What is the EAX operating mode


The EAX mode (encrypt-then-authenticate-then-translate) is a mode of operation for cryptographic block ciphers. It is an Authenticated Encryption with Associated Data (AEAD) algorithm that simultaneously provides authentication and privacy of the message (authenticated encryption) with a two-pass scheme: one pass to achieve privacy and one pass to authenticate, for each block.

The EAX mode was brought to the attention of NIST on October 3, 2003 to replace CCM as the default AEAD mode of operation, because CCM mode lacks some desirable attributes of EAX and is more complex.

Encryption and authentication

EAX is a flexible, nonce-using, two-pass AEAD scheme with no restrictions on the block cipher primitive to be used or on its block size, and it supports messages of any length. The length of the authentication tag can be adjusted as required, up to the block size of the cipher used.

The block cipher primitive is used in CTR mode for encryption and as OMAC for authentication over each block. The two are combined by the EAX composition method, which can be viewed as a particular case of a more general algorithm called EAX2, described in The EAX Mode of Operation.

The reference implementation in the above document uses AES in CTR mode for encryption in combination with AES OMAC for authentication.
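The composition described above (CTR for privacy, tweaked OMAC over nonce, header and ciphertext for authenticity) can be written out directly. This is an added example, not code from the original page or from the EAX authors; the block cipher `E` is a hypothetical toy Feistel permutation standing in for AES so the block runs with the standard library only, and it must not be used to protect real data.

```python
import hashlib, hmac
BLOCK = 16  # block size in bytes of the stand-in cipher (assumption: 128-bit blocks)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def E(key, block):
    # Toy 4-round Feistel permutation (NOT AES). Only the forward direction exists:
    l, r = block[:8], block[8:]       # EAX never calls the cipher's decrypt function.
    for i in range(4):
        l, r = r, xor(l, hmac.new(key, bytes([i]) + r, hashlib.sha256).digest())
    return l + r

def dbl(b):  # multiply by x in GF(2^128); used to derive the OMAC subkeys
    n = int.from_bytes(b, "big") << 1
    return ((n ^ 0x87 if n >> 128 else n) & ((1 << 128) - 1)).to_bytes(BLOCK, "big")

def omac(key, t, data):  # OMAC^t: OMAC over the tweak t as one block, then data
    msg = t.to_bytes(BLOCK, "big") + data
    B = dbl(E(key, bytes(BLOCK))); P = dbl(B)
    blocks = [msg[i:i + BLOCK] for i in range(0, len(msg), BLOCK)]
    last = blocks.pop()
    if len(last) == BLOCK:
        last = xor(last, B)           # full final block: mask with B
    else:                             # short final block: pad 10*, mask with P
        last = xor(last + b"\x80" + bytes(BLOCK - len(last) - 1), P)
    state = bytes(BLOCK)
    for blk in blocks + [last]:
        state = E(key, xor(state, blk))
    return state

def ctr(key, iv, data):
    n, out = int.from_bytes(iv, "big"), b""
    for i in range(0, len(data), BLOCK):
        ks = E(key, ((n + i // BLOCK) % (1 << 128)).to_bytes(BLOCK, "big"))
        out += xor(data[i:i + BLOCK], ks)  # zip() truncates the last keystream block
    return out

def eax_encrypt(key, nonce, header, msg, taglen=BLOCK):
    N, H = omac(key, 0, nonce), omac(key, 1, header)  # H is reusable for static AD
    C = ctr(key, N, msg)
    return C, xor(xor(N, H), omac(key, 2, C))[:taglen]

def eax_decrypt(key, nonce, header, C, tag, taglen=BLOCK):
    N, H = omac(key, 0, nonce), omac(key, 1, header)
    expect = xor(xor(N, H), omac(key, 2, C))[:taglen]
    if len(tag) != taglen or not hmac.compare_digest(expect, tag):
        raise ValueError("authentication failed")
    return ctr(key, N, C)  # plaintext is released only after the tag verifies
```

The receiver fixes `taglen` itself rather than trusting the length of the tag it was sent; otherwise a truncated or empty tag would be accepted.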


Because it is a two-pass scheme, the EAX mode is slower than a well-designed one-pass scheme based on the same basic elements.

The EAX mode has several desirable attributes, in particular:

  • provable security (depending on the security of the underlying primitive cipher);
  • message expansion is minimal, limited to the overhead of the tag length;
  • using CTR mode means that the cipher only needs to be implemented for encryption, which simplifies the implementation of some ciphers (a particularly desirable attribute for hardware implementation);
  • the algorithm is "on-line", meaning that a data stream can be processed using constant memory without knowing the total data length in advance;
  • the algorithm can preprocess static associated data (AD), which is useful for encryption / decryption of communication session parameters (where session parameters can represent the associated data).

In particular, the last two attributes are missing in CCM mode (CCM can process associated data, but it cannot preprocess it).

Patent status

EAX mode authors Mihir Bellare, Phillip Rogaway and David Wagner placed the work in the public domain and stated that they were not aware of any patents covering this technology. Therefore, it is assumed that the EAX mode of operation is free and unencumbered for any use.


A modification of the EAX mode, called EAX′ or EAXprime, is used in the ANSI C12.22 standard for the transport of meter-based data over a network. In 2012 Kazuhiko Minematsu, Stefan Lucks, Hiraku Morita and Tetsu Iwata published a paper proving the security of the mode with messages longer than the key but demonstrating a trivial attack on short messages in this mode. It is not possible to create vulnerable short messages that conform to the ANSI C12.22 standard. However, EAXprime cannot be used safely in other contexts where such short messages are possible.
