Modes
Here is an initial analysis of modes we can consider as a parameter for the algorithms on the list:
1. Confidentiality-only modes
Used to encrypt data, without built-in integrity or authentication.
| Mode | Full Name | Notes |
|---|---|---|
| ECB | Electronic Codebook | Simplest mode; not semantically secure; rarely recommended. |
| CBC | Cipher Block Chaining | Common; requires IV; vulnerable to padding oracle unless combined with authentication. |
| PCBC | Propagating Cipher Block Chaining | Variant of CBC; propagates single-bit errors; used in older Kerberos versions. |
| CFB | Cipher Feedback | Stream-like mode; allows partial block processing. |
| OFB | Output Feedback | Converts block cipher to synchronous stream cipher. |
| CTR | Counter | Widely used; parallelizable; foundation for many AEAD modes. |
| XTS | XEX-based Tweaked CodeBook mode with ciphertext Stealing | Disk encryption (IEEE 1619). |
2. Authenticated Encryption (AEAD) modes
Provide both confidentiality and integrity/authentication.
| Mode | Full Name | Notes |
|---|---|---|
| CCM | Counter with CBC-MAC | NIST SP 800-38C; used in IEEE 802.11i (Wi-Fi). |
| GCM | Galois/Counter Mode | NIST SP 800-38D; very common (TLS, IPsec). |
| EAX | Encrypt-then-Authenticate-then-Translate | Combines CTR + OMAC; not in NIST SP 800-38 series but widely supported (OpenPGP, PyCrypto). |
| CWC | Carter–Wegman + CTR | Predecessor of GCM; same AEAD purpose. |
| OCB | Offset Codebook | Efficient AEAD mode (RFC 7253). |
| SIV | Synthetic IV | Nonce-misuse-resistant AEAD (RFC 5297). |
| GCM-SIV | Galois/Counter Mode – SIV variant | RFC 8452; nonce-misuse-resistant alternative to GCM. |
| IAPM | Integrity-Aware Parallelizable Mode | Academic AEAD predecessor of OCB. |
3. Key Wrapping modes
Designed to encrypt cryptographic keys securely, not arbitrary data.
| Mode | Full Name | Notes |
|---|---|---|
| KW | Key Wrap | NIST SP 800-38F; AES-KW (RFC 3394). |
| KWP | Key Wrap with Padding | NIST SP 800-38F; AES-KWP (RFC 5649). |
| TKW | Tweakable Key Wrap | NIST proposal; variation of KW that adds a tweak for domain separation. |
4. Format-Preserving Encryption (FPE) modes
Allow ciphertext to retain the same format as plaintext (e.g., same length, character set).
| Mode | Full Name | Notes |
|---|---|---|
| FF1 | Format-Preserving Encryption mode 1 | NIST SP 800-38G. |
| FF3 | Format-Preserving Encryption mode 3 | NIST SP 800-38G. |
| FF3-1 | Format-Preserving Encryption mode 3 | NIST SP 800-38G Rev 1 (revised due to security issue). |
5. Other / Hybrid / Special-purpose modes
| Mode | Full Name | Notes |
|---|---|---|
| CMAC | Cipher-based Message Authentication Code | Authentication only, but often mentioned alongside block cipher modes. |
6. Tweakable/Wide-Block Modes (Specialized)
These modes are typically used for disk or storage encryption, where parallelization, random access, and resistance to block reordering are key.
| Mode | Full Name | Notes |
|---|---|---|
| XTS | XEX-based Tweakable Block Cipher with Ciphertext Stealing | Standard mode for disk encryption (e.g., IEEE 1619 standard). |
| LRW | Liskov, Rivest, Wagner | Historical tweakable narrow-block mode. |
| XEX | Xor-Encrypt-Xor | Building block mode used by XTS and others. |
| EME | ECB-Mask-ECB | Another tweakable encryption mode for disk encryption. Wide-block encryption mode. |
| EME2 / EME* / HCTR | | Variants used in disk encryption or AEAD research. |
| CMC | CBC-MAC and Ciphertext Stealing | Wide-block encryption mode. |
7. Suggestions
Additional modes to consider:
- CTS (Ciphertext Stealing): Handles variable-length data without padding; not NIST-approved but available in libraries.
- HCTR / HCTR2 (Hash-Counter): Used in some cryptographic libraries; parallelizable AEAD variants.
- HAE (HCTR2, HCH, HMC): Variants of AEAD built from hash-and-counter constructions.
- PMA (Parallelizable MAC): Authentication-only variant.
Additional considerations
- Focus on NIST-standardized modes first. They are most common.
- Consider adding AEAD modes separately. They combine encryption and authentication.
- Some modes are deprecated (like ECB). You might want to mark them.
- Stream cipher modes work differently than block cipher modes.
8. References for SPDX Documentation
You can cite the following as authoritative sources for your definitions:
- NIST SP 800-38A: Recommendation for Block Cipher Modes of Operation (ECB, CBC, CFB, OFB, CTR)
- NIST SP 800-38C–38G: CCM, GCM, KW, KWP, FF1, FF3
- RFC 5297, RFC 5649, RFC 8452, RFC 7253 — for SIV, KWP, GCM-SIV, OCB
- IEEE 1619 — for XTS
- Wikipedia: “Block cipher mode of operation” (excellent overview with tables)