Deterministic Authenticated Encryption with Associated Data (Deterministic AEAD)
The Deterministic Authenticated Encryption with Associated Data (Deterministic
AEAD) primitive provides encryption with a deterministic property: encrypting
the same data always yields the same ciphertext. This type of encryption is
useful for key wrapping or for some schemes for searching on encrypted data (see
RFC 5297, Section 1.3 for more info). Because of this deterministic property,
using this primitive can lead to a loss of secrecy: an attacker who learns the
ciphertext of a given message can recognize every other occurrence of that
message without knowing the key.
Deterministic AEAD has the following properties:
Secrecy: Nothing about the plaintext is revealed, except its length and
whether two plaintexts are equal.
Authenticity: It is impossible to change the encrypted plaintext
underlying the ciphertext without being detected.
Symmetric: Encrypting the plaintext and decrypting the ciphertext is
done with the same key.
Deterministic: As long as the primary key is not changed, encrypting a
plaintext twice with the same parameters results in the same ciphertext.
Associated data
Deterministic AEAD can also be used to tie ciphertext to specific associated
data. For example, if you have a database with the fields user-id and
encrypted-medical-history, user-id can be used as associated data when
encrypting the medical history. Decryption then succeeds only when the same
user-id is supplied, which prevents an attacker from moving medical history
from one user to another. Associated data is authenticated but not encrypted,
so it must not itself be confidential.
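The database scenario above, worked through in Python as an added example that is not part of the original page and not Tink's code. To stay dependency-free it uses a teaching-only SIV composition: HMAC-SHA256 stands in for the AES-CMAC-based S2V of RFC 5297 and an HMAC counter-mode keystream stands in for AES-CTR (both are assumptions of this example, as are the 64-byte key layout and the user-id values); the structure, synthetic IV computed over associated data and plaintext, then a keystream derived from that IV, is what gives the primitive each property listed earlier. The `demo_medical_records` function records what a practitioner should expect to observe: determinism, rejection of a ciphertext moved to another user's row, tamper detection, the length leak, and the equality leak that appears when the associated data is the same.

```python
import hashlib
import hmac

# Teaching-only SIV composition (an assumption of this example, not Tink's
# AES256_SIV): HMAC-SHA256 replaces S2V, an HMAC counter-mode stream replaces
# AES-CTR. Ciphertext layout follows SIV: synthetic IV || (plaintext XOR stream).
IV_LEN = 16  # 128-bit synthetic IV, which doubles as the authentication tag


def _split_key(key: bytes):
    # Example key layout: 32 bytes for the PRF, 32 bytes for the keystream.
    if len(key) != 64:
        raise ValueError("example expects a 64-byte key")
    return key[:32], key[32:]


def _s2v(mac_key: bytes, associated_data: bytes, plaintext: bytes) -> bytes:
    # PRF over (AD, plaintext); length framing keeps the two inputs unambiguous.
    h = hmac.new(mac_key, digestmod=hashlib.sha256)
    for part in (associated_data, plaintext):
        h.update(len(part).to_bytes(8, "big"))
        h.update(part)
    return h.digest()[:IV_LEN]


def _keystream(enc_key: bytes, iv: bytes, length: int) -> bytes:
    # Counter mode keyed by the synthetic IV: same IV, same keystream.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, iv + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_deterministically(key: bytes, plaintext: bytes, associated_data: bytes) -> bytes:
    mac_key, enc_key = _split_key(key)
    iv = _s2v(mac_key, associated_data, plaintext)  # same inputs -> same IV -> same bytes
    return iv + _xor(plaintext, _keystream(enc_key, iv, len(plaintext)))


def decrypt_deterministically(key: bytes, ciphertext: bytes, associated_data: bytes) -> bytes:
    mac_key, enc_key = _split_key(key)
    if len(ciphertext) < IV_LEN:
        raise ValueError("ciphertext too short")
    iv, body = ciphertext[:IV_LEN], ciphertext[IV_LEN:]
    plaintext = _xor(body, _keystream(enc_key, iv, len(body)))
    # SIV check: recompute the IV from the recovered plaintext and the caller's AD.
    # Any change to the ciphertext, the AD or the key makes this comparison fail.
    if not hmac.compare_digest(_s2v(mac_key, associated_data, plaintext), iv):
        raise ValueError("authentication failed")
    return plaintext


def _rejected(key: bytes, ciphertext: bytes, associated_data: bytes) -> bool:
    try:
        decrypt_deterministically(key, ciphertext, associated_data)
        return False
    except ValueError:
        return True


def demo_medical_records(key: bytes) -> dict:
    # Constructed rows: user-id is the AD for the encrypted-medical-history column.
    history_a, history_b, history_c = b"asthma", b"asthma", b"diabetes"
    ct_a = encrypt_deterministically(key, history_a, b"user-1001")
    ct_b = encrypt_deterministically(key, history_b, b"user-1002")
    ct_c = encrypt_deterministically(key, history_c, b"user-1003")
    tampered = ct_c[:-1] + bytes([ct_c[-1] ^ 0x01])  # flip one ciphertext bit
    return {
        "deterministic": ct_a == encrypt_deterministically(key, history_a, b"user-1001"),
        "roundtrip": decrypt_deterministically(key, ct_a, b"user-1001") == history_a,
        # AD binding: user A's ciphertext copied into user B's row is rejected
        "move_rejected": _rejected(key, ct_a, b"user-1002"),
        "tamper_rejected": _rejected(key, tampered, b"user-1003"),
        # the length leak: ciphertext is exactly IV plus plaintext length
        "length_visible": len(ct_a) == IV_LEN + len(history_a),
        # with distinct user-ids as AD, equal diagnoses do not produce equal bytes
        "distinct_ad_hides_equality": ct_a != ct_b,
        # with the same AD (here empty), equal diagnoses are visibly equal
        "same_ad_reveals_equality": encrypt_deterministically(key, history_a, b"")
        == encrypt_deterministically(key, history_b, b""),
    }
```

The last two entries are the practical reading of the "equality of repeated plaintexts" property: associated data that differs per row (such as user-id) also masks cross-row equality, while a column encrypted under a fixed associated data value, as in a searchable index, exposes which rows hold the same value.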
Choose a key type
We recommend the AES256_SIV key type for all use cases.
Security guarantees
At least 80-bit authentication strength.
The plaintext and associated data can have arbitrary lengths (within the
range 0..2^32 bytes).
128-bit security level against key recovery attacks, and also in multi-user
attacks with up to 2^32 keys: that means if an adversary obtains
2^32 ciphertexts of the same message encrypted under 2^32 keys, they need
to do 2^128 computations to obtain a single key.
The ability to safely encrypt 2^38 messages, provided each is less than
1 MB in length.
Last updated 2025-03-03 UTC.