Page Summary
- Authenticated Encryption with Associated Data (AEAD) is the recommended primitive for most data encryption needs, providing secrecy, authenticity, and randomization.
- AEAD utilizes the same key for encryption and decryption, and randomizes the encryption process for enhanced security, although deterministic options are available.
- While AES128_GCM is generally the fastest and recommended key type, other options like AES128_CTR_HMAC_SHA256, AES128_EAX, AES128_GCM_SIV, and XChaCha20Poly1305 cater to specific security and performance requirements.
- Associated data used in AEAD is authenticated but not encrypted, meaning it can be verified but is still visible.
- AEAD implementations provide strong security guarantees, including CCA2 security and at least 80-bit authentication strength, but do not guarantee the secrecy of associated data.
The Authenticated Encryption with Associated Data (AEAD) primitive is the most common primitive for data encryption and is suitable for most needs.
AEAD has the following properties:
- Secrecy: Nothing about the plaintext is known, except its length.
- Authenticity: It is impossible to change the encrypted plaintext underlying the ciphertext without being detected.
- Symmetric: Encrypting the plaintext and decrypting the ciphertext is done with the same key.
- Randomization: Encryption is randomized. Two messages with the same plaintext yield different ciphertexts. Attackers cannot know which ciphertext corresponds to a given plaintext. If you want to avoid this, use Deterministic AEAD instead.
Associated data
AEAD can be used to tie ciphertext to specific associated data. Suppose you have a database with the fields user-id and encrypted-medical-history. In this scenario, user-id can be used as associated data when encrypting encrypted-medical-history. This prevents an attacker from moving medical history from one user to another.
Associated data is optional. If specified, decryption only succeeds if the same associated data is passed to both encrypt and decrypt calls.
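The user-id binding described above, as an added example that is not part of the original page and does not use Tink's API or ciphertext format: it uses Go's standard-library AES-GCM (the AES128_GCM construction) with the user-id as associated data, so a ciphertext copied into another user's row is rejected at decryption. Key, user ids and record contents are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewAESGCM builds an AES-GCM AEAD; a 16-byte key gives AES-128 (AES128_GCM).
func NewAESGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptForUser encrypts one medical-history record with a fresh random
// nonce and binds it to userID by passing the id as associated data. The id
// is authenticated but not encrypted; output is nonce || ciphertext || tag.
func EncryptForUser(aead cipher.AEAD, userID string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(userID)), nil
}

// DecryptForUser opens a record using the row's own user-id as associated
// data. A ciphertext copied into another user's row fails the tag check.
func DecryptForUser(aead cipher.AEAD, userID string, ct []byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(ct) < n+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, ct[:n], ct[n:], []byte(userID))
}

func main() {
	key := make([]byte, 16) // constructed demo key; real keys come from a keyset/KMS
	rand.Read(key)
	aead, _ := NewAESGCM(key)
	ct, _ := EncryptForUser(aead, "user-42", []byte("allergy: penicillin"))
	_, err := DecryptForUser(aead, "user-99", ct) // record moved to another row
	fmt.Println("rejected under wrong user-id:", err != nil)
}
```

Decrypting the same ciphertext with the original user-id succeeds, and encrypting the same plaintext twice yields different ciphertexts because the nonce is random.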
Choose a key type
While we recommend AES128_GCM for most uses, there are various key types for different needs. AES128 offers 128-bit security, and AES256 offers 256-bit security.
The two notable security constraints when choosing a mode are:
- QPS: How many messages are encrypted with the same key?
- Message size: How large are the messages?
Generally:
- AES-CTR-HMAC (AES128_CTR_HMAC_SHA256, AES256_CTR_HMAC_SHA256) with a 16-byte Initialization Vector (IV) is the most conservative mode with good bounds.
- AES-EAX (AES128_EAX, AES256_EAX) is slightly less conservative and slightly faster than AES128_CTR_HMAC_SHA256.
- AES-GCM (AES128_GCM, AES256_GCM) is usually the fastest mode with the strictest limits on the number of messages and message size. When these limits on plaintext and associated data lengths (below) are exceeded, AES-GCM fails catastrophically and leaks key material.
- AES-GCM-SIV (AES128_GCM_SIV, AES256_GCM_SIV) is nearly as fast as AES-GCM. It has the same limits as AES-GCM on the number of messages and message size, but when these limits are exceeded, it fails in a less catastrophic way: it may only leak the fact that two messages are equal. This makes it safer to use than AES-GCM, but it is less widely used in practice. To use this in Java, you have to install Conscrypt.
- XChaCha20-Poly1305 (XCHACHA20_POLY1305) has a much greater limit on the number of messages and message size than AES-GCM, but when it does fail (very unlikely), it also leaks key material. It isn't hardware accelerated, so it can be slower than AES modes in situations where hardware acceleration is available.
Security guarantees
AEAD implementations offer:
- CCA2 security.
- At least 80-bit authentication strength.
- The ability to encrypt at least 2^32 messages with a total of 2^50 bytes. No attack with up to 2^32 chosen plaintexts or chosen ciphertexts has success probability larger than 2^-32.
Example use cases
See "I want to encrypt data" and "I want to bind ciphertext to its context".