EAX' Cipher Mode (May 2011)

Authors: Avygdor Moise, Edward Beroset, Tom Phinney, Martin Burns, Members, ANSI C12 SC17 Committee

Abstract— We propose a block-cipher mode of operation that optimizes protection in small embedded automation devices that have both extremely large and extremely small messages, in which the canonical form of message addressing information, needed in forming nonces, has almost unbounded length.

I. INTRODUCTION

The ANSI C12.22 Protocol Specification for Interfacing to Data Communication Networks [1] utilizes the EAX' (EAX-prime) Cipher Mode. The motivation for this work was the somewhat unique requirements of supervisory control and data acquisition (SCADA) messaging associated with Automated Meter Reading (AMR) that operate in the context of an Advanced Metering Infrastructure (AMI), the principal use of this standard. However, these unique requirements may be applicable to many small embedded devices communicating in SCADA environments.

The developers of the standard were aware of several challenges for the protection of very large and very small repetitive messages that conform to the ANSI C12.22 standard, due largely to the almost unbounded length of the message addressing information specified by the associated protocol, which must be used in nonce formation when applying this proposed mode to that messaging. This paper introduces this Cipher Mode and its capabilities and advantages.

CCM is a NIST-standardized Authenticated Encryption with Associated Data (AEAD) cryptographic mode developed for IEEE 802.11, now also used by IEEE 802.15.4 [7]. This mode has been suggested for similar applications to ANSI C12.22. However, several obstacles to the use of this mode have been identified with respect to messaging specific to ANSI C12.22. These shortcomings have been addressed in part by the EAX mode description [3], and further by the present EAX' mode. Additionally, CCM is constrained by its definition to applicability only with the AES-128 block cipher, a constraint relaxed in EAX and EAX'.

GCM is a second NIST-standardized parallelizable Authenticated Encryption with Associated Data (AEAD) cryptographic mode developed for applications requiring high-speed cryptography [8]. This mode also has been suggested for similar applications to ANSI C12.22. However, significant obstacles to the use of this mode also have been identified with respect to messaging specific to C12.22. These shortcomings have been addressed in part by the EAX mode description [3], and further by the present EAX' mode.

This paper introduces these issues, their resolutions, and the description of EAX'. The description of EAX' was extracted from ANSI C12.22 [1].

Note that EAX' is described herein with references to using AES-128 as the block cipher. However, the EAX' mode could be utilized with other underlying block ciphers. The term EAX' implies that it is a derivative of EAX, utilizing the common mathematical notion of the suffix "'".

II. EAX' PROPERTIES RELATIVE TO CCM PROPERTIES

The NIST version of CCM has four functional restrictions (which EAX lacks) and one common implementation restriction that make it less appropriate for use in ANSI C12.22:

Nonce length: CCM has a fixed maximum nonce input size of 13 bytes. The ANSI C12.22 Message format requires use of ApTitles [9] [10] and other information that may exceed 50 bytes, all of which must be included in the nonce in a manner unpredictable to an attacker. EAX directly processes nonces of arbitrary and variable size.

Nonce unpredictability: CCM generates nonces that are predictable to an attacker, making it trivial for an attacker to determine that two distinct messages under the same key are using the same nonce value. This makes it imperative that the nonce construction never duplicate a nonce value, even after the compression step that would be required to reduce the large ANSI C12.22 nonce inputs to the required CCM 13-byte nonce. EAX computes a nonce value that is unpredictable to an attacker, in a range of 2^{128} nonce values, so no special protection need be taken against duplicate nonce values (provided that the inputs to the nonce computation do not duplicate).

"Online" capability: CCM requires that the entire message be available before authentication and plaintext encryption can begin, requiring that an entire message be buffered before CCM can be applied. ANSI C12.22 can have message sizes of many thousand bytes, with maximum sizes exceeding 60,000 bytes. Together these features make it difficult to use add-on hardware or software for existing ANSI C12.22 implementations, to minimize time to initial deployment of the new standard. EAX has "online" capability, which makes it suitable for use in add-on hardware or software serial link encryptors.

Authenticate-before-decrypt: CCM requires that the entire received message be decrypted before it can be authenticated. Thus the extra processing required to decrypt Ciphertext must be applied whether the received message authenticates or not. EAX authenticates the Ciphertext rather than the plaintext, so this extra processing is required only for messages that have been authenticated. This reduces the ability of an attacker to mount a DoS (denial of service) attack on the receiving device, causing it to consume significant resources before determining that the received message is invalid.

Hardware non-support of canonicalized messages: Some modem chips, such as many of those for IEEE 802.15.4, provide hardware support for CCM-mode transmission and reception when the message to be CCM-authenticated consists exactly of the message Cleartext and plaintext, in that order, that is to be sent or that was received. However, ANSI C12.22 requires that the authenticated message use canonical forms of ApTitles, and exclude the <calling-AP-title-element> (the ApTitle of the message originator) when it was added by a proxy C12.22 Relay. The resultant software-based sequencing of invocations of the underlying hardware block cipher (e.g. AES-128) implementation is equivalent to that required for EAX.

III. JUSTIFICATIONS FOR THE EAX' OPTIMIZATIONS

This section provides justifications for the simplifications of EAX' over the basic EAX mode specified by [3]. These simplifications are motivated by a desire to reduce the number of AES block encryptions required by EAX, and to reduce the amount of per-key-related storage needed by a time-optimized implementation, without significantly weakening the cryptographic strength and resistance to attack that EAX offers.

The EAX' optimizations reduce the required per-key storage for a time-optimized implementation from that of unmodified EAX, K+4B+2T bytes per key (88 bytes when AES-128 is the block cipher), to K+2B bytes per key (48 bytes when AES-128 is the block cipher), where K is the key size of the underlying block cipher, B is the block size of that block cipher, and T is the desired authentication tag size, all in bytes. For space-optimized implementations, where only K bytes of storage per key are required, these optimizations eliminate either three extra invocations of AES per message when <epsem-data> secrecy is used [1], or five extra invocations when it is not used.

BACKGROUND: Block ciphers such as AES-128 are keyed pseudo-random permutations (PRPs), which map a block-size input (e.g., 16 bytes = 128 bits) to a block-size output. The strength and ability to resist cryptanalysis of composite cryptographic modes which use this block cipher are directly related to the strength and ability to resist cryptanalysis of the underlying PRP. Analysis of a new mode must examine its impact on increasing or decreasing this strength, as well as any avenues of cryptanalytic attack that

1. ISSUE: Reduction of EAX' to two input strings – Non-inclusion of CMAC_k(0^{n-1}1 || pad(nullString)) when the EAX input H is null.

JUSTIFICATION: CMAC_k(0^{n-1}1 || pad(nullString)) is precisely CBC_k(0^{127}1 || (10^{127} XOR dbl(dbl(ECB_k(0))))), which is a key-dependent constant. A predictable-to-an-attacker XOR of a key-dependent constant that is the output of a keyed PRP, into a key-dependent variable that is itself a combination of keyed PRP outputs, does not strengthen the cryptanalytic resistance of the computation, because the dimensionality of the resultant composite PRP is identical to that without the inclusion. Therefore its exclusion does not weaken the cryptanalytic resistance of the computation.

2. ISSUE: Exclusion of the ciphertext tag input from a null plaintext string – Conditional non-inclusion of CMAC_k(0^{n-2}10 || CTR_k(N, nullString)) when the EAX input M is null.

JUSTIFICATION: CTR_k(N, nullString) is the null string. Thus CMAC_k(0^{n-2}10 || pad(CTR_k(N, nullString))) is precisely CBC_k(0^{n-2}10 || (10^{n-1} XOR dbl(dbl(ECB_k(0))))), which is a key-dependent constant. A predictable-to-an-attacker conditional XOR of a key-dependent constant that is the output of a keyed PRP, into a key-dependent variable that is itself a combination of keyed PRP outputs, does not strengthen the cryptanalytic resistance of the computation, because the dimensionality of the resultant composite PRP is identical to that without the inclusion. Therefore the conditional exclusion of this XOR does not weaken the cryptanalytic resistance of the computation.

3. ISSUE: Simplified nonce incrementation in CTR-mode processing – Forcing two bits of the initial nonce input to a CTR-mode keyed encryption to zero, to eliminate inter-word carries, reduces the average number of messages that can be encrypted before nonce reuse without reducing the maximum message length that can be protected.

JUSTIFICATION: Rogaway [6] introduced a similar optimization in his SIV combined authentication and encryption mode, which was developed after EAX and which has also been submitted to NIST. The resulting reduction in the average number of messages is at most a factor of four.
