comparison of authenticated encryption schemes
One aspect of cryptography that makes it so fragile is that different constructions have different security properties. Authenticated encryption schemes are not all equivalent! You might say “we need authenticated encryption” and choose AES-GCM, only to discover later that you want to encrypt more than 4 billion messages per key, or that you need key commitment.
Note, this is a work in progress and should serve as a pointer to different schemes. Please independently verify that your selected scheme is suitable for your purpose, and contact me to suggest other properties to list here.
Cipher | KC | CPA2 | Key Bits | Tag Bits | IV Bits | Max Length | Max Msgs | Pass |
---|---|---|---|---|---|---|---|---|
AES128-GCM | no | IND | 128 | 128 | 96 | 512 GB | $2^{32}$ | 1 |
AES256-GCM | no | IND | 256 | 128 | 96 | 512 GB | $2^{32}$ | 1 |
AES256-GCM-SIV | no | IND | 256 | 128 | 96 | 512 GB | $2^{98}\over len^2$ | 2 |
ChaCha-Poly1305 IETF | no | IND | 256 | 128 | 96 | 256 GB | $2^{32}$ | 1 |
ChaCha-Poly1305 DJB | no | IND | 256 | 128 | 64 | 16 EB | Seq | 1 |
XChaCha-Poly1305 | no | IND | 256 | 128 | 192 | 16 EB | $2^{128}$ | 1 |
XChaCha-Blake3-EtM | yes | IND | 256 | 256 | 192 | 16 EB | $2^{128}$ | 1 |
XChaCha-Blake3-IV | yes | NM | 256 | 192 | tag | 16 EB | $2^{128}$ | 2 |
ChaCha-Blake3-IV | yes | NM | 256 | 96 | tag | 256 GB | $2^{16}$ | 2 |
Properties
Key Commitment
Can a ciphertext be constructed that will decrypt with multiple keys?
Security
Security under what attacks.
- IND-CPA2: indistinguishability under adaptive chosen plaintext attack, implies NM-CPA2.
- NM-CPA2: non-malleability under adaptive chosen plaintext attack.
Key Bits
Number of bits in the key.
Tag Bits
Number of bits in the authentication tag.
IV Bits
Number of bits in the nonce.
Max Length
The maximum ciphertext length contained within a single nonce.
Max Messages
The maximum number of messages with random nonces to preserve a <$2^{-32}$ chance of collision. For some schemes (e.g. GCM-SIV) this depends on the length of the messages.
Pass
Number of passes required over the plaintext during encryption.
Ciphers
XChaCha-Blake3-IV
The ChaCha extended-nonce construction using a truncated Blake3 keyed hash as the IV.
It is not IND-CPA2 secure because, as a deterministic scheme, the same plaintext always encrypts to the same ciphertext.
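The synthetic-IV shape described above, as an added sketch that is not the author's code or a vetted implementation: a 192-bit keyed hash of the plaintext is both the tag and the XChaCha nonce, so encryption takes two passes and is deterministic. Assumptions: the standard library's keyed BLAKE2b stands in for Blake3, and the subkey derivation, the absence of associated data, and the names `seal` and `open_` are hypothetical.

```python
import hashlib, hmac, struct

M = 0xffffffff
SIGMA = struct.unpack("<4I", b"expand 32-byte k")  # ChaCha constants

def _rounds(s):
    """Apply the 20 ChaCha rounds in place to a list of 16 32-bit words."""
    def qr(a, b, c, d):
        for x, y, z, r in ((a, b, d, 16), (c, d, b, 12), (a, b, d, 8), (c, d, b, 7)):
            s[x] = (s[x] + s[y]) & M
            s[z] ^= s[x]
            s[z] = ((s[z] << r) | (s[z] >> (32 - r))) & M
    for _ in range(10):
        qr(0, 4, 8, 12); qr(1, 5, 9, 13); qr(2, 6, 10, 14); qr(3, 7, 11, 15)
        qr(0, 5, 10, 15); qr(1, 6, 11, 12); qr(2, 7, 8, 13); qr(3, 4, 9, 14)
    return s

def chacha20_block(key, counter, nonce12):
    init = SIGMA + struct.unpack("<8I", key) + (counter,) + struct.unpack("<3I", nonce12)
    return struct.pack("<16I", *((a + b) & M for a, b in zip(_rounds(list(init)), init)))

def xchacha20_xor(key, nonce24, data):
    # HChaCha20: derive a subkey from the first 16 nonce bytes (no feed-forward).
    h = _rounds(list(SIGMA + struct.unpack("<8I", key) + struct.unpack("<4I", nonce24[:16])))
    subkey = struct.pack("<8I", *(h[:4] + h[12:]))
    n12 = bytes(4) + nonce24[16:]  # remaining 8 nonce bytes, zero-prefixed
    ks = b"".join(chacha20_block(subkey, i, n12) for i in range(len(data) // 64 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def _subkeys(key):
    # ASSUMPTION: separate MAC and encryption keys; the page does not say how keys are derived.
    return [hashlib.blake2b(label, key=key, digest_size=32).digest() for label in (b"mac", b"enc")]

def seal(key, plaintext):
    mac_key, enc_key = _subkeys(key)
    # Pass 1: 24-byte keyed hash of the plaintext (BLAKE2b standing in for Blake3).
    tag = hashlib.blake2b(plaintext, key=mac_key, digest_size=24).digest()
    # Pass 2: the tag is the XChaCha nonce, so no separate IV is stored.
    return tag + xchacha20_xor(enc_key, tag, plaintext)

def open_(key, sealed):
    mac_key, enc_key = _subkeys(key)
    tag, ct = sealed[:24], sealed[24:]
    pt = xchacha20_xor(enc_key, tag, ct)
    expect = hashlib.blake2b(pt, key=mac_key, digest_size=24).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed")  # never release pt on mismatch
    return pt
```

Sealing the same plaintext twice under one key returns identical bytes, which is the determinism that keeps the scheme out of the IND column.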
XChaCha-Blake3-EtM
The ChaCha extended-nonce construction with a Blake3 keyed hash, encrypt-then-mac.