
Authenticated encryption

Authenticated encryption (AE) is a cryptographic technique that provides both confidentiality and authenticity for data, ensuring that the encrypted data cannot be tampered with or forged without detection. A common form is authenticated encryption with associated data (AEAD), in which the encryption process generates a ciphertext and an authentication tag using a key and a unique nonce, while also allowing optional associated data—such as headers—to be authenticated without being encrypted. This dual protection addresses vulnerabilities in traditional encryption modes that ensure only confidentiality but not integrity, preventing attacks like chosen-ciphertext manipulations. The security of authenticated encryption is formally defined by combining indistinguishability under chosen-plaintext attack (IND-CPA) for confidentiality—where an adversary learns nothing about the plaintext beyond its length—and integrity of ciphertexts (INT-CTXT), where forging a valid ciphertext is computationally infeasible. AEAD modes typically operate on symmetric block ciphers like AES and require a nonce that must be unique per encryption under a given key, since reusing a nonce with the same key undermines the security guarantees. Prominent standardized AEAD algorithms include AES in Galois/Counter Mode (GCM), which uses counter mode for encryption and a Galois-field multiplier for authentication, producing tags of variable lengths from 32 to 128 bits; AES in Counter with CBC-MAC (CCM); and ChaCha20 with Poly1305. These modes are designed for efficiency, supporting online processing of data without needing the full message length in advance. Authenticated encryption is integral to modern secure protocols, including Transport Layer Security (TLS) via cipher suites like AES-GCM. In IPsec's Encapsulating Security Payload (ESP), AEAD modes such as AES-GCM provide end-to-end security for VPNs and network communications and are often preferred for their performance. These applications highlight AE's role in mitigating real-world threats, with standards from NIST and the IETF ensuring robustness across implementations.

Fundamentals

Definition and Motivation

Authenticated encryption (AE) is a symmetric-key scheme designed to provide both confidentiality and integrity for a message, ensuring that the plaintext remains private and untampered during transmission or storage. It operates as a mode of operation typically built upon block ciphers or other underlying primitives, transforming a message into a ciphertext alongside an authentication tag that verifies the integrity and origin of the encrypted data. This dual protection prevents adversaries from both eavesdropping on the content and forging or modifying messages without detection. The primary motivation for AE stems from the vulnerabilities inherent in using encryption and message authentication codes (MACs) separately, such as an encryption mode for confidentiality combined with a separate MAC for authentication, which can lead to security flaws if the composition is not performed correctly. For instance, improper ordering in generic compositions—like encrypt-then-MAC or MAC-then-encrypt—may fail to achieve strong security notions, exposing systems to attacks such as chosen-ciphertext attacks or padding-oracle exploits, where side-channel information from validation leaks plaintext details. By integrating encryption and authentication into a single, provably secure mechanism, AE simplifies implementation and reduces the risk of composition errors, making it a preferred choice for secure protocol design. At a high level, AE schemes involve key components including a secret key for cryptographic operations, a nonce or initialization vector (IV) to ensure uniqueness across encryptions, the plaintext to be protected, and optionally associated data (AD) that is authenticated but not encrypted. The encryption process generates a ciphertext from the plaintext using the key and nonce, along with an authentication tag derived from the ciphertext, plaintext, and any AD. During decryption, the receiver first verifies the tag against the provided ciphertext and AD using the shared key; only if the tag is valid is the plaintext recovered and released, thereby enforcing both security properties.

Security Requirements

Authenticated encryption (AE) schemes must satisfy stringent privacy and authenticity requirements to protect against adversaries in realistic threat models. The privacy requirement is formalized as indistinguishability under chosen-plaintext attack (IND-CPA), ensuring that an adversary cannot distinguish between the ciphertexts of two chosen plaintexts of equal length, even after querying an encryption oracle. This builds the foundation for confidentiality, and when combined with authenticity, provides security against chosen-ciphertext attacks equivalent to indistinguishability under chosen-ciphertext attack (IND-CCA). Complementing privacy, the authenticity requirement is captured by integrity of plaintexts (INT-PTXT), which guarantees that an adversary cannot forge a valid (ciphertext, tag) pair that decrypts to a legitimate plaintext with more than negligible probability, even after adaptively querying an encryption oracle. Under this game-based definition, the adversary's success probability in producing such a forgery—distinct from previously queried encryptions—must be bounded by a negligible function in the security parameter. A related but stronger notion, integrity of ciphertexts (INT-CTXT), prevents forgery of any ciphertext that verifies under the key, implying INT-PTXT; however, INT-PTXT is the minimal standard for authenticity as it directly ties to the plaintext. AE is deemed secure when it simultaneously achieves IND-CPA for privacy and INT-PTXT for authenticity, providing comprehensive protection against both passive eavesdropping and active tampering. This combination ensures resistance to chosen-ciphertext attacks, as invalid ciphertexts are rejected by the authentication mechanism without revealing information. Such dual satisfaction ensures that AE schemes resist a broad class of adversaries modeled in the standard multi-user setting with left-or-right queries. For schemes supporting associated data (AD), such as authenticated encryption with associated data (AEAD), security notions extend to ensure both privacy and integrity for the AD alongside the plaintext. Privacy requires that the AD remains indistinguishable in its influence on the ciphertext, preventing leakage or manipulation that could reveal information about it, while integrity mandates that any forgery attempt altering the AD results in invalidation upon decryption. Thus, the adversary cannot produce a valid (nonce, header, ciphertext) triple for unqueried AD except with negligible probability, preserving the binding between the AD and the encrypted payload. These security guarantees are typically proven via reductions to the underlying primitives, such as pseudorandom permutations or strongly unforgeable MACs, with the adversary's advantage in breaking the scheme bounded by terms like q / n, where q represents the number of queries and n the size of the tag or key space, ensuring concrete security that degrades predictably with usage. For instance, in generic compositions like encrypt-then-MAC, the overall IND-CCA advantage is at most twice the MAC's forgery probability plus the encryption's IND-CPA loss, maintaining tightness without excessive security inflation. Such reductions confirm that AE inherits robustness from its components, with forgery probabilities often further tightened to \sigma^2 / 2^\tau for \sigma messages and tag length \tau.

Historical Development

Origins

The concept of authenticated encryption emerged from foundational work in the 1990s on secure symmetric cryptography, including definitions of privacy for encryption schemes and unforgeability for message authentication codes (MACs). Researchers established notions such as indistinguishability under chosen-plaintext attacks (IND-CPA) for encryption and existential unforgeability under chosen-message attacks for MACs, laying the groundwork for combining these properties. The formal notion of authenticated encryption, providing both privacy and integrity in a single symmetric scheme, was independently introduced in 2000. Mihir Bellare and Chanathip Namprempre defined multiple security models for authenticated encryption and analyzed generic composition methods to achieve them securely. Concurrently, Jonathan Katz and Moti Yung formalized "unforgeable encryption," proving that it implies chosen-ciphertext security while enabling efficient block-cipher-based constructions with minimal overhead, such as approximately 1.33 block encryptions per block of data plus two additional calls. A key contribution from Bellare and Namprempre was the introduction and analysis of generic composition paradigms, including Encrypt-then-MAC (EtM), where a message is encrypted and then a MAC is computed over the ciphertext to ensure both privacy and integrity. Katz and Yung further emphasized efficiency, showing how to build such schemes from standard primitives without excessive computational cost, addressing the practical limitations of separate encryption and authentication. Initial motivations for authenticated encryption stemmed from the recognition that real-world protocols often required integrated confidentiality and integrity to avoid composition pitfalls, such as those seen in early unauthenticated ciphers, and to support emerging applications like secure wireless communications. Early concrete proposals for authenticated encryption include OCB, proposed by Phillip Rogaway in 2001, which provides parallelizable authenticated encryption using a block cipher. Another early proposal was the CCM (Counter with CBC-MAC) mode in 2002, developed by Doug Whiting, Russell Housley, and Niels Ferguson, which combines counter-mode encryption for privacy with CBC-MAC for authentication of associated data and payloads; its security was rigorously proven by Jakob Jonsson, establishing birthday-bound privacy and authenticity.

Standardization Efforts

Standardization efforts for authenticated encryption (AE) began in the early 2000s with initiatives aimed at evaluating and recommending secure modes of operation. The New European Schemes for Signatures, Integrity, and Encryption (NESSIE) project, which ran from 2000 to 2003, issued a call for submissions of cryptographic algorithms, including those providing data confidentiality and authentication, leading to evaluations of early AE proposals alongside block ciphers and other primitives. The U.S. National Institute of Standards and Technology (NIST) played a pivotal role through its Special Publication (SP) 800-38 series, which provides recommendations for block cipher modes of operation suitable for federal use. Starting with SP 800-38A in 2001 for basic confidentiality modes, the series expanded to include AE modes, such as the Counter with CBC-MAC (CCM) mode in SP 800-38C published in 2004. NIST further approved the Galois/Counter Mode (GCM) in SP 800-38D in 2007, establishing it as a standard for authenticated encryption with associated data (AEAD) in government systems. The Internet Engineering Task Force (IETF) advanced AE integration into network protocols, particularly through RFC 5116 in 2008, which defined a uniform interface and algorithms for AEAD to facilitate their use in protocols like IPsec and TLS. Building on this, TLS 1.3, specified in RFC 8446 in 2018, mandates the use of AEAD algorithms for record protection, deprecating legacy modes that lack integrity protection, such as CBC without explicit integrity checks. Internationally, the ISO/IEC 19772 standard, first published in 2009, specifies methods for authenticated encryption, outlining six mechanisms to achieve confidentiality and integrity objectives for data processing. More recent efforts include the Crypto Forum Research Group (CFRG) draft specification for the AEGIS family of algorithms, with versions circulating since 2023, recommending AEGIS-128L, AEGIS-256, and related variants for high-performance applications. In response to identified vulnerabilities like multi-key attacks, discussions have emphasized key-committing security for AEAD schemes, prompting additions and recommendations to ensure that ciphertexts bind uniquely to keys, as explored in subsequent analyses of existing schemes. These updates also consider adaptations for post-quantum contexts, with NIST workshops proposing further development of robust AE modes compatible with emerging quantum-resistant algorithms.

Security Properties

Confidentiality Assurance

Authenticated encryption (AE) ensures confidentiality by employing underlying symmetric encryption primitives that mask the plaintext, rendering it indistinguishable from random data to unauthorized parties. Typically, this is achieved through pseudorandom permutations, as in block cipher modes, or pseudorandom streams generated in counter (CTR) mode, where the plaintext is XORed with a keystream derived from the block cipher applied to incremented counter blocks initialized from a nonce. This mechanism provides semantic security, meaning that the ciphertext reveals no information about the plaintext beyond its length, even under chosen-plaintext attacks (IND-CPA), as the encryption behaves like a probabilistic mapping to uniformly random strings. In the adversarial model, AE protects confidentiality against chosen-ciphertext attacks (CCA), where an active adversary can submit ciphertexts for decryption but receives no useful information from valid ones due to the scheme's authentication properties, which reject invalid inputs without leaking details. This IND-CCA security builds on the indistinguishability notion, ensuring that the adversary's advantage in distinguishing encryptions of two plaintexts remains negligible, even with adaptive queries. The role of the nonce (or initialization vector) is crucial for maintaining this security: it provides freshness by ensuring each encryption uses a unique value, preventing nonce reuse that could otherwise allow adversaries to XOR ciphertexts and recover plaintext differences through linear dependencies in the keystream. Formally, the confidentiality guarantee holds that the statistical distance between the distribution of ciphertexts encrypting a plaintext and random strings of the same length is negligible in the security parameter, typically bounded by the square of the total number of blocks encrypted divided by 2^n for block size n (e.g., \text{Adv} \leq \sigma^2 / 2^n for nonce-based schemes). This bound ensures that for practical key and nonce lengths, such as 128-bit blocks and 96-bit nonces, the probability of information leakage remains computationally infeasible.

Integrity and Authenticity

In authenticated encryption (AE), integrity is ensured through the generation of an authentication tag, which is computed over the ciphertext and any associated data using a message authentication code (MAC)-like function. This tag detects unauthorized modifications to the encrypted message, as any alteration to the ciphertext or associated data will result in a mismatch during verification. For instance, in the encrypt-then-MAC (EtM) paradigm, the plaintext is first encrypted to produce the ciphertext C, and then the tag \tau is derived as \tau = T(K_m, C), where T is a MAC that is strongly unforgeable under chosen-message attacks (SUF-CMA) and K_m is the MAC key. A common implementation involves polynomial hash functions, such as GHASH in Galois/Counter Mode (GCM), which iteratively multiplies input blocks by a hash subkey H in the finite field \mathrm{GF}(2^{128}) to produce a value sensitive to bit flips or rearrangements. Forgery resistance in AE schemes arises from the cryptographic strength of the underlying MAC, which rejects invalid tags with overwhelming probability: typically 2^{-t} for a tag of length t bits under random guessing, or bounded by the number of processed blocks divided by 2^t for targeted attacks. In SUF-CMA-secure constructions like EtM, an adversary cannot produce a new valid (ciphertext, tag) pair beyond those queried, limiting successful forgeries to negligible probabilities even after many interactions. This upholds integrity of ciphertexts (INT-CTXT), ensuring that modified transmissions are detected and discarded during decryption. Authenticity in AE is implicitly provided by the shared symmetric key, which only legitimate parties possess, allowing verification that the message originated from an authorized sender. Without knowledge of the key, an attacker cannot generate a valid tag, thereby preventing impersonation or substitution attacks. If keys are securely distributed and nonces are properly managed to avoid reuse, AE resists man-in-the-middle attacks by binding the tag to the specific ciphertext and associated data, making undetected interceptions infeasible. Authentication tags are typically fixed-length outputs, such as 128 bits in full-strength schemes, to balance security and overhead; truncation to shorter lengths (e.g., 96 or 64 bits) reduces overhead but increases forgery probability, necessitating usage limits like a maximum of 2^{32-t} messages to maintain security bounds. For example, in GCM, tags are derived by encrypting the GHASH output and truncating to the desired length, with shorter tags advised only for low-risk applications.

Variants

Authenticated Encryption with Associated Data (AEAD)

Authenticated encryption with associated data (AEAD) extends standard authenticated encryption by incorporating integrity protection for additional unencrypted data, referred to as associated data. In an AEAD scheme, the encryption algorithm takes a secret key K, a nonce N, a plaintext P, and associated data A, outputting a ciphertext C and an authentication tag T. The corresponding decryption algorithm takes K, N, C, T, and A, verifying the tag and recovering P if valid, or rejecting otherwise. This allows protocols to authenticate metadata, such as packet headers, alongside the encrypted payload without encrypting the metadata itself. The security of AEAD builds on authenticated encryption by extending confidentiality and integrity guarantees to the associated data. Specifically, it achieves indistinguishability under chosen-plaintext attack (IND-CPA) for the encrypted payload, ensuring adversaries cannot distinguish ciphertexts from random strings even after adaptive queries, while also providing integrity of plaintexts (INT-PTXT) that covers both the plaintext and the associated data. Any modification to A or P will cause the tag T to fail verification, preventing forgeries or tampering. These properties hold under nonce-respecting adversaries who do not repeat nonces. AEAD is particularly suited to network protocols where certain protocol fields require integrity protection but not confidentiality. For instance, in IPsec's Encapsulating Security Payload (ESP), AEAD encrypts the sensitive payload while treating packet headers as associated data to ensure their authenticity without encryption, thereby securing communications in VPNs and site-to-site tunnels. This approach reduces overhead compared to separate encryption and authentication mechanisms. A generic construction for AEAD combines a nonce-based encryption scheme with a pseudorandom function (PRF) acting as a MAC. One such method encrypts P to C using the encryption scheme, then computes T as the PRF output on the nonce concatenated with C and A, yielding the full output (C, T). This construction provably achieves AEAD security if the underlying components are secure.

Key-Committing AEAD

Key-committing authenticated encryption with associated data (AEAD) is a variant of standard AEAD that ensures a ciphertext and its tag are uniquely bound to the key, preventing the same ciphertext from being valid under multiple distinct keys. This holds even if an adversary can manipulate nonces or messages, as the scheme incorporates a key-dependent commitment that makes key recovery computationally infeasible from the ciphertext alone. In essence, it transforms a non-committing AEAD into one where the key is "committed" via a pseudorandom function or similar primitive, such as deriving a string from the key to bind the outputs. The motivation for key-committing AEAD arises from vulnerabilities in non-committing schemes like AES-GCM, where partitioning oracle attacks can exploit the ability of a single ciphertext-tag pair to authenticate under multiple keys, enabling efficient key or password recovery in offline scenarios. For instance, researchers demonstrated adaptive chosen-ciphertext attacks against AES-GCM implementations, such as in proxies, recovering passwords with as few as 21,503 oracle queries for a 70% success rate by partitioning the key space and testing multi-collisions. These attacks highlight the risks in multi-user or multi-key environments, where non-committing AEADs fail to provide robust binding, prompting the development of committing variants to enhance security against such offline key-extraction threats. The core security notion is key indistinguishability, formalized through games where an adversary attempts to find a ciphertext-tag pair valid under two distinct keys (e.g., both honest, one revealed, or both corrupted), with the scheme secure if the advantage remains negligible. This relies on the binding property of the commitment mechanism, ensuring that key-dependent tags or derivations uniquely identify the key without revealing it, thus providing stronger misattribution resistance than standard AEAD privacy and authenticity. Fully committing schemes extend this to all inputs (key, nonce, associated data, message), but key commitment specifically targets the key. A prominent example is the AEGIS family of AEAD modes, proposed in 2013 as part of the CAESAR competition and advanced in a 2023 CFRG draft for standardization, which achieves key commitment through its stream-cipher-like design using AES rounds to generate key-dependent states for both encryption and authentication. AEGIS variants, such as AEGIS-256, serve as high-performance alternatives to non-committing schemes like GCM, offering resistance to the aforementioned attacks while maintaining efficiency on modern hardware.

Misuse-Resistant AEAD

Misuse-resistant authenticated encryption with associated data (AEAD) refers to variants of AEAD schemes that provide confidentiality and integrity even in the face of certain implementation errors, such as the reuse of nonces. Unlike standard nonce-based AEAD, which can suffer catastrophic security degradation—including full plaintext recovery or efficient forgeries—when nonces repeat under the same key, misuse-resistant schemes ensure that security bounds remain meaningful, albeit potentially degraded, under such misuse. These schemes are particularly valuable in scenarios where nonce management is error-prone, such as in distributed systems or long-lived sessions. The security of misuse-resistant AEAD is typically formalized through notions like indistinguishability under chosen-ciphertext attack (IND-CCA) for confidentiality and integrity of plaintexts (INT-PTXT) for authenticity, extended to nonce-misusing adversaries. Under nonce repetition, these schemes maintain non-zero security, often degrading to revealing only whether ciphertexts encrypt identical plaintexts (for privacy) or preventing forgeries beyond a quadratic bound in the number of repeated nonces. For rate-1 constructions, which achieve near-optimal efficiency (one block cipher call per message block asymptotically), the security loss is bounded by terms like Q^2 / 2^{n/2}, where Q is the number of encryptions and n the block size, ensuring practical protection against accidental misuse. Key constructions include deterministic AEAD modes, which eliminate the nonce entirely by deriving a synthetic initialization vector (SIV) from the header and full plaintext, as in the SIV mode introduced in 2007. SIV uses a pseudorandom function to compute the SIV over the inputs and then encrypts via counter mode, providing IND-CPA privacy and INT-PTXT with advantage \sigma^2 / 2^n, where \sigma is the total number of blocks processed. Another approach is nonce-misuse-resistant AEAD like COPA (2013), an online and parallelizable scheme that extends offset-based encryption, achieving birthday-bound security (n/2 bits) even under nonce repetition by incorporating message-dependent tweaks. More recent examples include AES-GCM-SIV (2017), which adapts GCM for misuse resistance through key-derived counters and multiplication-based authentication, bounding losses to 3Q^2 / 2^{96} under up to 2^{64} unique nonces. These schemes often trade efficiency for robustness, requiring full-message processing during tag or tweak computation, which can double the number of block cipher calls compared to standard AEAD like AES-GCM. For instance, SIV processes the entire message twice (once for SIV generation, once for encryption), leading to roughly 2 cycles per byte overhead on modern hardware, while AES-GCM-SIV incurs about 1.04 cycles per byte for encryption versus 0.68 for non-misuse-resistant GCM. Despite this, their deployment in standards like RFC 8452 justifies the cost for high-assurance applications.
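As an added illustration (not code from the page or from any SIV specification), the following Python builds a deterministic, SIV-style AEAD from an HMAC-SHA256 PRF and a toy counter mode, then contrasts its behaviour under a repeated nonce with that of plain counter mode. The function names, the toy cipher ctr_xor (its keystream blocks are HMAC outputs, not a real block cipher) and the length-prefixed encoding of (A, P) are assumptions of this example; real SIV modes use CMAC- or GHASH-style PRFs as described above.

```python
import hmac
import hashlib
import struct


def ctr_xor(key, iv, data):
    """Toy counter mode: keystream block i is HMAC-SHA256(key, iv || i).
    Stands in for the counter-mode encryption in the text (assumption)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, iv + struct.pack(">Q", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def _encode(*parts):
    # Length-prefix every part so (A, P) maps to a unique byte string.
    return b"".join(struct.pack(">Q", len(p)) + p for p in parts)


def siv_encrypt(k_mac, k_enc, aad, plaintext):
    """SIV style: the tag is a PRF over header and full plaintext and doubles
    as the counter-mode IV, so no caller-supplied nonce is needed."""
    iv = hmac.new(k_mac, _encode(aad, plaintext), hashlib.sha256).digest()[:16]
    return iv + ctr_xor(k_enc, iv, plaintext)


def siv_decrypt(k_mac, k_enc, aad, blob):
    """Decrypt under the received IV, then check that the IV is the PRF of
    (aad, recovered plaintext); any change to IV, data or AAD is rejected."""
    if len(blob) < 16:
        return None
    iv, c = blob[:16], blob[16:]
    p = ctr_xor(k_enc, iv, c)
    expected = hmac.new(k_mac, _encode(aad, p), hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(expected, iv):
        return None
    return p


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def nonce_reuse_leak(k_enc, nonce, p1, p2):
    """Plain counter mode with one nonce used twice under one key: returns True
    if C1 xor C2 equals P1 xor P2, the keystream cancellation the text describes."""
    c1, c2 = ctr_xor(k_enc, nonce, p1), ctr_xor(k_enc, nonce, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def siv_reuse_behaviour(k_mac, k_enc, aad, p1, p2):
    """Under SIV, encrypting the same (A, P) twice gives identical output (only
    equality leaks), while distinct plaintexts get unrelated IVs, so the XOR
    relation above does not hold. Returns (same_output, xor_relation_holds)."""
    same = siv_encrypt(k_mac, k_enc, aad, p1) == siv_encrypt(k_mac, k_enc, aad, p1)
    b1, b2 = siv_encrypt(k_mac, k_enc, aad, p1), siv_encrypt(k_mac, k_enc, aad, p2)
    related = xor_bytes(b1[16:], b2[16:]) == xor_bytes(p1, p2)
    return same, related


if __name__ == "__main__":
    # Constructed sample keys and messages.
    km, ke = b"m" * 32, b"e" * 32
    p1, p2 = b"transfer 100 to alice", b"transfer 999 to alice"
    print("plain CTR, nonce reused:", nonce_reuse_leak(ke, b"\x00" * 16, p1, p2))
    print("SIV (same, related):", siv_reuse_behaviour(km, ke, b"hdr", p1, p2))
```

The decrypt-then-verify order in siv_decrypt is inherent to SIV, so the recovered plaintext must be held back until the IV check passes; the function returns None rather than the unverified bytes.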

Constructions

Encrypt-then-MAC (EtM)

Encrypt-then-MAC (EtM) is a generic construction for authenticated encryption that combines a symmetric encryption scheme with a message authentication code (MAC) by first encrypting the plaintext and then authenticating the resulting ciphertext, optionally along with associated data. Given a plaintext P, nonce N, encryption key K, MAC key K', and associated data A, the process computes the ciphertext as C = \text{Enc}(K, P, N) and the authentication tag as T = \text{MAC}(K', C \parallel A), producing the final output (C, T). This approach ensures that any tampering with the ciphertext invalidates the tag without requiring decryption of the full message. The security of EtM relies on the properties of its components: it achieves indistinguishability under chosen-ciphertext attack (IND-CCA) and ciphertext integrity (INT-CTXT) provided the underlying encryption scheme is IND-CPA secure and the MAC is strongly existentially unforgeable under chosen-message attack (sEUF-CMA). Specifically, the advantage of an adversary breaking IND-CCA in EtM is at most the IND-CPA advantage of the encryption scheme plus the sEUF-CMA advantage of the MAC, while the INT-CTXT advantage is at most the sEUF-CMA advantage of the MAC. These bounds, established through hybrid arguments, demonstrate that EtM fully realizes the strongest privacy and integrity notions for generic compositions. EtM offers several practical benefits, including simplicity in design and implementation, as it separates encryption and authentication clearly while using independent keys for each. It is parallelizable in scenarios where the encryption and MAC computations support concurrent processing, such as with counter-mode ciphers or polynomial-based MACs. Due to its robust guarantees across all notions—unlike other compositions that may fail in certain cases—EtM is recommended for most authenticated encryption applications.

Encrypt-and-MAC (E&M)

In the Encrypt-and-MAC (E&M) paradigm, authentication is applied to the plaintext prior to encryption, integrating the message authentication code (MAC) tag into the encrypted output. Specifically, given a plaintext P, associated data A, encryption key K, and MAC key K', the scheme first computes the tag T = \text{MAC}(K', P \| A), then forms the ciphertext C = \text{Enc}(K, P \| T), and outputs C with the tag either implicit within the ciphertext or provided separately for verification. Upon decryption, the receiver recovers P' \| T' from C, recomputes the MAC on P' \| A, and accepts only if it matches T'; otherwise, it rejects the message. This approach aims to ensure both confidentiality through encryption and integrity through the embedded tag. Security analysis shows that E&M achieves plaintext integrity (INT-PTXT), providing authenticity against forgeries of valid plaintexts, assuming the underlying MAC is strongly unforgeable under chosen-message attacks (SUF-CMA) and the encryption is indistinguishable under chosen-plaintext attack (IND-CPA). However, it only guarantees IND-CPA privacy, as the construction does not protect against chosen-ciphertext attacks (CCA); the embedded MAC computation on the plaintext can potentially leak information about P if the MAC is not perfectly hiding, though the encryption of the tag mitigates direct exposure. For full IND-CCA security or ciphertext integrity (INT-CTXT), E&M falls short, as adversaries can malleate the ciphertext to produce invalid but decryptable outputs without immediate detection during verification. A key drawback of E&M is its vulnerability to release-of-unverified-plaintext (ROUP) attacks, where a decryption routine might return the recovered plaintext before verifying the MAC tag, allowing attackers to probe for information about manipulated ciphertexts. This design, which requires full decryption prior to verification, contrasts with paradigms that verify externally and thus exposes systems to padding-oracle or similar exploits if verification is not strictly enforced post-decryption. Overall, E&M is generally considered insecure for robust authenticated encryption due to these gaps and its reliance on flawless implementation to avoid partial disclosures. The flaws in E&M were rigorously analyzed in early work on composition paradigms for authenticated encryption, highlighting its limitations compared to more secure alternatives.

MAC-then-Encrypt (MtE)

In the MAC-then-Encrypt (MtE) composition, a message authentication code (MAC) is first computed on the plaintext P and associated data A, yielding a tag T = \text{MAC}(K', P \parallel A), where K' is the MAC key and \parallel denotes concatenation. This tag is then appended to the plaintext, and the combined value P \parallel T is encrypted using a symmetric encryption scheme \text{Enc}(K, \cdot) with key K, producing the ciphertext C = \text{Enc}(K, P \parallel T), which serves as the sole output. The decryption process reverses this: it decrypts C to recover P' \parallel T', verifies the tag on P' \parallel A, and outputs P' only if the tag is valid; otherwise, it rejects the ciphertext. Security analysis of MtE shows that it achieves indistinguishability under chosen-plaintext attack (IND-CPA) for confidentiality and integrity of plaintexts (INT-PTXT) when composed from an IND-CPA-secure encryption scheme and a MAC that is strongly unforgeable under chosen-message attack (SUF-CMA), with tight reduction bounds: the IND-CPA advantage is at most that of the underlying encryption scheme, and the INT-PTXT advantage is at most that of the MAC. If the encryption scheme is instead IND-CCA-secure (indistinguishability under chosen-ciphertext attack) and the MAC is deterministic and SUF-CMA, MtE provides full IND-CCA security, as invalid MACs during decryption act as an additional check against malleability. However, standard MtE constructions using common IND-CPA modes (e.g., CBC or CTR) typically only guarantee IND-CPA and INT-PTXT security, without IND-CCA or integrity of ciphertexts (INT-CTXT), due to vulnerabilities in the base encryption. A key advantage of MtE is its compact output format, where the authentication tag is integrated into the ciphertext without requiring a separate field, reducing overhead in protocols with length constraints. This composition has been employed in Encapsulating Security Payload (ESP) configurations, where authentication (via the Authentication Header or ESP integrity) precedes encryption to protect packet payloads efficiently. Limitations of MtE include potential padding mismatches when using block cipher modes like CBC, as the padding must accommodate the variable-length plaintext plus fixed-size tag, which can introduce alignment issues or expose padding oracles if padding is not uniformly handled. Additionally, it is susceptible to chosen-ciphertext attacks that exploit decryption oracles, such as those leaking plaintext recovery through manipulated padding (e.g., in padding not covered by the MAC), enabling efficient breaches with as few as 2^{15} queries for 128-bit block sizes.
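To make the ordering difference between the Encrypt-then-MAC and MAC-then-Encrypt sections concrete, here is an added Python example (not code from the page or from any standard) that implements both compositions over the same toy counter-mode cipher and HMAC-SHA256. The cipher enc (its keystream blocks are HMAC outputs, not a real block cipher), the length-prefixed MAC input and the returned call count are assumptions of this example: the count records how many times the receiver had to run the cipher before reaching a verdict, which is zero for EtM and one for MtE, where unverified plaintext necessarily exists in memory before the tag can be checked.

```python
import hmac
import hashlib
import struct


def enc(key, nonce, data):
    """Toy IND-CPA counter mode: block i of keystream is HMAC-SHA256(key, nonce || i).
    Stands in for Enc(K, P, N) in the text (assumption of this example)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + struct.pack(">Q", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def dec(key, nonce, data):
    # Counter mode is its own inverse.
    return enc(key, nonce, data)


def mac(key, *parts):
    """HMAC over length-prefixed parts, so (C, A) and (C', A') with the same raw
    concatenation cannot collide (a precaution beyond the bare C || A above)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(struct.pack(">Q", len(p)))
        h.update(p)
    return h.digest()


# Encrypt-then-MAC: C = Enc(K, P, N), T = MAC(K', N, A, C); output (C, T).
def etm_encrypt(k_enc, k_mac, nonce, plaintext, aad):
    c = enc(k_enc, nonce, plaintext)
    return c, mac(k_mac, nonce, aad, c)


def etm_decrypt(k_enc, k_mac, nonce, c, tag, aad):
    """Returns (plaintext or None, cipher calls made before the verdict)."""
    if not hmac.compare_digest(mac(k_mac, nonce, aad, c), tag):
        return None, 0          # rejected without running the cipher at all
    return dec(k_enc, nonce, c), 1


# MAC-then-Encrypt: T = MAC(K', P, A), C = Enc(K, P || T, N); output C only.
def mte_encrypt(k_enc, k_mac, nonce, plaintext, aad):
    t = mac(k_mac, plaintext, aad)
    return enc(k_enc, nonce, plaintext + t)


def mte_decrypt(k_enc, k_mac, nonce, c, aad):
    """Returns (plaintext or None, cipher calls made before the verdict)."""
    if len(c) < 32:
        return None, 0
    recovered = dec(k_enc, nonce, c)        # unverified plaintext now exists
    p, t = recovered[:-32], recovered[-32:]
    if not hmac.compare_digest(mac(k_mac, p, aad), t):
        return None, 1                       # must be discarded, never released
    return p, 1


def flip_last_byte(c):
    return c[:-1] + bytes([c[-1] ^ 0x01])


if __name__ == "__main__":
    # Constructed sample keys, nonce and message.
    ke, km, n = b"e" * 32, b"m" * 32, b"\x00" * 8
    p, a = b"attack at dawn", b"hdr"
    c, t = etm_encrypt(ke, km, n, p, a)
    print("EtM tampered:", etm_decrypt(ke, km, n, flip_last_byte(c), t, a))
    c2 = mte_encrypt(ke, km, n, p, a)
    print("MtE tampered:", mte_decrypt(ke, km, n, flip_last_byte(c2), a))
```

Both decryptors reject a modified ciphertext or a modified header, but only the EtM receiver can do so before any decryption work, which is the property that removes the release-of-unverified-plaintext and padding-oracle hazards discussed in the two sections above.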

Common Schemes

AES-GCM

AES-GCM (AES in Galois/Counter Mode) is an authenticated encryption with associated data (AEAD) scheme that provides both confidentiality and authenticity for messages. Originally proposed by McGrew and Viega in 2004, it was standardized by the National Institute of Standards and Technology (NIST) in Special Publication 800-38D in November 2007 as a mode of operation for the AES block cipher. AES-GCM employs AES in counter (CTR) mode for encryption and the GHASH hash function for authentication, enabling efficient processing of the plaintext and associated data while producing a short authentication tag. This construction follows the encrypt-then-MAC paradigm, where the MAC is computed over the ciphertext and associated data. The encryption process in AES-GCM divides the plaintext P into 128-bit blocks P_i, generating the corresponding ciphertext blocks C_i via counter mode: C_i = \text{AES}_K(N \mathbin\Vert i) \oplus P_i, where K is the 128-, 192-, or 256-bit secret key, N is the nonce, \mathbin\Vert denotes bit-string concatenation, and i is the block counter starting from 1. The final ciphertext C is the concatenation of all C_i, with any partial final block handled by XORing with the truncated counter output. The authentication tag T is then derived from the associated data A, the ciphertext C, and their lengths: T = \text{GHASH}_{H}(A \mathbin\Vert 0^{t} \mathbin\Vert C \mathbin\Vert 0^{s} \mathbin\Vert \text{len}(A) \mathbin\Vert \text{len}(C)) \oplus \text{AES}_K(N \mathbin\Vert 0^{31} \mathbin\Vert 1), where H is the hash subkey, 0^{t} and 0^{s} are bit strings of zeros padding A and C to multiples of 128 bits (with t, s \leq 128), and \text{len}(\cdot) encodes the bit lengths of A and C as 64-bit values. The sender appends T (or a truncated version) to C for transmission, and the receiver recomputes and verifies the tag using the same inputs. The GHASH function operates as a Cartesian product hash in the finite field \mathbb{F}_{2^{128}}, defined by the irreducible polynomial X^{128} + X^7 + X^2 + 1. The hash subkey H is computed as the first output block of the cipher under the all-zero input: H = \text{AES}_K(0^{128}). GHASH processes an input bit string X (padded to a multiple of 128 bits into m blocks X_1, \dots, X_m) iteratively: \text{GHASH}_H(X) = \left( \bigoplus_{i=1}^m X_i H^{m+1-i} \right) \mod (X^{128} + X^7 + X^2 + 1), where multiplication and addition are in \mathbb{F}_{2^{128}}, represented as 128-bit strings with the least significant bit as the lowest-degree term. This polynomial-based hashing provides provable security against forgery under chosen-plaintext attacks when the key is secret. AES-GCM uses the 128-bit block cipher and supports nonce lengths up to 2^{64}-2 bits, with a recommended fixed length of 96 bits (12 bytes) for simplicity and efficiency; other lengths require additional processing via GHASH on the nonce. The authentication tag length can be 32, 64, 96, 104, 112, 120, or 128 bits, truncated from the full 128-bit computation by removing the most significant bits. Nonces must be unique per key to avoid security degradation, and the standard limits messages to less than 2^{39}-256 bits (approximately 2^{32} blocks of 128 bits) under the recommended nonce length. AES-GCM is designed for high performance, with both the CTR encryption and GHASH authentication operations being parallelizable across multiple blocks, allowing efficient implementation on multi-core systems. It benefits from hardware acceleration via the AES New Instructions (AES-NI) set introduced in Intel processors starting from 2010, which includes dedicated instructions for AES rounds and carry-less multiplication (PCLMULQDQ) for GHASH, achieving throughputs exceeding several gigabytes per second on modern CPUs.

ChaCha20-Poly1305

ChaCha20-Poly1305 is an authenticated encryption with associated data (AEAD) scheme that combines the ChaCha20 stream cipher for confidentiality and the Poly1305 one-time authenticator for integrity and authenticity. Standardized by the Internet Engineering Task Force (IETF) in RFC 7539 in 2015, it is designed for efficient software implementation across diverse platforms. The ChaCha20 component is a 20-round stream cipher developed by Daniel J. Bernstein in 2008 as an evolution of the Salsa20 design, relying on addition, rotation, and XOR (ARX) operations for its core quarter-round function. It generates a keystream from a 256-bit key, a nonce, and a 32-bit block counter, producing 64-byte blocks that are XORed with the plaintext to yield the ciphertext. Poly1305, introduced by Bernstein in 2005, serves as the message authentication code in this construction. It operates as a hash function over the prime field defined by the modulus p = 2^{130} - 5, using a 256-bit one-time key split into a 128-bit multiplier r (with specific bits cleared for security) and a 128-bit additive constant s. The tag is computed conceptually as the 128 least significant bits of (r \cdot P + s) \mod p, where P represents the encoded input message interpreted in the prime field; its security relies on the assumption that the one-time key behaves as a pseudorandom function, providing resistance to forgery with probability at most 2^{-106} for messages up to 2^{126} blocks under a single key. The scheme employs a 256-bit symmetric key and a 96-bit nonce (with support for 192-bit or 256-bit nonces in extended constructions such as XChaCha20-Poly1305), producing a 128-bit tag. To generate the Poly1305 one-time key K', the first 32 bytes of the 64-byte output from ChaCha20 invoked with the key K, nonce N, and counter value 0 are used as K', while the remaining 32 bytes are discarded.
Encryption proceeds by generating a keystream with ChaCha20 using the same K and N, but starting the block counter at 1, and XORing it with the plaintext P to produce the ciphertext C, where the keystream is truncated to |P| bytes and the plaintext is not padded. Mathematically, C = \left( \text{ChaCha20}(K, N, 1) \mathbin\Vert \cdots \mathbin\Vert \text{ChaCha20}(K, N, \lceil |P|/64 \rceil) \right) \oplus P, with the concatenated keystream truncated to |P| bytes, ensuring confidentiality under the assumption of a unique nonce per key. Authentication is performed by applying Poly1305 to a concatenated message consisting of the associated data A padded with zeros to a multiple of 16 bytes, followed by the ciphertext C similarly padded, and then the 64-bit little-endian encodings of |A| and |C| in bytes. The tag T is thus T = \text{Poly1305}(K', A \mathbin\Vert 0^{\text{pad}_{16}(|A|)} \mathbin\Vert C \mathbin\Vert 0^{\text{pad}_{16}(|C|)} \mathbin\Vert \text{len}(A) \mathbin\Vert \text{len}(C)), where \text{pad}_{16}(\cdot) gives the minimal number of zero bytes needed to reach the next 16-byte boundary, and \text{len}(\cdot) is an 8-byte little-endian encoding; the recipient recomputes T and verifies it against the provided tag before releasing any plaintext. This construction inherits AEAD properties, protecting both the ciphertext and the associated data.

Other Notable Schemes

SIV (Synthetic Initialization Vector), specified in RFC 5297, is a deterministic authenticated encryption mode that uses AES in counter (CTR) mode for encryption combined with CMAC for authentication over the entire message and associated data, providing misuse resistance against nonce reuse. This construction generates a synthetic IV from the key, message, and associated data, ensuring that identical inputs produce identical ciphertexts while maintaining security even if nonces are repeated or predictable. AEGIS is a family of high-performance authenticated encryption algorithms based on a sponge construction that leverages AES round functions for state updates and diffusion, achieving key commitment and resistance to certain side-channel attacks. Introduced in 2013 and advanced as a finalist in the CAESAR competition, variants like AEGIS-128L and AEGIS-256 offer parallelizable processing with minimal overhead, making them suitable for software implementations requiring speeds exceeding those of AES-GCM on modern hardware. OCB (Offset Codebook Mode), first proposed in 2001, provides parallelizable authenticated encryption with rate-1 efficiency, where each block of plaintext is encrypted using a single block cipher invocation offset by a unique value derived from a nonce. Standardized in RFC 7253, OCB ensures both confidentiality and authenticity for messages and associated data, though its implementation complexity and historical patent restrictions (expired in the early 2020s) limited early adoption. Ascon, standardized by NIST in SP 800-232 in August 2025, is a permutation-based authenticated encryption scheme designed for resource-constrained devices, offering compact implementations with 128-bit security while supporting authenticated encryption with associated data. Its family includes variants like Ascon-128, which use a lightweight sponge-like permutation for both encryption and authentication, prioritizing low gate count and energy efficiency over high-throughput performance.

Security Considerations

Known Attacks

One of the most critical vulnerabilities in authenticated encryption schemes like AES-GCM arises from nonce reuse, where the same key-nonce pair is used to encrypt multiple messages. In this scenario, the counter mode (CTR) component generates identical keystreams for both encryptions, leaking the XOR of the corresponding plaintext blocks to an eavesdropper. Additionally, the Galois hash (GHASH) authentication allows recovery of the hash subkey H through manipulation of the authentication tags, enabling indefinite message forgeries thereafter. This issue was demonstrated in early theoretical analyses of GCM implementations and has been exploited in real-world scenarios, such as applications where nonce reuse led to full compromise after collecting sufficient ciphertexts. The partitioning oracle attack, presented by Len et al. in 2021, targets AEAD schemes lacking key commitment, including AES-GCM and AES-GCM-SIV. By querying a decryption oracle that reveals whether a ciphertext decrypts to a valid plaintext under keys in specific partitions of the key space, an attacker can recover the secret key in approximately 2^{32} operations through adaptive chosen-ciphertext queries. This attack exploits the non-committing nature of the underlying scheme, partitioning the key space into halves and iteratively refining candidates, and has implications for protocols providing such oracles, like certain password-based systems. Forgery attacks on schemes using Poly1305, such as ChaCha20-Poly1305, become feasible in multi-user settings with nonce collisions. If the same nonce is reused across encryptions under the same key, the deterministic MAC computation allows an attacker to forge valid tags for arbitrary messages by XORing differences in known ciphertexts and tags. A 2015 analysis in the context of IETF protocols emphasized that such collisions compromise security across multiple users, tightening bounds to account for up to \sqrt{q} collisions in q queries. Side-channel attacks pose significant risks to AEAD implementations.
Timing attacks on the GHASH function in AES-GCM, analyzed in 2013, exploit variations in the field multiplication operations during tag computation, potentially leaking bits of the hash subkey through measurable execution time differences in non-constant-time implementations. Similarly, cache-timing attacks target the AES-CTR component, where shared cache lines in multi-tenant environments (e.g., cloud servers) reveal key-dependent access patterns, enabling full key recovery from as few as 800 encryptions in cross-VM scenarios. These vulnerabilities, first detailed for AES in 2005, persist in GCM due to its reliance on table-based AES implementations. In the post-quantum setting, standard AEAD schemes like AES-GCM face no major cryptanalytic breaks beyond Grover's algorithm providing a speedup for key search.

Best Practices

When implementing authenticated encryption (AE), proper nonce management is essential to maintain security. Nonces must be unique for each encryption under the same key to prevent attacks that compromise confidentiality and integrity; for example, in GCM, the recommended 96-bit length facilitates efficient processing, and nonces can be generated using a random number generator or deterministically as a fixed field combined with a counter or invocation field, with the probability of collision kept below 2^{-32}. Avoid using simple counters in environments where rollover is possible without careful state management, as reuse can lead to full disclosure of plaintexts. In schemes like XChaCha20-Poly1305, larger 192-bit nonces allow safer random generation, supporting up to 2^{48} messages per key with negligible collision risk. Authentication tags must be handled with care during decryption to avoid side-channel vulnerabilities. Always verify the full tag before processing or releasing the plaintext, using a constant-time comparison to prevent timing attacks that could leak information about the tag contents. Tag lengths should be fixed per key, with shorter lengths (e.g., 32 bits in GCM) reducing security margins and thus avoided unless bandwidth constraints demand it. Effective key management underpins secure AE deployment. Generate fresh, uniformly random keys for each session or communication channel, rotating them regularly based on usage limits (such as processing no more than 2^{} blocks per key in GCM) to limit exposure if compromised. For multi-user scenarios, prefer key-committing AEAD modes, which bind the ciphertext to the specific key and resist key-recovery attacks across users, as analyzed in constructions extending standard schemes like GCM. Associated data (AD) should encompass all non-confidential metadata that requires integrity protection, such as headers, timestamps, or protocol fields, to prevent tampering or replay attacks.
Include it explicitly in the AEAD invocation, ensuring correct parsing and padding (e.g., zero-padding to 128-bit multiples in GCM's GHASH computation) without encrypting it; AD lengths are typically capped at 2^{64}-1 bits. Select well-audited cryptographic libraries for implementation to minimize risks from flawed code. Libraries like libsodium provide verified AEAD primitives, such as crypto_aead_xchacha20poly1305_ietf_encrypt, which handle tag generation and verification securely; enable hardware acceleration (e.g., AES-NI for GCM) where available to improve performance without sacrificing security, provided the implementation is validated against standards like FIPS 140.
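The nonce and key-usage rules above, as an added example that is not code from the article or from any library: a deterministic GCM nonce generator (fixed field || invocation counter) that refuses to exceed the per-key invocation limit and the per-message plaintext limit quoted in the AES-GCM section, plus a birthday-bound calculation for the number of random nonces a key can safely absorb. The 4-byte fixed field / 8-byte counter split and the 2^32 invocation cap are this example's own assumptions.

```python
import secrets
from math import isqrt

GCM_MAX_PLAINTEXT_BYTES = (2 ** 39 - 256) // 8   # per-message limit from SP 800-38D, in bytes
GCM_MAX_INVOCATIONS = 2 ** 32                    # assumed per-key cap for 96-bit nonces


class GcmNonceSequence:
    """Deterministic 96-bit nonce: 32-bit fixed field || 64-bit invocation counter.
    The fixed field identifies the sender/session; the counter never repeats under one key."""

    def __init__(self, fixed_field: bytes, max_invocations: int = GCM_MAX_INVOCATIONS):
        if len(fixed_field) != 4:
            raise ValueError("fixed field must be exactly 4 bytes")
        self.fixed = fixed_field
        self.invocations = 0
        self.max_invocations = max_invocations

    def remaining(self) -> int:
        return self.max_invocations - self.invocations

    def next_nonce(self, plaintext_len: int) -> bytes:
        """Issue the next nonce, or refuse when a limit would be violated."""
        if plaintext_len > GCM_MAX_PLAINTEXT_BYTES:
            raise ValueError("message exceeds the GCM per-invocation plaintext limit")
        if self.invocations >= self.max_invocations:
            raise RuntimeError("key exhausted: rotate the key before encrypting again")
        nonce = self.fixed + self.invocations.to_bytes(8, "big")
        self.invocations += 1
        return nonce


def random_nonce_budget(nonce_bits: int, log2_max_collision_prob: int = -32) -> int:
    """Largest message count n for which the birthday collision bound
    n^2 / 2^(nonce_bits + 1) stays at or below 2^log2_max_collision_prob."""
    return isqrt(2 ** (nonce_bits + 1 + log2_max_collision_prob))


def random_nonce(nonce_bits: int) -> bytes:
    """A uniformly random nonce from the OS CSPRNG (for 96- or 192-bit nonces)."""
    return secrets.token_bytes(nonce_bits // 8)
```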
