In September 2017, this (legacy) site will be replaced with the new site you can see at beta.csrc.nist.rip. At that time, links to this legacy site will be automatically redirected to apporpriate links on the new site.

Modes Development

Proposed Modes

This page contains links to the proposols for block cipher modes of operation (modes, for short) that have been submitted to NIST for consideration.

NIST maintains this page in order to facilitate public review of the modes; comments may be submitted to EncryptionModes@nist.gov.

Appearance of a mode in this list does not constitute endorsement or approval by NIST. See the Current Modes page for descriptions of the modes that are currently approved.

For each proposal below, links are given to the available documentation, as described in the following list of abbreviations:

Abbreviations for "Available Documentation"

SP - Mode Specification
AD - Additional Documentation
IP - Intellectual Property Statments

CD - Code (link to other site)
TV - Test Vectors
SU - Summary Table or Outline

(The links within the key table itself refer to the corresponding section of the submission guidelines)

All documentation is provided on a voluntary basis by the submitters. In particular, if there is no active link to an intellectual property statement, then the submitter has not provided one to NIST.

The modes proposals are organized into the four tables below:

Authenticated encryption modes
Authentication modes
Encryption modes
Other modes

Authenticated Encryption Modes

Mode	Full Mode Name	Available Documentation
CCM	Counter with CBC-MAC R. Housley, D. Whiting, N. Ferguson (Posted June 3, 2002)	SP \| AD1 \| AD2 IP \| TV \| SU
CS	Cipher-State R. Schroeppel (Posted May 7, 2004)	SP \| AD \| IP TV \| SU
CWC	Carter Wegman (authentication) with Counter (encryption) T. Kohno, J. Viega, D. Whiting (Posted June 9, 2003)	SP \| AD \| IP TV \| SU
EAX	A Conventional Authenticated-Encryption Mode M. Bellare, P. Rogaway, D. Wagner (Posted October 3, 2003)	SP \| AD \| IP TV \| SU
EAX'	EAX' (EAX-prime) Cipher Mode M. Burns, E. Beroset, A. Moise, T. Phinney	SP \| AD \| IP TV \| SU
GCM	Galois/Counter Mode D. McGrew, J. Viega (Revised specifcation posted June 2, 2005)	SP \| AD1 \| AD2 IP \| TV \| SU
IACBC	Integrity Aware Cipher Block Chaining C. Jutla	SP \| AD \| IP TV \| SU
IAPM	Integrity Aware Parallelizable Mode C. Jutla	SP \| AD1 \| AD2 AD3 \| IP \| TV \| SU
IOC	Input and Output Chaining F. Recacha (Posted January 16, 2014)	SP \| AD \| IP CD \| TV \| SU
OCB	Offset Codebook P. Rogaway	SP \| AD \| IP CD \| TV \| SU
PCFB	Propagating Cipher Feedback H. Hellström	SP \| AD \| IP TV \| SU
RKC	Random Key Chaining (RKC) P. Kaushal, R. Sobti, G. Geetha	SP \| AD \| IP TV \| SU
SIV	Synthetic IV P. Rogaway, T. Shrimpton (Posted September 11, 2007)	SP \| AD \| IP TV1 \| TV2 \| SU
XCBC	eXtended Cipher Block Chaining Encryption V. Gligor, P. Donescu	SP \| AD \| IP TV \| SU

Authentication Modes

Mode	Full Mode Name	Available Documentation
OMAC	OMAC: One-Key CBC T. Iwata, K. Kurosawa (Posted December 20, 2002)	SP \| AD \| IP TV \| SU
PMAC	Parallelizable Message Authentication Code P. Rogaway	SP \| AD \| IP CD \| TV \| SU
RMAC	Randomized MAC E. Jaulmes, A. Joux, F. Valette	SP \| AD \| IP TV \| SU
TMAC	Two-Key CBC MAC K. Kurosawa, T. Iwata (Posted July 9, 2002)	SP \| AD \| IP TV \| SU
XCBC (MAC)	Extended Cipher Block Chaining MAC J. Black, P. Rogaway	SP \| AD \| IP TV \| SU
XECB (MAC)	eXtended Electronic Code Book MAC V. Gligor, P. Donescu	SP \| AD \| IP TV \| SU

Encryption Modes

Mode	Full Mode Name	Available Documentation
2DEM	2D-Encryption Mode A. A. Belal, M. A. Abdel-Gawad	SP \| AD \| IP CD \| TV \| SU
ABC	Accumulated Block Chaining L. Knudsen	SP \| AD \| IP TV \| SU
BPS	Format Preserving Encryption Proposal E. Brier, T. Peyrin, J. Stern	SP \| AD \| IP TV \| SU
CSPEM	Character Set Preserving Encryption Mode Gary S. Sarasin	SP \| AD \| IP TV \| SU
CTR	Counter Mode Encryption H. Lipmaa, P. Rogaway, D. Wagner	SP \| AD \| IP TV \| SU
DFF	Delegatable Feistel-based Format-preserving Encryption Mode J. Vance, M. Bellare (Posted on Nov. 9, 2015 as replacement for VAES3 proposal)	SP \| AD \| IP1 IP2 \| TV \| SU
FCEM	Format Controlling Encryption Mode U. Mattsson (Posted Jun 30, 2009)	SP \| AD \| IP TV \| SU
FFX	Format-preserving Feistel-based Encryption Mode M. Bellare, P. Rogaway, T. Spies (April 12, 2010: Version 1.1 replacing Version 1.0)	SP \| SP2 \| AD IP \| TV \| SU
IGE	Infinite Garble Extension V. Gligor, P. Donescu	SP \| AD \| IP TV \| SU
RAC	Random Access Counter J. Anderson (Posted May 15, 2015)	SP \| AD \| IP CD \| TV \| SU
VFPE	VISA Format Preserving Encryption VISA USA Inc., Attention John Sheets or Kim R. Wagner	SP \| AD \| IP TV \| SU
XBC	Cross Block Chaining (XBC) Andre Watson (Posted Oct 16, 2014) (Added link to code Jan 18, 2017)	SP \| AD \| IP CD \| TV \| SU

Other Modes

Mode	Full Mode Name	Available Documentation
*AES- hash (Hash)	AES-hash B. Cohen	SP \| AD \| IP TV \| SU
KFB	Key Feedback Mode J. Håstad, M. Naslund	SP \| AD \| IP TV \| SU

* AES-hash as defined in the submission will not be adopted in the current development effort because it requires the Rijndael algorithm with a block size of 256 bits, not 128 bits (as specified in the AES). Rijndael has not been vetted with a block size other than 128 bits. Nevertheless, NIST will consider comments on this proposal and on the issues it raises: whether to develop a hash mode, and whether and how to develop/vet additional variants of the AES.

NIST, Computer Security Resource Center