Authenticated Encryption

Authenticated encryption (AE)

In the labyrinthine world of cryptography , where every shadow might conceal a threat, authenticated encryption (AE) emerges as a rather necessary construct. It’s an encryption scheme that, with a commendable lack of fuss, manages to simultaneously guarantee two fundamental properties for data in transit or at rest: its confidentiality and its authenticity . One might imagine these as two distinct, yet equally vital, layers of protection, ensuring not only that a message remains private but also that it hasn’t been tampered with by any unwelcome hands.

Firstly, AE ensures confidentiality , often referred to as privacy. This means the encrypted message, or ciphertext , is rendered utterly incomprehensible to anyone who does not possess the designated secret key . Without this shared secret, the data remains an opaque, meaningless jumble, a silent testament to its guarded nature.

Secondly, and just as critically, AE guarantees authenticity . This property means the encrypted message is, for all practical purposes, unforgeable. It includes an integral component known as an authentication tag . This tag serves as a cryptographic fingerprint, meticulously calculated by the sender using the same secret key . Upon receipt, the legitimate recipient can verify this tag. If the tag doesn’t match the received ciphertext or has been altered, it immediately signals that the message has either been modified in transit or originated from an unauthorized source. This prevents adversaries from injecting malicious or altered data disguised as legitimate communications.

Illustrative examples of encryption modes that elegantly provide this dual assurance of authenticated encryption include Galois/Counter Mode (GCM) and Counter with CBC-MAC (CCM). These modes are not merely academic curiosities but practical workhorses in securing digital communications.

A significant number, though notably not all, authenticated encryption schemes also possess the foresight to allow for the inclusion of “associated data” (AD). This associated data is an intriguing concept: it is deliberately not made confidential, meaning it remains readable in its original form. However, and this is where the utility lies, it is rigorously protected for integrity , making it tamper-evident . Consider, for instance, the header of a network packet . For the packet to be correctly routed across various network nodes, these intermediate points must be able to read the destination address contained within the header. Yet, for security reasons, these intermediate nodes should not, and often cannot, possess the secret key required to decrypt the actual payload. In such scenarios, associated data protection ensures that while the header is readable, any attempt to alter it will be immediately detected. Schemes that incorporate this feature are known as authenticated encryption with associated data (AEAD) schemes, a testament to the real-world complexities that cryptography must navigate.

Programming interface

For those tasked with implementing or interacting with authenticated encryption within software, a typical programming interface presents a rather straightforward, almost deceptively simple, set of functions. One might think such critical operations would be shrouded in more complexity, but the elegance lies in their clear delineation.

At its core, an AE implementation generally offers two primary functions:

• Encryption: This function takes the original, unencrypted message, known as the plaintext , as its primary input. It also requires the secret key that will be used for both confidentiality and authenticity . Crucially, and reflecting the real-world demands of AEAD, it often accepts an optional “header.” This header, also referred to as additional authenticated data (AAD) or simply associated data (AD), is provided in plaintext . Its purpose is explicit: it will not be encrypted, remaining fully readable, but it will be meticulously covered by the authenticity protection. The output of this function is a formidable pair: the ciphertext , which is the encrypted form of the original plaintext , and an authentication tag . This tag is essentially a message authentication code (MAC), a compact cryptographic checksum that vouches for the integrity and authenticity of both the ciphertext and the optional header.

• Decryption: This function is the mirror image of encryption, designed to reverse the process and verify the message’s integrity. Its inputs include the received ciphertext , the same secret key used during encryption, and the authentication tag that accompanied the message. If a header (AAD/AD) was used during encryption, it must also be provided here, in its original plaintext form, for the authenticity check. The output of this function is either the original plaintext , faithfully restored, or, perhaps more frequently in the chaotic digital landscape, an error. This error signals a critical failure: the provided authentication tag simply does not match the supplied ciphertext or header, indicating that the message has been compromised or is illegitimate.

The aforementioned header part is not an afterthought; it’s a deliberate design choice. Its primary intent is to extend both authenticity and integrity protection to networking or storage metadata. This metadata, while vital for the correct functioning of systems (like a packet’s destination address or a file’s creation timestamp), does not require confidentiality . Yet, its authenticity is paramount to prevent malicious manipulation that could lead to misrouting, data corruption, or other system failures. It’s a pragmatic concession to the realities of system architecture, ensuring that even non-secret components are trustworthy.

History

The genesis of authenticated encryption as a formalized concept was, predictably, born out of necessity—or, more accurately, out of the widespread failure to adequately combine existing cryptographic primitives. It became rather painfully clear that attempting to securely glue together separate confidentiality (encryption) and authentication (message authentication code or MAC) block cipher operation modes was a task far more error-prone and difficult than many initially assumed. One might have thought that “secure encryption” plus “secure authentication” would automatically yield “secure authenticated encryption.” Such naive optimism, it turned out, was largely unfounded.

This harsh reality was underscored by a disconcerting parade of practical attacks. These vulnerabilities were not confined to theoretical papers but manifested directly in production protocols and applications, stemming from incorrect implementations or, perhaps more egregiously, a complete lack of proper authentication. The consequences were, as one might expect, rather dire, highlighting a critical gap in cryptographic design and application.

Around the turn of the millennium, a collective realization sparked numerous efforts focused on the standardization of modes that could inherently ensure correct implementation of both privacy and integrity. The burgeoning interest in demonstrably secure modes was significantly catalyzed by the publication of Charanjit Jutla’s seminal work in 2000, introducing his integrity-aware CBC and integrity-aware parallelizable (IAPM) modes. These early contributions, which would later influence modes like OCB , marked a crucial step towards robust authenticated encryption .

The international community, recognizing the urgent need for reliable solutions, eventually codified several different authenticated encryption modes. Six distinct approaches—specifically Offset Codebook Mode 2.0 (OCB 2.0), Key Wrap , Counter with CBC-MAC (CCM), Encrypt then Authenticate then Translate (EAX), Encrypt-then-MAC (EtM), and Galois/Counter Mode (GCM)—were formally standardized within ISO/IEC 19772:2009 . This standardization represented a significant milestone, providing a framework for developers to implement these complex functions correctly and consistently.

The momentum continued, with even more authenticated encryption methods being developed and proposed in response to solicitations from the National Institute of Standards and Technology (NIST), demonstrating an ongoing commitment to refining and expanding the cryptographic toolkit. Furthermore, the versatile concept of sponge functions , known for their ability to absorb input and squeeze out output, was found to be adaptable for providing authenticated encryption when employed in duplex mode, showcasing the flexibility of modern cryptographic primitives.

Earlier, in 2000, Mihir Bellare and Chanathip Namprempre conducted a rigorous analysis of three common compositions of encryption and MAC primitives. Their work was instrumental in demonstrating that the approach of encrypting a message first and then applying a MAC to the resulting ciphertext —the so-called Encrypt-then-MAC (EtM) paradigm—could indeed imply security against an adaptive chosen ciphertext attack , provided that both the encryption and MAC functions met minimum required security properties. Concurrently, Jonathan Katz and Moti Yung explored a similar notion, terming it “unforgeable encryption,” and further solidified its theoretical underpinnings by proving its implication of security against chosen-ciphertext attacks . These foundational analyses provided much-needed theoretical rigor to the practical challenges of combining primitives.

The pursuit of better authenticated encryption continued, leading to the announcement of the CAESAR competition in 2013. This competition aimed to stimulate the design and evaluation of new, more robust, and efficient authenticated encryption modes, pushing the boundaries of what was considered state-of-the-art.

In a more recent development from 2015, ChaCha20-Poly1305 was introduced as a potent alternative authenticated encryption construction to GCM within various Internet Engineering Task Force (IETF) protocols. This addition reflected an ongoing evolution in cryptographic preferences, driven by factors such as performance, resistance to certain types of attacks, and ease of implementation.

Variants

The core concept of authenticated encryption , while robust, has seen several refinements and specialized variants emerge to address specific challenges and use cases. These adaptations acknowledge that the digital landscape is rarely a one-size-fits-all scenario.

Authenticated encryption with associated data

As previously hinted, authenticated encryption with associated data (AEAD) stands as a prominent variant of AE. It’s designed for scenarios where certain portions of a message, while not requiring confidentiality , absolutely demand integrity and authenticity . The “associated data” (AD), also known as “additional non-confidential information” or “additional authenticated data” (AAD), allows for this nuanced protection. A recipient using an AEAD scheme can, therefore, rigorously check the integrity of both the associated data and the confidential information within a message.

This feature proves immensely useful in contexts such as network packets . Here, the header of a packet, containing essential metadata like source and destination addresses, must remain visible for efficient routing across the network. However, the integrity of this header is paramount; any malicious alteration could lead to misdirection or denial of service. Concurrently, the actual payload of the packet often requires full confidentiality . AEAD expertly handles this duality, ensuring that the header is readable but tamper-evident, while the payload is both confidential and authenticated. The formalization of this critical notion was provided by Phillip Rogaway in 2002, solidifying its place in modern cryptography.

Key-committing AEAD

One might assume that if an authenticated encryption scheme successfully validates an authentication tag using a specific symmetric key , say K_A, held by Alice , it inherently proves that the message originated from a party possessing K_A and was not tampered with by an adversary, such as Mallory , who lacks K_A. This is the essence of ciphertext integrity . However, most AE schemes, even the widely popular GCM , traditionally do not provide what is known as key commitment. Key commitment is a stronger guarantee: it ensures that decryption would unequivocally fail if any other key were used.

As of 2021, a rather unsettling reality persists: many existing AE schemes permit certain specially crafted messages to be decrypted without error using keys other than the single, correct K_A. While the plaintext recovered using a second (incorrect) key, K_M, would undoubtedly be garbled and incorrect, the authentication tag might, disturbingly, still match this new, incorrect plaintext . This vulnerability, though seemingly esoteric and requiring Mallory to possess both K_A and K_M to craft such a message, is far from a purely academic concern.

Under specific, unfortunate circumstances, practical attacks can be mounted against implementations vulnerable to this lack of key commitment. Imagine an identity authentication protocol where a user’s identity is verified solely by the successful decryption of a message using a password-based key. If Mallory can craft a single message that successfully decrypts under, say, a thousand different weak (and thus known to her) potential passwords, she can accelerate her dictionary attack by a factor of nearly 1000. For such an attack to succeed, Mallory also needs a mechanism to distinguish a successful decryption by Alice from an unsuccessful one, effectively turning Alice ’s side into an oracle —a flaw often stemming from poor protocol design or implementation. Naturally, this attack vector is entirely moot when keys are generated randomly, as is best practice.

The concept of key commitment was initially explored in the 2010s by researchers such as Abdalla et al. and Farshim et al., often under the moniker “robust encryption.” Their work laid the groundwork for understanding and mitigating this subtle but significant vulnerability.

To counteract the described attack without requiring the removal of the potentially problematic “oracle” (which might be difficult in existing systems), a key-committing AEAD scheme can be employed. These schemes are designed to prevent the existence of such crafted messages. AEGIS stands as an example of a fast and efficient key-committing AEAD, particularly when modern processor instruction sets like AES-NI are available. Furthermore, it is demonstrably possible to augment existing AEAD schemes with key-commitment properties, offering a pathway to enhance security without a complete overhaul.

Misuse-resistant authenticated encryption

In a world where human error is not just a possibility but a near certainty, misuse-resistant authenticated encryption (MRAE) offers a pragmatic concession to reality. MRAE schemes possess an invaluable additional property: even if the same cryptographic nonce (a number used once) is inadvertently reused for multiple messages—a common and catastrophic mistake in many cryptographic contexts—an attacker will not be able to recover the plaintext . This robustness against common implementation errors makes MRAE particularly appealing for systems where developers might lack deep cryptographic expertise or where operational constraints could lead to nonce reuse.

The formalization of MRAE was provided in 2006 by the esteemed cryptographers Phillip Rogaway and Thomas Shrimpton, recognizing the critical need for schemes that fail gracefully, rather than catastrophically, in the face of operational misuse. A prominent example of an MRAE algorithm, designed with this resilience in mind, is AES-GCM-SIV .

Approaches to authenticated encryption

The journey towards robust authenticated encryption has seen various architectural approaches, each with its own set of strengths, weaknesses, and historical implications. These paradigms dictate the order in which encryption and authentication operations are applied, a sequence that, as history has repeatedly shown, is far from arbitrary.

Encrypt-then-MAC (EtM)

The Encrypt-then-MAC (EtM) approach is, for many cryptographers, the conceptually most sound method for combining confidentiality and authenticity . In this paradigm, the plaintext message is first subjected to the encryption process, yielding a ciphertext . Subsequently, a message authentication code (MAC) is computed solely based on this resulting ciphertext . The ciphertext and its accompanying MAC are then transmitted together.

This sequence is not merely a preference; it is the standardized method according to ISO/IEC 19772:2009 . The reason for its prominence lies in its security properties: EtM is uniquely positioned as the only method among the generic composition paradigms that can achieve the highest definition of security in AE, specifically “strong unforgeability.” This pinnacle of security is attainable, however, only when the MAC employed is itself “strongly unforgeable,” underscoring the importance of robust underlying primitives.

The practical adoption of EtM reflects its proven security. IPsec , the suite of protocols used to secure Internet Protocol (IP) communications, formally adopted EtM in 2005. More recently, in November 2014, TLS and DTLS (Datagram Transport Layer Security) received extensions specifically for EtM via RFC 7366 , further cementing its role in securing web and real-time communications. Even SSHv2 (Secure Shell version 2) offers various EtM ciphersuites , such as hmac-sha1-etm@openssh.com, demonstrating its widespread acceptance across different secure communication protocols.

Encrypt-and-MAC (E&M)

The Encrypt-and-MAC (E&M) approach takes a somewhat different path, one that has been the subject of considerable scrutiny. In this method, a message authentication code (MAC) is generated based on the original plaintext . Simultaneously, or independently, the plaintext is encrypted, but without incorporating the MAC into the encryption process itself. Both the plaintext ’s MAC and the resulting ciphertext are then transmitted together.

A notable example of E&M’s deployment can be found in SSH . While this approach has not, in its raw form, been proven to achieve the coveted “strong unforgeability” that EtM can, it’s not entirely without hope. Researchers have shown that it is possible to apply certain minor modifications to SSH ’s implementation to bolster its security, enabling it to achieve strong unforgeability despite its foundational E&M paradigm. This highlights a recurring theme in cryptography: theoretical weaknesses can sometimes be mitigated through careful, protocol-specific engineering, though it often requires a deeper understanding of the entire system rather than just the individual cryptographic primitives.

MAC-then-Encrypt (MtE)

The MAC-then-Encrypt (MtE) approach is, by many accounts, the least advisable of the generic composition methods, and its history is replete with cautionary tales. Here, a message authentication code (MAC) is first computed over the plaintext . Then, both the original plaintext and the calculated MAC are bundled together and encrypted to produce a single ciphertext . This ciphertext , now containing an encrypted MAC, is what gets transmitted.

Historically, this approach was prevalent. Indeed, until TLS 1.2 , virtually all available SSL/TLS cipher suites relied on the MtE paradigm. This widespread adoption, however, did not equate to inherent security.

The MtE approach, much like E&M, has not been proven to be strongly unforgeable in its generic form. While Hugo Krawczyk famously provided a proof that SSL/TLS was, in fact, secure despite using MtE, his proof relied on specific encoding mechanisms employed alongside the MtE structure. However, even Krawczyk’s proof contained assumptions that later proved flawed, particularly concerning the randomness of the initialization vector (IV).

These flawed assumptions had tangible consequences. The infamous 2011 BEAST attack (Browser Exploit Against SSL/TLS) directly exploited the non-random chained IVs prevalent in TLS 1.0 and earlier, effectively breaking all CBC algorithms when used with MtE. This attack served as a stark reminder that even seemingly minor deviations from cryptographic best practices, or assumptions about randomness that don’t hold in practice, can lead to devastating vulnerabilities.

Further, deeper analysis of SSL/TLS modeled its protection not merely as MAC-then-Encrypt, but more precisely as MAC-then-pad-then-encrypt. This involves the plaintext being first padded to align with the block size of the encryption function. This padding, while necessary for block ciphers, introduced another critical attack surface. Errors in padding frequently result in detectable errors on the recipient’s side—errors that can be leveraged by attackers. This led directly to the development of sophisticated padding oracle attacks , such as the notorious Lucky Thirteen attack , which could reveal plaintext information byte by byte by observing server responses to malformed ciphertexts. The history of MtE in SSL/TLS is a compelling, if somewhat depressing, case study in the perils of cryptographic design choices and the persistent challenge of securing complex protocols against ingenious adversaries.

See also

• Block cipher mode of operation
• CCM mode
• CWC mode
• OCB mode
• EAX mode
• GCM
• GCM-SIV
• ChaCha20-Poly1305
• SGCM
• Signcryption

References

• ^ 1 a b c Black 2005, p. 1.
• ^ 2 Katz & Lindell 2020, p. 116.
• ^ 3 a b c Black 2005, p. 2.
• ^ 4
  • M. Bellare; P. Rogaway; D. Wagner. “A Conventional Authenticated-Encryption Mode ” (PDF). NIST. Retrieved March 12, 2013. people had been doing rather poorly when they tried to glue together a traditional (privacy-only) encryption scheme and a message authentication code (MAC)
• ^ 5
  • T. Kohno; J. Viega & D. Whiting. “The CWC Authenticated Encryption (Associated Data) Mode ” (PDF). NIST. Retrieved March 12, 2013. it is very easy to accidentally combine secure encryption schemes with secure MACs and still get insecure authenticated encryption schemes
• ^ 6
  • “Failures of secret-key cryptography ” (PDF). Daniel J. Bernstein. Archived from the original (PDF) on April 18, 2013. Retrieved March 12, 2013.
• ^ 7
  • Jutl, Charanjit S. (2000-08-01). “Encryption Modes with Almost Free Message Integrity ” (PDF). Cryptology ePrint Archive: Report 2000/039. Proceedings IACR EUROCRYPT 2001. IACR . Retrieved 2013-03-16.
• ^ 8
  • T. Krovetz; P. Rogaway (2011-03-01). “The Software Performance of Authenticated-Encryption Modes ” (PDF). Fast Software Encryption 2011 (FSE 2011). IACR .
• ^ 9 a b
  • “Information technology – Security techniques – Authenticated encryption ”. 19772:2009. ISO/IEC. Retrieved March 12, 2013.
• ^ 10
  • “Encryption modes development ”. NIST. Retrieved April 17, 2013.
• ^ 11
  • The Keccak Team. “Duplexing The Sponge ” (PDF).
• ^ 12
  • Katz, J.; Yung, M. (2001). “Unforgeable Encryption and Chosen Ciphertext Secure Modes of Operation”. In B. Schneier (ed.). Fast Software Encryption (FSE): 2000 Proceedings. Lecture Notes in Computer Science . Vol. 1978. pp. 284–299. doi :10.1007/3-540-44706-7_20 . ISBN 978-3-540-41728-6.
• ^ 13
  • “CAESAR: Competition for Authenticated Encryption: Security, Applicability, and Robustness ”. Retrieved March 12, 2013.
• ^ 14 Albertini et al. 2020, pp. 1–2.
• ^ 15
  • “Invisible Salamanders Are Not What You Think ”. Dhole Moments. 2024-09-10. Retrieved 2025-02-21.
• ^ 16 a b Albertini et al. 2020, p. 2.
• ^ 17
  • Len, Julia; Grubbs, Paul; Ristenpart, Thomas (2021). “Partitioning Oracle Attacks ”. USENET ‘21. pp. 195–212.
• ^ 18 Abdalla, Bellare & Neven 2010, pp. 480–497.
• ^ 19 Farshim et al. 2013, pp. 352–368.
• ^ 20 Bellare & Hoang 2022, p. 5.
• ^ 21
  • Denis, Frank. “The AEGIS Family of Authenticated Encryption Algorithms ”. cfrg.github.io.
• ^ 22
  • Gueron, Shay (2020). “Key Committing AEADs ” (PDF).
• ^ 23
  • poncho. “Key Committing AEADs ”. Cryptography Stack Exchange. Retrieved 21 February 2024. (See also the comment section discussing a revised libsodium recommendation for adding key-commitment.)
• ^ 24
  • Rogaway, Phillip ; Shrimpton, Thomas (2006). “Deterministic Authenticated-Encryption: A Provable-Security Treatment of the Key-Wrap Problem ” (PDF). EUROCRYPT . Lecture Notes in Computer Science . Vol. 4004. Springer . pp. 373–390. doi :10.1007/11761679_23 . Archived (PDF) from the original on 2024-12-18. Retrieved 2025-06-22.
• ^ 25 a b c
  • “Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm ”. M. Bellare and C. Namprempre. Archived from the original on January 23, 2018. Retrieved April 13, 2013.
• ^ 26
  • Kent, Stephen (December 2005). “Separate Confidentiality and Integrity Algorithms ”. RFC 4303 - IP Encapsulating Security Payload (ESP) . Internet Engineering Task Force (IETF). Retrieved 2018-09-12.
• ^ 27
  • Lonvick, Chris M.; Ylonen, Tatu (January 2006). “Data Integrity ”. RFC 4253 . Internet Engineering Task Force (IETF). Retrieved 2018-09-12.
• ^ 28
  • Bellare, Mihir; Kohno, Tadayoshi; Namprempre, Chanathip. “Breaking and Provably Repairing the SSH Authenticated Encryption Scheme: A Case Study of the Encode-then-Encrypt-and-MAC Paradigm ” (PDF). ACM Transactions on Information and System Security. Retrieved 30 August 2021.
• ^ 29
  • Rescorla, Eric; Dierks, Tim (August 2008). “Record Payload Protection ”. RFC 5246 . Internet Engineering Task Force (IETF). Retrieved 2018-09-12.
• ^ 30
  • “The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?) ” (PDF). H. Krawczyk. Retrieved April 13, 2013.
• ^ 31
  • Duong, Thai; Rizzo, Juliano (May 13, 2011). “Here Come The ⊕ Ninjas ” (PDF). – BEAST attack whitepaper

General

• Bellare, M.; Namprempre, C. (2000), “Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm ” (PDF), in T. Okamoto (ed.), Advances in Cryptology — ASIACRYPT 2000, Lecture Notes in Computer Science , vol. 1976, Springer-Verlag, pp. 531–545, doi :10.1007/3-540-44448-3_41 , ISBN 978-3-540-41404-9

Sources

• Katz, J.; Lindell, Y. (2020). Introduction to Modern Cryptography . Chapman & Hall/CRC Cryptography and Network Security Series. CRC Press. ISBN 978-1-351-13301-2. Retrieved 2023-06-08.
• Black, J. (2005). “Authenticated encryption ”. Encyclopedia of Cryptography and Security. Springer US. pp. 11–21. doi :10.1007/0-387-23483-7_15 . ISBN 978-0-387-23473-1.
• Albertini, Ange; Duong, Thai; Gueron, Shay; Kölbl, Stefan; Luykx, Atul; Schmieg, Sophie (2020). “How to Abuse and Fix Authenticated Encryption Without Key Commitment ” (PDF). USENIX.
• Bellare, Mihir; Hoang, Viet Tung (2022). “Efficient Schemes for Committing Authenticated Encryption ” (PDF). EUROCRYPT 2022.
• Abdalla, Michel; Bellare, Mihir; Neven, Gregory (2010). “Robust Encryption ”. Theory of Cryptography. Vol. 5978. Berlin, Heidelberg: Springer Berlin Heidelberg. doi :10.1007/978-3-642-11799-2_28 . ISBN 978-3-642-11798-5.
• Farshim, Pooya; Libert, Benoît; Paterson, Kenneth G.; Quaglia, Elizabeth A. (2013). “Robust Encryption, Revisited ”. Public-Key Cryptography – PKC 2013. Vol. 7778. Berlin, Heidelberg: Springer Berlin Heidelberg. doi :10.1007/978-3-642-36362-7_22 . ISBN 978-3-642-36361-0.
• Chan, John; Rogaway, Phillip (2022). “On Committing Authenticated-Encryption ”. Computer Security – ESORICS 2022. Vol. 13555. Cham: Springer Nature Switzerland. doi :10.1007/978-3-031-17146-8_14 . ISBN 978-3-031-17145-1.