Next: Working with cipher handles, Previous: Available ciphers, Up: Symmetric cryptography [Contents][Index]
GCRY_CIPHER_MODE_NONE
No mode specified. This should not be used. The only exception is that if Libgcrypt is not used in FIPS mode and if any debug flag has been set, this mode may be used to bypass the actual encryption.
GCRY_CIPHER_MODE_ECB
¶Electronic Codebook mode.
GCRY_CIPHER_MODE_CFB
GCRY_CIPHER_MODE_CFB8
¶Cipher Feedback mode. For GCRY_CIPHER_MODE_CFB
the shift size equals
the block size of the cipher (e.g. for AES it is CFB-128). For
GCRY_CIPHER_MODE_CFB8
the shift size is 8 bits but that variant is not
yet available.
GCRY_CIPHER_MODE_CBC
¶Cipher Block Chaining mode.
GCRY_CIPHER_MODE_STREAM
Stream mode, only to be used with stream cipher algorithms.
GCRY_CIPHER_MODE_OFB
¶Output Feedback mode.
GCRY_CIPHER_MODE_CTR
¶Counter mode.
GCRY_CIPHER_MODE_AESWRAP
¶This mode is used to implement the AES-Wrap algorithm according to
RFC-3394. It may be used with any 128 bit block length algorithm,
however the specs require one of the 3 AES algorithms. These special
conditions apply: If gcry_cipher_setiv
has not been used, the
standard IV is used; if it has been used, the lower 64 bits of the IV
are used as the Alternative Initial Value. On encryption the provided
output buffer must be 64 bits (8 bytes) larger than the input buffer;
in-place encryption is still allowed. On decryption the output buffer
may be specified 64 bits (8 bytes) shorter than then input buffer. As
per specs the input length must be at least 128 bits and the length
must be a multiple of 64 bits.
GCRY_CIPHER_MODE_CCM
¶Counter with CBC-MAC mode is an Authenticated Encryption with Associated Data (AEAD) block cipher mode, which is specified in ’NIST Special Publication 800-38C’ and RFC 3610.
GCRY_CIPHER_MODE_GCM
¶Galois/Counter Mode (GCM) is an Authenticated Encryption with Associated Data (AEAD) block cipher mode, which is specified in ’NIST Special Publication 800-38D’.
GCRY_CIPHER_MODE_POLY1305
¶This mode implements the Poly1305 Authenticated Encryption with Associated Data (AEAD) mode according to RFC-8439. This mode can be used with ChaCha20 stream cipher.
GCRY_CIPHER_MODE_OCB
¶OCB is an Authenticated Encryption with Associated Data (AEAD) block
cipher mode, which is specified in RFC-7253. Supported tag lengths
are 128, 96, and 64 bits with the default being 128 bits. To switch to
a different tag length, gcry_cipher_ctl
using the command
GCRYCTL_SET_TAGLEN
and the address of an int
variable
set to 12 (for 96 bits) or 8 (for 64 bits) provided for the
buffer
argument and sizeof(int)
for buflen
.
Note that the use of gcry_cipher_final
is required.
GCRY_CIPHER_MODE_XTS
¶XEX-based tweaked-codebook mode with ciphertext stealing (XTS) mode is used to implement the AES-XTS as specified in IEEE 1619 Standard Architecture for Encrypted Shared Storage Media and NIST SP800-38E.
The XTS mode requires doubling key-length, for example, using 512-bit
key with AES-256 (GCRY_CIPHER_AES256
). The 128-bit tweak value
is feed to XTS mode as little-endian byte array using
gcry_cipher_setiv
function. When encrypting or decrypting,
full-sized data unit buffers needs to be passed to
gcry_cipher_encrypt
or gcry_cipher_decrypt
. The tweak
value is automatically incremented after each call of
gcry_cipher_encrypt
and gcry_cipher_decrypt
.
Auto-increment allows avoiding need of setting IV between processing
of sequential data units.
GCRY_CIPHER_MODE_EAX
¶EAX is an Authenticated Encryption with Associated Data (AEAD) block cipher mode by Bellare, Rogaway, and Wagner (see http://web.cs.ucdavis.edu/~rogaway/papers/eax.html).
GCRY_CIPHER_MODE_SIV
¶Synthetic Initialization Vector (SIV) is an Authenticated Encryption with Associated Data (AEAD) block cipher mode, which is specified in RFC-5297. This mode works with block ciphers with block size of 128 bits and uses tag length of 128 bits. Depending on how it is used, SIV achieves either the goal of deterministic authenticated encryption or the goal of nonce-based, misuse-resistant authenticated encryption.
The SIV mode requires doubling key-length, for example, using 512-bit
key with AES-256 (GCRY_CIPHER_AES256
). Multiple AD instances can
be passed to SIV mode with separate calls to
gcry_cipher_authenticate
. Nonce may be passed either through
gcry_cipher_setiv
or in the last call to
gcry_cipher_authenticate
. Note that use of gcry_cipher_setiv
blocks any further calls to gcry_cipher_authenticate
as nonce needs
to be the last AD element with the SIV mode. When encrypting or decrypting,
full-sized plaintext or ciphertext needs to be passed to
gcry_cipher_encrypt
or gcry_cipher_decrypt
. Decryption tag
needs to be given to SIV mode before decryption using
gcry_cipher_set_decryption_tag
.
GCRY_CIPHER_MODE_GCM_SIV
¶This mode implements is GCM-SIV Authenticated Encryption with Associated Data (AEAD) block cipher mode specified in RFC-5297 (AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption). This implementations works with block ciphers with block size of 128 bits and uses tag length of 128 bits. Supported key lengths by the mode are 128 bits and 256 bits. GCM-SIV is specified as nonce misuse resistant, so that it does not fail catastrophically if a nonce is repeated.
When encrypting or decrypting, full-sized plaintext or ciphertext
needs to be passed to gcry_cipher_encrypt
or
gcry_cipher_decrypt
. Decryption tag needs to be given to
GCM-SIV mode before decryption using gcry_cipher_set_decryption_tag
.
Next: Working with cipher handles, Previous: Available ciphers, Up: Symmetric cryptography [Contents][Index]