be controversial; critics argued that "deliberately exposing a cryptosystem to a known systematic input represents an unnecessary risk". However, today CTR mode is widely accepted, and any problems are considered a weakness of the underlying block cipher, which is expected to be secure regardless of systemic bias in its input. Along with CBC, CTR mode is one of two block cipher modes recommended by Niels
Ferguson and Bruce Schneier.
It might be observed, for example, that a one-block error in the transmitted ciphertext would result in a one-block error in the reconstructed plaintext for ECB mode encryption, while in CBC mode such an error would affect two blocks. Some felt that such resilience was desirable in the face of random
in many cases, since the attacker may be able to manipulate the entire IV–counter pair to cause a collision. Once an attacker controls the IV–counter pair and plaintext, XOR of the ciphertext with the known plaintext would yield a value that, when XORed with the ciphertext of the other block sharing
In CBC mode, the IV must be unpredictable (random or pseudorandom) at encryption time; in particular, the (previously) common practice of re-using the last ciphertext block of a message as the IV for the next message is insecure (for example, this method was used by SSL 2.0). If an attacker knows the
Many modes use an initialization vector (IV) which, depending on the mode, may have requirements such as being only used once (a nonce) or being unpredictable ahead of its publication, etc. Reusing an IV with the same key in CTR, GCM or OFB mode results in XORing the same keystream with two or more
Each output feedback block cipher operation depends on all previous ones, and so cannot be performed in parallel. However, because the plaintext or ciphertext is only used for the final XOR, the block cipher operations may be performed in advance, allowing the final step to be performed in parallel
GCM is defined for block ciphers with a block size of 128 bits. Galois message authentication code (GMAC) is an authentication-only variant of the GCM which can form an incremental message authentication code. Both GCM and GMAC can accept initialization vectors of arbitrary length. GCM can take full
For some keys, an all-zero initialization vector may cause some block cipher modes (CFB-8, OFB-8) to get their internal state stuck at all-zero. For CFB-8, an all-zero IV and an all-zero plaintext cause 1/256 of keys to generate no encryption: the plaintext is returned as ciphertext. For OFB-8, using
block by encrypting successive values of a "counter". The counter can be any function which produces a sequence which is guaranteed not to repeat for a long time, although an actual increment-by-one counter is the simplest and most popular. The usage of a simple deterministic input function used to
CFB may also self synchronize in some special cases other than those specified. For example, a one-bit change in CFB-128 with an underlying 128-bit block cipher will re-synchronize after two blocks. (However, CFB-128 etc. will not handle bit loss gracefully; a one-bit loss will cause the decryptor
The CFB mode also requires an integer parameter, denoted s, such that 1 ≤ s ≤ b. In the specification of the CFB mode below, each plaintext segment (Pj) and ciphertext segment (Cj) consists of s bits. The value of s is sometimes incorporated into the name of the mode, e.g., the 1-bit CFB mode, the
take advantage of this property by prepending a single random block to the plaintext. Encryption is done as normal, except the IV does not need to be communicated to the decryption routine. Whatever IV decryption uses, only the random block is "corrupted". It can be safely discarded and the rest of
Decrypting with the incorrect IV causes the first block of plaintext to be corrupt but subsequent plaintext blocks will be correct. This is because each block is XORed with the ciphertext of the previous block, not the plaintext, so one does not need to decrypt the previous block before using it as
Galois/counter mode (GCM) combines the well-known counter mode of encryption with the new Galois mode of authentication. The key feature is the ease of parallel computation of the Galois field multiplication used for authentication. This feature permits higher throughput than encryption algorithms.
Many more modes of operation for block ciphers have been suggested. Some have been accepted, fully described (even standardized), and are in use. Others have been found insecure, and should never be used. Still others don't categorize as confidentiality, authenticity, or authenticated encryption –
block, producing a final ciphertext block that is the same size as the final partial plaintext block. This characteristic of stream ciphers makes them suitable for applications that require the encrypted ciphertext data to be the same size as the original plaintext data, and for applications that
If the IV/nonce is random, then they can be combined with the counter using any invertible operation (concatenation, addition, or XOR) to produce the actual unique counter block for encryption. In case of a non-random nonce (such as a packet counter), the nonce and counter should be concatenated
Using OFB mode with a partial block as feedback like CFB mode reduces the average cycle length by a factor of 2 or more. A mathematical model proposed by Davies and Parkin and substantiated by experimental results showed that only with full feedback an average cycle length near to the obtainable
CFB-1 is considered self synchronizing and resilient to loss of ciphertext; "When the 1-bit CFB mode is used, then the synchronization is automatically restored b+1 positions after the inserted or deleted bit. For other values of s in the CFB mode, and for the other confidentiality modes in this
mode was designed to cause small changes in the ciphertext to propagate indefinitely when decrypting, as well as when encrypting. In PCBC mode, each block of plaintext is XORed with both the previous plaintext block and the previous ciphertext block before being encrypted. Like with CBC mode, an
CTR mode has similar characteristics to OFB, but also allows a random-access property during decryption. CTR mode is well suited to operate on a multi-processor machine, where blocks can be encrypted in parallel. Furthermore, it does not suffer from the short-cycle problem that can affect OFB.
The cryptographic community observed that compositing (combining) a confidentiality mode with an authenticity mode could be difficult and error prone. They therefore began to supply modes which combined confidentiality and data integrity into a single cryptographic primitive (an encryption
chained in MAC-Then-Encrypt order, any bit error should completely abort decryption and must not generate any specific bit errors to the decryptor. I.e. if decryption succeeded, there should not be any bit error. As such, error propagation is a less important subject in modern cipher modes than in
be parallelized. Note that a one-bit change to the ciphertext causes complete corruption of the corresponding block of plaintext, and inverts the corresponding bit in the following block of plaintext, but the rest of the blocks remain intact. This peculiarity is exploited in different
CBC has been the most commonly used mode of operation. Its main drawbacks are that encryption is sequential (i.e., it cannot be parallelized), and that the message must be padded to a multiple of the cipher block size. One way to handle this last issue is through the method known as
, with a few very small changes (e.g. how AES-CTR is initialized), but which yields practical benefits to its security "This addition allows for encrypting up to 2 messages with the same key, compared to the significant limitation of only 2 messages that were allowed with GCM-SIV."
An initialization vector (IV) or starting variable (SV) is a block of bits that is used by several modes to randomize the encryption and hence to produce distinct ciphertexts even if the same plaintext is encrypted multiple times, without the need for a slower re-keying process.
SIV can support external nonce-based authenticated encryption, in which case one of the authenticated data fields is utilized for this purpose. RFC 5297 specifies that for interoperability purposes the last authenticated data field should be used as the external nonce.
AES-GCM-SIV synthesizes the internal IV. It derives a hash of the additional authenticated data and plaintext using the POLYVAL Galois hash function. The hash is then encrypted with an AES key, and used as the authentication tag and AES-CTR initialization vector.
, usually AES. The result of this encryption is then XORed with the plaintext to produce the ciphertext. Like all counter modes, this is essentially a stream cipher, and so it is essential that a different IV is used for each stream that is encrypted.
An initialization vector has different security requirements than a key, so the IV usually does not need to be secret. For most block cipher modes it is important that an initialization vector is never reused under the same key, i.e. it must be a
is a mode of operation for the
Advanced Encryption Standard which provides similar performance to Galois/counter mode as well as misuse resistance in the event of the reuse of a cryptographic nonce. The construction is defined in RFC 8452.
For OFB and CTR, reusing an IV causes key bitstream re-use, which breaks security. This can be seen because both modes effectively create a bitstream that is XORed with the plaintext, and this bitstream is dependent on the key and IV only.
Different cipher modes mask patterns by cascading outputs from the cipher block or other globally deterministic variables into the subsequent cipher block. The inputs of the listed modes are summarized in the following table:
It is possible to obtain an OFB mode keystream by using CBC mode with a constant string of zeroes as input. This can be useful, because it allows the usage of fast hardware implementations of CBC mode for OFB mode encryption.
IV (or the previous block of ciphertext) before the next plaintext is specified, they can check their guess about plaintext of some block that was encrypted with the same key before (this is known as the TLS CBC IV attack).
(e.g., storing the nonce in the upper 64 bits and the counter in the lower 64 bits of a 128-bit counter block). Simply adding or XORing the nonce and counter into a single value would break the security under a
algorithm and the SIV (RFC 5297) AEAD mode do not require an IV as an input, and return the same ciphertext and authentication tag every time for a given plaintext and key. Other IV misuse-resistant modes such as
. They are generally used in modes of operation similar to the block modes described here. As with all protocols, to be cryptographically secure, care must be taken to design these modes of operation correctly.
(PRF) construction called S2V on the input (additional data and plaintext), preventing any external data from directly controlling the IV. External nonces / IV may be fed into S2V as an additional data field.
with the plaintext blocks to get the ciphertext. Just as with other stream ciphers, flipping a bit in the ciphertext produces a flipped bit in the plaintext at the same location. This property allows many
CFB, OFB and CTR share two advantages over CBC mode: the block cipher is only ever used in the encrypting direction, and the message does not need to be padded to a multiple of the cipher block size (though
Some modes (such as AES-SIV and AES-GCM-SIV) are built to be more nonce-misuse resistant, i.e. resilient to scenarios in which the randomness generation is faulty or under the control of the attacker.
Many modes of operation have been defined. Some of these are described below. The purpose of cipher modes is to mask patterns which exist in encrypted data, as illustrated in the description of the
recommendation, the synchronization must be restored externally." (NIST SP800-38A). I.e. 1-bit loss in a 128-bit-wide block cipher like AES will render 129 invalid bits before emitting valid bits.
, CBC can be decrypted in the attack by guessing encryption secrets based on error responses. The Padding Oracle attack variant "CBC-R" (CBC Reverse) lets the attacker construct any valid message.
$$\begin{aligned}C_i &= \begin{cases}\text{IV}, & i = 0\\ E_K(C_{i-1}) \oplus P_i, & \text{otherwise}\end{cases}\\ P_i &= E_K(C_{i-1}) \oplus C_i,\end{aligned}$$
On a message encrypted in PCBC mode, if two adjacent ciphertext blocks are exchanged, this does not affect the decryption of subsequent blocks. For this reason, PCBC is not used in
Kerberos v5.
to bring its length up to a multiple of the block size, but care must be taken that the original length of the plaintext can be recovered; this is trivial, for example, if the plaintext is a
benefit from an IV input, for example in the maximum amount of data that can be safely encrypted with one key, while not failing catastrophically if the same IV is used multiple times.
However, when proper integrity protection is used, such an error will result (with high probability) in the entire message being rejected. If resistance to random error is desirable,
with the previous ciphertext block before being encrypted. This way, each ciphertext block depends on all plaintext blocks processed up to that point. To make each message unique, an
). The message is divided into blocks, and each block is encrypted separately. ECB is not recommended for use in cryptographic protocols: the disadvantage of this method is a lack of
Historically, encryption modes have been studied extensively in regard to their error propagation properties under various scenarios of data modification. Later development regarded
has supposedly been encrypted, the overall image may still be discerned, as the pattern of identically colored pixels in the original remains visible in the encrypted version.
(IV) in the other diagrams. However, if the offset/location information is corrupt, it will be impossible to partially recover such data due to the dependence on byte offset.
(CFB) mode, in its simplest form uses the entire output of the block cipher. In this variation, it is very similar to CBC, turning a block cipher into a self-synchronizing
suggest two possibilities, both simple: append a byte with value 128 (hex 80), followed by as many zero bytes as needed to fill the last block, or pad the last block with
William F. Ehrsam, Carl H. W. Meyer, John L. Smith, Walter L. Tuchman, "Message verification and transmission error detection by block chaining", US Patent 4074066, 1976.
initialization vector is used in the first block. Unlike CBC, decrypting PCBC with the incorrect IV (initialization vector) causes all blocks of plaintext to be corrupt.
the IV for the decryption of the current one. This means that a plaintext block can be recovered from two adjacent blocks of ciphertext. As a consequence, decryption
to a full block if it is smaller than the current block size. There are, however, modes that do not require padding because they effectively use a block cipher as a
(IV), for each encryption operation. The IV must be non-repeating, and for some modes must also be random. The initialization vector is used to ensure that distinct
Like CBC mode, changes in the plaintext propagate forever in the ciphertext, and encryption cannot be parallelized. Also like CBC, decryption can be parallelized.
provide confidentiality, but they do not protect against accidental modification or malicious tampering. Modification or tampering can be detected with a separate
AES-GCM-SIVs synthesize an internal IV by running POLYVAL Galois mode of authentication on input (additional data and plaintext), followed by an AES operation.
. Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, U.S. Department of Commerce. 4 January 2017.
A number of modes of operation have been designed to combine secrecy and authentication in a single cryptographic primitive. Examples of such modes are ,
to fill out the block; if the message ends on a block boundary, a whole padding block will be added. Most sophisticated are CBC-specific schemes such as
CFB, OFB and CTR modes do not require any special measures to handle messages whose lengths are not multiples of the block size, since the modes work by
. A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block.
"Error propagation" properties describe how a decryption behaves during bit errors, i.e. how error in one bit cascades to different decrypted bits.
algorithm designed to provide both authentication and confidentiality. CCM mode is only defined for block ciphers with a block length of 128 bits.
all zero initialization vector will generate no encryption for 1/256 of keys. OFB-8 encryption returns the plaintext unencrypted for affected keys.
, but during transformation the block size is always fixed. Block cipher modes operate on whole blocks and require that the final data fragment be
For CBC and CFB, reusing an IV leaks some information about the first block of plaintext, and about any common prefix shared by the two messages.
A striking example of the degree to which ECB can leave plaintext data patterns in the ciphertext can be seen when ECB mode is used to encrypt a
, naming schemes for SIV AEAD-variants may lead to some confusion; for example AEAD_AES_SIV_CMAC_256 refers to AES-SIV with two AES-128 keys and
. Some block ciphers have particular problems with certain initialization vectors, such as all zero IV generating no encryption (for some keys).
Modes of operation are defined by a number of national and internationally recognized standards bodies. Notable standards organizations include
. A block cipher by itself is only suitable for the secure cryptographic transformation (encryption or decryption) of one fixed-length group of
plaintexts, a clear misuse of a stream, with a catastrophic loss of security. Deterministic authenticated encryption modes such as the NIST
errors (e.g., line noise), while others argued that error correcting increased the scope for attackers to maliciously tamper with a message.
Ehrsam, Meyer, Smith and
Tuchman invented the cipher block chaining (CBC) mode of operation in 1976. In CBC mode, each block of plaintext is
SIV synthesizes an internal IV using the pseudorandom function S2V. S2V is a keyed hash based on CMAC, and the input to the function is:
(authenticated encryption with associated data) schemes. For example, EAX mode is a double-pass AEAD scheme while OCB mode is single-pass.
the plaintext with the output of the block cipher. The last partial block of plaintext is XORed with the first few bytes of the last
Disk encryption often uses special purpose modes specifically designed for the application. Tweakable narrow-block encryption modes (
that can be used to verify the integrity of the data. The encrypted text then contains the IV, ciphertext, and authentication tag.
Like in CTR, blocks are numbered sequentially, and then this block number is combined with an IV and encrypted with a block cipher
. The cryptographic community recognized the need for dedicated integrity assurances and NIST responded with HMAC, CMAC, and GMAC.
It is recommended to review relevant IV requirements for the particular block cipher mode in the relevant specification, for example
. Fast Software Encryption 2001. Lecture Notes in Computer Science. Vol. 2355. Berlin: Springer. pp. 92–108.
The earliest modes of operation, ECB, CBC, OFB, and CFB (see below for all), date back to 1981 and were specified in
Davies, D. W.; Parkin, G. I. P. (1983). "The average cycle size of the key stream in output feedback encipherment".
Specific bit errors in stream cipher modes (OFB, CTR, etc.) are trivial. They affect only the specific bit intended.
maximum can be achieved. For this reason, support for truncated feedback was removed from the specification of OFB.
. Note that a one-bit change in a plaintext or initialization vector (IV) affects all following ciphertext blocks.
Conrad, Eric; Misenar, Seth; Feldman, Joshua (2017-01-01), Conrad, Eric; Misenar, Seth; Feldman, Joshua (eds.),
In addition, some modes also allow for the authentication of unencrypted associated data, and these are called
"Synthetic Initialization Vector (SIV) Authenticated Encryption Using the Advanced Encryption Standard (AES)"
"Zerologon: Unauthenticated domain controller compromise by subverting Netlogon cryptography (CVE-2020-1472)"
Recommendation for Block Cipher Modes of
Operation: The XTS-AES Mode for Confidentiality on Storage Devices
Recommendation for Block Cipher Modes of
Operation: The CCM Mode for Authentication and Confidentiality
"ISO/IEC 10116:2006 – Information technology – Security techniques – Modes of operation for an
. CFB decryption in this variation is almost identical to CBC encryption performed in reverse:
Because of the symmetry of the XOR operation, encryption and decryption are exactly the same:
. Other confidentiality modes exist which have not been approved by NIST. For example, CTS is
SIV encrypts the S2V output and the plaintext using AES-CTR, keyed with the encryption key (K
Random bit errors occur independently in any bit position with an expected probability of ½.
may intelligently combine many different specific bit errors to break the cipher mode. In
$$P_i = \operatorname{MSB}_s\big(E_K(I_{i-1})\big) \oplus C_i,$$
$$C_i = \operatorname{MSB}_s\big(E_K(I_{i-1})\big) \oplus P_i,$$
, which do not cause any extra ciphertext, at the expense of some additional complexity.
"SP 800-38A, Recommendation for Block Cipher Modes of Operation: Methods and Techniques"
ECB mode can also make protocols without integrity protection even more susceptible to
Bit errors may occur intentionally in attacks or randomly due to transmission errors.
which contains no null bytes except at the end. Slightly more complex is the original
Recommendation for Block Cipher Modes of
Operation: Galois/Counter Mode (GCM) and GMAC
Synthetic initialization vector (SIV) is a nonce-misuse resistant block cipher mode.
$$P_i = D_K(C_i) \oplus P_{i-1} \oplus C_{i-1}, \quad P_0 \oplus C_0 = IV.$$
$$C_i = E_K(P_i \oplus P_{i-1} \oplus C_{i-1}), \quad P_0 \oplus C_0 = IV,$$
Recommendation for Block Cipher Modes of
Operation: The CMAC Mode for Authentication
Jueneman, Robert R. (1983). "Analysis of certain aspects of output feedback mode".
Specific bit errors occur in the same bit position(s) as the original bit error(s).
advantage of parallel processing and implementing GCM can make efficient use of an
as an entirely separate cryptographic goal. Some modern modes of operation combine
Fast
Encryption and Authentication: XCBC Encryption and XECB Authentication Modes
NIST Computer
Security Division's (CSD) Security Technology Group (STG) (2013).
NIST Computer Security Division's (CSD) Security Technology Group (STG) (2013).
NIST Computer Security Division's (CSD) Security Technology Group (STG) (2013).
which contains large areas of uniform color. While the color of each individual
. Eurocrypt 2001. Lecture Notes in Computer Science. Vol. 2045. Springer.
If the first block has index 1, the mathematical formula for CBC encryption is
transmit data in streaming form where it is inconvenient to add padding bytes.
Synthetic initialization vectors (SIV) synthesize an internal IV by running a
(Source: SP800-38A Table D.2: Summary of Effect of Bit Errors on Decryption)
. Many block cipher modes have stronger requirements, such as the IV must be
"Comments to NIST concerning AES Modes of Operations: CTR-Mode Encryption"
$$I_i = \big((I_{i-1} \ll s) + C_i\big) \bmod 2^b,$$
Additional authenticated data (zero, one or many AAD fields are supported)
Menezes, Alfred J.; van Oorschot, Paul C.; Vanstone, Scott A. (2018).
Cryptography Engineering: Design Principles and Practical Applications
Security of CBC Ciphersuites in SSL/TLS: Problems and Countermeasures
These modes will truncate the output of the underlying block cipher.
(2nd ed.). Upper Saddle River, NJ: Prentice Hall. p. 319.
, wherein it fails to hide data patterns when it encrypts identical
Counter with cipher block chaining message authentication code (CCM)
) require that the final block be padded before encryption. Several
), but messages come in a variety of lengths. So some modes (namely
(NIST) revised its list of approved modes of operation by including
"Kryptographie FAQ: Frage 84: What are the Counter and PCBC Modes?"
Alfred J. Menezes; Paul C. van Oorschot; Scott A. Vanstone (1996).
Applied Cryptography: Protocols, Algorithms and Source Code in C
modes are classified as single-pass modes or double-pass modes.
"The Use of Encryption in Kerberos for Network Authentication"
There are several schemes which use a block cipher to build a
Counter with cipher block chaining message authentication code
8-bit CFB mode, the 64-bit CFB mode, or the 128-bit CFB mode.
. Block ciphers may be capable of operating on more than one
Most modes require a unique binary sequence, often called an
Gueron, Shay; Langley, Adam; Lindell, Yehuda (14 Dec 2018).
AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption
can also be used for CBC mode to make padding unnecessary).
mode and available in many popular cryptographic libraries.
Ferguson, Niels; Schneier, Bruce; Kohno, Tadayoshi (2010).
Specific bit errors in more complex modes (e.g. CBC):
, since each block gets decrypted in exactly the same way.
) are designed to securely encrypt sectors of a disk (see
to function normally even when applied before encryption.
is an improvement over the very similarly named algorithm
Authenticated encryption with additional data (AEAD) modes
"The Transport Layer Security (TLS) Protocol Version 1.1"
Whiting, D.; Housley, R.; Ferguson, N. (September 2003).
should be applied to the ciphertext before transmission.
or a hardware pipeline. The CBC mode of operation incurs
Six common block cipher modes of operation for encrypting
Lipmaa, Helger; Wagner, David; Rogaway, Phillip (2000).
. Indianapolis: Wiley Publishing, Inc. pp. 63, 64.
maintains a list of proposed modes for block ciphers at
is encrypted multiple times independently with the same
Cryptography's Role in Securing the Information Society
Cryptographically secure pseudorandom number generators
The ciphertext blocks are considered coefficients of a
Cryptographically secure pseudorandom number generator
4275:
3961:
3520:
2264:
1123:
696:
Owing to the use of two keys, the authentication key K
Encryption and decryption algorithms are as follows:
1470:
1391:
1382:
while the mathematical formula for CBC decryption is
1346:
1267:
4622:
4584:
4564:"Modes Development – Block Cipher Techniques – CSRC"
4095:"Recommendation for Block Cipher Modes of Operation"
4066:
3680:
3143:
the same IV–counter pair, would decrypt that block.
230:
algorithm). These combined modes are referred to as
174:
The block cipher modes ECB, CBC, OFB, CFB, CTR, and
4462:
3901:
Encryption Modes with Almost Free Message Integrity
2709:(OFB) mode makes a block cipher into a synchronous
153:Recommendation for Block Cipher Modes of Operation
4458:
4456:
3716:
3466:(CSPRNGs) can also be built using block ciphers.
$P_i = D_K(C_i) \oplus C_{i-1},$
$C_i = E_K(P_i \oplus C_{i-1}),$
623:which is then evaluated at a key-dependent point
200:The Keyed-Hash Message Authentication Code (HMAC)
7021:
4437:Advances in Cryptology, Proceedings of CRYPTO 82
4412:Advances in Cryptology, Proceedings of CRYPTO 82
1153:Modes other than ECB result in pseudo-randomness
1141:Using ECB allows patterns to be easily discerned
4276:Kaufman, C.; Perlman, R.; Speciner, M. (2002).
3937:(Technical report). NIST Special Publications.
3039:once the plaintext or ciphertext is available.
4453:
3921:
3858:; Donescu, Pompiliu (2002). Matsui, M. (ed.).
3561:Ferguson, N.; Schneier, B.; Kohno, T. (2010).
3383:Other modes and other cryptographic primitives
2646:
1952:, most notably, but otherwise is not common.
1541:CBC decryption example with a toy 2-bit cipher
1527:CBC encryption example with a toy 2-bit cipher
1167:
1041:(ECB) mode (named after conventional physical
487:, integrity-aware parallelizable mode (IAPM),
141:National Institute of Standards and Technology
126:
3829:"Netlogon CFB8 considered harmful. OFB8 also"
2269:NIST SP800-38A defines CFB with a bit-width.
737:
631:. The result is then encrypted, producing an
485:integrity-aware cipher block chaining (IACBC)
296:
4414:. New York: Plenum Press. pp. 263–282.
4409:
3683:"Chapter 3 - Domain 3: Security engineering"
1037:The simplest of the encryption modes is the
994:
583:that hamper its efficiency and performance.
234:, AE or "authenc". Examples of AE modes are
4439:. New York: Plenum Press. pp. 99–127.
3955:
3650:
3648:
3646:
3472:(MACs) are often built from block ciphers.
987:) is any deterministic function, often the
3460:for descriptions of several such methods.
1577:the decryption is the original plaintext.
4359:
4163:. National Academies Press. p. 132.
4157:Dam, Kenneth W.; Lin, Herbert S. (1996).
4069:"AES-GCM-SIV: Specification and Analysis"
147:as a block cipher and adding CTR mode in
4434:
4183:
3826:
3755:"Stream Cipher Reuse: A Graphic Example"
3643:
3445:Block ciphers can also be used in other
3256:Effect of bit errors in the IV or nonce
3241:traditional confidentiality-only modes.
$P_j = C_j \oplus O_j,$
$C_j = P_j \oplus O_j,$
2662:
1958:
1638:Propagating cipher block chaining (PCBC)
1581:Propagating cipher block chaining (PCBC)
155:. Finally, in January, 2010, NIST added
36:
4343:(NIST), Author: Morris Dworkin (2001).
3999:
3927:
3551:
3316:, …, until synchronization is restored
521:
400:schemes exist. The simplest is to add
14:
7022:
4342:
4190:. John Wiley & Sons. p. 208.
4156:
4021:
3309:, …, until synchronization is restored
2643:to lose alignment with the encryptor)
119:in an efficient way, and are known as
6646:
5954:
5576:
4596:
4570:from the original on 4 September 2017
3897:
3539:from the original on November 6, 2012
3150:in this diagram is equivalent to the
3094:Note: CTR mode (CM) is also known as
660:Synthetic initialization vector (SIV)
420:method, which is to add a single one
4514:from the original on 24 October 2017
4300:
3800:
3761:from the original on 25 January 2015
3687:Eleventh Hour CISSP® (Third Edition)
3197:
4371:from the original on 28 August 2017
3417:) and wide-block encryption modes (
2898:{\displaystyle O_{j}=E_{K}(I_{j}),}
2265:CFB-1, CFB-8, CFB-64, CFB-128, etc.
900:Plaintext XOR F(Y, Key); Ciphertext
24:
5602:
4544:from the original on 23 March 2018
4111:from the original on 29 March 2017
3790:from the original on June 30, 2012
3735:from the original on April 2, 2013
3695:10.1016/b978-0-12-811248-9.00003-6
3610:
3598:from the original on April 2, 2013
3388:for example key feedback mode and
2987:{\displaystyle I_{0}={\text{IV}}.}
2310:{\displaystyle I_{0}={\text{IV}}.}
652:(counter with CBC-MAC; CCM) is an
25:
7046:
4257:from the original on 16 July 2012
3222:adaptive chosen-ciphertext attack
1963:
1625:propagating cipher block chaining
1593:Propagating cipher block chaining
1218:must be used in the first block.
743:
7000:
6999:
6672:
4477:from the original on 2015-02-26.
4133:Handbook of Applied Cryptography
3898:Jutla, Charanjit S. (May 2001).
3757:. Cryptosmith LLC. 31 May 2008.
3670:from the original on 2012-03-17.
3621:Handbook of Applied Cryptography
3359:for bit error in counter block T
2254:Cipher feedback (CFB) decryption
2247:
2240:Cipher feedback (CFB) encryption
84:are produced even when the same
7030:Block cipher modes of operation
3106:Like OFB, counter mode turns a
1629:plaintext cipher-block chaining
1574:Explicit initialization vectors
467:
6861:Information-theoretic security
6570:NIST hash function competition
3773:
3747:
3674:
2948:{\displaystyle I_{j}=O_{j-1},}
47:block cipher mode of operation
13:
1:
4000:Harkins, Dan (October 2008).
3514:
218:was formalized in 2007 under
6575:Password Hashing Competition
5986:message authentication codes
5982:Cryptographic hash functions
5887:block ciphers in stream mode
4223:. p. 20. Archived from
3928:Dworkin, Morris (May 2004).
3827:Blaufish (14 October 2020).
3689:, Syngress, pp. 47–93,
3509:One-way compression function
3470:Message authentication codes
3458:one-way compression function
3238:message authentication codes
49:is an algorithm that uses a
7:
6977:Message authentication code
6932:Cryptographic hash function
6745:Cryptographic hash function
6529:Merkle–Damgård construction
3780:B. Moeller (May 20, 2004),
3499:Message authentication code
3487:
3454:cryptographic hash function
3122:CTR mode was introduced by
2647:CFB compared to other modes
1224:Cipher block chaining (CBC)
1168:Cipher block chaining (CBC)
206:was released in 2005 under
180:message authentication code
127:History and standardization
10:
7051:
6856:Harvest now, decrypt later
5871:alternating step generator
4504:"Basic Block Cipher Modes"
4136:. CRC Press. p. 228.
3965:Counter with CBC-MAC (CCM)
1506:
738:Confidentiality only modes
642:
525:
476:
434:residual block termination
424:, followed by enough zero
380:works on units of a fixed
369:
365:
300:
297:Initialization vector (IV)
277:(with ISO/IEC 10116), the
29:
6995:
6972:Post-quantum cryptography
5498:Time/memory/data tradeoff
4073:Cryptology ePrint Archive
4022:Gueron, S. (April 2019).
3250:Effect of bit errors in C
3236:(AEAD) or protocols with
3100:segmented integer counter
3083:
3076:Decryption parallelizable
3075:
3068:Encryption parallelizable
3067:
3062:
3057:
2695:
2688:Decryption parallelizable
2687:
2680:Encryption parallelizable
2679:
2674:
2669:
1996:
1989:Decryption parallelizable
1988:
1981:Encryption parallelizable
1980:
1975:
1970:
1613:
1606:Decryption parallelizable
1605:
1598:Encryption parallelizable
1597:
1592:
1587:
1496:{\displaystyle C_{0}=IV.}
1372:{\displaystyle C_{0}=IV,}
1200:
1193:Decryption parallelizable
1192:
1185:Encryption parallelizable
1184:
1179:
1174:
1066:Electronic Codebook (ECB)
1027:
1020:Decryption parallelizable
1019:
1012:Encryption parallelizable
1011:
1006:
1001:
995:Electronic codebook (ECB)
758:
560:
553:Decryption parallelizable
552:
545:Encryption parallelizable
544:
539:
534:
7035:Cryptographic algorithms
6962:Quantum key distribution
6952:Authenticated encryption
6807:Random number generation
6323:key derivation functions
5866:self-shrinking generator
5286:Whitening transformation
4490:Cryptography Engineering
4184:Schneier, Bruce (2015).
3914:10.1007/3-540-44987-6_32
3504:Authenticated encryption
3349:Specific bit errors in P
3324:Specific bit errors in P
3300:Specific bit errors in P
3289:Specific bit errors in P
3283:Specific bit errors in P
3234:authenticated encryption
3114:. It generates the next
654:authenticated encryption
509:Authenticated encryption
479:Authenticated encryption
232:authenticated encryption
194:was approved in 2002 as
121:authenticated encryption
6957:Public-key cryptography
6947:Symmetric-key algorithm
6750:Key derivation function
6710:Cryptographic primitive
6703:Authentication protocol
6693:Outline of cryptography
6688:History of cryptography
6601:Hash-based cryptography
6503:Length extension attack
5257:Confusion and diffusion
4361:10.6028/NIST.SP.800-38A
4310:Proceedings, Crypto '89
3948:10.6028/NIST.SP.800-38C
3874:10.1007/3-540-45473-X_8
3664:ISO Standards Catalogue
3447:cryptographic protocols
3140:chosen-plaintext attack
2717:blocks, which are then
629:finite field arithmetic
6698:Cryptographic protocol
6611:Message authentication
3625:. CRC Press. pp.
3427:disk encryption theory
3377:error-correcting codes
3355:Random bit errors in P
3330:Random bit errors in P
3312:Random bit errors in P
3305:Random bit errors in P
3278:Random bit errors in P
3264:Random bit errors in P
2988:
2949:
2899:
2839:
2782:
2724:error-correcting codes
1564:padding oracle attacks
1497:
1457:
1373:
1333:
1053:blocks into identical
372:Padding (cryptography)
356:pseudo-random function
137:DES Modes of Operation
42:
27:Cryptography algorithm
6851:End-to-end encryption
6797:Cryptojacking malware
5938:stream cipher attacks
5550:Initialization vector
3729:Cryptographic Toolkit
3592:Cryptographic Toolkit
3533:Cryptographic Toolkit
3226:Padding oracle attack
3152:initialization vector
3003:Output feedback (OFB)
2989:
2950:
2900:
2840:
2783:
2663:Output feedback (OFB)
2630:
2524:
2418:
2312:
2227:Cipher feedback (CFB)
2216:
1959:Cipher feedback (CFB)
1936:
1803:
1498:
1458:
1374:
1334:
1216:initialization vector
1180:Cipher block chaining
965:), Key); IV = token()
870:F(Y, Key); Ciphertext
826:F(Y, Key); Ciphertext
799:Cipher block chaining
677:Authentication key (K
448:bytes all with value
303:Initialization vector
78:initialization vector
40:
6967:Quantum cryptography
6891:Trusted timestamping
5933:correlation immunity
5329:3-subset MITM attack
4945:Intel Cascade Cipher
4925:Hasty Pudding cipher
4312:. Berlin: Springer.
3529:"Block cipher modes"
3096:integer counter mode
1665:PCBC mode decryption
1651:PCBC mode encryption
1468:
1389:
1344:
1265:
700:and encryption key K
599:Galois/Counter (GCM)
577:instruction pipeline
522:Galois/counter (GCM)
109:integrity protection
55:information security
6730:Cryptographic nonce
6498:Side-channel attack
5861:shrinking generator
5611:Widely used ciphers
5368:Differential-linear
4104:. NIST. p. 9.
4075:. Report (2017/168)
3187:CTR mode decryption
3173:CTR mode encryption
3030:OFB mode decryption
3016:OFB mode encryption
2657:ciphertext stealing
1551:ciphertext stealing
1251:CBC mode decryption
1237:CBC mode encryption
1093:ECB mode decryption
1079:ECB mode encryption
1039:electronic codebook
1007:Electronic codebook
770:Electronic codebook
755:
612:GCM mode encryption
528:Galois/Counter Mode
430:ciphertext stealing
314:cryptographic nonce
169:ciphertext stealing
45:In cryptography, a
6836:Subliminal channel
6820:Pseudorandom noise
6767:Key (cryptography)
6555:CAESAR Competition
6539:HAIFA construction
6488:Brute-force attack
5928:correlation attack
5441:Differential-fault
4659:internal mechanics
4395:has generic name (
3660:-bit block cipher"
3084:Random read access
2984:
2945:
2895:
2835:
2778:
2696:Random read access
1997:Random read access
1931:
1798:
1614:Random read access
1493:
1453:
1369:
1329:
1201:Random read access
1028:Random read access
753:
633:authentication tag
561:Random read access
139:. In 2001, the US
43:
7017:
7016:
7013:
7012:
6896:Key-based routing
6886:Trapdoor function
6757:Digital signature
6638:
6637:
6634:
6633:
6432:ChaCha20-Poly1305
6249:Password hashing/
5946:
5945:
5718:
5717:
5568:
5567:
5555:Mode of operation
5232:Lai–Massey scheme
4508:www.quadibloc.com
4301:Kohl, J. (1990).
3884:978-3-540-43869-4
3856:Gligor, Virgil D.
3704:978-0-12-811248-9
3572:978-0-470-47424-2
3400:Modes Development
3366:
3365:
3198:Error propagation
989:identity function
977:
976:
754:Summary of modes
568:
567:
188:digital signature
16:(Redirected from
7042:
7003:
7002:
6831:Insecure channel
6667:
6660:
6653:
6644:
6643:
6519:Avalanche effect
6473:Collision attack
6016:Common functions
5426:Power-monitoring
5267:Avalanche effect
4975:Khufu and Khafre
4628:security summary
4534:"Cryptography I"
4322:. Archived from
4307:
4298:
4292:
4291:
4278:Network Security
4039:10.17487/RFC8452
3979:10.17487/RFC3610
3588:"Proposed modes"
3124:Whitfield Diffie
2713:. It generates
1944:PCBC is used in
4251:www.iks-jena.de
3801:Tervoort, Tom.
3725:"Current modes"
3494:Disk encryption
2707:output feedback
2675:Output feedback
2008:cipher feedback
1976:Cipher feedback
968:Plaintext XOR Y
956:
940:
935:Plaintext XOR Y
931:
927:
920:
909:Output feedback
903:
897:
890:
879:Cipher feedback
873:
866:
859:
853:XOR (Ciphertext
852:
846:
835:Propagating CBC
744:weakness of ECB
581:pipeline stalls
113:confidentiality
59:confidentiality
4329:on 2009-06-12.
3484:are examples.
3146:Note that the
3128:Martin Hellman
1964:Full-block CFB
1162:replay attacks
1129:Original image
817:XOR Ciphertext
540:Galois/counter
4836:
4833:
4831:
4828:
4826:
4823:
4821:
4818:
4816:
4813:
4811:
4810:BEAR and LION
4808:
4806:
4803:
4801:
4798:
4796:
4793:
4791:
4788:
4786:
4783:
4781:
4778:
4776:
4773:
4771:
4768:
4767:
4765:
4759:
4753:
4750:
4748:
4745:
4743:
4740:
4738:
4735:
4733:
4730:
4728:
4725:
4723:
4720:
4718:
4715:
4713:
4710:
4708:
4705:
4703:
4700:
4698:
4695:
4694:
4692:
4686:
4680:
4677:
4675:
4672:
4670:
4667:
4664:
4660:
4656:
4653:
4651:
4648:
4646:
4643:
4642:
4640:
4634:
4629:
4625:
4624:Block ciphers
4618:
4613:
4611:
4606:
4604:
4599:
4598:
4595:
4591:
4587:
4569:
4565:
4559:
4543:
4539:
4535:
4529:
4513:
4509:
4505:
4499:
3160:Counter (CTR)
3112:stream cipher
3051:Counter (CTR)
2711:stream cipher
2012:stream cipher
860:XOR PlainText
782:= F(PlainText
102:stream cipher
6937:Block cipher
6782:Key schedule
6772:Key exchange
6762:Kleptography
6725:Cryptosystem
6674:Cryptography
5458:Partitioning
5416:Side-channel
5394:
5361:Higher-order
5346:Differential
5227:Key schedule
3390:Davies–Meyer
3108:block cipher
1109:bitmap image
932:= F(IV, Key)
891:= Ciphertext
468:Common modes
384:(known as a
378:block cipher
322:pseudorandom
117:authenticity
106:
75:
63:authenticity
51:block cipher
46:
44:
18:Counter mode
6925:Mathematics
6916:Mix network
6606:Merkle tree
6594:Utilization
6580:NSA Suite B
5543:Utilization
5529:NSA Suite B
5514:AES process
5463:Rubber-hose
5401:Related-key
5309:Brute-force
4688:Less common
3440:AES-GCM-SIV
3232:For modern
3102:(SIC) mode.
1946:Kerberos v4
847:= PlainText
811:= PlainText
765:Ciphertext
728:AES-GCM-SIV
717:AES-GCM-SIV
712:AES-GCM-SIV
82:ciphertexts
53:to provide
7024:Categories
6876:Ciphertext
6846:Decryption
6841:Encryption
6802:Ransomware
6418:encryption
6195:RadioGatún
6002:Comparison
5907:T-function
5854:Generators
5730:Achterbahn
5493:Chi-square
5411:Rotational
5351:Impossible
5272:Block size
5166:Spectr-H64
4990:Ladder-DES
4985:Kuznyechik
4930:Hierocrypt
4800:BassOmatic
4763:algorithms
4690:algorithms
4663:Triple DES
4638:algorithms
4446:0306413663
4421:0306413663
4319:0387973176
4287:0130460192
4079:19 October
4052:August 14,
4007:21 October
3951:. 800-38C.
3840:14 October
3812:14 October
3710:2020-11-01
3515:References
3098:(ICM) and
1566:, such as
1055:ciphertext
621:polynomial
402:null bytes
386:block size
289:, and the
94:block size
6866:Plaintext
6335:KDF1/KDF2
6254:functions
6240:Whirlpool
5820:SOBER-128
5750:KCipher-2
5684:SOSEMANUK
5655:Portfolio
5468:Black-bag
5388:Boomerang
5377:Known-key
5356:Truncated
5181:Threefish
5176:SXAL/MBAL
5066:MultiSwap
5021:MacGuffin
4980:KN-Cipher
4920:Grand Cru
4875:CS-Cipher
4855:COCONUT98
4231:7 January
3765:7 January
3739:April 12,
3602:April 14,
3543:April 12,
3392:hashing.
3130:in 1979.
3116:keystream
2935:−
2820:⊕
2763:⊕
2715:keystream
2610:⊕
2592:−
2561:
2504:⊕
2486:−
2455:
2365:≪
2357:−
2192:⊕
2181:−
2128:otherwise
2109:⊕
2098:−
1907:⊕
1886:−
1875:⊕
1867:−
1856:⊕
1774:⊕
1750:−
1739:⊕
1731:−
1720:⊕
1443:−
1432:⊕
1316:−
1305:⊕
1051:plaintext
1047:diffusion
1043:codebooks
957:= F(IV +
928:, Key); Y
708:AES-256.
674:Plaintext
461:keystream
406:plaintext
329:SP800-38A
248:SP800-38D
240:SP800-38C
220:SP800-38D
208:SP800-38B
161:SP800-38E
149:SP800-38A
86:plaintext
69:called a
7005:Category
6911:Kademlia
6871:Codetext
6814:(CSPRNG)
6560:CRYPTREC
6391:Poly1305
6311:yescrypt
6225:Streebog
6105:CubeHash
6085:(winner)
5693:Hardware
5662:Software
5633:Crypto-1
5519:CRYPTREC
5483:Weak key
5436:Acoustic
5277:Key size
5121:Red Pike
4940:IDEA NXT
4820:Chiasmus
4815:CAST-256
4795:BaseKing
4780:Akelarre
4775:Adiantum
4742:Skipjack
4707:CAST-128
4702:Camellia
4650:Blowfish
4574:28 April
4568:Archived
4548:28 April
4542:Archived
4538:Coursera
4518:28 April
4512:Archived
4472:Archived
4375:28 April
4366:Archived
4261:28 April
4255:Archived
4106:Archived
4102:NIST.gov
3788:archived
3759:Archived
3733:Archived
3731:. NIST.
3668:Archived
3666:. 2006.
3596:Archived
3594:. NIST.
3537:Archived
3535:. NIST.
3488:See also
3435:Key Wrap
1057:blocks.
762:Formulas
645:CCM mode
627:, using
442:Ferguson
438:Schneier
196:FIPS 198
182:such as
57:such as
6681:General
6466:Attacks
6396:SipHash
6352:CBC-MAC
6286:LM hash
6266:Balloon
6130:HAS-160
5921:Attacks
5710:Trivium
5679:Salsa20
5653:eSTREAM
5560:Padding
5478:Rebound
5186:Treyfer
5136:SAVILLE
5096:PRESENT
5086:NOEKEON
5031:MAGENTA
5026:Madryga
5006:Lucifer
4870:CRYPTON
4679:Twofish
4669:Serpent
4115:1 April
3627:228–233
3474:CBC-MAC
3110:into a
3063:Counter
1514:Example
1507:Example
945:Counter
732:GCM-SIV
404:to the
398:padding
366:Padding
186:, or a
184:CBC-MAC
157:XTS-AES
133:FIPS 81
123:modes.
6792:Keygen
6626:Pepper
6565:NESSIE
6512:Design
6306:scrypt
6301:PBKDF2
6276:Catena
6271:bcrypt
6261:Argon2
6220:Snefru
6215:Shabal
6210:SWIFFT
6190:RIPEMD
6185:N-hash
6160:MASH-2
6155:MASH-1
6140:Kupyna
6100:BLAKE3
6083:Keccak
6068:Grøstl
6045:BLAKE2
5880:Theory
5830:Turing
5825:Spritz
5800:Scream
5770:Phelix
5765:Panama
5735:F-FCSR
5705:MICKEY
5674:Rabbit
5669:HC-128
5628:ChaCha
5524:NESSIE
5473:Davies
5421:Timing
5336:Linear
5296:Attack
5215:Design
5206:Zodiac
5171:Square
5146:SHACAL
5141:SC2000
5101:Prince
5081:Nimbus
5076:NewDES
5061:MULTI2
5051:MISTY1
4994:LOKI (
4970:KHAZAD
4965:KeeLoq
4960:KASUMI
4955:Kalyna
4840:CLEFIA
4825:CIKS-1
4785:Anubis
4636:Common
4443:
4418:
4316:
4284:
4194:
4167:
4140:
3881:
3834:GitHub
3807:Secura
3701:
3633:
3569:
3456:. See
3413:, and
3338:, …, P
1568:POODLE
979:Note:
838:(PCBC)
788:, Key)
503:, and
457:XORing
414:string
412:style
318:random
281:, the
262:, and
214:, and
98:padded
6822:(PRN)
6420:modes
6296:Makwa
6291:Lyra2
6281:crypt
6230:Tiger
6180:MDC-2
6135:HAVAL
6120:Fugue
6078:Skein
6063:BLAKE
6040:SHA-3
6035:SHA-2
6029:SHA-1
5902:NLFSR
5815:SOBER
5745:ISAAC
5700:Grain
5406:Slide
5262:Round
5247:P-box
5242:S-box
5201:XXTEA
5161:Speck
5156:Simon
5151:SHARK
5131:SAFER
5116:REDOC
5041:Mercy
5000:89/91
4950:Iraqi
4915:G-DES
4905:FEA-M
4885:DES-X
4850:Cobra
4805:BATON
4790:Ascon
4770:3-Way
4761:Other
4475:(PDF)
4468:(PDF)
4369:(PDF)
4348:(PDF)
4327:(PDF)
4306:(PDF)
4109:(PDF)
4098:(PDF)
3935:(PDF)
3905:(PDF)
3865:(PDF)
3148:nonce
2719:XORed
1950:WASTE
1212:XORed
1113:pixel
948:(CTR)
921:= F(Y
912:(OFB)
904:= IV
882:(CFB)
874:= IV
830:= IV
802:(CBC)
773:(ECB)
71:block
6621:Salt
6585:CNSA
6452:IAPM
6406:VMAC
6401:UMAC
6386:PMAC
6381:CMAC
6377:OMAC
6372:NMAC
6367:HMAC
6362:GMAC
6331:HKDF
6200:SIMD
6150:Lane
6125:GOST
6110:ECOH
5997:List
5984:and
5897:LFSR
5845:WAKE
5840:VMPC
5835:VEST
5810:SNOW
5805:SEAL
5795:RC4A
5790:RC4+
5785:QUAD
5775:Pike
5760:ORYX
5755:MUGI
5740:FISH
5623:A5/2
5618:A5/1
5534:CNSA
5393:Mod
5319:MITM
5091:NUSH
5046:MESH
5036:MARS
4910:FROG
4900:FEAL
4880:DEAL
4860:Crab
4845:CMEA
4752:XTEA
4737:SEED
4717:IDEA
4712:GOST
4697:ARIA
4576:2018
4550:2018
4520:2018
4441:ISBN
4416:ISBN
4397:help
4377:2018
4314:ISBN
4282:ISBN
4263:2018
4233:2015
4192:ISBN
4165:ISBN
4138:ISBN
4117:2017
4081:2020
4054:2019
4047:8452
4030:IETF
4009:2020
3987:3610
3970:IETF
3939:NIST
3879:ISBN
3842:2020
3814:2020
3767:2015
3741:2013
3699:ISBN
3631:ISBN
3604:2013
3567:ISBN
3545:2013
3482:PMAC
3480:and
3478:OMAC
3421:and
3396:NIST
3247:Mode
3126:and
2705:The
2006:The
1948:and
1623:The
1588:PCBC
759:Mode
516:AEAD
440:and
426:bits
392:and
382:size
291:IETF
287:ANSI
283:IEEE
271:NIST
260:IAPM
216:GMAC
204:CMAC
192:HMAC
115:and
67:bits
6457:OCB
6447:GCM
6442:EAX
6437:CWC
6427:CCM
6357:DAA
6235:VSH
6205:SM3
6175:MD6
6170:MD4
6165:MD2
6145:LSH
6115:FSB
6023:MD5
5643:RC4
5488:Tau
5448:XSL
5252:SPN
5196:xmx
5191:UES
5126:S-1
5111:RC2
5056:MMB
4935:ICE
4890:DFC
4747:TEA
4732:RC6
4727:RC5
4722:LEA
4674:SM4
4655:DES
4645:AES
4356:doi
4044:RFC
4034:doi
3984:RFC
3974:doi
3943:doi
3909:doi
3869:doi
3691:doi
3429:).
3423:EME
3419:CMC
3415:XTS
3411:XEX
3407:LRW
3346:CTR
3334:, P
3321:OFB
3307:i+1
3297:CFB
3285:i+1
3275:CBC
3261:ECB
3087:Yes
3079:Yes
3071:Yes
3058:CTR
2670:OFB
2552:MSB
2446:MSB
2396:mod
2000:Yes
1992:Yes
1971:CFB
1627:or
1559:can
1204:Yes
1196:Yes
1175:CBC
1031:Yes
1023:Yes
1015:Yes
1002:ECB
706:not
689:).
564:Yes
556:Yes
548:Yes
535:GCM
505:GCM
501:CCM
497:CWC
493:EAX
489:OCB
432:or
422:bit
418:DES
394:CBC
390:ECB
320:or
279:IEC
275:ISO
264:OCB
256:EAX
252:CWC
250:),
244:GCM
242:),
236:CCM
176:XTS
159:in
145:AES
90:key
61:or
7026::
6073:JH
5912:IV
5780:Py
5638:E0
5016:M8
5011:M6
4998:,
4996:97
4895:E2
4661:,
3270:—
2978:IV
2699:No
2691:No
2683:No
2301:IV
2055:IV
1984:No
1617:No
1609:No
1601:No
1570:.
1188:No
991:.
926:−1
896:−1
865:−1
858:−1
822:−1
746:.
681:).
507:.
499:,
495:,
491:,
452:.
376:A
331:.
293:.
285:,
273:,
266:.
258:,
254:,
226:.
222:,
210:,
202:,
198:,
163:,
151:,
135:,
104:.
6666:e
6659:t
6652:v
6379:/
5974:e
5967:t
5960:v
5596:e
5589:t
5582:v
5395:n
5379:)
5375:(
5342:)
5338:(
5315:)
5311:(
5302:)
5298:(
5288:)
5284:(
5106:Q
5002:)
4665:)
4657:(
4630:)
4626:(
4616:e
4609:t
4602:v
3658:n
3639:.
3606:.
3575:.
3547:.
3361:i
3357:i
3351:i
3340:n
3336:2
3332:1
3326:i
3314:1
3302:i
3291:1
3280:i
3266:i
3252:i
CBC:

$$C_i = E_K(P_i \oplus C_{i-1}), \qquad C_0 = IV,$$

$$P_i = D_K(C_i) \oplus C_{i-1}, \qquad C_0 = IV.$$

PCBC:

$$C_i = E_K(P_i \oplus P_{i-1} \oplus C_{i-1}), \qquad P_0 \oplus C_0 = IV,$$

$$P_i = D_K(C_i) \oplus P_{i-1} \oplus C_{i-1}, \qquad P_0 \oplus C_0 = IV.$$

CFB:

$$C_i = \begin{cases} IV, & i = 0 \\ E_K(C_{i-1}) \oplus P_i, & \text{otherwise} \end{cases}$$

$$P_i = E_K(C_{i-1}) \oplus C_i,$$

$$I_0 = IV.$$

$$I_i = \big((I_{i-1} \ll s) + C_i\big) \bmod 2^b,$$

$$C_i = \operatorname{MSB}_s\big(E_K(I_{i-1})\big) \oplus P_i,$$

$$P_i = \operatorname{MSB}_s\big(E_K(I_{i-1})\big) \oplus C_i,$$

OFB:

$$C_j = P_j \oplus O_j,$$

$$P_j = C_j \oplus O_j,$$

$$O_j = E_K(I_j),$$

$$I_j = O_{j-1},$$

$$I_0 = IV.$$
985:i
983:(
981:g
971:i
963:i
961:(
959:g
954:i
951:Y
938:i
930:0
924:i
918:i
915:Y
902:0
894:i
888:i
885:Y
872:0
867:)
863:i
856:i
850:i
844:i
841:Y
828:0
820:i
814:i
808:i
805:Y
793:i
791:Y
785:i
779:i
776:Y
702:2
698:1
687:2
679:1
625:H
588:E
450:n
446:n
410:C
246:(
238:(
34:.
20:)
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.