Submissions should specify a mode of operation for a symmetric (secret) key block cipher algorithm. At a minimum, the mode should support underlying block ciphers with key-block combinations of 128-128, 192-128, and 256-128 bits. However, the specification should be generic – i.e., written to handle other key-block combinations, if they can be supported. Example modes include, but are not limited to, techniques for performing encryption, message authentication, hashing, and random bit generation. It will be helpful to receive variations of Counter mode arising from alternative methods/guidelines for prescribing the generation of counters.

NIST requests that submissions of modes of operation include the following six items:

The cover sheet shall contain the following information:

- name of submitted mode of operation;
- principal submitter’s name, telephone, fax, organization, postal address, e-mail address;
- name(s) of auxiliary submitter(s);
- name of mode’s inventor(s)/developer(s);
- name of owner, if any, of the mode (typically, the owner will be the same as the submitter).

A complete written specification of the mode of operation should be provided, including all mathematical equations, tables, diagrams, and parameters that are needed to implement the mode. NIST encourages submitters to elaborate on the intended use(s) of the mode, the design rationale, the relevant properties, proofs (if any), the comparison with other modes, and the mode’s overall advantages/disadvantages.

To assist NIST and the public to draw comparisons and contrasts between the various candidate modes, the submissions should include a table or outline that identifies the following characteristics:

- Security Function (encryption, authentication, authenticated encryption, hashing, pseudorandom bit generation, etc.)
- Error Propagation (e.g., none, m bits, n blocks, infinite)
- Synchronization
- Parallelizability (e.g., sequential, interleaved, fully parallelizable)
- Keying Material Requirements (e.g., 1 key, 2 keys)
- Counter/IV/Nonce Requirements
- Memory Requirements
- Pre-processing Capability
- Message Length Requirements (e.g., arbitrary length, padding necessary)
- Ciphertext Expansion (e.g., none, m bits, n blocks)
- Other Characteristics

Test vectors should be included in submissions to provide outside implementers with some indication that their implementations of the mode are valid; however, the test vectors need not systematically exercise every element of the mode. The test vectors should meet the following requirements:

- At a minimum, test vectors should be given for implementations in which the underlying block cipher is the AES algorithm, for 128, 192, and 256 bit keys. A specification of AES is available.
- All input values that are necessary to implement the mode, such as plaintext, keys, initialization vectors, random values, or counters, should be specified.
- Each test should be submitted electronically in a separate file; the files may be compressed using PKZIP or GNUZIP to conserve disk space.
- Each test file should be clearly labeled with header information that lists the algorithm name and a description of the test, including the sizes of keys and messages.
- Within each test file, each input and output value should be clearly labeled.

Where possible, performance should be estimated in terms of the number of invocations of the underlying block cipher.Â If the estimate depends on the underlying block cipher, then, at a minimum, estimates should be provided for the AES algorithm.

If actual performance data is given, the conditions of the implementation should be described in sufficient detail so that the estimates could be verified by the public.

**Security and Privacy:**
encryption, message authentication

Created January 04, 2017, Updated June 22, 2020