Authenticated Encryption (AEAD)
Learn what Authenticated Encryption with Associated Data (AEAD) is, why encryption alone is not enough, and how AEAD prevents tampering attacks. Covers AES-GCM and ChaCha20-Poly1305.
Detailed Explanation
Authenticated Encryption with Associated Data (AEAD)
AEAD is a class of encryption algorithms that provide both confidentiality (data cannot be read) and integrity/authenticity (data cannot be tampered with). This is a critical distinction — encryption without authentication is dangerous.
Why Encryption Alone Is Not Enough
Encryption-only modes (e.g., AES-CBC or AES-CTR without a MAC) protect confidentiality but not integrity: the decryptor has no way to distinguish a genuine ciphertext from a modified one. Worse, the modifications are predictable. In CTR and other stream-style modes, flipping a bit of ciphertext flips the same bit of plaintext; in CBC, flipping a bit in a ciphertext block (or in the IV) flips the same bit in the following plaintext block, at the cost of scrambling the block that was modified.
Original: Encrypt("Transfer $100 to Alice") ──▶ ciphertext
Tampered: Modify ciphertext bytes
Decrypted: "Transfer $900 to Alice" ← No error! Silently corrupted
This is not a theoretical concern: bit-flipping attacks on CBC and CTR ciphertexts, and padding oracle attacks on CBC (where the receiver's padding-error behaviour lets an attacker decrypt one byte at a time), both exploit the absence of authentication.
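The bit-flip above, carried out against real AES-CTR and AES-CBC using only Go's standard library. This is an added example, not code from the original page; the key, IV and message are constructed for the demonstration, and `TamperCTR`/`TamperCBC` are hypothetical names. The attacker never learns the key: knowing (or guessing) that byte 10 of the plaintext is `1` is enough to turn it into `9`.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed demo key and IV for the example only. Real code derives the key
// with a KDF and draws the IV/nonce from crypto/rand; none of that would stop
// this attack, because the problem is the missing authentication, not the key.
var (
	demoKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
	demoIV  = []byte("fixed-iv-16bytes")                 // one 16-byte block
)

// ctrXOR encrypts or decrypts (the same operation) with AES-256-CTR. No MAC.
func ctrXOR(key, iv, in []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// flipByte returns a copy of b with b[pos] XORed by delta.
func flipByte(b []byte, pos int, delta byte) []byte {
	out := append([]byte(nil), b...)
	out[pos] ^= delta
	return out
}

// pkcs7Pad / pkcs7Unpad give CBC the block-aligned input it needs.
func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	for i := 0; i < n; i++ {
		b = append(b, byte(n))
	}
	return b
}

func pkcs7Unpad(b []byte) []byte {
	return b[:len(b)-int(b[len(b)-1])]
}

// TamperCTR: the attacker knows the plaintext byte at pos is 'have' and wants
// the victim to decrypt 'want' instead. XORing have^want into the ciphertext
// byte lands the same XOR on the plaintext byte; nothing else changes.
func TamperCTR(plaintext string, pos int, have, want byte) string {
	ct := ctrXOR(demoKey, demoIV, []byte(plaintext))
	forged := flipByte(ct, pos, have^want)
	return string(ctrXOR(demoKey, demoIV, forged)) // the victim "decrypts" the forgery
}

// TamperCBC does the same against AES-CBC. CBC decryption XORs the previous
// ciphertext block (for block 0, the IV) into the decrypted block, so a bit
// flipped in the IV flips the same bit of plaintext block 0 without scrambling
// anything. (Flipping ciphertext block i instead edits block i+1 and scrambles
// block i.) pos must be < 16 for the IV variant shown here.
func TamperCBC(plaintext string, pos int, have, want byte) string {
	block, err := aes.NewCipher(demoKey)
	if err != nil {
		panic(err)
	}
	pt := pkcs7Pad([]byte(plaintext), aes.BlockSize)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, demoIV).CryptBlocks(ct, pt)

	forgedIV := flipByte(demoIV, pos, have^want) // attacker edits the IV, never the key
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, forgedIV).CryptBlocks(out, ct)
	return string(pkcs7Unpad(out))
}

func main() {
	msg := "Transfer $100 to Alice" // byte 10 is the '1'
	fmt.Println(TamperCTR(msg, 10, '1', '9')) // Transfer $900 to Alice
	fmt.Println(TamperCBC(msg, 10, '1', '9')) // Transfer $900 to Alice
}
```

Neither decryption reports anything wrong; the receiver gets a well-formed, fully decryptable message that says something the sender never wrote.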
How AEAD Works
An AEAD algorithm takes four inputs:
- Key — The secret encryption key
- Nonce/IV — A value that must be unique for every encryption under the same key; it need not be secret and is normally transmitted alongside the ciphertext
- Plaintext — The data to encrypt
- Associated Data (AD) — Data that is authenticated but not encrypted (e.g., headers, metadata)
And produces two outputs:
- Ciphertext — The encrypted data
- Authentication Tag — A fixed-size tag that authenticates both the ciphertext and the associated data
Encrypt(Key, Nonce, Plaintext, AD) ──▶ (Ciphertext, Tag)
Decrypt(Key, Nonce, Ciphertext, Tag, AD) ──▶ Plaintext or ERROR
If any bit of the ciphertext, tag, associated data, or nonce is modified, decryption fails and returns no plaintext at all. One practical caveat: the tag must be verified before any plaintext is released. Streaming APIs that hand out decrypted data before the tag has been checked reintroduce exactly the problem AEAD is meant to solve.
Associated Data Use Cases
The "AD" in AEAD protects metadata that must be readable but not modifiable:
- Network packets — Encrypt the payload, authenticate the header
- Database records — Encrypt sensitive fields, authenticate the row ID and timestamp
- File encryption — Encrypt the file content, authenticate the filename and permissions
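The network-packet case above, as an added example using Go's standard-library AES-256-GCM (not code from the original page). The packet header is passed as associated data, a fresh random 96-bit nonce is drawn per message, and `TamperChecks` flips one bit in each of the four inputs to confirm that `Open` rejects every one of them. The key, header and payload are constructed for the demonstration; `Envelope`, `Seal`, `Open` and `TamperChecks` are hypothetical names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Envelope is what travels on the wire or sits in the database row: the
// header is associated data (readable, authenticated, not encrypted), the
// nonce is public, and Sealed is ciphertext followed by the 16-byte GCM tag.
type Envelope struct {
	Header []byte
	Nonce  []byte
	Sealed []byte
}

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block) // 96-bit nonce, 128-bit tag
	if err != nil {
		panic(err)
	}
	return aead
}

// Seal encrypts payload and authenticates header||payload under a fresh
// random 96-bit nonce. Nonce uniqueness per key is the caller's contract:
// with random nonces, rotate the key well before 2^32 messages.
func Seal(key, header, payload []byte) (Envelope, error) {
	aead := newGCM(key)
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{Header: header, Nonce: nonce, Sealed: aead.Seal(nil, nonce, payload, header)}, nil
}

// Open returns the payload only if header, nonce, ciphertext and tag are all
// exactly as sealed; otherwise it returns an error and no plaintext.
func Open(key []byte, e Envelope) ([]byte, error) {
	return newGCM(key).Open(nil, e.Nonce, e.Sealed, e.Header)
}

// TamperChecks seals one message, confirms the untouched envelope opens, then
// flips one bit in each of four places and reports which copies Open rejected.
// header and payload are expected to be non-empty.
func TamperChecks(key, header, payload []byte) (map[string]bool, error) {
	env, err := Seal(key, header, payload)
	if err != nil {
		return nil, err
	}
	if got, err := Open(key, env); err != nil || string(got) != string(payload) {
		return nil, fmt.Errorf("untampered envelope failed to open: %v", err)
	}
	flip := func(b []byte, pos int) []byte {
		c := append([]byte(nil), b...)
		c[pos] ^= 0x01
		return c
	}
	tagStart := len(env.Sealed) - newGCM(key).Overhead() // tag is the last 16 bytes
	cases := map[string]Envelope{
		"ciphertext": {env.Header, env.Nonce, flip(env.Sealed, 0)},
		"tag":        {env.Header, env.Nonce, flip(env.Sealed, tagStart)},
		"header":     {flip(env.Header, 0), env.Nonce, env.Sealed},
		"nonce":      {env.Header, flip(env.Nonce, 0), env.Sealed},
	}
	rejected := make(map[string]bool, len(cases))
	for name, c := range cases {
		_, err := Open(key, c)
		rejected[name] = err != nil
	}
	return rejected, nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed demo key
	res, err := TamperChecks(key, []byte("v1|dst=acct-42|len=22"), []byte("Transfer $100 to Alice"))
	if err != nil {
		panic(err)
	}
	fmt.Println(res) // map[ciphertext:true header:true nonce:true tag:true]
}
```

Note that the header is stored and sent in the clear, so a router or database index can still read it; it just cannot be swapped onto a different ciphertext without `Open` failing.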
Common AEAD Algorithms
| Algorithm | Key Size | Nonce Size | Tag Size |
|---|---|---|---|
| AES-128-GCM | 128-bit | 96-bit | 128-bit |
| AES-256-GCM | 256-bit | 96-bit | 128-bit |
| ChaCha20-Poly1305 | 256-bit | 96-bit | 128-bit |
| XChaCha20-Poly1305 | 256-bit | 192-bit | 128-bit |
| AES-GCM-SIV | 128/256-bit | 96-bit | 128-bit |
The Encrypt-then-MAC Alternative
Before dedicated AEAD modes were standardized, the recommended generic composition was Encrypt-then-MAC: encrypt the plaintext, then compute an HMAC over the IV, the associated data and the ciphertext, and verify that MAC before decrypting anything. Done correctly this is secure, but it is easy to get wrong: MAC-then-Encrypt (the order older TLS used) exposes padding oracles, leaving the IV or the associated data out of the MAC leaves them malleable, comparing tags with an ordinary equality check leaks timing, and reusing one key for both encryption and MAC voids the security argument.
AEAD algorithms eliminate these implementation pitfalls by combining encryption and authentication into a single, audited primitive.
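For reference, a correct Encrypt-then-MAC composition that avoids the pitfalls just listed: AES-256-CTR under a fresh IV, HMAC-SHA256 over the associated data, IV and ciphertext (with a length prefix so the AD/ciphertext boundary is unambiguous), separate keys, and a constant-time tag check that happens before any decryption. This is an added example, not code from the original page; the keys, AD and message are constructed, and `EtMSeal`/`EtMOpen` are hypothetical names. In new code, reach for a library AEAD instead and keep this only as a reference for reviewing legacy implementations.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

const tagSize = sha256.Size // HMAC-SHA256 tag: 32 bytes

var ErrAuth = errors.New("etm: authentication failed")

// macTag authenticates len(ad) || ad || iv || ciphertext. The length prefix
// stops an attacker from shifting bytes between the AD and the ciphertext
// while leaving the MAC input unchanged.
func macTag(macKey, ad, ivAndCiphertext []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	var l [8]byte
	binary.BigEndian.PutUint64(l[:], uint64(len(ad)))
	m.Write(l[:])
	m.Write(ad)
	m.Write(ivAndCiphertext)
	return m.Sum(nil)
}

// EtMSeal: AES-256-CTR under a fresh random IV, then HMAC over AD, IV and
// ciphertext. Output layout: iv || ciphertext || tag. encKey and macKey must be
// independent keys (derive both from one secret with a KDF; never share one).
func EtMSeal(encKey, macKey, ad, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize+len(plaintext)+tagSize)
	iv := out[:aes.BlockSize]
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	body := out[:aes.BlockSize+len(plaintext)] // iv || ciphertext
	cipher.NewCTR(block, iv).XORKeyStream(body[aes.BlockSize:], plaintext)
	copy(out[len(body):], macTag(macKey, ad, body))
	return out, nil
}

// EtMOpen verifies the tag first, in constant time, and only then decrypts.
// Every failure returns the same ErrAuth and no plaintext, so there is no
// padding or length oracle for an attacker to query.
func EtMOpen(encKey, macKey, ad, sealed []byte) ([]byte, error) {
	if len(sealed) < aes.BlockSize+tagSize {
		return nil, ErrAuth
	}
	body, tag := sealed[:len(sealed)-tagSize], sealed[len(sealed)-tagSize:]
	if !hmac.Equal(tag, macTag(macKey, ad, body)) { // constant-time compare
		return nil, ErrAuth
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	plaintext := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCTR(block, body[:aes.BlockSize]).XORKeyStream(plaintext, body[aes.BlockSize:])
	return plaintext, nil
}

func main() {
	encKey := []byte("0123456789abcdef0123456789abcdef") // constructed demo keys
	macKey := []byte("fedcba9876543210fedcba9876543210")
	ad := []byte("v1|dst=acct-42")
	sealed, err := EtMSeal(encKey, macKey, ad, []byte("Transfer $100 to Alice"))
	if err != nil {
		panic(err)
	}
	sealed[aes.BlockSize+10] ^= '1' ^ '9' // the CTR bit-flip that succeeds without a MAC
	_, err = EtMOpen(encKey, macKey, ad, sealed)
	fmt.Println(err) // etm: authentication failed
}
```

Every item in the list of pitfalls maps to one line here: the MAC covers `body` (IV and ciphertext) plus the AD, `hmac.Equal` does the comparison, and the decrypt call sits after the check rather than before it.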
AES-GCM-SIV: Nonce Misuse Resistance
Standard AES-GCM fails catastrophically if a nonce is reused under the same key: the keystream repeats, so the XOR of the two plaintexts is exposed, and the authentication subkey can be recovered from the two tags, after which the attacker can forge messages at will. This is also why NIST limits a key used with random 96-bit nonces to no more than 2^32 encryptions. AES-GCM-SIV provides nonce-misuse resistance: if a nonce is accidentally reused, the only leak is whether two (plaintext, associated data) pairs were identical; the key and all other plaintexts remain secure. The price is a second pass over the plaintext, since the tag must be computed before encryption can begin.
Use Case
AEAD is mandatory in modern security-sensitive applications. TLS 1.3 exclusively uses AEAD cipher suites. Cloud providers use AEAD for envelope encryption of customer data. Mobile applications use AEAD for local data protection. Any application handling financial transactions, personal data, or authentication tokens should use AEAD rather than encryption-only schemes to prevent data tampering and oracle attacks.