Authenticated Encryption with Associated Data (AEAD)

The AEAD primitive is the most common primitive for data encryption, and is suitable for most encryption needs.

AEAD has the following properties:

  • Secrecy: Nobody will be able to get any information about the encrypted plaintext, except the length.
  • Authenticity: Without the key it is impossible to change the plaintext underlying the ciphertext undetected.
  • Symmetric: Encrypting the message and decrypting the ciphertext is done with the same key.
  • Randomization: The encryption is randomized. Two messages with the same plaintext will not yield the same ciphertext. This prevents attackers from knowing which ciphertext corresponds to a given plaintext. If you don't want this, see Deterministic AEAD.

Associated data

AEAD can also be used to tie ciphertext to specific associated data. For example, suppose you have a database with a field, user-id, and a field, encrypted-medical-history. In this case, user-id should be used as associated data when encrypting the medical history. This ensures that an attacker cannot move medical history from one user to another.

Choosing a key type

While we recommend using AES128_GCM for most uses, there are a variety of key types for different needs. In general, the following holds true:

  • AES128_CTR_HMAC_SHA256 (AES256_CTR_HMAC_SHA256, if you want 256-bit security) with 16-byte Initialization Vector (IV) is the most conservative mode with good bounds.
  • AES128_EAX (AES256_EAX, if you want 256-bit security) is slightly less conservative and slightly faster than AES128_CTR_HMAC_SHA256.
  • AES128_GCM (AES256_GCM, if you want 256-bit security) is usually the fastest mode, with the strictest limits on the number of messages and message size. Note that when these limits on plaintext and associated data lengths (listed below) are not upheld, AES128_GCM will fail and leak key material.
  • AES128_GCM_SIV (AES256_GCM_SIV, if you want 256-bit security) is nearly as fast as AES128_GCM with very good bounds for a large amount of messages, but is slightly less established. Note that in order to use this mode in Java you have to install Conscrypt.
  • XChaCha20Poly1305 has a much greater limit on the number of messages and message size than AES128_GCM, but when it does fail (again, very unlikely) it also leaks key material. Because it's not hardware accelerated, it can be slower than AES modes if hardware acceleration is available.

Minimal security guarantees

The following guarantees apply to all AEAD implementations:

  • CCA2 security
  • At least 80-bit authentication strength
  • The plaintext and associated data can have arbitrary lengths (within the range 0..232 bytes)
  • Can encrypt at least 232 messages with a total of 250 bytes so that no attack has success probability larger than 2-32
  • There are no secrecy or validity guarantees for associated data

Example use case

See I want to encrypt data.