Basic comparison of Modes for Authenticated - Encryption ( IAPM , XCBC , OCB , CCM , EAX , CWC , GCM , PCFB , CS )

An authentication-encryption (AE) scheme is an encryption scheme with a pre-shared key providing both data privacy and authenticity. Basic AE scheme can be constructed by a naive (serial) combination of some existing encryption mode together with a message authentication code (MAC). The computation cost of such approach equals to cost of the encryption plus the cost of the MAC. There are several reasons why to design a dedicated mode. An improper combination of encryption and authentication mode can make whole scheme insecure. A random nonce (initialization vector) is often required, what is hard to achieve. Random and secret value of the nonce serves as “native” integrity protection of the nonce value and thus preventing predictable changes to a plaintext by attacker. A data encryption modes or MAC calculations are often not parallelizable and thus unsuitable for a high-speed environments.