Date Published: June 6, 2025
Comments Due:
Email Comments to:
Author(s)
National Institute of Standards and Technology
Announcement
Summary
A cryptographic accordion is a tweakable block cipher mode that is itself a cipher on variable-length input. NIST proposes to develop three general-purpose accordions:
- Acc128 to support typical usage (birthday bounds) with the Advanced Encryption Standard (AES)
- Acc256 to support typical usage with a 256-bit block cipher (possibly Rijndael-256)
- BBBAcc to support extended usage (beyond-birthday-bound) with AES
In particular, NIST proposes to develop variants of the HCTR2 technique for these accordions.
Public comments are requested at the end of this announcement.
Background
NIST standardized a series of block cipher modes of operation (“modes”) in the SP 800-38 series, and NIST Internal Report 8459 documents the limitations of this portfolio of modes. NIST hosted the Third Workshop on Block Cipher Modes of Operation 2023 to publicly discuss potential improvements and the NIST Workshop on the Requirements for an Accordion Cipher Mode 2024 to build consensus for the development of one or more cryptographic accordions.
A cryptographic accordion is a tweakable, variable-input-length strong pseudorandom permutation (VIL-SPRP) constructed from an underlying block cipher. Thus, an accordion serves simultaneously as 1) a mode of the underlying block cipher and 2) a tweakable block cipher on a range of input lengths.
A derived function is an input encoding that enables a specific functionality from an accordion, such as authenticated encryption with associated data (AEAD), tweakable encryption (e.g., for storage applications), or deterministic authenticated encryption (e.g., for key wrapping). The derived functions of efficient accordions can support enhanced security over currently approved modes.
Based on feedback from the public workshops, NIST proposed technical requirements for approved accordions and derived functions in NIST Interagency Report 8552, including a formal security goal based on the strength of the underlying block cipher, support for variable-length tweaks, and support for key commitment. The publication also suggested the development of three accordions:
- Acc128 would support an underlying block cipher with 128-bit blocks (i.e., AES). Due to the birthday bound, NIST expects to limit the total data processed under a single key to 248 bits.
- Acc256 would support very high usage bounds for an underlying block cipher with 256-bit blocks.
- BBBAcc would support extended usage beyond the birthday bound with AES. NIST expects the analogous limit on the total data processed under a single key to be at least 264 bits.
NIST is simultaneously considering the approval of Rijndael-256 — a variant of AES with 256-bit blocks (see the December 2024 announcement) — to serve as the underlying block cipher for Acc256 and other cryptographic techniques.
Proposal of HCTR2
The Hash-Encrypt-Hash paradigm is an effective approach for designing efficient accordions. Several existing designs in this paradigm offer similar performance characteristics. Among those, NIST proposes the HCTR2 technique as the basis for approved accordions because it is mature and widely deployed. It can be developed and standardized relatively quickly as Acc128, possibly with modifications. An analogous design for Acc256 could also be developed quickly, although conformance would depend on the approval of an underlying block cipher with 256-bit blocks.
Submit Comments
NIST requests public comments on this proposal by August 6, 2025, especially regarding any alternative, well-established design that is preferable to HCTR2. Comments may be submitted to [email protected] with the subject line “Comments on Accordion Development.” Comments received in response to this request will be posted in the Supplemental Material section of this page, after the comment period closes. Submitters’ names and affiliations (when provided) will be included, though contact information will be removed.
Control Families
Identification and Authentication; System and Communications Protection
