4662: 4349: 4027: 3967: 3936: 3902: 3862: 3849: 3684: 3203:
Random bit errors occur independently in any bit position with an expected probability of ½.
may intelligently combine many different specific bit errors to break the cipher mode. In
$$C_i = \operatorname{MSB}_s\big(E_K(I_{i-1})\big) \oplus P_i,$$

$$P_i = \operatorname{MSB}_s\big(E_K(I_{i-1})\big) \oplus C_i,$$

which do not cause any extra ciphertext, at the expense of some additional complexity.

"SP 800-38A, Recommendation for Block Cipher Modes of Operation: Methods and Techniques"
ECB mode can also make protocols without integrity protection even more susceptible to
Bit errors may occur intentionally in attacks or randomly due to transmission errors.
which contains no null bytes except at the end. Slightly more complex is the original
Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC
Synthetic initialization vector (SIV) is a nonce-misuse resistant block cipher mode.
$$C_i = E_K(P_i \oplus P_{i-1} \oplus C_{i-1}), \qquad P_0 \oplus C_0 = IV,$$

$$P_i = D_K(C_i) \oplus P_{i-1} \oplus C_{i-1}, \qquad P_0 \oplus C_0 = IV.$$
Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication
6930: 6775: 6765: 6755: 6718: 6667: 5399: 5220: 5184: 5049: 4928: 4883: 4715: 4667: 4617: 4429:
Jueneman, Robert R. (1983). "Analysis of certain aspects of output feedback mode".
Specific bit errors occur in the same bit position(s) as the original bit error(s).
advantage of parallel processing and implementing GCM can make efficient use of an
as an entirely separate cryptographic goal. Some modern modes of operation combine
Fast Encryption and Authentication: XCBC Encryption and XECB Authentication Modes
NIST Computer Security Division's (CSD) Security Technology Group (STG) (2013).
which contains large areas of uniform color. While the color of each individual
Eurocrypt 2001. Lecture Notes in Computer Science. Vol. 2045. Springer.
If the first block has index 1, the mathematical formula for CBC encryption is
transmit data in streaming form where it is inconvenient to add padding bytes.
Synthetic initialization vectors (SIV) synthesize an internal IV by running a
(Source: SP800-38A Table D.2: Summary of Effect of Bit Errors on Decryption)

Many block cipher modes have stronger requirements, such as the IV must be

"Comments to NIST concerning AES Modes of Operations: CTR-Mode Encryption"

$$I_i = \big((I_{i-1} \ll s) + C_i\big) \bmod 2^b,$$
Additional authenticated data (zero, one or many AAD fields are supported)
6904: 6864: 6553: 6450: 6435: 6430: 6420: 6384: 6304: 6218: 6098: 5626: 5512: 5476: 5270: 4933: 4808: 4788: 4700: 3428: 3408: 1036: 638: 500: 496: 492: 488: 263: 255: 251: 235: 175: 4527: 6389: 6345: 6123: 5672: 5646: 5621: 5179: 5129: 5089: 5079: 5024: 5019: 4863: 4672: 3467: 183: 4218: 4124:
Menezes, Alfred J.; van Oorschot, Paul C.; Vanstone, Scott A. (2018).
Cryptography Engineering: Design Principles and Practical Applications
Security of CBC Ciphersuites in SSL/TLS: Problems and Countermeasures
These modes will truncate the output of the underlying block cipher.
(2nd ed.). Upper Saddle River, NJ: Prentice Hall. p. 319.

wherein it fails to hide data patterns when it encrypts identical
Counter with cipher block chaining message authentication code (CCM)
require that the final block be padded before encryption. Several

but messages come in a variety of lengths. So some modes (namely

(NIST) revised its list of approved modes of operation by including

"Kryptographie FAQ: Frage 84: What are the Counter and PCBC Modes?"
Alfred J. Menezes; Paul C. van Oorschot; Scott A. Vanstone (1996).
Applied Cryptography: Protocols, Algorithms and Source Code in C
modes are classified as single-pass modes or double-pass modes.
"The Use of Encryption in Kerberos for Network Authentication"
There are several schemes which use a block cipher to build a
Counter with cipher block chaining message authentication code
8-bit CFB mode, the 64-bit CFB mode, or the 128-bit CFB mode.
Block ciphers may be capable of operating on more than one
Most modes require a unique binary sequence, often called an
Gueron, Shay; Langley, Adam; Lindell, Yehuda (14 Dec 2018).
AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption
can also be used for CBC mode to make padding unnecessary).
mode and available in many popular cryptographic libraries.
Ferguson, Niels; Schneier, Bruce; Kohno, Tadayoshi (2010).
Specific bit errors in more complex modes (e.g. CBC):
since each block gets decrypted in exactly the same way.

are designed to securely encrypt sectors of a disk (see
to function normally even when applied before encryption.
is an improvement over the very similarly named algorithm
Authenticated encryption with additional data (AEAD) modes
"The Transport Layer Security (TLS) Protocol Version 1.1"
Whiting, D.; Housley, R.; Ferguson, N. (September 2003).
should be applied to the ciphertext before transmission.
or a hardware pipeline. The CBC mode of operation incurs
Six common block cipher modes of operation for encrypting
Lipmaa, Helger; Wagner, David; Rogaway, Phillip (2000).
Indianapolis: Wiley Publishing, Inc. pp. 63, 64.
maintains a list of proposed modes for block ciphers at
is encrypted multiple times independently with the same
Cryptography's Role in Securing the Information Society
Cryptographically secure pseudorandom number generators
The ciphertext blocks are considered coefficients of a
Cryptographically secure pseudorandom number generator
690:
Owing to the use of two keys, the authentication key K
Encryption and decryption algorithms are as follows:
while the mathematical formula for CBC decryption is
the same IV–counter pair, would decrypt that block.
algorithm). These combined modes are referred to as
The block cipher modes ECB, CBC, OFB, CFB, CTR, and
Section headings recovered from this part of the article: History and standardization; Initialization vector (IV); Confidentiality only modes; Electronic codebook (ECB); Cipher block chaining (CBC); Propagating cipher block chaining (PCBC); Cipher feedback (CFB); Output feedback (OFB); Counter (CTR); Authenticated encryption; Galois/counter (GCM); Synthetic initialization vector (SIV); Summary of modes; Error propagation; Other modes and other cryptographic primitives.

Figure captions recovered from this part of the article: Original image; Using ECB allows patterns to be easily discerned; Modes other than ECB result in pseudo-randomness; ECB mode encryption; ECB mode decryption; CBC mode encryption; CBC mode decryption; CBC encryption example with a toy 2-bit cipher; CBC decryption example with a toy 2-bit cipher; PCBC mode encryption; PCBC mode decryption; Cipher feedback (CFB) encryption; Cipher feedback (CFB) decryption; OFB mode encryption; OFB mode decryption; CTR mode encryption; CTR mode decryption; GCM mode encryption.

CBC encryption:
{\displaystyle C_{i}=E_{K}(P_{i}\oplus C_{i-1}),} {\displaystyle C_{0}=IV,}

CBC decryption:
{\displaystyle P_{i}=D_{K}(C_{i})\oplus C_{i-1},} {\displaystyle C_{0}=IV.}

NIST SP800-38A defines CFB with a bit-width.
CFB-1, CFB-8, CFB-64, CFB-128, etc.

OFB encryption and decryption:
{\displaystyle C_{j}=P_{j}\oplus O_{j},}
{\displaystyle P_{j}=C_{j}\oplus O_{j},}
{\displaystyle O_{j}=E_{K}(I_{j}),}
{\displaystyle I_{j}=O_{j-1},}
{\displaystyle I_{0}={\text{IV}}.}
1762: 1758: 1754: 1746: 1743: 1740: 1736: 1732: 1727: 1724: 1721: 1717: 1713: 1708: 1704: 1695: 1691: 1687: 1682: 1678: 1670: 1669: 1668: 1655: 1641: 1627: 1624: 1620: 1610: 1606: 1602: 1598: 1594: 1590: 1585: 1580: 1574: 1572: 1569: 1565: 1563: 1559: 1554: 1548: 1546: 1531: 1517: 1500: 1484: 1481: 1478: 1475: 1470: 1466: 1458: 1444: 1439: 1436: 1433: 1429: 1425: 1417: 1413: 1404: 1400: 1396: 1391: 1387: 1379: 1378: 1377: 1360: 1357: 1354: 1351: 1346: 1342: 1334: 1320: 1312: 1309: 1306: 1302: 1298: 1293: 1289: 1280: 1276: 1272: 1267: 1263: 1255: 1254: 1253: 1241: 1227: 1213: 1211: 1207: 1197: 1193: 1189: 1185: 1181: 1177: 1172: 1167: 1161: 1159: 1157: 1143: 1131: 1119: 1110: 1108: 1104: 1098: 1095: 1083: 1069: 1055: 1052: 1050: 1046: 1042: 1038: 1034: 1024: 1020: 1016: 1012: 1008: 1004: 999: 994: 988: 986: 984: 980: 976: 966: 961: 958: 954: 949: 944: 941: 938: 937: 933: 928: 919: 913: 908: 905: 902: 901: 893: 889: 883: 878: 875: 872: 871: 863: 858: 854:XOR PlainText 851: 845: 839: 834: 831: 828: 827: 819: 815: 809: 803: 798: 795: 792: 791: 784: 780: 776:= F(PlainText 774: 769: 766: 763: 762: 758: 755: 751: 745: 741: 739: 731: 729: 727: 723: 719: 715: 712: 705: 703: 701: 688: 684: 670: 667: 664: 663: 662: 659: 653: 651: 649: 645: 640: 632: 630: 628: 624: 616: 602: 588: 585: 578: 576: 572: 566: 557: 553: 549: 545: 541: 537: 532: 527: 521: 519: 517: 512: 510: 506: 502: 498: 494: 490: 480: 472: 467: 465: 462: 458: 453: 451: 447: 443: 439: 435: 431: 427: 423: 419: 415: 411: 407: 403: 399: 395: 391: 387: 383: 379: 373: 365: 360: 357: 353: 352: 351: 347: 343: 339: 335: 332: 330: 325: 323: 319: 315: 309: 304: 296: 294: 292: 288: 284: 280: 276: 272: 267: 265: 261: 257: 253: 249: 245: 241: 237: 233: 227: 225: 221: 217: 213: 209: 205: 201: 197: 193: 189: 185: 181: 177: 172: 170: 166: 162: 158: 154: 150: 146: 142: 138: 134: 126: 124: 122: 118: 114: 110: 105: 103: 102:stream cipher 99: 95: 91: 87: 83: 79: 74: 72: 68: 64: 60: 56: 52: 48: 39: 33: 19: 6931:Block cipher 6776:Key 
schedule 6766:Key exchange 6756:Kleptography 6719:Cryptosystem 6668:Cryptography 5880: 5548: 5452:Partitioning 5410:Side-channel 5388: 5355:Higher-order 5340:Differential 5221:Key schedule 4566:. Retrieved 4552: 4540:. Retrieved 4531: 4522: 4510:. Retrieved 4501: 4492: 4483: 4477: 4430: 4424: 4405: 4399: 4387:|first= 4379:cite journal 4367:. Retrieved 4345: 4318:the original 4303: 4290: 4271: 4265: 4253:. Retrieved 4244: 4235: 4223:. Retrieved 4219:the original 4209: 4200: 4180: 4173: 4153: 4146: 4126: 4119: 4107:. Retrieved 4095: 4083: 4071:. Retrieved 4066: 4056: 4044:. Retrieved 4018: 4011: 3999:. Retrieved 3989: 3958: 3951: 3924: 3917: 3894: 3887: 3854: 3844: 3832:. Retrieved 3826: 3816: 3804:. Retrieved 3800: 3790: 3776: 3769: 3757:. Retrieved 3743: 3731:. Retrieved 3722: 3712: 3702:, retrieved 3680: 3670: 3657: 3651: 3614: 3606: 3594:. Retrieved 3585: 3575: 3556: 3535:. Retrieved 3526: 3516: 3462: 3456: 3445: 3438: 3425: 3398: 3393: 3388: 3384:Davies–Meyer 3380: 3368: 3364: 3361: 3225: 3198: 3195: 3187: 3139: 3130: 3126: 3115: 3102:block cipher 3099: 3093: 3089: 3039: 3035: 3030: 2990: 2722: 2700: 2698: 2647: 2644: 2635: 2631: 2269: 2264: 2262: 2254: 2001: 1999: 1948: 1937: 1665: 1622: 1618: 1616: 1567: 1566: 1552: 1549: 1541: 1375: 1251: 1203: 1153: 1103:bitmap image 1099: 1096: 1093: 1053: 1032: 1030: 978: 974: 972: 964: 956: 952: 947: 931: 926:= F(IV, Key) 917: 911: 887: 885:= Ciphertext 881: 856: 849: 843: 837: 813: 807: 801: 778: 772: 742: 735: 725: 721: 720: 716: 709: 699: 689: 685: 678: 660: 657: 643: 642: 612: 586: 579: 567: 563: 513: 482: 468:Common modes 454: 449: 445: 385: 384:(known as a 378:block cipher 375: 348: 344: 340: 336: 333: 326: 322:pseudorandom 310: 306: 268: 228: 223: 211: 199: 173: 164: 152: 136: 130: 117:authenticity 106: 75: 63:authenticity 51:block cipher 46: 44: 6919:Mathematics 6910:Mix network 6600:Merkle tree 6588:Utilization 6574:NSA Suite B 5537:Utilization 5523:NSA Suite B 5508:AES process 5457:Rubber-hose 5395:Related-key 
5303:Brute-force 4682:Less common 3434:AES-GCM-SIV 3226:For modern 3096:(SIC) mode. 1940:Kerberos v4 841:= PlainText 805:= PlainText 759:Ciphertext 722:AES-GCM-SIV 711:AES-GCM-SIV 706:AES-GCM-SIV 82:ciphertexts 53:to provide 7018:Categories 6870:Ciphertext 6840:Decryption 6835:Encryption 6796:Ransomware 6412:encryption 6189:RadioGatún 5996:Comparison 5901:T-function 5848:Generators 5724:Achterbahn 5487:Chi-square 5405:Rotational 5345:Impossible 5266:Block size 5160:Spectr-H64 4984:Ladder-DES 4979:Kuznyechik 4924:Hierocrypt 4794:BassOmatic 4757:algorithms 4684:algorithms 4657:Triple DES 4632:algorithms 4440:0306413663 4415:0306413663 4313:0387973176 4281:0130460192 4073:19 October 4046:August 14, 4001:21 October 3945:. 800-38C. 3834:14 October 3806:14 October 3704:2020-11-01 3509:References 3092:(ICM) and 1560:, such as 1049:ciphertext 615:polynomial 402:null bytes 386:block size 289:, and the 94:block size 6860:Plaintext 6329:KDF1/KDF2 6248:functions 6234:Whirlpool 5814:SOBER-128 5744:KCipher-2 5678:SOSEMANUK 5649:Portfolio 5462:Black-bag 5382:Boomerang 5371:Known-key 5350:Truncated 5175:Threefish 5170:SXAL/MBAL 5060:MultiSwap 5015:MacGuffin 4974:KN-Cipher 4914:Grand Cru 4869:CS-Cipher 4849:COCONUT98 4225:7 January 3759:7 January 3733:April 12, 3596:April 14, 3537:April 12, 3386:hashing. 3124:in 1979. 3110:keystream 2929:− 2814:⊕ 2757:⊕ 2709:keystream 2604:⊕ 2586:− 2555:⁡ 2498:⊕ 2480:− 2449:⁡ 2359:≪ 2351:− 2186:⊕ 2175:− 2122:otherwise 2103:⊕ 2092:− 1901:⊕ 1880:− 1869:⊕ 1861:− 1850:⊕ 1768:⊕ 1744:− 1733:⊕ 1725:− 1714:⊕ 1437:− 1426:⊕ 1310:− 1299:⊕ 1045:plaintext 1041:diffusion 1037:codebooks 951:= F(IV + 922:, Key); Y 702:AES-256. 
668:Plaintext 461:keystream 406:plaintext 329:SP800-38A 248:SP800-38D 240:SP800-38C 220:SP800-38D 208:SP800-38B 161:SP800-38E 149:SP800-38A 86:plaintext 69:called a 6999:Category 6905:Kademlia 6865:Codetext 6808:(CSPRNG) 6554:CRYPTREC 6385:Poly1305 6305:yescrypt 6219:Streebog 6099:CubeHash 6079:(winner) 5687:Hardware 5656:Software 5627:Crypto-1 5513:CRYPTREC 5477:Weak key 5430:Acoustic 5271:Key size 5115:Red Pike 4934:IDEA NXT 4814:Chiasmus 4809:CAST-256 4789:BaseKing 4774:Akelarre 4769:Adiantum 4736:Skipjack 4701:CAST-128 4696:Camellia 4644:Blowfish 4568:28 April 4562:Archived 4542:28 April 4536:Archived 4532:Coursera 4512:28 April 4506:Archived 4466:Archived 4369:28 April 4360:Archived 4255:28 April 4249:Archived 4100:Archived 4096:NIST.gov 3782:archived 3753:Archived 3727:Archived 3725:. NIST. 3662:Archived 3660:. 2006. 3590:Archived 3588:. NIST. 3531:Archived 3529:. NIST. 3482:See also 3429:Key Wrap 1051:blocks. 756:Formulas 639:CCM mode 621:, using 442:Ferguson 438:Schneier 196:FIPS 198 182:such as 57:such as 6675:General 6460:Attacks 6390:SipHash 6346:CBC-MAC 6280:LM hash 6260:Balloon 6124:HAS-160 5915:Attacks 5704:Trivium 5673:Salsa20 5647:eSTREAM 5554:Padding 5472:Rebound 5180:Treyfer 5130:SAVILLE 5090:PRESENT 5080:NOEKEON 5025:MAGENTA 5020:Madryga 5000:Lucifer 4864:CRYPTON 4673:Twofish 4663:Serpent 4109:1 April 3621:228–233 3468:CBC-MAC 3104:into a 3057:Counter 1508:Example 1501:Example 939:Counter 726:GCM-SIV 404:to the 398:padding 366:Padding 186:, or a 184:CBC-MAC 157:XTS-AES 133:FIPS 81 123:modes. 
6786:Keygen 6620:Pepper 6559:NESSIE 6506:Design 6300:scrypt 6295:PBKDF2 6270:Catena 6265:bcrypt 6255:Argon2 6214:Snefru 6209:Shabal 6204:SWIFFT 6184:RIPEMD 6179:N-hash 6154:MASH-2 6149:MASH-1 6134:Kupyna 6094:BLAKE3 6077:Keccak 6062:Grøstl 6039:BLAKE2 5874:Theory 5824:Turing 5819:Spritz 5794:Scream 5764:Phelix 5759:Panama 5729:F-FCSR 5699:MICKEY 5668:Rabbit 5663:HC-128 5622:ChaCha 5518:NESSIE 5467:Davies 5415:Timing 5330:Linear 5290:Attack 5209:Design 5200:Zodiac 5165:Square 5140:SHACAL 5135:SC2000 5095:Prince 5075:Nimbus 5070:NewDES 5055:MULTI2 5045:MISTY1 4988:LOKI ( 4964:KHAZAD 4959:KeeLoq 4954:KASUMI 4949:Kalyna 4834:CLEFIA 4819:CIKS-1 4779:Anubis 4630:Common 4437:  4412:  4310:  4278:  4188:  4161:  4134:  3875:  3828:GitHub 3801:Secura 3695:  3627:  3563:  3450:. See 3407:, and 3332:, …, P 1562:POODLE 973:Note: 832:(PCBC) 782:, Key) 503:, and 457:XORing 414:string 412:style 318:random 281:, the 262:, and 214:, and 98:padded 6816:(PRN) 6414:modes 6290:Makwa 6285:Lyra2 6275:crypt 6224:Tiger 6174:MDC-2 6129:HAVAL 6114:Fugue 6072:Skein 6057:BLAKE 6034:SHA-3 6029:SHA-2 6023:SHA-1 5896:NLFSR 5809:SOBER 5739:ISAAC 5694:Grain 5400:Slide 5256:Round 5241:P-box 5236:S-box 5195:XXTEA 5155:Speck 5150:Simon 5145:SHARK 5125:SAFER 5110:REDOC 5035:Mercy 4994:89/91 4944:Iraqi 4909:G-DES 4899:FEA-M 4879:DES-X 4844:Cobra 4799:BATON 4784:Ascon 4764:3-Way 4755:Other 4469:(PDF) 4462:(PDF) 4363:(PDF) 4342:(PDF) 4321:(PDF) 4300:(PDF) 4103:(PDF) 4092:(PDF) 3929:(PDF) 3899:(PDF) 3859:(PDF) 3142:nonce 2713:XORed 1944:WASTE 1206:XORed 1107:pixel 942:(CTR) 915:= F(Y 906:(OFB) 898:= IV 876:(CFB) 868:= IV 824:= IV 796:(CBC) 767:(ECB) 71:block 6615:Salt 6579:CNSA 6446:IAPM 6400:VMAC 6395:UMAC 6380:PMAC 6375:CMAC 6371:OMAC 6366:NMAC 6361:HMAC 6356:GMAC 6325:HKDF 6194:SIMD 6144:Lane 6119:GOST 6104:ECOH 5991:List 5978:and 5891:LFSR 5839:WAKE 5834:VMPC 5829:VEST 5804:SNOW 5799:SEAL 5789:RC4A 5784:RC4+ 5779:QUAD 5769:Pike 5754:ORYX 5749:MUGI 5734:FISH 5617:A5/2 5612:A5/1 5528:CNSA 5387:Mod 
5313:MITM 5085:NUSH 5040:MESH 5030:MARS 4904:FROG 4894:FEAL 4874:DEAL 4854:Crab 4839:CMEA 4746:XTEA 4731:SEED 4711:IDEA 4706:GOST 4691:ARIA 4570:2018 4544:2018 4514:2018 4435:ISBN 4410:ISBN 4391:help 4371:2018 4308:ISBN 4276:ISBN 4257:2018 4227:2015 4186:ISBN 4159:ISBN 4132:ISBN 4111:2017 4075:2020 4048:2019 4041:8452 4024:IETF 4003:2020 3981:3610 3964:IETF 3933:NIST 3873:ISBN 3836:2020 3808:2020 3761:2015 3735:2013 3693:ISBN 3625:ISBN 3598:2013 3561:ISBN 3539:2013 3476:PMAC 3474:and 3472:OMAC 3415:and 3390:NIST 3241:Mode 3120:and 2699:The 2000:The 1942:and 1617:The 1582:PCBC 753:Mode 516:AEAD 440:and 426:bits 392:and 382:size 291:IETF 287:ANSI 283:IEEE 271:NIST 260:IAPM 216:GMAC 204:CMAC 192:HMAC 115:and 67:bits 6451:OCB 6441:GCM 6436:EAX 6431:CWC 6421:CCM 6351:DAA 6229:VSH 6199:SM3 6169:MD6 6164:MD4 6159:MD2 6139:LSH 6109:FSB 6017:MD5 5637:RC4 5482:Tau 5442:XSL 5246:SPN 5190:xmx 5185:UES 5120:S-1 5105:RC2 5050:MMB 4929:ICE 4884:DFC 4741:TEA 4726:RC6 4721:RC5 4716:LEA 4668:SM4 4649:DES 4639:AES 4350:doi 4038:RFC 4028:doi 3978:RFC 3968:doi 3937:doi 3903:doi 3863:doi 3685:doi 3423:). 3417:EME 3413:CMC 3409:XTS 3405:XEX 3401:LRW 3340:CTR 3328:, P 3315:OFB 3301:i+1 3291:CFB 3279:i+1 3269:CBC 3255:ECB 3081:Yes 3073:Yes 3065:Yes 3052:CTR 2664:OFB 2546:MSB 2440:MSB 2390:mod 1994:Yes 1986:Yes 1965:CFB 1621:or 1553:can 1198:Yes 1190:Yes 1169:CBC 1025:Yes 1017:Yes 1009:Yes 996:ECB 700:not 683:). 558:Yes 550:Yes 542:Yes 529:GCM 505:GCM 501:CCM 497:CWC 493:EAX 489:OCB 432:or 422:bit 418:DES 394:CBC 390:ECB 320:or 279:IEC 275:ISO 264:OCB 256:EAX 252:CWC 250:), 244:GCM 242:), 236:CCM 176:XTS 159:in 145:AES 90:key 61:or 7020:: 6067:JH 5906:IV 5774:Py 5632:E0 5010:M8 5005:M6 4992:, 4990:97 4889:E2 4655:, 4534:. 4530:. 4504:. 4500:. 4464:. 4449:^ 4383:: 4381:}} 4377:{{ 4358:. 4348:. 4344:. 4329:^ 4302:. 4247:. 4243:. 4094:. 4065:. 4036:. 4026:. 4022:. 3976:. 3966:. 3962:. 3935:. 3871:. 3825:. 3799:. 3780:, 3721:. 3691:, 3679:, 3656:. 3639:^ 3623:. 3584:. 3547:^ 3525:. 
3470:, 3403:, 3396:. 3264:— 2972:IV 2693:No 2685:No 2677:No 2295:IV 2049:IV 1978:No 1611:No 1603:No 1595:No 1564:. 1182:No 985:. 920:−1 890:−1 859:−1 852:−1 816:−1 740:. 675:). 507:. 499:, 495:, 491:, 452:. 376:A 331:. 293:. 285:, 273:, 266:. 258:, 254:, 226:. 222:, 210:, 202:, 198:, 163:, 151:, 135:, 104:. 6660:e 6653:t 6646:v 6373:/ 5968:e 5961:t 5954:v 5590:e 5583:t 5576:v 5389:n 5373:) 5369:( 5336:) 5332:( 5309:) 5305:( 5296:) 5292:( 5282:) 5278:( 5100:Q 4996:) 4659:) 4651:( 4624:) 4620:( 4610:e 4603:t 4596:v 4572:. 4546:. 4516:. 4443:. 4418:. 4393:) 4373:. 4352:: 4284:. 4259:. 4229:. 4194:. 4167:. 4140:. 4113:. 4077:. 4050:. 4030:: 4005:. 3983:. 3970:: 3939:: 3911:. 3905:: 3881:. 3865:: 3838:. 3810:. 3763:. 3737:. 3687:: 3652:n 3633:. 3600:. 3569:. 3541:. 3355:i 3351:i 3345:i 3334:n 3330:2 3326:1 3320:i 3308:1 3296:i 3285:1 3274:i 3260:i 3246:i 2976:. 2968:= 2963:0 2959:I 2937:, 2932:1 2926:j 2922:O 2918:= 2913:j 2909:I 2887:, 2884:) 2879:j 2875:I 2871:( 2866:K 2862:E 2858:= 2853:j 2849:O 2827:, 2822:j 2818:O 2809:j 2805:C 2801:= 2796:j 2792:P 2770:, 2765:j 2761:O 2752:j 2748:P 2744:= 2739:j 2735:C 2617:, 2612:i 2608:C 2599:) 2594:) 2589:1 2583:i 2579:I 2575:( 2570:K 2566:E 2560:( 2550:s 2542:= 2537:i 2533:P 2511:, 2506:i 2502:P 2493:) 2488:) 2483:1 2477:i 2473:I 2469:( 2464:K 2460:E 2454:( 2444:s 2436:= 2431:i 2427:C 2405:, 2400:b 2394:2 2383:) 2376:i 2372:C 2368:+ 2365:) 2362:s 2354:1 2348:i 2344:I 2340:( 2335:( 2330:= 2325:i 2321:I 2299:. 2291:= 2286:0 2282:I 2199:, 2194:i 2190:C 2183:) 2178:1 2172:i 2168:C 2164:( 2159:K 2155:E 2151:= 2142:i 2138:P 2116:, 2111:i 2107:P 2100:) 2095:1 2089:i 2085:C 2081:( 2076:K 2072:E 2064:0 2061:= 2058:i 2053:, 2042:{ 2037:= 2028:i 2024:C 1923:. 
1920:V 1917:I 1914:= 1909:0 1905:C 1896:0 1892:P 1888:, 1883:1 1877:i 1873:C 1864:1 1858:i 1854:P 1847:) 1842:i 1838:C 1834:( 1829:K 1825:D 1821:= 1816:i 1812:P 1790:, 1787:V 1784:I 1781:= 1776:0 1772:C 1763:0 1759:P 1755:, 1752:) 1747:1 1741:i 1737:C 1728:1 1722:i 1718:P 1709:i 1705:P 1701:( 1696:K 1692:E 1688:= 1683:i 1679:C 1485:. 1482:V 1479:I 1476:= 1471:0 1467:C 1445:, 1440:1 1434:i 1430:C 1423:) 1418:i 1414:C 1410:( 1405:K 1401:D 1397:= 1392:i 1388:P 1361:, 1358:V 1355:I 1352:= 1347:0 1343:C 1321:, 1318:) 1313:1 1307:i 1303:C 1294:i 1290:P 1286:( 1281:K 1277:E 1273:= 1268:i 1264:C 979:i 977:( 975:g 965:i 957:i 955:( 953:g 948:i 945:Y 932:i 924:0 918:i 912:i 909:Y 896:0 888:i 882:i 879:Y 866:0 861:) 857:i 850:i 844:i 838:i 835:Y 822:0 814:i 808:i 802:i 799:Y 787:i 785:Y 779:i 773:i 770:Y 696:2 692:1 681:2 673:1 619:H 582:E 450:n 446:n 410:C 246:( 238:( 34:. 20:)


Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.