AES Modes

John Kelsey kelsey.j at
Tue Oct 12 09:57:15 EDT 2004

>From: Ian Grigg <iang at>
>Sent: Oct 10, 2004 11:11 AM
>To: Metzdowd Crypto <cryptography at>
>Subject: AES Modes

>I'm looking for basic mode to encrypt blocks (using AES)
>of about 1k in length, +/- an order of magnitude.  Looking
>at the above table (2nd link) there are oodles of proposed

>It would be nice to have a mode that didn't also require
>a separate MAC operation - I get the impression that
>this is behind some of the proposals?

I think CCM is just about perfect for this goal.  The MAC isn't free, but it's integrated into the chaining mode.  There are also some patented modes that provide a MAC for almost no extra computation(OCB, IACBC), and some proposed modes that combine an efficient, parallelizeable MAC with encryption in a secure way (CWC,GCM), though none of these are standards yet.



The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list