diff --git a/ChangeLog b/ChangeLog
index a97556e87e204522e37f14887d0c832de111a241..30771788464c4a0bfaa0f57a0f2f34f05aca16d1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,7 @@
 	* nettle.texinfo (GCM): Document GCM_DIGEST_SIZE.
 	(UMAC): Document new UMAC constants.
 	(Keyed hash functions): Make HMAC and UMAC their own info nodes.
+	(EAX): Document EAX.
 
 	* umac.h (UMAC_MIN_NONCE_SIZE, UMAC_MAX_NONCE_SIZE): New
 	constants.
diff --git a/nettle.texinfo b/nettle.texinfo
index 3601cd5941fea6e811266c5680f77012af3fbbba..287b3a38a98453ba8302085d81d66ae17b5a427e 100644
--- a/nettle.texinfo
+++ b/nettle.texinfo
@@ -1827,6 +1827,7 @@ signature to authenticate the message.
 @menu
 * CBC::                         
 * CTR::                         
+* EAX::                         
 * GCM::                         
 * CCM::                         
 @end menu
@@ -1925,7 +1926,7 @@ These macros use some tricks to make the compiler display a warning if
 the types of @var{f} and @var{ctx} don't match, e.g. if you try to use
 an @code{struct aes_ctx} context with the @code{des_encrypt} function.
 
-@node CTR, GCM, CBC, Cipher modes
+@node CTR, EAX, CBC, Cipher modes
 @comment  node-name,  next,  previous,  up
 @subsection Counter mode
 
@@ -2001,7 +2002,190 @@ last three arguments define the source and destination area for the
 operation.
 @end deffn
 
-@node GCM, CCM, CTR, Cipher modes
+@node EAX, GCM, CTR, Cipher modes
+@comment  node-name,  next,  previous,  up
+@subsection EAX
+
+The @acronym{EAX} mode combines @acronym{CTR} mode encryption,
+@xref{CTR}, with a message authentication based on @acronym{CBC},
+@xref{CBC}. It is defined on top of a block cipher, and only the
+encryption function of this cipher is used. The implementation in Nettle
+is restricted to ciphers with a block size of 128 bits (16 octets).
+@acronym{EAX} was defined as a reaction to the @acronym{CCM} mode,
+@xref{CCM}, which uses the same primitives but has some undesirable and
+inelegant properties.
+
+The @acronym{EAX} mode provides both encryption and authentication. For
+@acronym{EAX} encryption, the inputs are:
+
+@itemize
+@item
+The key, which can be used for many messages.
+@item 
+A nonce, of arbitrary size, which must be unique for each message using
+the same key.
+@item
+Additional associated data to be authenticated, but not included in the
+message.
+@item
+The cleartext message to be encrypted.
+@end itemize
+
+The outputs are:
+
+@itemize
+@item
+A ciphertext, of the same size as the cleartext.
+@item
+An authentication tag, or digest, of size up to one block of the
+underlying cipher.
+@end itemize
+
+Usually, the authentication tag should be appended at the end of the
+ciphertext, producing an encrypted message which is slightly longer than
+the cleartext.
+
+Nettle's support for @acronym{EAX} consists of a low-level general
+interface, some convenience macros, and specific functions for
+@acronym{EAX} using @acronym{AES}128 as the underlying cipher. These
+interfaces are defined in @file{<nettle/eax.h>}
+
+@subsubsection General @acronym{EAX} interface
+
+@deftp {Context struct} {struct eax_key}
+@acronym{EAX} state which depends only on the key, but not on the nonce
+or the message.
+@end deftp
+
+@deftp {Context struct} {struct eax_ctx}
+Holds state corresponding to a particular message.
+@end deftp
+
+@defvr Constant EAX_BLOCK_SIZE
+@acronym{EAX}'s block size, 16.
+@end defvr
+
+@defvr Constant EAX_DIGEST_SIZE
+Size of the @acronym{EAX} digest, also 16.
+@end defvr
+
+@deftypefun void eax_set_key (struct eax_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f})
+Initializes @var{key}. @var{cipher} gives a context struct for the
+underlying cipher, which must have been previously initialized for
+encryption, and @var{f} is the encryption function.
+@end deftypefun
+
+@deftypefun void eax_set_nonce (struct eax_ctx *@var{eax}, const struct eax_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{nonce_length}, const uint8_t *@var{nonce})
+Initializes @var{ctx} for processing a new message, using the given
+nonce.
+@end deftypefun
+
+@deftypefun void eax_update (struct eax_ctx *@var{eax}, const struct eax_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{data_length}, const uint8_t *@var{data})
+Process associated data for authentication. All but the last call for
+each message @emph{must} use a length that is a multiple of the block
+size. Unlike many other AEAD constructions, for @acronym{EAX} it's not
+necessary to complete the processing of all associated data before
+encrypting or decrypting the message data.
+@end deftypefun
+
+@deftypefun void eax_encrypt (struct eax_ctx *@var{eax}, const struct eax_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src})
+@deftypefunx void eax_decrypt (struct eax_ctx *@var{eax}, const struct eax_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src})
+Encrypts or decrypts the data of a message. @var{cipher} is the context
+struct for the underlying cipher and @var{f} is the encryption function.
+All but the last call for each message @emph{must} use a length that is
+a multiple of the block size.
+@end deftypefun
+
+@deftypefun void eax_digest (struct eax_ctx *@var{eax}, const struct eax_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{length}, uint8_t *@var{digest});
+Extracts the message digest (also known ``authentication tag''). This is
+the final operation when processing a message. If @var{length} is
+smaller than @code{EAX_DIGEST_SIZE}, only the first @var{length} octets
+of the digest are written.
+@end deftypefun
+
+
+@subsubsection @acronym{EAX} helper macros
+
+The following macros are defined.
+
+@deffn Macro EAX_CTX (@var{context_type})
+This defines an all-in-one context struct, including the context of the
+underlying cipher and all @acronym{EAX} state. It expands
+to
+@example
+@{
+   struct eax_key key;
+   struct eax_ctx eax;
+   context_type cipher;
+@}
+@end example
+@end deffn
+
+For all these macros, @var{ctx}, is a context struct as defined by
+@code{EAX_CTX}, and @var{encrypt} is the encryption function of the
+underlying cipher.
+
+@deffn Macro EAX_SET_KEY (@var{ctx}, @var{set_key}, @var{encrypt}, @var{key})
+@var{set_key} is the function for setting the encryption key for the
+underlying cipher, and @var{key} is the key.
+@end deffn
+
+@deffn Macro EAX_SET_NONCE (@var{ctx}, @var{encrypt}, @var{length}, @var{nonce})
+Sets the nonce to be used for the message.
+@end deffn
+
+@deffn Macro EAX_UPDATE (@var{ctx}, @var{encrypt}, @var{length}, @var{data})
+Process associated data for authentication.
+@end deffn
+
+@deffn Macro EAX_ENCRYPT (@var{ctx}, @var{encrypt}, @var{length}, @var{dst}, @var{src})
+@deffnx Macro EAX_DECRYPT (@var{ctx}, @var{encrypt}, @var{length}, @var{dst}, @var{src})
+Process message data for encryption or decryption.
+@end deffn
+
+@deffn Macro EAX_DIGEST (@var{ctx}, @var{encrypt}, @var{length}, @var{digest})
+Extract te authentication tag for the message.
+@end deffn
+
+
+@subsubsection @acronym{EAX}-@acronym{AES}128 interface
+
+The following functions implement @acronym{EAX} using @acronym{AES}-128
+as the underlying cipher.
+
+@deftp {Context struct} {struct eax_aes128_ctx}
+The context struct, defined using @code{EAX_CTX}.
+@end deftp
+
+@deftypefun void eax_aes128_set_key (struct eax_aes128_ctx *@var{ctx}, const uint8_t *@var{key})
+Initializes @var{ctx} using the given key.
+@end deftypefun
+
+@deftypefun void eax_aes128_set_nonce (struct eax_aes128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{iv})
+Initializes the per-message state, using the given nonce.
+@end deftypefun
+
+@deftypefun void eax_aes128_update (struct eax_aes128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data})
+Process associated data for authentication. All but the last call for
+each message @emph{must} use a length that is a multiple of the block
+size.
+@end deftypefun
+
+@deftypefun void eax_aes128_encrypt (struct eax_aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src})
+@deftypefunx void eax_aes128_decrypt (struct eax_aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src})
+Encrypts or decrypts the data of a message. All but the last call for
+each message @emph{must} use a length that is a multiple of the block
+size.
+@end deftypefun
+
+@deftypefun void eax_aes128_digest (struct eax_aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest});
+Extracts the message digest (also known ``authentication tag''). This is
+the final operation when processing a message. If @var{length} is
+smaller than @code{EAX_DIGEST_SIZE}, only the first @var{length} octets
+of the digest are written.
+@end deftypefun
+
+@node GCM, CCM, EAX, Cipher modes
 @comment  node-name,  next,  previous,  up
 @subsection Galois counter mode