comparison of authenticated encryption schemes

One aspect of cryptography that makes it so fragile is that different constructions have different security properties. Authenticated encryption schemes are not all equivalent! You might say “we need authenticated encryption”, choose AES-GCM. And then later you discover that you want to encrypt more than 4 billion messages per key, or need key commitment.

Note, this is a work in progress and should serve pointer to different schemes. Please independently verify that your selected scheme is suitable for your purpose, and contact me to suggest other properties to list here.

Cipher KC CPA2 Key Bits Tag Bits IV Bits Max Length Max Msgs Pass
AES128-GCM no IND 128 128 96 512 GB $2^{32}$ 1
AES256-GCM no IND 256 128 96 512 GB $2^{32}$ 1
AES256-GCM-SIV no IND 256 128 96 512 GB $2^{98}\over len^2$ 2
ChaCha-Poly1305 IETF no IND 256 128 96 256 GB $2^{32}$ 1
ChaCha-Poly1305 DJB no IND 256 128 64 16 EB Seq 1
XChaCha-Poly1305 no IND 256 128 192 16 EB $2^{128}$ 1
XChaCha-Blake3-EtM yes IND 256 256 192 16 EB $2^{128}$ 1
XChaCha-Blake3-IV yes NM 256 192 tag 16 EB $2^{128}$ 2
ChaCha-Blake3-IV yes NM 256 96 tag 256 GB $2^{16}$ 2


Key Commitment

Can a ciphertext be constructed that will decrypt with multiple keys?


Security under what attacks.

indistinguishability under adaptive chosen plaintext attack, implies NM-CPA2.
non-malleability under adaptive chosen plaintext attack.

Key Bits

Number of bits in the key.

Tag Bits

Number of bits in the authentication tag.

IV Bits

Number of bits in the nonce.

Max Length

The maximum ciphertext length contained within a single nonce.

Max Messages

The maximum number of messages with random nonces to preserve a <$2^{-32}$ chance of collision. For some schemes (e.g. GCM-SIV) this depends on length of the messages.


Number of passes required over the plaintext during encryption.



The ChaCha extended-nonce construction using a truncated Blake3 keyed hash as the IV.

It is not IND-CPA2 secure because, as a deterministic scheme, the same plaintext always encrypts to the same ciphertext.


The ChaCha extended-nonce construction with a Blake3 keyed hash, encrypt-then-mac.