170:
1685:
4688:
759:
1427:
1442:
430:
1100:
1047:
1680:{\displaystyle \mathrm {Counter0} ={\begin{cases}IV\parallel 0^{31}\parallel 1&{\text{for }}\operatorname {len} (IV)=96\\\operatorname {GHASH} \left(IV\parallel 0^{s}\parallel 0^{64}\parallel \operatorname {len} _{64}(IV)\right){\text{ with }}s=128-\operatorname {len} (IV)\mod 128&{\text{otherwise}}\end{cases}}}
754:{\displaystyle S_{i}={\begin{cases}A_{i}&{\text{for }}i=1,\ldots ,m-1\\A_{m}^{*}\parallel 0^{128-v}&{\text{for }}i=m\\C_{i-m}&{\text{for }}i=m+1,\ldots ,m+n-1\\C_{n}^{*}\parallel 0^{128-u}&{\text{for }}i=m+n\\\operatorname {len} (A)\parallel \operatorname {len} (C)&{\text{for }}i=m+n+1\end{cases}}}
1965:
Independent of this attack, an adversary may attempt to systematically guess many different tags for a given input to authenticated decryption and thereby increase the probability that one (or more) of them, eventually, will be considered valid. For this reason, the system or protocol that implements
1836:
by interleaving operations. This process is called function stitching, and while in principle it can be applied to any combination of cryptographic algorithms, GCM is especially suitable. Manley and Gregg show the ease of optimizing when using function stitching with GCM. They present a program
50:
methods. This means that as input it takes a key K, some plaintext P, and some associated data AD; it then encrypts the plaintext using the key to produce ciphertext C, and computes an authentication tag T from the ciphertext and the associated data (which remains unencrypted). A recipient with
1840:
GCM has been criticized in the embedded world (for example by
Silicon Labs) because the parallel processing is not suited for performant use of cryptographic hardware engines. As a result, GCM reduces the performance of encryption for some of the most performance-sensitive devices. Specialized
1422:{\displaystyle {\begin{aligned}X_{i}^{'}&={\begin{cases}0&{\text{for }}i\leq 0\\\left(X_{i-k}^{'}\oplus S_{i}\right)\cdot H^{k}&{\text{for }}i=1,\ldots ,m+n+1-k\\\end{cases}}\\X_{i}&=\sum _{j=1}^{k}\left(X_{i+j-2k}^{'}\oplus S_{i+j-k}\right)\cdot H^{k-j+1}\end{aligned}}}
1788:
per each block (128 bit) of encrypted and authenticated data. The block cipher operations are easily pipelined or parallelized; the multiplication operations are easily pipelined and can be parallelized with some modest effort (either by parallelizing the actual operation, by adapting
1804:. In 2015, SPARC added the XMPMUL instruction, which performs XOR multiplication of much larger values, up to 2048 × 2048 bit input values producing a 4096-bit result. These instructions enable fast multiplication over GF(2), and can be used with any field representation.
840:
2447:
Pfau, Johannes; Reuter, Maximilian; Harbaum, Tanja; Hofmann, Klaus; Becker, Jurgen (September 2019). "A Hardware
Perspective on the ChaCha Ciphers: Scalable Chacha8/12/20 Implementations Ranging from 476 Slices to Bitrates of 175 Gbit/s": 294–299.
1973:. This work gives some valuable insights into how polynomial hash-based authentication works. More precisely, this work describes a particular way of forging a GCM message, given a valid GCM message, that works with probability of about
1811:
Resistant AES-GCM" that achieves 10.68 cycles per byte AES-GCM authenticated encryption on 64-bit Intel processors. Dai et al. report 3.5 cycles per byte for the same algorithm when using Intel's AES-NI and PCLMULQDQ instructions.
1883:
The authentication strength depends on the length of the authentication tag, like with all symmetric message authentication codes. The use of shorter authentication tags with GCM is discouraged. The bit-length of the tag, denoted
175:
Encryption: A series of 128-bit counters is encrypted using the block cipher E with key K; this can occur in parallel. The results are combined using bitwise XOR with 128-bit plaintext blocks, producing a series of ciphertext
1896:
may be 64 or 32, but the use of these two tag lengths constrains the length of the input data and the lifetime of the key. Appendix C in NIST SP 800-38D provides guidance for these constraints (for example, if
1945:
denotes the total number of blocks in the encoding (the input to the GHASH function), then there is a method of constructing a targeted ciphertext forgery that is expected to succeed with a probability of approximately
1987:
bits long. However, this work does not show a more effective attack than was previously known; the success probability in observation 1 of this paper matches that of lemma 2 from the INDOCRYPT 2004 analysis (setting
1831:
When both authentication and encryption need to be performed on a message, a software implementation can achieve speed gains by overlapping the execution of those operations. Performance is increased by exploiting
1105:
51:
knowledge of K, upon reception of AD, C and T, can decrypt the ciphertext to recover the plaintext P and can check the tag T to ensure that neither ciphertext nor associated data were tampered with.
340:
87:
Different block cipher modes of operation can have significantly different performance and efficiency characteristics, even when used with the same block cipher. GCM can take full advantage of
178:
Authentication: The
Additional Data and these ciphertext blocks are combined using multiplication with a key-dependent constant H in the Galois field GF(2) to produce the authentication tag.
1954:
is shorter than 128, then each successful forgery in this attack increases the probability that subsequent targeted forgeries will succeed, and leaks information about the hash subkey,
1941:
Ferguson and
Saarinen independently described how an attacker can perform optimal attacks against GCM authentication, which meet the lower bound on its security. Ferguson showed that, if
1918:-bit tag at random, it is expected to be correct for given data with probability measure 2. With GCM, however, an adversary can increase their likelihood of success by choosing tags with
1042:{\displaystyle X_{i}=\sum _{j=1}^{i}S_{j}\cdot H^{i-j+1}={\begin{cases}0&{\text{for }}i=0\\\left(X_{i-1}\oplus S_{i}\right)\cdot H&{\text{for }}i=1,\ldots ,m+n+1\end{cases}}}
265:
43:
which is widely adopted for its performance. GCM throughput rates for state-of-the-art, high-speed communication channels can be achieved with inexpensive hardware resources.
822:
4668:
4498:
173:
GCM operation. For simplicity, a case with only a single block of additional authenticated data (labeled Auth Data 1) and two blocks of plaintext is shown.
1865:. It is secure when it is used with a block cipher that is indistinguishable from a random permutation; however, security depends on choosing a unique
270:
The authentication tag is constructed by feeding blocks of data into the GHASH function and encrypting the result. This GHASH function is defined by
2631:
2426:
1817:
4351:
1813:
196:
4271:
3598:
2679:
1765:
3659:
417:
First, the authenticated text and the cipher text are separately zero-padded to multiples of 128 bits and combined into a single message
3688:
2295:
4731:
1922:
words – the total length of the ciphertext plus any additional authenticated data (AAD) – with probability measure 2 by a factor of
1837:
generator that takes an annotated C version of a cryptographic algorithm and generates code that runs well on the target processor.
4716:
1800:
instruction, highlighting its use for GCM. In 2011, SPARC added the XMULX and XMULXHI instructions, which also perform 64 × 64 bit
166:
that can be used to verify the integrity of the data. The encrypted text then contains the IV, ciphertext, and authentication tag.
3425:
2781:
2266:
188:
4726:
4287:
3415:
2909:
2533:
2410:
2335:
2151:
2081:
276:
112:
2393:
Manley, Raymond; Gregg, David (2010). "A Program
Generator for Intel AES-NI Instructions". In Gong, G.; Gupta, K.C. (eds.).
1880:
bits of plain text (64 GiB). NIST Special
Publication 800-38D includes guidelines for initialization vector selection.
3578:
3552:
3420:
3316:
2489:
1904:
and the maximal packet size is 2 bytes, the authentication decryption function should be invoked no more than 2 times; if
1807:
Impressive performance results are published for GCM on a number of platforms. Käsper and
Schwabe described a "Faster and
1911:
and the maximal packet size is 2 bytes, the authentication decryption function should be invoked no more than 2 times).
4048:
3393:
4215:
2549:
2102:
4344:
191:
of encryption with the new Galois mode of authentication. The key feature is the ease of parallel computation of the
2506:
McGrew, David A.; Viega, John (2004). "The
Security and Performance of the Galois/counter mode (GCM) of Operation".
3562:
2672:
1926:. Although, one must bear in mind that these optimal tags are still dominated by the algorithm's survival measure
3652:
3441:
1746:
88:
1820:
achieved 2.47 cycles per byte on the 3rd generation Intel processors. Appropriate patches were prepared for the
195:
multiplication used for authentication. This feature permits higher throughput than encryption algorithms, like
4547:
4256:
3741:
3693:
3619:
2028:
32:
2318:
Käsper, E.; Schwabe, P. (2009). "Faster and Timing-Attack
Resistant AES-GCM". In Clavier, C.; Gaj, K. (eds.).
46:
The GCM algorithm provides both data authenticity (integrity) and confidentiality and belongs to the class of
4043:
2644:
1833:
205:
4337:
4261:
2709:
1966:
GCM should monitor and, if necessary, limit the number of unsuccessful verification attempts for each key.
126:
4663:
4618:
4431:
4030:
3672:
3668:
3505:
2665:
2064:
Lemsitzer, S.; Wolkerstorfer, J.; Felber, N.; Braendli, M. (2007). Paillier, P.; Verbauwhede, I. (eds.).
2007:
77:
2379:
Gopal, V., Feghali, W., Guilford, J., Ozturk, E., Wolrich, G., Dixon, M., Locktyukhin, M., Perminov, M.
4542:
3645:
3522:
3432:
3410:
2723:
2296:"Intel Carry-Less Multiplication Instruction and its Usage for Computing the GCM Mode (Revision 2.02)"
4658:
3926:
3527:
3383:
3336:
2811:
2138:. Lecture Notes in Computer Science. Vol. 3017. Berlin, Heidelberg: Springer. pp. 408–426.
1825:
3731:
2474:
2171:
1480:
1139:
921:
452:
4648:
4638:
4493:
4266:
4102:
3801:
3796:
3593:
3475:
3350:
2719:
2066:
Cryptographic
Hardware and Embedded Systems - CHES 2007 . GCM-AES Architecture Optimized for FPGAs
2023:
1938:. Moreover, GCM is neither well-suited for use with very short tag-lengths nor very long messages.
1761:
1757:
47:
2516:
1892:
may be any one of the following five values: 128, 120, 112, 104, or 96. For certain applications,
4643:
4633:
4436:
4396:
4389:
4379:
4374:
4189:
4009:
3532:
3321:
2692:
2131:
159:
36:
2352:
807:
4721:
4384:
4297:
3683:
3624:
3500:
3495:
3447:
2511:
1722:
4691:
4537:
4483:
4312:
3962:
3916:
3806:
3764:
3749:
3614:
3437:
3296:
2874:
2461:
2380:
1866:
1797:
116:
96:
81:
2637:
4653:
4577:
3982:
3886:
3836:
3811:
3517:
3400:
3326:
3009:
2989:
2196:
RFC 4106 The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP)
2011:
1873:
92:
8:
4416:
4307:
4184:
4072:
3972:
3891:
3851:
3831:
3480:
3457:
2776:
1090:
If it is necessary to parallelize the hash computation, this can be done by interleaving
145:, and so it is essential that a different IV is used for each stream that is encrypted.
4522:
4506:
4453:
4241:
4225:
4174:
3759:
3465:
3373:
3085:
3014:
2984:
2929:
1801:
1790:
1070:
163:
2453:
2173:
Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC
1707:
Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC
4582:
4572:
4443:
4118:
3185:
2884:
2844:
2839:
2806:
2766:
2714:
2529:
2406:
2331:
2267:"Algorithm Registration - Computer Security Objects Register | CSRC | CSRC"
2147:
2077:
1862:
1842:
2592:: The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP)
4517:
4205:
4159:
3921:
3557:
3452:
3331:
3190:
3070:
3039:
2733:
2521:
2449:
2398:
2323:
2139:
2069:
115:, blocks are numbered sequentially, and then this block number is combined with an
2353:"AES-GCM for Efficient Authenticated Encryption – Ending the Reign of HMAC-SHA-1?"
169:
4220:
4169:
4164:
3952:
3667:
3404:
3388:
3377:
3311:
3270:
3235:
3165:
3145:
3019:
2899:
2894:
2849:
2525:
2402:
2397:. Lecture Notes in Computer Science. Vol. 6498. Springer. pp. 311–327.
2143:
2073:
2068:. Lecture Notes in Computer Science. Vol. 4727. Springer. pp. 227–238.
1962:
may be compromised entirely and the authentication assurance is completely lost.
2610:
2603:
2596:
2589:
2327:
4592:
4512:
4473:
4421:
4406:
4210:
3938:
3542:
3490:
3301:
3286:
3225:
3220:
3105:
2854:
100:
2616:
2322:. Lecture Notes in Computer Science. Vol. 5747. Springer. pp. 1–17.
1784:
GCM requires one block cipher operation and one 128-bit multiplication in the
199:, which use chaining modes. The GF(2) field used is defined by the polynomial
4710:
4673:
4628:
4587:
4567:
4463:
4426:
4401:
4302:
4179:
3537:
3485:
3364:
3346:
3135:
3110:
3100:
2924:
2914:
2761:
2583:
2381:"Fast Cryptographic Computation on Intel Architecture via Function Stitching"
1808:
1769:
1738:
142:
76:) is an authentication-only variant of the GCM which can form an incremental
3881:
2490:"The Galois/Counter Mode of Operation (GCM) Intellectual Property Statement"
4623:
4468:
4458:
4448:
4411:
4360:
3470:
3291:
3255:
3120:
2999:
2954:
2786:
2738:
2688:
1785:
1753:
1718:
1432:
If the length of the IV is not 96, the GHASH function is used to calculate
361:
192:
63:
59:
40:
20:
2613:: Addition of the Camellia Cipher Suites to Transport Layer Security (TLS)
2599:: The Use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH
4602:
4292:
4138:
4067:
4063:
3080:
3075:
2959:
2033:
130:
2243:
Addition of the Camellia Cipher Suites to Transport Layer Security (TLS)
2207:
The Use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH
4562:
4532:
4527:
4488:
3512:
3230:
3170:
3054:
3049:
2994:
2864:
2727:
2280:
2098:
1742:
1691:
373:
149:
138:
1914:
Like with any message authentication code, if the adversary chooses a
4552:
3967:
3846:
3245:
3240:
3130:
3044:
2939:
2919:
2219:
AES Galois Counter Mode for the Secure Shell Transport Layer Protocol
1853:
According to the authors' statement, GCM is unencumbered by patents.
134:
3754:
2564:"Cycling Attacks on GCM, GHASH and Other Polynomial MACs and Hashes"
2132:"CWC: A High-Performance Conventional Authenticated Encryption Mode"
2063:
4597:
4557:
4246:
4143:
4128:
4123:
4113:
4077:
3997:
3911:
3791:
3583:
3547:
3341:
3004:
2879:
2859:
2771:
1970:
1726:
1695:
2563:
4082:
4038:
3816:
3250:
3200:
3160:
3150:
3095:
3090:
2934:
2743:
2638:
AES-GCM and AES-CCM Authenticated Encryption in Secure RTP (SRTP)
1821:
1773:
55:
4478:
4251:
3992:
3987:
3957:
3947:
3906:
3901:
3896:
3876:
3871:
3841:
3826:
3786:
3588:
3210:
3205:
3140:
3125:
3115:
3060:
3034:
3029:
3024:
2904:
2889:
2627:
2510:. Lecture Notes in Computer Science. Vol. 3348. Springer.
1734:
3977:
3866:
3821:
3769:
3726:
3721:
3715:
3306:
3265:
3215:
3195:
3180:
2969:
2949:
2869:
2834:
1749:
1730:
800:) mod 128 is the bit length of the final block of
788:) mod 128 is the bit length of the final block of
4092:
4087:
4058:
4053:
4017:
3155:
3064:
2979:
2974:
2964:
2944:
2816:
2801:
1702:
1673:
1275:
1035:
747:
54:
GCM uses a block cipher with block size 128 bits (commonly
1705:
announced the release of NIST Special Publication 800-38D
1052:
The second form is an efficient iterative algorithm (each
3861:
3856:
3709:
3260:
3175:
2796:
2791:
2561:
2119:
Note that there is a typo in the formulas in the article.
66:
GF(2) to compute the authentication tag; hence the name.
2584:
NIST Special Publication SP800-38D defining GCM and GMAC
2446:
2320:
Cryptographic Hardware and Embedded Systems - CHES 2009
772:) are the 64-bit representations of the bit lengths of
335:{\displaystyle \operatorname {GHASH} (H,A,C)=X_{m+n+1}}
148:
The ciphertext blocks are considered coefficients of a
4499:
Cryptographically secure pseudorandom number generator
2606:: AES Galois Counter Mode (GCM) Cipher Suites for TLS
2130:
Kohno, Tadayoshi; Viega, John; Whiting, Doug (2004).
1445:
1103:
843:
810:
433:
368:
is data which is only authenticated (not encrypted),
279:
208:
2687:
2649:
2621:
48:
authenticated encryption with associated data (AEAD)
2555:
2231:
AES Galois Counter Mode (GCM) Cipher Suites for TLS
2053:
AES Galois Counter Mode (GCM) Cipher Suites for TLS
1876:). For any given key, GCM is limited to encrypting
2617:IEEE 802.1AE – Media Access Control (MAC) Security
1869:for every encryption performed with the same key (
1679:
1421:
1041:
816:
753:
334:
259:
91:and implementing GCM can make efficient use of an
2255:The Transport Layer Security protocol version 1.3
2165:
2163:
2129:
152:which is then evaluated at a key-dependent point
4708:
360:, a string of 128 zero bits encrypted using the
141:. Like all counter modes, this is essentially a
1845:are less complex compared to AES accelerators.
16:Authenticated encryption mode for block ciphers
2294:Gueron, Shay; Kounavis, Michael (April 2014).
2293:
2160:
4345:
3653:
2673:
2317:
1766:Commercial National Security Algorithm (CNSA)
162:. The result is then encrypted, producing an
2169:
2103:"The Galois/Counter Mode of Operation (GCM)"
1793:per the original NIST submission, or both).
1760:1.2 and TLS 1.3. AES-GCM is included in the
1694:and David A. McGrew to be an improvement to
103:that hamper its efficiency and performance.
2505:
2392:
2281:"Why SoftEther VPN – SoftEther VPN Project"
2096:
62:for encryption, and uses arithmetic in the
4352:
4338:
3660:
3646:
2680:
2666:
2645:The Galois/Counter Mode of Operation (GCM)
2495:. Computer Security Resource Center, NIST.
2427:"IoT Security Part 6: Galois Counter Mode"
2515:
2006:). Saarinen also described a GCM variant
1659:
1658:
95:or a hardware pipeline. By contrast, the
2562:Markku-Juhani O. Saarinen (2011-04-20).
1709:making GCM and GMAC official standards.
168:
129:. The result of this encryption is then
2487:
2395:Progress in Cryptology - INDOCRYPT 2010
1888:, is a security parameter. In general,
260:{\displaystyle x^{128}+x^{7}+x^{2}+x+1}
119:(IV) and encrypted with a block cipher
4709:
2622:IEEE Security in Storage Working Group
2134:. In Roy, Bimal; Meier, Willi (eds.).
824:denotes concatenation of bit strings.
4333:
3641:
2661:
182:
2360:Workshop on Real-World Cryptography
1764:and its latest replacement in 2018
1654:
388:is the number of 128-bit blocks in
380:is the number of 128-bit blocks in
13:
2632:Fibre Channel – Security Protocols
2350:
1465:
1462:
1459:
1456:
1453:
1450:
1447:
106:
70:Galois Message Authentication Code
14:
4743:
2577:
2454:10.1109/SOCC46988.2019.1570548289
2179:(Technical report). NIST. 800-38D
4732:Authenticated-encryption schemes
4687:
4686:
4359:
2550:Authentication Weaknesses in GCM
4717:Block cipher modes of operation
2542:
2499:
2488:McGrew, David A.; Viega, John.
2481:
2440:
2419:
2386:
2373:
2344:
2311:
2287:
2273:
2259:
2247:
2235:
1768:suite. GCM mode is used in the
392:(rounded up), and the variable
99:(CBC) mode of operation incurs
80:. Both GCM and GMAC can accept
4548:Information-theoretic security
4257:NIST hash function competition
2628:INCITS T11 Technical Committee
2624:developed the P1619.1 standard
2223:
2211:
2199:
2190:
2123:
2090:
2057:
2045:
2029:Block cipher mode of operation
1779:
1772:server and client, as well as
1651:
1642:
1611:
1602:
1530:
1521:
713:
707:
695:
689:
304:
286:
1:
2508:Proceedings of INDOCRYPT 2004
2170:Dworkin, Morris (2007–2011).
2039:
1834:instruction-level parallelism
1073:to the first. Only the final
4727:Message authentication codes
4262:Password Hashing Competition
3673:message authentication codes
3669:Cryptographic hash functions
2526:10.1007/978-3-540-30556-9_27
2403:10.1007/978-3-642-17401-8_22
2144:10.1007/978-3-540-25937-4_26
2074:10.1007/978-3-540-74735-2_16
1861:GCM is proven secure in the
1741:Security Protocols (FC-SP),
1721:(MACsec) Ethernet security,
187:GCM combines the well-known
7:
4664:Message authentication code
4619:Cryptographic hash function
4432:Cryptographic hash function
4216:Merkle–Damgård construction
2328:10.1007/978-3-642-04138-9_1
2017:
2008:Sophie Germain Counter Mode
1856:
78:message authentication code
10:
4748:
4543:Harvest now, decrypt later
1848:
1841:hardware accelerators for
1696:Carter–Wegman counter mode
817:{\displaystyle \parallel }
4682:
4659:Post-quantum cryptography
4611:
4367:
4329:
4280:
4234:
4198:
4152:
4101:
4029:
4006:
3935:
3779:
3740:
3702:
3679:
3637:
3607:
3571:
3563:Time/memory/data tradeoff
3360:
3279:
2825:
2752:
2700:
2657:
2653:
2568:Cryptology ePrint Archive
1802:carry-less multiplication
4649:Quantum key distribution
4639:Authenticated encryption
4494:Random number generation
4010:key derivation functions
3351:Whitening transformation
2136:Fast Software Encryption
2024:Authenticated encryption
1762:NSA Suite B Cryptography
1725:Wifi security protocol,
1717:GCM mode is used in the
4644:Public-key cryptography
4634:Symmetric-key algorithm
4437:Key derivation function
4397:Cryptographic primitive
4390:Authentication protocol
4380:Outline of cryptography
4375:History of cryptography
4288:Hash-based cryptography
4190:Length extension attack
3322:Confusion and diffusion
1969:Saarinen described GCM
1863:concrete security model
1069:) produced by applying
160:finite field arithmetic
4385:Cryptographic protocol
4298:Message authentication
2469:Cite journal requires
1980:for messages that are
1950:⋅2. If the tag length
1934:for arbitrarily large
1712:
1681:
1423:
1320:
1043:
877:
818:
755:
336:
261:
179:
82:initialization vectors
4538:End-to-end encryption
4484:Cryptojacking malware
3615:Initialization vector
2012:Sophie Germain primes
1867:initialization vector
1682:
1424:
1300:
1044:
857:
819:
756:
337:
262:
172:
117:initialization vector
97:cipher block chaining
84:of arbitrary length.
4654:Quantum cryptography
4578:Trusted timestamping
3394:3-subset MITM attack
3010:Intel Cascade Cipher
2990:Hasty Pudding cipher
1874:stream cipher attack
1796:Intel has added the
1690:GCM was designed by
1443:
1101:
841:
808:
431:
277:
206:
93:instruction pipeline
4417:Cryptographic nonce
4185:Side-channel attack
3433:Differential-linear
1776:since version 2.4.
1359:
1194:
1126:
1087:remains an output.
637:
517:
89:parallel processing
25:Galois/Counter Mode
4523:Subliminal channel
4507:Pseudorandom noise
4454:Key (cryptography)
4242:CAESAR Competition
4226:HAIFA construction
4175:Brute-force attack
3506:Differential-fault
2724:internal mechanics
2383:Intel Corp. (2010)
2097:McGrew, David A.;
1701:In November 2007,
1677:
1672:
1419:
1417:
1326:
1274:
1170:
1108:
1039:
1034:
814:
751:
746:
623:
503:
414:is defined below.
332:
257:
183:Mathematical basis
180:
164:authentication tag
4704:
4703:
4700:
4699:
4583:Key-based routing
4573:Trapdoor function
4444:Digital signature
4325:
4324:
4321:
4320:
4119:ChaCha20-Poly1305
3936:Password hashing/
3633:
3632:
3620:Mode of operation
3297:Lai–Massey scheme
2535:978-3-540-30556-9
2412:978-3-642-17400-1
2337:978-3-642-04138-9
2153:978-3-540-25937-4
2083:978-3-540-74734-5
1843:ChaCha20-Poly1305
1745:.1 tape storage,
1668:
1622:
1513:
1231:
1150:
997:
932:
796: = len(
784: = len(
721:
662:
578:
542:
470:
33:mode of operation
4739:
4690:
4689:
4518:Insecure channel
4354:
4347:
4340:
4331:
4330:
4206:Avalanche effect
4160:Collision attack
3703:Common functions
3662:
3655:
3648:
3639:
3638:
3491:Power-monitoring
3332:Avalanche effect
3040:Khufu and Khafre
2693:security summary
2682:
2675:
2668:
2659:
2658:
2655:
2654:
2651:
2650:
2572:
2571:
2559:
2553:
2548:Niels Ferguson,
2546:
2540:
2539:
2519:
2503:
2497:
2496:
2494:
2485:
2479:
2478:
2472:
2467:
2465:
2457:
2444:
2438:
2437:
2435:
2434:
2423:
2417:
2416:
2390:
2384:
2377:
2371:
2370:
2368:
2366:
2357:
2348:
2342:
2341:
2315:
2309:
2308:
2306:
2305:
2300:
2291:
2285:
2284:
2277:
2271:
2270:
2263:
2257:
2251:
2245:
2239:
2233:
2227:
2221:
2215:
2209:
2203:
2197:
2194:
2188:
2187:
2185:
2184:
2178:
2167:
2158:
2157:
2127:
2121:
2117:
2115:
2113:
2107:
2094:
2088:
2087:
2061:
2055:
2049:
2010:(SGCM) based on
2005:
1994:
1986:
1979:
1933:
1910:
1903:
1879:
1686:
1684:
1683:
1678:
1676:
1675:
1669:
1666:
1623:
1621: with
1620:
1618:
1614:
1598:
1597:
1585:
1584:
1572:
1571:
1514:
1511:
1501:
1500:
1471:
1428:
1426:
1425:
1420:
1418:
1414:
1413:
1389:
1385:
1384:
1383:
1358:
1357:
1349:
1319:
1314:
1292:
1291:
1278:
1277:
1232:
1229:
1225:
1224:
1212:
1208:
1207:
1206:
1193:
1192:
1184:
1151:
1148:
1125:
1124:
1116:
1048:
1046:
1045:
1040:
1038:
1037:
998:
995:
985:
981:
980:
979:
967:
966:
933:
930:
912:
911:
887:
886:
876:
871:
853:
852:
823:
821:
820:
815:
780:, respectively,
760:
758:
757:
752:
750:
749:
722:
719:
663:
660:
656:
655:
636:
631:
579:
576:
572:
571:
543:
540:
536:
535:
516:
511:
471:
468:
464:
463:
443:
442:
413:
341:
339:
338:
333:
331:
330:
266:
264:
263:
258:
244:
243:
231:
230:
218:
217:
157:
124:
4747:
4746:
4742:
4741:
4740:
4738:
4737:
4736:
4707:
4706:
4705:
4696:
4678:
4607:
4363:
4358:
4317:
4276:
4235:Standardization
4230:
4221:Sponge function
4194:
4170:Birthday attack
4165:Preimage attack
4148:
4104:
4097:
4025:
4008:
4007:General purpose
4002:
3937:
3931:
3780:Other functions
3775:
3742:SHA-3 finalists
3736:
3698:
3675:
3666:
3629:
3603:
3572:Standardization
3567:
3496:Electromagnetic
3448:Integral/Square
3405:Piling-up lemma
3389:Biclique attack
3378:EFF DES cracker
3362:
3356:
3287:Feistel network
3275:
2900:CIPHERUNICORN-E
2895:CIPHERUNICORN-A
2827:
2821:
2754:
2748:
2702:
2696:
2686:
2580:
2575:
2560:
2556:
2547:
2543:
2536:
2504:
2500:
2492:
2486:
2482:
2470:
2468:
2459:
2458:
2445:
2441:
2432:
2430:
2425:
2424:
2420:
2413:
2391:
2387:
2378:
2374:
2364:
2362:
2355:
2349:
2345:
2338:
2316:
2312:
2303:
2301:
2298:
2292:
2288:
2279:
2278:
2274:
2265:
2264:
2260:
2252:
2248:
2240:
2236:
2228:
2224:
2216:
2212:
2204:
2200:
2195:
2191:
2182:
2180:
2176:
2168:
2161:
2154:
2128:
2124:
2111:
2109:
2105:
2095:
2091:
2084:
2062:
2058:
2050:
2046:
2042:
2020:
1996:
1989:
1981:
1974:
1927:
1905:
1898:
1877:
1859:
1851:
1791:Horner's method
1782:
1723:WPA3-Enterprise
1715:
1671:
1670:
1665:
1663:
1619:
1593:
1589:
1580:
1576:
1567:
1563:
1553:
1549:
1540:
1539:
1510:
1508:
1496:
1492:
1476:
1475:
1446:
1444:
1441:
1440:
1416:
1415:
1397:
1393:
1367:
1363:
1351:
1350:
1330:
1325:
1321:
1315:
1304:
1293:
1287:
1283:
1280:
1279:
1273:
1272:
1228:
1226:
1220:
1216:
1202:
1198:
1186:
1185:
1174:
1169:
1165:
1162:
1161:
1147:
1145:
1135:
1134:
1127:
1118:
1117:
1112:
1104:
1102:
1099:
1098:
1086:
1071:Horner's method
1068:
1057:
1033:
1032:
994:
992:
975:
971:
956:
952:
951:
947:
944:
943:
929:
927:
917:
916:
895:
891:
882:
878:
872:
861:
848:
844:
842:
839:
838:
834:is defined as:
832:
809:
806:
805:
745:
744:
718:
716:
680:
679:
659:
657:
645:
641:
632:
627:
620:
619:
575:
573:
561:
557:
554:
553:
539:
537:
525:
521:
512:
507:
500:
499:
467:
465:
459:
455:
448:
447:
438:
434:
432:
429:
428:
422:
400:
397:
354:
314:
310:
278:
275:
274:
239:
235:
226:
222:
213:
209:
207:
204:
203:
185:
177:
174:
153:
137:to produce the
120:
111:Like in normal
109:
107:Basic operation
101:pipeline stalls
17:
12:
11:
5:
4745:
4735:
4734:
4729:
4724:
4719:
4702:
4701:
4698:
4697:
4695:
4694:
4683:
4680:
4679:
4677:
4676:
4671:
4669:Random numbers
4666:
4661:
4656:
4651:
4646:
4641:
4636:
4631:
4626:
4621:
4615:
4613:
4609:
4608:
4606:
4605:
4600:
4595:
4593:Garlic routing
4590:
4585:
4580:
4575:
4570:
4565:
4560:
4555:
4550:
4545:
4540:
4535:
4530:
4525:
4520:
4515:
4513:Secure channel
4510:
4504:
4503:
4502:
4491:
4486:
4481:
4476:
4474:Key stretching
4471:
4466:
4461:
4456:
4451:
4446:
4441:
4440:
4439:
4434:
4424:
4422:Cryptovirology
4419:
4414:
4409:
4407:Cryptocurrency
4404:
4399:
4394:
4393:
4392:
4382:
4377:
4371:
4369:
4365:
4364:
4357:
4356:
4349:
4342:
4334:
4327:
4326:
4323:
4322:
4319:
4318:
4316:
4315:
4310:
4305:
4300:
4295:
4290:
4284:
4282:
4278:
4277:
4275:
4274:
4269:
4264:
4259:
4254:
4249:
4244:
4238:
4236:
4232:
4231:
4229:
4228:
4223:
4218:
4213:
4211:Hash collision
4208:
4202:
4200:
4196:
4195:
4193:
4192:
4187:
4182:
4177:
4172:
4167:
4162:
4156:
4154:
4150:
4149:
4147:
4146:
4141:
4136:
4131:
4126:
4121:
4116:
4110:
4108:
4099:
4098:
4096:
4095:
4090:
4085:
4080:
4075:
4070:
4061:
4056:
4051:
4046:
4041:
4035:
4033:
4027:
4026:
4024:
4023:
4020:
4014:
4012:
4004:
4003:
4001:
4000:
3995:
3990:
3985:
3980:
3975:
3970:
3965:
3960:
3955:
3950:
3944:
3942:
3939:key stretching
3933:
3932:
3930:
3929:
3924:
3919:
3914:
3909:
3904:
3899:
3894:
3889:
3884:
3879:
3874:
3869:
3864:
3859:
3854:
3849:
3844:
3839:
3834:
3829:
3824:
3819:
3814:
3809:
3804:
3799:
3794:
3789:
3783:
3781:
3777:
3776:
3774:
3773:
3767:
3762:
3757:
3752:
3746:
3744:
3738:
3737:
3735:
3734:
3729:
3724:
3719:
3713:
3706:
3704:
3700:
3699:
3697:
3696:
3691:
3686:
3680:
3677:
3676:
3665:
3664:
3657:
3650:
3642:
3635:
3634:
3631:
3630:
3628:
3627:
3622:
3617:
3611:
3609:
3605:
3604:
3602:
3601:
3596:
3591:
3586:
3581:
3575:
3573:
3569:
3568:
3566:
3565:
3560:
3555:
3550:
3545:
3540:
3535:
3530:
3525:
3520:
3515:
3510:
3509:
3508:
3503:
3498:
3493:
3488:
3478:
3473:
3468:
3463:
3455:
3450:
3445:
3438:Distinguishing
3435:
3430:
3429:
3428:
3423:
3418:
3408:
3398:
3397:
3396:
3391:
3381:
3370:
3368:
3358:
3357:
3355:
3354:
3344:
3339:
3334:
3329:
3324:
3319:
3314:
3309:
3304:
3302:Product cipher
3299:
3294:
3289:
3283:
3281:
3277:
3276:
3274:
3273:
3268:
3263:
3258:
3253:
3248:
3243:
3238:
3233:
3228:
3223:
3218:
3213:
3208:
3203:
3198:
3193:
3188:
3183:
3178:
3173:
3168:
3163:
3158:
3153:
3148:
3143:
3138:
3133:
3128:
3123:
3118:
3113:
3108:
3103:
3098:
3093:
3088:
3083:
3078:
3073:
3068:
3057:
3052:
3047:
3042:
3037:
3032:
3027:
3022:
3017:
3012:
3007:
3002:
2997:
2992:
2987:
2982:
2977:
2972:
2967:
2962:
2957:
2952:
2947:
2942:
2937:
2932:
2930:Cryptomeria/C2
2927:
2922:
2917:
2912:
2907:
2902:
2897:
2892:
2887:
2882:
2877:
2872:
2867:
2862:
2857:
2852:
2847:
2842:
2837:
2831:
2829:
2823:
2822:
2820:
2819:
2814:
2809:
2804:
2799:
2794:
2789:
2784:
2779:
2774:
2769:
2764:
2758:
2756:
2750:
2749:
2747:
2746:
2741:
2736:
2731:
2717:
2712:
2706:
2704:
2698:
2697:
2685:
2684:
2677:
2670:
2662:
2648:
2647:
2641:
2640:
2635:
2625:
2619:
2614:
2607:
2600:
2593:
2586:
2579:
2578:External links
2576:
2574:
2573:
2554:
2541:
2534:
2498:
2480:
2471:|journal=
2439:
2418:
2411:
2385:
2372:
2351:Gueron, Shay.
2343:
2336:
2310:
2286:
2272:
2269:. 24 May 2016.
2258:
2246:
2234:
2222:
2210:
2198:
2189:
2159:
2152:
2122:
2089:
2082:
2056:
2043:
2041:
2038:
2037:
2036:
2031:
2026:
2019:
2016:
1958:. Eventually,
1858:
1855:
1850:
1847:
1781:
1778:
1714:
1711:
1688:
1687:
1674:
1664:
1662:
1657:
1653:
1650:
1647:
1644:
1641:
1638:
1635:
1632:
1629:
1626:
1617:
1613:
1610:
1607:
1604:
1601:
1596:
1592:
1588:
1583:
1579:
1575:
1570:
1566:
1562:
1559:
1556:
1552:
1548:
1545:
1542:
1541:
1538:
1535:
1532:
1529:
1526:
1523:
1520:
1517:
1509:
1507:
1504:
1499:
1495:
1491:
1488:
1485:
1482:
1481:
1479:
1474:
1470:
1467:
1464:
1461:
1458:
1455:
1452:
1449:
1430:
1429:
1412:
1409:
1406:
1403:
1400:
1396:
1392:
1388:
1382:
1379:
1376:
1373:
1370:
1366:
1362:
1356:
1353:
1348:
1345:
1342:
1339:
1336:
1333:
1329:
1324:
1318:
1313:
1310:
1307:
1303:
1299:
1296:
1294:
1290:
1286:
1282:
1281:
1276:
1271:
1268:
1265:
1262:
1259:
1256:
1253:
1250:
1247:
1244:
1241:
1238:
1235:
1227:
1223:
1219:
1215:
1211:
1205:
1201:
1197:
1191:
1188:
1183:
1180:
1177:
1173:
1168:
1164:
1163:
1160:
1157:
1154:
1146:
1144:
1141:
1140:
1138:
1133:
1130:
1128:
1123:
1120:
1115:
1111:
1107:
1106:
1077:
1063:
1055:
1050:
1049:
1036:
1031:
1028:
1025:
1022:
1019:
1016:
1013:
1010:
1007:
1004:
1001:
993:
991:
988:
984:
978:
974:
970:
965:
962:
959:
955:
950:
946:
945:
942:
939:
936:
928:
926:
923:
922:
920:
915:
910:
907:
904:
901:
898:
894:
890:
885:
881:
875:
870:
867:
864:
860:
856:
851:
847:
830:
813:
762:
761:
748:
743:
740:
737:
734:
731:
728:
725:
717:
715:
712:
709:
706:
703:
700:
697:
694:
691:
688:
685:
682:
681:
678:
675:
672:
669:
666:
658:
654:
651:
648:
644:
640:
635:
630:
626:
622:
621:
618:
615:
612:
609:
606:
603:
600:
597:
594:
591:
588:
585:
582:
574:
570:
567:
564:
560:
556:
555:
552:
549:
546:
538:
534:
531:
528:
524:
520:
515:
510:
506:
502:
501:
498:
495:
492:
489:
486:
483:
480:
477:
474:
466:
462:
458:
454:
453:
451:
446:
441:
437:
420:
395:
384:(rounded up),
352:
343:
342:
329:
326:
323:
320:
317:
313:
309:
306:
303:
300:
297:
294:
291:
288:
285:
282:
268:
267:
256:
253:
250:
247:
242:
238:
234:
229:
225:
221:
216:
212:
184:
181:
108:
105:
58:) operated in
39:cryptographic
15:
9:
6:
4:
3:
2:
4744:
4733:
4730:
4728:
4725:
4723:
4722:Finite fields
4720:
4718:
4715:
4714:
4712:
4693:
4685:
4684:
4681:
4675:
4674:Steganography
4672:
4670:
4667:
4665:
4662:
4660:
4657:
4655:
4652:
4650:
4647:
4645:
4642:
4640:
4637:
4635:
4632:
4630:
4629:Stream cipher
4627:
4625:
4622:
4620:
4617:
4616:
4614:
4610:
4604:
4601:
4599:
4596:
4594:
4591:
4589:
4588:Onion routing
4586:
4584:
4581:
4579:
4576:
4574:
4571:
4569:
4568:Shared secret
4566:
4564:
4561:
4559:
4556:
4554:
4551:
4549:
4546:
4544:
4541:
4539:
4536:
4534:
4531:
4529:
4526:
4524:
4521:
4519:
4516:
4514:
4511:
4508:
4505:
4500:
4497:
4496:
4495:
4492:
4490:
4487:
4485:
4482:
4480:
4477:
4475:
4472:
4470:
4467:
4465:
4464:Key generator
4462:
4460:
4457:
4455:
4452:
4450:
4447:
4445:
4442:
4438:
4435:
4433:
4430:
4429:
4428:
4427:Hash function
4425:
4423:
4420:
4418:
4415:
4413:
4410:
4408:
4405:
4403:
4402:Cryptanalysis
4400:
4398:
4395:
4391:
4388:
4387:
4386:
4383:
4381:
4378:
4376:
4373:
4372:
4370:
4366:
4362:
4355:
4350:
4348:
4343:
4341:
4336:
4335:
4332:
4328:
4314:
4311:
4309:
4306:
4304:
4303:Proof of work
4301:
4299:
4296:
4294:
4291:
4289:
4286:
4285:
4283:
4279:
4273:
4270:
4268:
4265:
4263:
4260:
4258:
4255:
4253:
4250:
4248:
4245:
4243:
4240:
4239:
4237:
4233:
4227:
4224:
4222:
4219:
4217:
4214:
4212:
4209:
4207:
4204:
4203:
4201:
4197:
4191:
4188:
4186:
4183:
4181:
4180:Rainbow table
4178:
4176:
4173:
4171:
4168:
4166:
4163:
4161:
4158:
4157:
4155:
4151:
4145:
4142:
4140:
4137:
4135:
4132:
4130:
4127:
4125:
4122:
4120:
4117:
4115:
4112:
4111:
4109:
4106:
4103:Authenticated
4100:
4094:
4091:
4089:
4086:
4084:
4081:
4079:
4076:
4074:
4071:
4069:
4065:
4062:
4060:
4057:
4055:
4052:
4050:
4047:
4045:
4042:
4040:
4037:
4036:
4034:
4032:
4031:MAC functions
4028:
4021:
4019:
4016:
4015:
4013:
4011:
4005:
3999:
3996:
3994:
3991:
3989:
3986:
3984:
3981:
3979:
3976:
3974:
3971:
3969:
3966:
3964:
3961:
3959:
3956:
3954:
3951:
3949:
3946:
3945:
3943:
3940:
3934:
3928:
3925:
3923:
3920:
3918:
3915:
3913:
3910:
3908:
3905:
3903:
3900:
3898:
3895:
3893:
3890:
3888:
3885:
3883:
3880:
3878:
3875:
3873:
3870:
3868:
3865:
3863:
3860:
3858:
3855:
3853:
3850:
3848:
3845:
3843:
3840:
3838:
3835:
3833:
3830:
3828:
3825:
3823:
3820:
3818:
3815:
3813:
3810:
3808:
3805:
3803:
3800:
3798:
3795:
3793:
3790:
3788:
3785:
3784:
3782:
3778:
3771:
3768:
3766:
3763:
3761:
3758:
3756:
3753:
3751:
3748:
3747:
3745:
3743:
3739:
3733:
3730:
3728:
3725:
3723:
3720:
3718:(compromised)
3717:
3714:
3712:(compromised)
3711:
3708:
3707:
3705:
3701:
3695:
3694:Known attacks
3692:
3690:
3687:
3685:
3682:
3681:
3678:
3674:
3670:
3663:
3658:
3656:
3651:
3649:
3644:
3643:
3640:
3636:
3626:
3623:
3621:
3618:
3616:
3613:
3612:
3610:
3606:
3600:
3597:
3595:
3592:
3590:
3587:
3585:
3582:
3580:
3577:
3576:
3574:
3570:
3564:
3561:
3559:
3556:
3554:
3551:
3549:
3546:
3544:
3541:
3539:
3536:
3534:
3531:
3529:
3526:
3524:
3521:
3519:
3518:Interpolation
3516:
3514:
3511:
3507:
3504:
3502:
3499:
3497:
3494:
3492:
3489:
3487:
3484:
3483:
3482:
3479:
3477:
3474:
3472:
3469:
3467:
3464:
3462:
3461:
3456:
3454:
3451:
3449:
3446:
3443:
3439:
3436:
3434:
3431:
3427:
3424:
3422:
3419:
3417:
3414:
3413:
3412:
3409:
3406:
3402:
3399:
3395:
3392:
3390:
3387:
3386:
3385:
3382:
3379:
3375:
3372:
3371:
3369:
3366:
3365:cryptanalysis
3359:
3352:
3348:
3347:Key whitening
3345:
3343:
3340:
3338:
3335:
3333:
3330:
3328:
3325:
3323:
3320:
3318:
3315:
3313:
3310:
3308:
3305:
3303:
3300:
3298:
3295:
3293:
3290:
3288:
3285:
3284:
3282:
3278:
3272:
3269:
3267:
3264:
3262:
3259:
3257:
3254:
3252:
3249:
3247:
3244:
3242:
3239:
3237:
3234:
3232:
3229:
3227:
3224:
3222:
3219:
3217:
3214:
3212:
3209:
3207:
3204:
3202:
3199:
3197:
3194:
3192:
3189:
3187:
3184:
3182:
3179:
3177:
3174:
3172:
3169:
3167:
3164:
3162:
3159:
3157:
3154:
3152:
3149:
3147:
3144:
3142:
3139:
3137:
3136:New Data Seal
3134:
3132:
3129:
3127:
3124:
3122:
3119:
3117:
3114:
3112:
3109:
3107:
3104:
3102:
3099:
3097:
3094:
3092:
3089:
3087:
3084:
3082:
3079:
3077:
3074:
3072:
3069:
3066:
3062:
3058:
3056:
3053:
3051:
3048:
3046:
3043:
3041:
3038:
3036:
3033:
3031:
3028:
3026:
3023:
3021:
3018:
3016:
3013:
3011:
3008:
3006:
3003:
3001:
2998:
2996:
2993:
2991:
2988:
2986:
2983:
2981:
2978:
2976:
2973:
2971:
2968:
2966:
2963:
2961:
2958:
2956:
2953:
2951:
2948:
2946:
2943:
2941:
2938:
2936:
2933:
2931:
2928:
2926:
2923:
2921:
2918:
2916:
2913:
2911:
2908:
2906:
2903:
2901:
2898:
2896:
2893:
2891:
2888:
2886:
2883:
2881:
2878:
2876:
2875:BEAR and LION
2873:
2871:
2868:
2866:
2863:
2861:
2858:
2856:
2853:
2851:
2848:
2846:
2843:
2841:
2838:
2836:
2833:
2832:
2830:
2824:
2818:
2815:
2813:
2810:
2808:
2805:
2803:
2800:
2798:
2795:
2793:
2790:
2788:
2785:
2783:
2780:
2778:
2775:
2773:
2770:
2768:
2765:
2763:
2760:
2759:
2757:
2751:
2745:
2742:
2740:
2737:
2735:
2732:
2729:
2725:
2721:
2718:
2716:
2713:
2711:
2708:
2707:
2705:
2699:
2694:
2690:
2689:Block ciphers
2683:
2678:
2676:
2671:
2669:
2664:
2663:
2660:
2656:
2652:
2646:
2643:
2642:
2639:
2636:
2633:
2629:
2626:
2623:
2620:
2618:
2615:
2612:
2608:
2605:
2601:
2598:
2594:
2591:
2587:
2585:
2582:
2581:
2569:
2565:
2558:
2551:
2545:
2537:
2531:
2527:
2523:
2518:
2517:10.1.1.1.4591
2513:
2509:
2502:
2491:
2484:
2476:
2463:
2455:
2451:
2443:
2428:
2422:
2414:
2408:
2404:
2400:
2396:
2389:
2382:
2376:
2361:
2354:
2347:
2339:
2333:
2329:
2325:
2321:
2314:
2297:
2290:
2282:
2276:
2268:
2262:
2256:
2250:
2244:
2238:
2232:
2226:
2220:
2214:
2208:
2202:
2193:
2175:
2174:
2166:
2164:
2155:
2149:
2145:
2141:
2137:
2133:
2126:
2120:
2104:
2100:
2093:
2085:
2079:
2075:
2071:
2067:
2060:
2054:
2048:
2044:
2035:
2032:
2030:
2027:
2025:
2022:
2021:
2015:
2013:
2009:
2003:
1999:
1992:
1984:
1977:
1972:
1967:
1963:
1961:
1957:
1953:
1949:
1944:
1939:
1937:
1931:
1925:
1921:
1917:
1912:
1908:
1901:
1895:
1891:
1887:
1881:
1875:
1872:
1868:
1864:
1854:
1846:
1844:
1838:
1835:
1829:
1827:
1823:
1819:
1815:
1810:
1809:Timing-Attack
1805:
1803:
1799:
1794:
1792:
1787:
1777:
1775:
1771:
1770:SoftEther VPN
1767:
1763:
1759:
1755:
1751:
1748:
1744:
1740:
1739:Fibre Channel
1736:
1732:
1729:(also dubbed
1728:
1727:IEEE 802.11ad
1724:
1720:
1710:
1708:
1704:
1699:
1697:
1693:
1660:
1655:
1648:
1645:
1639:
1636:
1633:
1630:
1627:
1624:
1615:
1608:
1605:
1599:
1594:
1590:
1586:
1581:
1577:
1573:
1568:
1564:
1560:
1557:
1554:
1550:
1546:
1543:
1536:
1533:
1527:
1524:
1518:
1515:
1505:
1502:
1497:
1493:
1489:
1486:
1483:
1477:
1472:
1468:
1439:
1438:
1437:
1435:
1410:
1407:
1404:
1401:
1398:
1394:
1390:
1386:
1380:
1377:
1374:
1371:
1368:
1364:
1360:
1354:
1352:
1346:
1343:
1340:
1337:
1334:
1331:
1327:
1322:
1316:
1311:
1308:
1305:
1301:
1297:
1295:
1288:
1284:
1269:
1266:
1263:
1260:
1257:
1254:
1251:
1248:
1245:
1242:
1239:
1236:
1233:
1221:
1217:
1213:
1209:
1203:
1199:
1195:
1189:
1187:
1181:
1178:
1175:
1171:
1166:
1158:
1155:
1152:
1142:
1136:
1131:
1129:
1121:
1119:
1113:
1109:
1097:
1096:
1095:
1093:
1088:
1084:
1080:
1076:
1072:
1066:
1062:
1058:
1029:
1026:
1023:
1020:
1017:
1014:
1011:
1008:
1005:
1002:
999:
989:
986:
982:
976:
972:
968:
963:
960:
957:
953:
948:
940:
937:
934:
924:
918:
913:
908:
905:
902:
899:
896:
892:
888:
883:
879:
873:
868:
865:
862:
858:
854:
849:
845:
837:
836:
835:
833:
825:
811:
803:
799:
795:
791:
787:
783:
779:
775:
771:
767:
741:
738:
735:
732:
729:
726:
723:
710:
704:
701:
698:
692:
686:
683:
676:
673:
670:
667:
664:
652:
649:
646:
642:
638:
633:
628:
624:
616:
613:
610:
607:
604:
601:
598:
595:
592:
589:
586:
583:
580:
568:
565:
562:
558:
550:
547:
544:
532:
529:
526:
522:
518:
513:
508:
504:
496:
493:
490:
487:
484:
481:
478:
475:
472:
460:
456:
449:
444:
439:
435:
427:
426:
425:
423:
415:
411:
407:
403:
398:
391:
387:
383:
379:
375:
371:
367:
363:
359:
355:
348:
327:
324:
321:
318:
315:
311:
307:
301:
298:
295:
292:
289:
283:
280:
273:
272:
271:
254:
251:
248:
245:
240:
236:
232:
227:
223:
219:
214:
210:
202:
201:
200:
198:
194:
190:
171:
167:
165:
161:
156:
151:
146:
144:
143:stream cipher
140:
136:
132:
128:
123:
118:
114:
104:
102:
98:
94:
90:
85:
83:
79:
75:
71:
67:
65:
61:
57:
52:
49:
44:
42:
41:block ciphers
38:
37:symmetric-key
34:
30:
26:
22:
4624:Block cipher
4469:Key schedule
4459:Key exchange
4449:Kleptography
4412:Cryptosystem
4361:Cryptography
4133:
3523:Partitioning
3481:Side-channel
3459:
3426:Higher-order
3411:Differential
3292:Key schedule
2567:
2557:
2552:, 2005-05-20
2544:
2507:
2501:
2483:
2462:cite journal
2442:
2431:. Retrieved
2429:. 2016-05-06
2421:
2394:
2388:
2375:
2363:. Retrieved
2359:
2346:
2319:
2313:
2302:. Retrieved
2289:
2275:
2261:
2254:
2249:
2242:
2237:
2230:
2225:
2218:
2213:
2206:
2201:
2192:
2181:. Retrieved
2172:
2135:
2125:
2118:
2110:. Retrieved
2092:
2065:
2059:
2052:
2047:
2001:
1997:
1990:
1982:
1975:
1968:
1964:
1959:
1955:
1951:
1947:
1942:
1940:
1935:
1929:
1923:
1919:
1915:
1913:
1906:
1899:
1893:
1889:
1885:
1882:
1870:
1860:
1852:
1839:
1830:
1818:Vlad Krasnov
1806:
1795:
1786:Galois field
1783:
1719:IEEE 802.1AE
1716:
1706:
1700:
1698:(CWC mode).
1689:
1433:
1431:
1091:
1089:
1082:
1078:
1074:
1064:
1060:
1053:
1051:
828:
826:
801:
797:
793:
789:
785:
781:
777:
773:
769:
765:
763:
418:
416:
409:
405:
401:
393:
389:
385:
381:
377:
369:
365:
362:block cipher
357:
350:
346:
344:
269:
193:Galois field
189:counter mode
186:
154:
147:
121:
113:counter mode
110:
86:
73:
69:
68:
64:Galois field
60:counter mode
53:
45:
28:
24:
21:cryptography
18:
4612:Mathematics
4603:Mix network
4293:Merkle tree
4281:Utilization
4267:NSA Suite B
3608:Utilization
3594:NSA Suite B
3579:AES process
3528:Rubber-hose
3466:Related-key
3374:Brute-force
2753:Less common
2570:. FSE 2012.
2108:. p. 5
2099:Viega, John
2034:AES-GCM-SIV
1828:libraries.
1814:Shay Gueron
1780:Performance
1752:standards,
1059:depends on
356:(0) is the
4711:Categories
4563:Ciphertext
4533:Decryption
4528:Encryption
4489:Ransomware
4105:encryption
3882:RadioGatún
3689:Comparison
3558:Chi-square
3476:Rotational
3416:Impossible
3337:Block size
3231:Spectr-H64
3055:Ladder-DES
3050:Kuznyechik
2995:Hierocrypt
2865:BassOmatic
2828:algorithms
2755:algorithms
2728:Triple DES
2703:algorithms
2433:2023-10-17
2365:8 February
2304:2023-09-01
2183:2015-08-18
2040:References
1743:IEEE P1619
1692:John Viega
768:) and len(
764:where len(
404:= 0, ...,
374:ciphertext
150:polynomial
139:ciphertext
125:, usually
4553:Plaintext
4022:KDF1/KDF2
3941:functions
3927:Whirlpool
3533:Black-bag
3453:Boomerang
3442:Known-key
3421:Truncated
3246:Threefish
3241:SXAL/MBAL
3131:MultiSwap
3086:MacGuffin
3045:KN-Cipher
2985:Grand Cru
2940:CS-Cipher
2920:COCONUT98
2630:works on
2609:RFC
2602:RFC
2595:RFC
2588:RFC
2512:CiteSeerX
2253:RFC 8446
2241:RFC 6367
2229:RFC 5288
2217:RFC 5647
2205:RFC 4543
2051:RFC 5288
1971:weak keys
1798:PCLMULQDQ
1733:), ANSI (
1667:otherwise
1640:
1634:−
1600:
1587:∥
1574:∥
1561:∥
1547:
1519:
1512:for
1503:∥
1490:∥
1434:Counter 0
1402:−
1391:⋅
1378:−
1361:⊕
1341:−
1302:∑
1267:−
1246:…
1230:for
1214:⋅
1196:⊕
1179:−
1156:≤
1149:for
1012:…
996:for
987:⋅
969:⊕
961:−
931:for
900:−
889:⋅
859:∑
812:∥
720:for
705:
699:∥
687:
661:for
650:−
639:∥
634:∗
614:−
599:…
577:for
566:−
541:for
530:−
519:∥
514:∗
494:−
485:…
469:for
284:
135:plaintext
133:with the
4692:Category
4598:Kademlia
4558:Codetext
4501:(CSPRNG)
4247:CRYPTREC
4078:Poly1305
3998:yescrypt
3912:Streebog
3792:CubeHash
3772:(winner)
3584:CRYPTREC
3548:Weak key
3501:Acoustic
3342:Key size
3186:Red Pike
3005:IDEA NXT
2885:Chiasmus
2880:CAST-256
2860:BaseKing
2845:Akelarre
2840:Adiantum
2807:Skipjack
2772:CAST-128
2767:Camellia
2715:Blowfish
2634:project.
2101:(2005).
2018:See also
1857:Security
1355:′
1190:′
1122:′
358:hash key
158:, using
4368:General
4153:Attacks
4083:SipHash
4039:CBC-MAC
3973:LM hash
3953:Balloon
3817:HAS-160
3625:Padding
3543:Rebound
3251:Treyfer
3201:SAVILLE
3161:PRESENT
3151:NOEKEON
3096:MAGENTA
3091:Madryga
3071:Lucifer
2935:CRYPTON
2744:Twofish
2734:Serpent
2112:20 July
1878:2 − 256
1849:Patents
1822:OpenSSL
1774:OpenVPN
1094:times:
372:is the
176:blocks.
56:AES-128
31:) is a
4479:Keygen
4313:Pepper
4252:NESSIE
4199:Design
3993:scrypt
3988:PBKDF2
3963:Catena
3958:bcrypt
3948:Argon2
3907:Snefru
3902:Shabal
3897:SWIFFT
3877:RIPEMD
3872:N-hash
3847:MASH-2
3842:MASH-1
3827:Kupyna
3787:BLAKE3
3770:Keccak
3755:Grøstl
3732:BLAKE2
3589:NESSIE
3538:Davies
3486:Timing
3401:Linear
3361:Attack
3280:Design
3271:Zodiac
3236:Square
3211:SHACAL
3206:SC2000
3166:Prince
3146:Nimbus
3141:NewDES
3126:MULTI2
3116:MISTY1
3059:LOKI (
3035:KHAZAD
3030:KeeLoq
3025:KASUMI
3020:Kalyna
2905:CLEFIA
2890:CIKS-1
2850:Anubis
2701:Common
2532:
2514:
2409:
2334:
2150:
2080:
1735:INCITS
804:, and
345:where
4509:(PRN)
4107:modes
3983:Makwa
3978:Lyra2
3968:crypt
3917:Tiger
3867:MDC-2
3822:HAVAL
3807:Fugue
3765:Skein
3750:BLAKE
3727:SHA-3
3722:SHA-2
3716:SHA-1
3471:Slide
3327:Round
3312:P-box
3307:S-box
3266:XXTEA
3226:Speck
3221:Simon
3216:SHARK
3196:SAFER
3181:REDOC
3106:Mercy
3065:89/91
3015:Iraqi
2980:G-DES
2970:FEA-M
2950:DES-X
2915:Cobra
2870:BATON
2855:Ascon
2835:3-Way
2826:Other
2493:(PDF)
2356:(PDF)
2299:(PDF)
2177:(PDF)
2106:(PDF)
2004:× 128
1993:= 128
1985:× 128
1750:IPsec
1731:WiGig
1544:GHASH
827:Then
281:GHASH
131:XORed
4308:Salt
4272:CNSA
4139:IAPM
4093:VMAC
4088:UMAC
4073:PMAC
4068:CMAC
4064:OMAC
4059:NMAC
4054:HMAC
4049:GMAC
4018:HKDF
3887:SIMD
3837:Lane
3812:GOST
3797:ECOH
3684:List
3671:and
3599:CNSA
3458:Mod
3384:MITM
3156:NUSH
3111:MESH
3101:MARS
2975:FROG
2965:FEAL
2945:DEAL
2925:Crab
2910:CMEA
2817:XTEA
2802:SEED
2782:IDEA
2777:GOST
2762:ARIA
2611:6367
2604:5288
2597:4543
2590:4106
2530:ISBN
2475:help
2407:ISBN
2367:2013
2332:ISBN
2148:ISBN
2114:2013
2078:ISBN
1995:and
1928:1 −
1909:= 64
1902:= 32
1824:and
1816:and
1747:IETF
1703:NIST
776:and
399:for
74:GMAC
35:for
4144:OCB
4134:GCM
4129:EAX
4124:CWC
4114:CCM
4044:DAA
3922:VSH
3892:SM3
3862:MD6
3857:MD4
3852:MD2
3832:LSH
3802:FSB
3710:MD5
3553:Tau
3513:XSL
3317:SPN
3261:xmx
3256:UES
3191:S-1
3176:RC2
3121:MMB
3000:ICE
2955:DFC
2812:TEA
2797:RC6
2792:RC5
2787:LEA
2739:SM4
2720:DES
2710:AES
2522:doi
2450:doi
2399:doi
2324:doi
2140:doi
2070:doi
1871:see
1826:NSS
1758:TLS
1754:SSH
1713:Use
1661:128
1656:mod
1637:len
1631:128
1591:len
1516:len
702:len
684:len
647:128
527:128
412:+ 1
215:128
197:CBC
127:AES
29:GCM
19:In
4713::
3760:JH
3081:M8
3076:M6
3063:,
3061:97
2960:E2
2726:,
2566:.
2528:.
2520:.
2466::
2464:}}
2460:{{
2405:.
2358:.
2330:.
2162:^
2146:.
2076:.
2014:.
2000:=
1978:⋅2
1932:⋅2
1756:,
1737:)
1595:64
1582:64
1537:96
1498:31
1436::
1085:+1
1067:−1
792:,
424::
408:+
376:,
364:,
349:=
23:,
4353:e
4346:t
4339:v
4066:/
3661:e
3654:t
3647:v
3460:n
3444:)
3440:(
3407:)
3403:(
3380:)
3376:(
3367:)
3363:(
3353:)
3349:(
3171:Q
3067:)
2730:)
2722:(
2695:)
2691:(
2681:e
2674:t
2667:v
2538:.
2524::
2477:)
2473:(
2456:.
2452::
2436:.
2415:.
2401::
2369:.
2340:.
2326::
2307:.
2283:.
2186:.
2156:.
2142::
2116:.
2086:.
2072::
2002:n
1998:l
1991:w
1983:n
1976:n
1960:H
1956:H
1952:t
1948:n
1943:n
1936:t
1930:n
1924:n
1920:n
1916:t
1907:t
1900:t
1894:t
1890:t
1886:t
1652:)
1649:V
1646:I
1643:(
1628:=
1625:s
1616:)
1612:)
1609:V
1606:I
1603:(
1578:0
1569:s
1565:0
1558:V
1555:I
1551:(
1534:=
1531:)
1528:V
1525:I
1522:(
1506:1
1494:0
1487:V
1484:I
1478:{
1473:=
1469:0
1466:r
1463:e
1460:t
1457:n
1454:u
1451:o
1448:C
1411:1
1408:+
1405:j
1399:k
1395:H
1387:)
1381:k
1375:j
1372:+
1369:i
1365:S
1347:k
1344:2
1338:j
1335:+
1332:i
1328:X
1323:(
1317:k
1312:1
1309:=
1306:j
1298:=
1289:i
1285:X
1270:k
1264:1
1261:+
1258:n
1255:+
1252:m
1249:,
1243:,
1240:1
1237:=
1234:i
1222:k
1218:H
1210:)
1204:i
1200:S
1182:k
1176:i
1172:X
1167:(
1159:0
1153:i
1143:0
1137:{
1132:=
1114:i
1110:X
1092:k
1083:n
1081:+
1079:m
1075:X
1065:i
1061:X
1056:i
1054:X
1030:1
1027:+
1024:n
1021:+
1018:m
1015:,
1009:,
1006:1
1003:=
1000:i
990:H
983:)
977:i
973:S
964:1
958:i
954:X
949:(
941:0
938:=
935:i
925:0
919:{
914:=
909:1
906:+
903:j
897:i
893:H
884:j
880:S
874:i
869:1
866:=
863:j
855:=
850:i
846:X
831:i
829:X
802:C
798:C
794:u
790:A
786:A
782:v
778:C
774:A
770:C
766:A
742:1
739:+
736:n
733:+
730:m
727:=
724:i
714:)
711:C
708:(
696:)
693:A
690:(
677:n
674:+
671:m
668:=
665:i
653:u
643:0
629:n
625:C
617:1
611:n
608:+
605:m
602:,
596:,
593:1
590:+
587:m
584:=
581:i
569:m
563:i
559:C
551:m
548:=
545:i
533:v
523:0
509:m
505:A
497:1
491:m
488:,
482:,
479:1
476:=
473:i
461:i
457:A
450:{
445:=
440:i
436:S
421:i
419:S
410:n
406:m
402:i
396:i
394:X
390:C
386:n
382:A
378:m
370:C
366:A
353:k
351:E
347:H
328:1
325:+
322:n
319:+
316:m
312:X
308:=
305:)
302:C
299:,
296:A
293:,
290:H
287:(
255:1
252:+
249:x
246:+
241:2
237:x
233:+
228:7
224:x
220:+
211:x
155:H
122:E
72:(
27:(
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.
