try·st·imu·li

comparison of authenticated encryption schemes

One aspect of cryptography that makes it so fragile is that different constructions have different security properties. Authenticated encryption schemes are not all equivalent! You might say “we need authenticated encryption” and choose AES-GCM, and then later discover that you want to encrypt more than 4 billion messages per key, or need key commitment.

Note, this is a work in progress and should serve as a pointer to different schemes. Please independently verify that your selected scheme is suitable for your purpose, and contact me to suggest other properties to list here.

| Scheme | KC | Security | Key Bits | Tag Bits | Nonce Bits | Max Length | Max Messages | Passes |
|---|---|---|---|---|---|---|---|---|
| AES128-GCM | no | (IND/NM)-CPA2 | 128 | 128 | 96 | 512 GB | $2^{32}$ | 1 |
| AES256-GCM | no | (IND/NM)-CPA2 | 256 | 128 | 96 | 512 GB | $2^{32}$ | 1 |
| AES256-GCM-SIV | no | (IND/NM)-CPA2 | 256 | 128 | 96 | 512 GB | $2^{98}/len^2$ | 2 |
| ChaCha-Poly1305 | no | (IND/NM)-CPA2 | 256 | 128 | 96, 64 | 256 GB, 16 EB | $2^{32}$, NA | 1 |
| XChaCha-Poly1305 | no | (IND/NM)-CPA2 | 256 | 128 | 192 | 16 EB | $2^{128}$ | 1 |
| XChaCha-Blake3-EtM | yes | (IND/NM)-CPA2 | 256 | 256 | 192 | 16 EB | $2^{128}$ | 1 |
| XChaCha-Blake3-IV | yes | NM-CPA2 | 256 | 192 | tag | 16 EB | $2^{128}$ | 2 |

Authenticated Encryption with Associated Data

Does the authentication extend to some unencrypted data also?

Key Commitment

Can a ciphertext be constructed that will decrypt with multiple keys?

Security

Security under what attacks.

  • IND-CPA2: indistinguishability under adaptive chosen plaintext attack
  • NM-CPA2: non-malleability under adaptive chosen plaintext attack

Key Bits

Number of bits in the key.

Tag Bits

Number of bits in the authentication tag.

Nonce Bits

Number of bits in the nonce.

Max Length

The maximum ciphertext length that can be encrypted under a single nonce.

Max Messages

The maximum number of messages with random nonces to preserve a <$2^{-32}$ chance of collision. For some schemes (e.g. GCM-SIV) this depends on the length of the messages.

Passes

Number of passes required over the plaintext during encryption.

XChaCha-Blake3-IV

The ChaCha extended-nonce construction using a truncated Blake3 keyed hash as the IV.

It is not IND-CPA2 secure because, as a deterministic scheme, the same plaintext always encrypts to the same ciphertext.
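The synthetic-IV shape described above, as an added sketch that is not the author's code: a keyed hash of the plaintext is computed first and used as both nonce and tag, which is why the scheme needs two passes and why equal plaintexts give equal ciphertexts. To run on the Python standard library it substitutes keyed BLAKE2b for Blake3 and a SHAKE-256 keystream for XChaCha20; the subkey derivation, the associated-data encoding and the names `seal` and `open_` are assumptions.

```python
import hashlib
import hmac

IV_LEN = 24  # 192 bits: the synthetic IV doubles as the tag ("Nonce Bits: tag")

def _subkeys(key: bytes):
    # Assumption: independent MAC and stream keys derived from one 256-bit key.
    mac = hashlib.blake2b(b"mac", key=key, digest_size=32).digest()
    enc = hashlib.blake2b(b"enc", key=key, digest_size=32).digest()
    return mac, enc

def _synthetic_iv(mac_key: bytes, ad: bytes, plaintext: bytes) -> bytes:
    # Pass 1: keyed hash over length-prefixed associated data plus plaintext.
    h = hashlib.blake2b(key=mac_key, digest_size=IV_LEN)
    h.update(len(ad).to_bytes(8, "little") + ad + plaintext)
    return h.digest()

def _keystream_xor(enc_key: bytes, iv: bytes, data: bytes) -> bytes:
    # Pass 2: stand-in stream cipher (SHAKE-256 output keyed by enc_key and iv).
    stream = hashlib.shake_256(enc_key + iv).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key: bytes, plaintext: bytes, ad: bytes = b"") -> bytes:
    mac_key, enc_key = _subkeys(key)
    iv = _synthetic_iv(mac_key, ad, plaintext)
    return iv + _keystream_xor(enc_key, iv, plaintext)

def open_(key: bytes, sealed: bytes, ad: bytes = b"") -> bytes:
    if len(sealed) < IV_LEN:
        raise ValueError("ciphertext too short")
    mac_key, enc_key = _subkeys(key)
    iv, body = sealed[:IV_LEN], sealed[IV_LEN:]
    plaintext = _keystream_xor(enc_key, iv, body)
    # Recompute the IV from the candidate plaintext; compare in constant time.
    if not hmac.compare_digest(iv, _synthetic_iv(mac_key, ad, plaintext)):
        raise ValueError("authentication failed")
    return plaintext

if __name__ == "__main__":
    key = bytes(range(32))  # constructed sample key
    a = seal(key, b"attack at dawn", b"hdr")
    b = seal(key, b"attack at dawn", b"hdr")
    print("deterministic:", a == b)  # repeated plaintexts are visible on the wire
    print(open_(key, a, b"hdr"))
```

Because decryption recomputes the IV from the candidate plaintext, the plaintext must not be released to the caller until the comparison succeeds.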

XChaCha-Blake3-EtM

The ChaCha extended-nonce construction with a Blake3 keyed hash, encrypt-then-mac.
