ISO/IEC 19772:2009

INTERNATIONAL ISO/IEC
STANDARD 19772
First edition
2009-02-15
Information technology — Security
techniques — Authenticated encryption
Technologies de l'information — Techniques de sécurité — Chiffrage
authentifié
Reference number
©
ISO/IEC 2009
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.

©  ISO/IEC 2009
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2009 – All rights reserved

Contents Page
Foreword . v
Introduction . vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Symbols (and abbreviated terms) . 3
5 Requirements . 4
6 Authenticated encryption mechanism 1 (OCB 2.0) . 4
6.1 Introduction . 4
6.2 Specific notation . 4
6.3 Specific requirements . 5
6.4 Definition of function M . 5
6.5 Definition of function M . 5
6.6 Definition of function J . 6
6.7 Encryption procedure . 6
6.8 Decryption procedure . 7
7 Authenticated encryption mechanism 2 (Key Wrap) . 7
7.1 Introduction . 7
7.2 Specific notation . 8
7.3 Specific requirements . 8
7.4 Encryption procedure . 8
7.5 Decryption procedure . 9
8 Authenticated encryption mechanism 3 (CCM) . 9
8.1 Introduction . 9
8.2 Specific notation . 9
8.3 Specific requirements . 10
8.4 Encryption procedure . 10
8.5 Decryption procedure . 12
9 Authenticated encryption mechanism 4 (EAX) . 13
9.1 Introduction . 13
9.2 Specific notation . 13
9.3 Specific requirements . 13
9.4 Definition of function M . 13
9.5 Encryption procedure . 14
9.6 Decryption procedure . 14
10 Authenticated encryption mechanism 5 (Encrypt-then-MAC) . 15
10.1 Introduction . 15
10.2 Specific notation . 15
10.3 Specific requirements . 15
10.4 Encryption procedure . 16
10.5 Decryption procedure . 16
11 Authenticated encryption mechanism 6 (GCM) . 16
11.1 Introduction . 16
11.2 Specific notation . 17
11.3 Specific requirements . 17
11.4 Definition of multiplication operation . 18
© ISO/IEC 2009 – All rights reserved iii

11.5 Definition of function G . 18

11.6 Encryption procedure . 18
11.7 Decryption procedure . 19
Annex A (informative) Guidance on use of the mechanisms . 20
A.1 Introduction . 20
A.2 Selection of mechanism . 20
A.3 Mechanism 1 (OCB 2.0) . 21
A.4 Mechanism 2 (Key Wrap) . 21
A.5 Mechanism 3 (CCM) . 21
A.6 Mechanism 4 (EAX). 21
A.7 Mechanism 5 (Encrypt-then-MAC) . 22
A.8 Mechanism 6 (GCM). 22
Annex B (informative) Examples . 23
B.1 Introduction . 23
B.2 Mechanism 1 (OCB 2.0) . 23
B.3 Mechanism 2 (Key Wrap) . 24
B.4 Mechanism 3 (CCM) . 24
B.5 Mechanism 4 (EAX). 25
B.6 Mechanism 5 (Encrypt-then-MAC) . 26
B.7 Mechanism 6 (GCM). 26
Annex C (normative) ASN.1 module . 28
C.1 Formal definition . 28
C.2 Use of subsequent object identifiers . 28
Bibliography . 29

iv © ISO/IEC 2009 – All rights reserved

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 19772 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
© ISO/IEC 2009 – All rights reserved v

Introduction
When data is sent from one place to another, it is often necessary to protect it in some way whilst it is in transit,

e.g. against eavesdropping or unauthorised modification. Similarly, when data is stored in an environment to
which unauthorized parties may have access, it may be necessary to protect it.
If the confidentiality of the data needs to be protected, e.g. against eavesdropping, then one solution is to use
encryption, as specified in ISO/IEC 18033 and ISO/IEC 10116. Alternatively, if it is necessary to protect the
data against modification, i.e. integrity protection, then Message Authentication Codes (MACs), as specified in
ISO/IEC 9797, or digital signatures, as specified in ISO/IEC 9796 and ISO/IEC 14888, can be used. If both
confidentiality and integrity protection are required, then one possibility is to use both encryption and a MAC or
signature. Whilst these operations can be combined in many ways, not all combinations of such mechanisms
provide the same security guarantees. As a result it is desirable to define in detail exactly how integrity and
confidentiality mechanisms should be combined to provide the optimum level of security. Moreover, in some
cases significant efficiency gains can be obtained by defining a single method of processing the data with the
objective of providing both confidentiality and integrity protection.
In this standard, authenticated encryption mechanisms are defined. These are methods for processing data
to provide both integrity and confidentiality protection. They typically involve either a specified combination of
a MAC computation and data encryption, or the use of an encryption algorithm in a special way such that both
integrity and confidentiality protection are provided.
The methods specified in this standard have been designed to maximise the level of security and provide
efficient processing of data. Some of the techniques defined here have mathematical 'proofs of security', i.e.
rigorous arguments supporting their soundness.
vi © ISO/IEC 2009 – All rights reserved

INTERNATIONAL STANDARD
Information technology — Security techniques — Authenticated
encryption
1 Scope
This International Standard specifies six methods for authenticated encryption, i.e. defined ways of processing

a data string with the following security objectives:
 data confidentiality, i.e. protection against unauthorized disclosure of data,
 data integrity, i.e. protection that enables the recipient of data to verify that it has not been modified,
 data origin authentication, i.e. protection that enables the recipient of data to verify the identity of the data
originator.
All six methods specified in this International Standard are based on a block cipher algorithm, and require the
originator and the recipient of the protected data to share a secret key for this block cipher. Key management
is outside the scope of this standard; key management techniques are defined in ISO/IEC 11770.
Four of the mechanisms in this standard, namely mechanisms 1, 3, 4 and 6, allow data to be authenticated
which is not encrypted. That is, these mechanisms allow a data string that is to be protected to be divided into
two parts, D, the data string that is to be encrypted and integrity-protected, and A (the additional authenticated
data) that is integrity-protected but not encrypted. In all cases, the string A may be empty.
NOTE Examples of types of data that may need to be sent in unencrypted form, but whose integrity should be
protected, include addresses, port numbers, sequence numbers, protocol version numbers, and other network protocol fields
that indicate how the plaintext should be handled, forwarded, or processed.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
1)
ISO/IEC 9797-1:— , Information technology — Security techniques — Message Authentication Codes
(MACs) — Part 1: Mechanisms using a block cipher
ISO/IEC 10116, Information technology — Security techniques — Modes of operation for an n-bit block cipher
ISO/IEC 18033-3, Information technology — Security techniques — Encryption algorithms — Part 3: Block
ciphers
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
1) To be published. (Revision of ISO/IEC 9797-1:1999)
© ISO/IEC 2009 – All rights reserved 1

3.1
authenticated encryption
(reversible) transformation of data by a cryptographic algorithm to produce ciphertext that cannot be altered by
an unauthorized entity without detection, i.e. it provides data confidentiality, data integrity, and data origin
authentication
3.2
authenticated encryption mechanism
cryptographic technique used to protect the confidentiality and guarantee the origin and integrity of data, and
which consists of two component processes: an encryption algorithm and a decryption algorithm
3.3
block cipher
symmetric encryption system with the property that the encryption algorithm operates on a block of plaintext,
i.e. a string of bits of a defined length, to yield a block of ciphertext [ISO/IEC 18033-1]
3.4
ciphertext
data which has been transformed to hide its information content [ISO/IEC 10116]
3.5
data integrity
the property that data has not been altered or destroyed in an unauthorized manner [ISO/IEC 9797-1]
3.6
decryption
reversal of a corresponding encryption [ISO/IEC 18033-1]
3.7
encryption
(reversible) transformation of data by a cryptographic algorithm to produce ciphertext, i.e., to hide the
information content of the data [ISO/IEC 18033-1]
3.8
encryption system
cryptographic technique used to protect the confidentiality of data, and which consists of three component
processes: an encryption algorithm, a decryption algorithm, and a method for generating keys [ISO/IEC
18033-1]
3.9
key
sequence of symbols that controls the operation of a cryptographic transformation (e.g. encipherment,
decipherment) [ISO/IEC 18033-1]
3.10
message authentication code (MAC)
string of bits which is the output of a MAC algorithm [ISO/IEC 9797-1]
3.11
partition
process of dividing a string of bits of arbitrary length into a sequence of blocks, where the length of each block
shall be n bits, except for the final block which shall contain r bits, 0 < r  n
3.12
plaintext
unencrypted information [ISO/IEC 10116]
2 © ISO/IEC 2009 – All rights reserved

3.13
secret key
key used with symmetric cryptographic techniques by a specified set of entities [ISO/IEC 18033-1]
3.14
symmetric encryption system
encryption system based on symmetric cryptographic techniques that uses the same secret key for both the
encryption and decryption algorithms [ISO/IEC 18033-1]
4 Symbols (and abbreviated terms)
For the purposes of this document, the following symbols and notation apply:
A Additional authenticated data.
C Authenticated-encrypted data string.
D Data string to which an authenticated encryption mechanism is to be applied.
d Block cipher decryption algorithm; d (Y) denotes the result of block cipher decrypting the n-bit block
K
Y using the secret key K.
e Block cipher encryption algorithm; e (X) denotes the result of block cipher encrypting the n-bit block
K
X using the secret key K.
K Secret block cipher key shared by the originator and recipient of the data to which the authenticated
encryption mechanism is to be applied.
m Number of blocks in the partitioned version of D.
n Block length (in bits) for a block cipher.
t Tag length (in bits).
i
0 Block of i zero bits.
i
1 Block of i one bits.
 Bit-wise exclusive-or of strings of bits (of the same bit-length).
|| Concatenation of bit strings, i.e. if A and B are blocks of bits, then A||B is the block of bits obtained by
concatenating A and B in the order specified.
a
# Function converting a number into an a-bit block of bits; if k is an integer (0  k < 2 ) then # (k) is the
a
a-bit block which, when regarded as the binary representation of a number with the most significant
bit on the left, equals k.
-1 -1
# Function converting a block of bits to a number; if A is a block of bits, then # (A) is the unique non-
-1
negative integer whose binary representation is A. Hence, if A has n bits, then # (# (A)) = A.
n
X| Left-truncation of the block of bits X: if X has bit-length greater than or equal to s, then X| is the s-bit
s s
block consisting of the left-most s bits of X.
s s
X| Right-truncation of the block of bits X: if X has bit-length greater than or equal to s, then X| is the s-
bit block consisting of the right-most s bits of X.
X<<1 Left shift of a block of bits X by one position: the rightmost bit of Y = X<<1 will always be set to zero.
© ISO/IEC 2009 – All rights reserved 3

X>>1 Right shift of a block of bits X by one position: the leftmost bit of Y = X>>1 will always be set to zero.
len Function taking a bit-string X as input, and which gives as output the number of bits in X.
mod If a and b > 0 are integers, then a mod b denotes the unique integer c such that:
i) 0  c < b, and
ii) a-c is an integer multiple of b.
5 Requirements
The authenticated encryption mechanisms specified in this document have the following requirements.
The originator and recipient of the data to which the authenticated encryption mechanism is to be applied,
must:
a) agree on the use of a particular mechanism from those specified in this document;
b) agree on the use of a particular block cipher to be used with the mechanism (one of the block ciphers
standardised in ISO/IEC 18033-3 shall be used);
c) share a secret key K: in all mechanisms except for authenticated encryption mechanism 5, this shall be a
key for the selected block cipher, and in mechanism 5 it shall be a key used as input to a key derivation
procedure.
In addition, each mechanism has specific requirements listed immediately prior to the mechanism description.
6 Authenticated encryption mechanism 1 (OCB 2.0)
6.1 Introduction
In this clause an authenticated encryption mechanism commonly known as OCB 2.0 (for Offset Codebook
version 2) is defined.
NOTE OCB 2.0 is due to Krovetz and Rogaway [7]. OCB 2.0 possesses a proof of security on the assumption that
the block cipher used possesses certain 'ideal properties'.
6.2 Specific notation
For the purposes of the specification of this mechanism, the following symbols and notation apply:
B Block of bits used in the definition of function J.
B , B , …, B Sequence of blocks of bits (each of n bits, with the possible exception of B ) used in the
1 2 w w
definition of function J.
C , C , …, C Sequence of blocks of bits (each of n bits, with the possible exception of C ) obtained as
1 2 m m
part of the output of the authenticated encryption process.
D , D , …, D Sequence of blocks of bits (each of n bits, with the possible exception of D ) obtained by
1 2 m m
partitioning D.
F  n-bit block used in the encryption and decryption processes.
H  n-bit block used in the encryption and decryption processes.
4 © ISO/IEC 2009 – All rights reserved

J  Function used in the encryption and decryption processes.
k Variable used in the definition of function J.
m The number of n-bit blocks in the message to be encrypted (where the final block may
contain less than n bits), i.e. the message contains (m-1)n+r bits.
M  Function used in the encryption and decryption processes.
M  Function used in the encryption and decryption processes.
P  n-bit block used in the definition of M .
r The number (0 < r  n) of bits in the final block of the message to be encrypted, after it has
been divided into n-bit blocks, i.e. len(D) = (m-1)n+r.
S  Starting Variable (n bits).
T  Tag (t bits), adjoined to an encrypted message to provide integrity protection.
T Recomputed tag value, generated during the decryption process.
w Variable used in the definition of function J.
Z  n-bit block used in the encryption and decryption processes.
6.3 Specific requirements
In advance of any use of the mechanism, the originator and recipient of the data to which the authenticated
encryption mechanism is to be applied must agree on the tag length t in bits, where 0 < t  n.
6.4 Definition of function M
Definition of the encryption and decryption procedures requires the definition of a function M that takes an n-
bit block as input and gives an n-bit block as output. The definition of this function depends on an n-bit block
P. Since n must correspond to the bit length of a block cipher chosen from amongst those specified in
ISO/IEC 18033-3, we only define P for n=64 and n=128.
a) If n=64, then P = 0 ||11011.
b) If n=128, then P = 0 ||10000111.
The function M is defined as follows. If X is an n-bit block, then:
a) If the left-most (most significant) bit of X is zero, then M (X) = X<<1;
b) If the left-most (most significant) bit of X is one, then M (X) = [X<<1]P.
6.5 Definition of function M
Definition of the procedure for handling additional authenticated data requires the definition of a function M
that takes an n-bit block as input and gives an n-bit block as output. If X is an n-bit block, then:
M (X) = M (X)  X.
3 2
© ISO/IEC 2009 – All rights reserved 5

6.6 Definition of function J
This function takes a block of bits B as input (where len(B) > 0), and gives an n-bit block J(B) as output. The
value J(B) is computed as follows.
a) Partition B into a sequence of blocks: B , B , …, B , as follows. Let B contain the first n bits of B, B the
1 2 w 1 2
next n bits, and so on, until B contains the final k bits, where 0 < k  n. Thus, len(B) = (w-1)n+k.
w
n
b) Let F = M (M (e (0 ))).
3 3 K
n
c) Let C = 0 .
d) For i = 1, 2, ., w-1, perform the following two steps:
1) Let F = M (F);
2) Let C = C  e (B  F).
i i-1 K i
e) Let F = M (M (F)).
3 2
f) If k 1) Let F = M (F);
n-k-1
2) Let B = B || 1 || 0 .
w w
g) J(B) = e (C  B  F).
K w-1 w
6.7 Encryption procedure
The originator shall perform the following steps to protect a data string D.
a) An n-bit Starting Variable S shall be selected. This variable shall be distinct for every message to be
protected, and must be made available to the recipient of the message. However, it is not necessary that
this value be unpredictable or secret.
NOTE The value S could, for example, be generated using a counter maintained by the originator, and sent
in cleartext along with the protected message.
b) Partition D into a sequence of blocks: D , D , …, D , as follows. Let D contain the first n bits of D, D the
1 2 m 1 2
next n bits, and so on, until D contains the final r bits, where 0 < r  n. Thus, len(D) = (m-1)n+r.
m
n
c) Let F = e (S) and let H = 0 .
K
d) For i = 1, 2, ., m-1, perform the following three steps:
1) Let F = M (F);
2) Let H = H  D ;
i
3) Let C = F  e (D  F).
i K i
e) Let F = M (F).
f) Let Z = e (# (r)  F).
K n
g) Let C = D  Z| .
m m r
6 © ISO/IEC 2009 – All rights reserved

n-r
h) Let H = H  [D || (Z| )].
m
i) Let T = [e (H  M (F))]| .
K 3 t
j) If len(A) > 0, then let T = T  J(A)| .
t
The output of the above process, i.e. the authenticated-encrypted version of D, shall be the bit-string:
C = C || C || … || C || T
1 2 m
i.e. a string of (m-1)n+r+t bits, that is C contains precisely t bits more than D (although it is also necessary to
convey the n-bit Starting Variable S and the variable length additional authenticated data bit string A to the
recipient).
6.8 Decryption procedure
The recipient shall perform the following steps to decrypt and verify an authenticated-encrypted string C.
a) If the length of C is less than t then halt and output INVALID.
b) Let m and r be the unique integers defined so that C contains a total of (m-1)n + r + t bits, where 0 < r  n.
Partition C into a sequence of blocks: C , C , …, C , T as follows. Let C contain the first n bits of C, C
1 2 m 1 2
the next n bits of C, and so on, until C contains the next r bits of C. Finally, let T be the final t bits of C.
m
n
c) Let F = e (S) and let H = 0 .
K
d) For i = 1, 2, ., m-1, perform the following three steps:
1) Let F = M (F);
2) Let D = F  d (C  F);
i K i
3) Let H = H  D .
i
e) Let F = M (F).
f) Let Z = e (# (r)  F).
K n
g) Let D = C  Z| .
m m r
n-r
h) Let H = H  [D || (Z| )].
m
i) Let T = [e (H  M (F))]| .
K 3 t
j) If len(A) > 0, then let T = T  J(A)| .
t
k) If T = T, then output D and the additional authenticated data A. Otherwise output INVALID.
7 Authenticated encryption mechanism 2 (Key Wrap)
7.1 Introduction
In this clause an authenticated encryption mechanism commonly known as Key Wrap is defined.
© ISO/IEC 2009 – All rights reserved 7

NOTE 1 This scheme was originally designed for authenticated-encryption of keys and associated information. That is,
it is designed for use with short data strings. However, the scheme can be used with arbitrary length data strings (up to a
maximum of around 2 bits), although it is not efficient for protecting long messages.
NOTE 2 This mode is known as AES Key Wrap when the AES block cipher is used, where AES stands for Advanced
Encryption Standard, a block cipher algorithm specified in ISO/IEC 18033-3. AES Key Wrap is also specified in [9] and
[11].
7.2 Specific notation
For the purposes of the specification of this mechanism, the following symbols and notation apply:
C , C , …, C Sequence of (m+1) 64-bit blocks obtained as the output of the authenticated encryption
0 1 m
process.
D , D , …, D Sequence of m 64-bit blocks obtained by partitioning D, i.e. 64m = len(D).
1 2 m
R , R , …, R Sequence of m 64-bit blocks computed during the encryption and decryption processes.
1 2 m
Y 64-bit block used during the encryption and decryption processes.
Z 128-bit block computed during the encryption and decryption processes.
7.3 Specific requirements
The block cipher to be used with this mechanism must be a 128-bit block cipher, i.e. it must have n=128.
The data string D to be protected using this mechanism must contain at least 128 bits and must contain a
multiple of 64 bits (i.e. the bit-length of D must be 64m for some integer m > 1).
7.4 Encryption procedure
The originator shall perform the following steps to protect a data string D.
a) Partition D into a sequence of m 64-bit blocks D , D , …, D , so that D contains the first 64 bits of D, D
1 2 m 1 2
the next 64 bits, and so on.
b) Let Y be the 64-bit block having hexadecimal representation A6A6A6A6A6A6A6A6, i.e. in binary it equals
(10100110 10100110 … 10100110).
c) For i = 1, 2, …, m:
let R = D .
i i
d) For i = 1, 2, ., 6m, perform the following four steps:
1) Let Z = e ( Y || R );
K 1
2) Let Y = Z|  # (i);
64 64
3) For j = 1, 2, …, m-1:
let R = R ;
j j+1
4) Let R = Z| .
m
e) Let C = Y.
8 © ISO/IEC 2009 – All rights reserved

f) For i = 1, 2, …, m:
let C = R .
i i
The output of the above process, i.e. the authenticated-encrypted version of D, shall be the bit-string:
C = C || C || … || C
0 1 m
i.e. a string of 64(m+1) bits, that is C contains precisely 64 bits more than D.
7.5 Decryption procedure
The recipient shall perform the following steps to decrypt and verify an authenticated-encrypted string C.
a) If len(C) is not a multiple of 64 or is less than 192, then halt and output INVALID.
b) Partition C into a sequence of m+1 64-bit blocks C , C , …, C , so that C contains the first 64 bits of C,
0 1 m 0
C the next 64 bits, and so on.
c) Let Y = C .
d) For i = 1, 2, …, m:
let R = C .
i i
e) For i = 6m, 6m-1, down to 1, perform the following four steps:
1) Let Z = d ( [Y  # (i)] || R );
K 64 m
2) Let Y = Z| ;
3) For j = m, m-1, …, 2:
let R = R ;
j j-1
4) Let R = Z| .
f) If Y = (10100110 10100110 … 10100110), then output D = R || R || … || R . Otherwise output INVALID.
1 2 m
8 Authenticated encryption mechanism 3 (CCM)
8.1 Introduction
In this clause an authenticated encryption mechanism commonly known as CCM (for Counter with CBC-MAC)
is defined.
NOTE CCM is due to Whiting, Housley and Ferguson [12]. The version of CCM defined here is a special case of
CCM as defined in [10] and [12].
8.2 Specific notation
For the purposes of the specification of this mechanism, the following symbols and notation apply:
B Block of bits used in computing the tag value.
B , B , …, B Sequence of blocks of bits (each of n bits) used in computing the tag value.
1 2 v
© ISO/IEC 2009 – All rights reserved 9

C , C , …, C Sequence of m 128-bit blocks obtained as part of the output of the authenticated encryption
1 2 m
process.
D , D , …, D Sequence of m 128-bit blocks obtained by partitioning a padded version of D.
1 2 m
F Flag octet.
L Length of D (in octets), excluding padding and the length block D .
r The number of octets of D in the block D .
m
S Starting Variable (of 120-8w bits).
T Plaintext tag value (of t bits).
T Recomputed tag value, generated during the decryption process.
U Encrypted tag value (of t bits).
v Variable used in computing the tag value.
w Length of message length field in octets.
X 128-bit block computed during the encryption and decryption processes.
Y 128-bit block computed during the encryption and decryption processes.
8.3 Specific requirements
In advance of any use of the mechanism, the originator and recipient of the data to which the authenticated
encryption mechanism is to be applied, must agree on:
a) t, the bit-length of the tag; t must be chosen from the set {32, 48, 64, 80, 96, 112, 128}, and
b) w, the octet-length of the message length field; w must be chosen from the set {2, 3, 4, 5, 6, 7, 8}.
NOTE The choice of w affects the maximum message length which can be protected. The maximum message
8w+3 8w
length is 2 bits, i.e. 2 octets.
The block cipher to be used with this mechanism must be a 128-bit block cipher, i.e. it must have n=128.
The data string D to be protected using this mechanism, and the additional authenticated data string A, must
contain a whole number of octets, i.e. their lengths must be a multiple of 8 bits (i.e. len(D) and len(A) must
both be an integer multiple of 8).
8.4 Encryption procedure
The originator shall perform the following steps to protect a data string D. Let L =len(D)/8, i.e. L is the number
of octets in D.
a) A Starting Variable S containing 15-w octets (i.e. 120-8w bits) shall be selected. This variable shall be
distinct for every message to be protected, and must be made available to the recipient of the message.
However, it is not necessary that this value is unpredictable or secret.
NOTE The value S could, for example, be generated using a counter maintained by the originator, and sent
in cleartext along with the protected message.
10 © ISO/IEC 2009 – All rights reserved

b) Right pad the data string D with 16-r zero octets (i.e. between 0 and 120 zero bits) so that the padded
version of D contains a multiple of 128 bits. Then partition the padded version of D into a sequence of m
128-bit blocks D , D , …, D , so that D contains the first 128 bits of D, D the next 128 bits, and so on.
1 2 m 1 2
NOTE The value m must satisfy 16(m-1) < L  16m.
c) If len(A) = 0 then let the flag octet F = 0 || # ((t-16)/16) || # (w-1).
3 3
d) If len(A) > 0 then let the flag octet F = 0 || 1 || # ((t-16)/16) || # (w-1).
3 3
NOTE The most significant (left-most) bit of F is a 'reserved' bit, i.e. it is set to zero for the version of the
mechanism specified here, but may be used in the future in other (as yet unspecified) versions of the
mechanism. The next to the most significant bit of F is set to zero to indicate that all the data being protected by
the mechanism is encrypted.
e) Let X = e (F || S || # (L)).
K 8w
f) If len(A) > 0, then perform the following six steps:
1) If 0 < len(A) < 65280 then let B = # (len(A)/8) || A;
32 15
2) If 65280  len(A) < 2 then let B = 1 || 0 || # (len(A)/8) || A;
32 64 16
3) If 2  len(A) < 2 then let B = 1 || # (len(A)/8) || A;
4) Partition B into a sequence of blocks: B , B , …, B , as follows: let B contain the first n bits of B,
1 2 v 1
B the next n bits, and so on, until B contains the final k bits, where 0 < k  n; thus, len(B) = (v-1)n+k;
2 v
n-k
5) Right pad B with n-k zeros, i.e. let B = B || 0 ;
v v v
6) For i = 1, 2, …, v:
let X = e ( X  B ).
K i
g) For i = 1, 2, …, m:
let X = e ( X  D ).
K i
h) Let T = X| .
t
NOTE The plaintext tag T is equal to a MAC computed on the data string B , B , ., B , D , D , …, D using a
1 2 v 1 2 m
slight modification of MAC algorithm 1 specified in ISO/IEC 9797-1.
5 8w
i) Let the flag octet F = ( 0 || # (w-1) ), and let Y = ( F || S || 0 ).
NOTE The two most significant (left-most) bits of F are 'reserved' bits, i.e. they are set to zero for the version
of the mechanism specified here, but may be used in the future in other (as yet unspecified) versions of the
mechanism. The next three most significant bits of F are set to zero to ensure that this octet is distinct from the
flag octet used in step c above.
j) Let U = T  [e (Y)]| .
K t
k) For i = 1, 2, …, m-1, perform the following two steps:
1) Let Y = ( F || S || # (i) );
8w
2) Let C = D  e (Y).
i i K
l) Let Y = ( F || S || # (m) ), and let C = [D  e (Y) ]| .
8w m m K 8r
© ISO/IEC 2009 – All rights reserved 11

The output of the above process, i.e. the authenticated-encrypted version of D, shall be the bit-string:
C = C || C || … || C || C || U
1 2 m-1 m
i.e. a string of 8L+t bits, that is C contains precisely t bits more than the original data string D (although it is
also necessary to convey the (120-8w)-bit Starting Variable S and the variable length additional authenticated
data A to the recipient).
8.5 Decryption procedure
The recipient shall perform the following steps to decrypt and verify an authenticated-encrypted string C.
a) If C does not contain a whole number of octets, then halt and output INVALID.
b) If the length of C is less than (t+8) bits, then halt and output INVALID.
c) Let m and r be the unique integers such that C contains a total of 128(m-1) + 8r + t bits, where 0 < r  16.
Partition C into a sequence of blocks: C , C , …C , U as follows. Let C contain the first 128 bits of C, C
1 2 m 1 2
the next 128 bits of C, and so on, until C contains the next 8r bits of C. Finally, let U be the final t bits of
m
C.
5 8w
d) Let the flag octet F = ( 0 || # (w-1) ), and let Y = ( F || S || 0 ).
e) Let T = U  [e (Y)]| .
K t
f) For i = 1, 2, …, m-1, perform the following two steps:
1) Let Y = ( F || S || # (i) );
8w
2) Let D = C  e (Y).
i i K
g) Let Y = ( F || S || # (m) ), and let D = C  [e (Y)]| .
8w m m K 8r
h) Let D = D || D || … || D , and let L = 16m – 16 + r.
1 2 m
128-8r
i) Right pad D with 128-8r zeros, i.e. let D = D || 0 .
m m m
j) If len(A) = 0 then let the flag octet F = 0 || # ((t-16)/16) || # (w-1).
3 3
k) If len(A) > 0 then let the flag octet F = 0 || 1 || # ((t-16)/16) || # (w-1).
3 3
l) Let X = e (F || S || # (L)).
K 8w
m) If len(A) > 0, then perform the following six steps:
1) If 0 < len(A) < 65280 then let B = # (len(A)/8) || A;
32 15
2) If 65280  len(A) < 2 then let B = 1 || 0 || # (len(A)/8) || A;
32 64 16
3) If 2  len(A) < 2 then let B = 1 || # (len(A)/8) || A;
4) Partition B into a sequence of blocks: B , B , …, B , as follows: let B contain the first n bits of B,
1 2 v 1
B the next n bits, and so on, until B contains the final k bits, where 0 < k  n; thus, len(B) = (v-1)n+k;
2 v
n-k
5) Right pad B with n-k zeros, i.e. let B = B || 0 ;
v v v
6) For i = 1, 2, …, v:
12 © ISO/IEC 2009 – All rights reserved

let X = e ( X  B ).
K i
n) For i = 1, 2, …, m:
let X = e ( X  D ).
K i
o) Let T = X| .
t
p) If T = T, then output D as computed in step h) and A. Otherwise output INVALID.
9 Authenticated encryption mechanism 4 (EAX)
9.1 Introduction
In this clause an authenticated encryption mechanism commonly known as EAX is defined.
NOTE EAX is due to Bellare, Rogaway and Wagner [2]. The letters EAX do not appear to stand for anything in
particular.
9.2 Specific notation
For the purposes of the specification of this mechanism, the following symbols and notation apply:
C , C , …, C Sequence of blocks of bits (each of n bits, with the possible exception of C ) obtained as
1 2 m m
part of the output of the authenticated encryption process.
D , D , …, D Sequence of blocks of bits (each of n bits, with the possible exception of D ) obtained by
1 2 m m
partitioning D.
E , E , E n-bit blocks computed during the encryption and decryption processes.
0 1 2
M  Function used in the encryption and decryption processes.
S  Starting Variable (n bits).
T  Tag (t bits), adjoined to an encrypted message to provide integrity protection.
T Recomputed tag value, generated during the decryption process.
W  n-bit block computed during the encryption and decryption processes.
9.3 Specific requirements
In advance of any use of the mechanism, the originator and recipient of the data to which the authenticated
encryption mechanism is to be applied, must agree on:
a) t, the length of the
...