October 3, 2023
John Preuß Mattsson - Ericsson
NIST’s standardized encryption modes have been extremely successful and important for securing data in transit and data at rest. NIST’s current selection is, however, starting to show its age. NIST lacks an approved wide-block tweakable cipher, such as Adiantum, appropriate for length-preserving encryption; AEAD modes hardened against nonce misuse, such as AES-SIV and AES-GCM-SIV; AEAD modes suitable for use with random nonces, such as AEGIS-256; high-performance AEAD modes, such as AEGIS; AEAD modes suitable for long plaintexts, such as AEGIS; an alternative to AES to enable cryptographic agility; and one-pass AEAD modes suitable for short tags, such as AES-GCM-SST. This paper suggests proposals for the upcoming work aiming to modernize the set of NIST standardized encryption modes.