9 Block Cipher Modes of Operation for Authentication and Confidentiality

In the previous chapter, we presented the modes of operation of block ciphers that provide confidentiality guarantees. Another security property of prime importance is integrity. With a confidentiality-only mode, if an adversary alters a message or the content of a storage device, the decryption operation cannot detect the alteration. Therefore, message authentication codes or other techniques are required to preserve data integrity. To provide confidentiality and integrity guarantees based on block ciphers, NIST approved a set of modes of operation for block ciphers, which are discussed in this chapter. They include (see Figure 9.1):

Figure 9.1 Block cipher modes of operation for authentication and confidentiality.

  • Five modes of operation for confidentiality and authenticity guarantees: CCM, GCM, KW, KWP, and TKW.
  • Two modes of operation for authenticity guarantees only: CMAC and GMAC.

All these modes provide capabilities to generate and verify message tags. In addition to approved modes of operation of block ciphers, two other algorithms are useful to authenticate messages:

  • AES-GCM-SIV [1] is an extension of GCM, which is resistant to IV misuse.
  • ChaCha20-Poly1305 is a scheme recommended to build authenticated encryption for TLS implementations.
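The point made at the start of the chapter, that decryption alone cannot detect an alteration while a verified tag can, is shown in the following added example (not code from the book). It assumes stand-ins so that it runs with the Python standard library only: a SHA-256 counter keystream replaces a block cipher in counter mode, HMAC-SHA256 replaces an approved MAC mode such as CMAC, and all function names are hypothetical.

```python
import hashlib
import hmac
import os

BLOCK = 32  # output size of the SHA-256 stand-in, in bytes

def keystream(key, nonce, length):
    """Counter-mode keystream; SHA-256 stands in for the block cipher (assumption)."""
    blocks = (length + BLOCK - 1) // BLOCK
    out = b"".join(hashlib.sha256(key + nonce + c.to_bytes(8, "big")).digest()
                   for c in range(blocks))
    return out[:length]

def ctr_xor(key, nonce, data):
    """Encrypts or decrypts by XOR with the keystream: confidentiality only."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def seal(enc_key, mac_key, nonce, plaintext):
    """Encrypt-then-MAC: the tag covers the nonce and the ciphertext."""
    ct = ctr_xor(enc_key, nonce, plaintext)
    return ct, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, nonce, ct, tag):
    """Verifies the tag in constant time before decrypting; raises on mismatch."""
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication tag mismatch")
    return ctr_xor(enc_key, nonce, ct)

def flip_bit(data, index, mask=0x01):
    """Models an alteration in transit or at rest: one bit of one byte changes."""
    return data[:index] + bytes([data[index] ^ mask]) + data[index + 1:]

def demo():
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(12)
    message = b"record 0017: state=enabled"  # constructed sample plaintext
    ct, tag = seal(enc_key, mac_key, nonce, message)
    tampered = flip_bit(ct, 7)
    # Confidentiality-only path: decryption succeeds and returns altered data.
    silent = ctr_xor(enc_key, nonce, tampered)
    # Authenticated path: the same alteration is rejected before decryption.
    try:
        open_sealed(enc_key, mac_key, nonce, tampered, tag)
        detected = False
    except ValueError:
        detected = True
    return message, silent, detected

if __name__ == "__main__":
    print(demo())
```

The encryption key and the MAC key are kept separate here; the approved combined modes listed above (CCM, GCM) derive both functions from a single key by construction.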

Notice that authentication, addressed in this chapter, means message authenticity ...
