Next: , Previous: , Up: Symmetric cryptography   [Contents][Index]


5.2 Available cipher modes

GCRY_CIPHER_MODE_NONE

No mode specified. This should not be used. The only exception is that if Libgcrypt is not used in FIPS mode and if any debug flag has been set, this mode may be used to bypass the actual encryption.

GCRY_CIPHER_MODE_ECB

Electronic Codebook mode.

GCRY_CIPHER_MODE_CFB
GCRY_CIPHER_MODE_CFB8

Cipher Feedback mode. For GCRY_CIPHER_MODE_CFB the shift size equals the block size of the cipher (e.g. for AES it is CFB-128). For GCRY_CIPHER_MODE_CFB8 the shift size is 8 bits but that variant is not yet available.

GCRY_CIPHER_MODE_CBC

Cipher Block Chaining mode.

GCRY_CIPHER_MODE_STREAM

Stream mode, only to be used with stream cipher algorithms.

GCRY_CIPHER_MODE_OFB

Output Feedback mode.

GCRY_CIPHER_MODE_CTR

Counter mode.

GCRY_CIPHER_MODE_AESWRAP

This mode is used to implement the AES-Wrap algorithm according to RFC-3394. It may be used with any 128 bit block length algorithm, however the specs require one of the 3 AES algorithms. These special conditions apply: If gcry_cipher_setiv has not been used, the standard IV is used; if it has been used, the lower 64 bits of the IV are used as the Alternative Initial Value. On encryption the provided output buffer must be 64 bits (8 bytes) larger than the input buffer; in-place encryption is still allowed. On decryption the output buffer may be specified 64 bits (8 bytes) shorter than then input buffer. As per specs the input length must be at least 128 bits and the length must be a multiple of 64 bits.

GCRY_CIPHER_MODE_CCM

Counter with CBC-MAC mode is an Authenticated Encryption with Associated Data (AEAD) block cipher mode, which is specified in ’NIST Special Publication 800-38C’ and RFC 3610.

GCRY_CIPHER_MODE_GCM

Galois/Counter Mode (GCM) is an Authenticated Encryption with Associated Data (AEAD) block cipher mode, which is specified in ’NIST Special Publication 800-38D’.

GCRY_CIPHER_MODE_POLY1305

This mode implements the Poly1305 Authenticated Encryption with Associated Data (AEAD) mode according to RFC-8439. This mode can be used with ChaCha20 stream cipher.

GCRY_CIPHER_MODE_OCB

OCB is an Authenticated Encryption with Associated Data (AEAD) block cipher mode, which is specified in RFC-7253. Supported tag lengths are 128, 96, and 64 bits with the default being 128 bits. To switch to a different tag length, gcry_cipher_ctl using the command GCRYCTL_SET_TAGLEN and the address of an int variable set to 12 (for 96 bits) or 8 (for 64 bits) provided for the buffer argument and sizeof(int) for buflen.

Note that the use of gcry_cipher_final is required.

GCRY_CIPHER_MODE_XTS

XEX-based tweaked-codebook mode with ciphertext stealing (XTS) mode is used to implement the AES-XTS as specified in IEEE 1619 Standard Architecture for Encrypted Shared Storage Media and NIST SP800-38E.

The XTS mode requires doubling key-length, for example, using 512-bit key with AES-256 (GCRY_CIPHER_AES256). The 128-bit tweak value is feed to XTS mode as little-endian byte array using gcry_cipher_setiv function. When encrypting or decrypting, full-sized data unit buffers needs to be passed to gcry_cipher_encrypt or gcry_cipher_decrypt. The tweak value is automatically incremented after each call of gcry_cipher_encrypt and gcry_cipher_decrypt. Auto-increment allows avoiding need of setting IV between processing of sequential data units.

GCRY_CIPHER_MODE_EAX

EAX is an Authenticated Encryption with Associated Data (AEAD) block cipher mode by Bellare, Rogaway, and Wagner (see http://web.cs.ucdavis.edu/~rogaway/papers/eax.html).

GCRY_CIPHER_MODE_SIV

Synthetic Initialization Vector (SIV) is an Authenticated Encryption with Associated Data (AEAD) block cipher mode, which is specified in RFC-5297. This mode works with block ciphers with block size of 128 bits and uses tag length of 128 bits. Depending on how it is used, SIV achieves either the goal of deterministic authenticated encryption or the goal of nonce-based, misuse-resistant authenticated encryption.

The SIV mode requires doubling key-length, for example, using 512-bit key with AES-256 (GCRY_CIPHER_AES256). Multiple AD instances can be passed to SIV mode with separate calls to gcry_cipher_authenticate. Nonce may be passed either through gcry_cipher_setiv or in the last call to gcry_cipher_authenticate. Note that use of gcry_cipher_setiv blocks any further calls to gcry_cipher_authenticate as nonce needs to be the last AD element with the SIV mode. When encrypting or decrypting, full-sized plaintext or ciphertext needs to be passed to gcry_cipher_encrypt or gcry_cipher_decrypt. Decryption tag needs to be given to SIV mode before decryption using gcry_cipher_set_decryption_tag.

GCRY_CIPHER_MODE_GCM_SIV

This mode implements is GCM-SIV Authenticated Encryption with Associated Data (AEAD) block cipher mode specified in RFC-5297 (AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption). This implementations works with block ciphers with block size of 128 bits and uses tag length of 128 bits. Supported key lengths by the mode are 128 bits and 256 bits. GCM-SIV is specified as nonce misuse resistant, so that it does not fail catastrophically if a nonce is repeated.

When encrypting or decrypting, full-sized plaintext or ciphertext needs to be passed to gcry_cipher_encrypt or gcry_cipher_decrypt. Decryption tag needs to be given to GCM-SIV mode before decryption using gcry_cipher_set_decryption_tag.


Next: , Previous: , Up: Symmetric cryptography   [Contents][Index]