Skip to content
Vol. 1 · Ed. 2026
CyberGlossary
Entry № 022

AEAD (Authenticated Encryption with Associated Data)

Reviewed byCybersecurity entrepreneur & security researcher

What is AEAD (Authenticated Encryption with Associated Data)?

AEAD (Authenticated Encryption with Associated Data)A symmetric encryption primitive that provides confidentiality, integrity, and authenticity in one operation, with the ability to bind unencrypted 'associated data' (headers, routing info) to the ciphertext's authentication tag.


Authenticated Encryption with Associated Data (AEAD) is the modern building block of symmetric cryptography. An AEAD scheme takes a key, a nonce, a plaintext, and arbitrary associated data (AD) and produces a ciphertext plus an authentication tag; on decryption it returns the plaintext only if the tag verifies, otherwise refusing. The associated data is authenticated but not encrypted, letting protocols bind unencrypted context such as packet headers, sequence numbers, or version metadata to the ciphertext without ever sending them encrypted.

Compared to encrypt-then-MAC or MAC-then-encrypt compositions, AEAD eliminates whole classes of bugs and is what every modern protocol — TLS 1.3, QUIC, IPsec ESP-GCM, Signal, Noise, WireGuard, JWE — uses. History shows why this matters: the Lucky 13 (2013) and POODLE (CVE-2014-3566) attacks both exploited the fragile MAC-then-encrypt CBC construction in TLS, and the move to AEAD record protection closed those doors. The formal model was defined by Rogaway in 2002 and standardised as RFC 5116, with concrete schemes registered by IANA.

The dominant AEAD schemes are AES-GCM (hardware-accelerated via AES-NI and PCLMULQDQ) and ChaCha20-Poly1305 (RFC 8439, fast in software on mobile CPUs). Both fail catastrophically if a (key, nonce) pair repeats — GCM nonce reuse can leak the authentication key. Where unique nonces cannot be guaranteed, nonce-misuse-resistant AES-GCM-SIV (RFC 8452) limits the leak to whether two plaintexts were equal. Always prefer a vetted AEAD over a homebrew encrypt-and-MAC composition.

flowchart LR
  K[Key] --> ENC
  N[Nonce] --> ENC
  P[Plaintext] --> ENC[AEAD encrypt]
  AD[Associated data<br/>headers · IDs] --> ENC
  ENC --> CT[Ciphertext]
  ENC --> TAG[Auth tag]
  CT --> DEC[AEAD decrypt]
  TAG --> DEC
  AD --> DEC
  K --> DEC
  N --> DEC
  DEC --> V{Tag valid?}
  V -->|Yes| OUT[Return plaintext]
  V -->|No| REJ[Reject · no plaintext leaked]

Examples

  1. 01

    TLS 1.3 encrypts each record with AES-128-GCM or ChaCha20-Poly1305, using the record header bytes as associated data.

  2. 02

    A protocol stores per-document encrypted blobs in a database; the document ID is passed as AD so an attacker cannot swap ciphertexts between documents without breaking the tag.

Frequently asked questions

What is AEAD (Authenticated Encryption with Associated Data)?

A symmetric encryption primitive that provides confidentiality, integrity, and authenticity in one operation, with the ability to bind unencrypted 'associated data' (headers, routing info) to the ciphertext's authentication tag. It belongs to the Cryptography category of cybersecurity.

What does AEAD (Authenticated Encryption with Associated Data) mean?

A symmetric encryption primitive that provides confidentiality, integrity, and authenticity in one operation, with the ability to bind unencrypted 'associated data' (headers, routing info) to the ciphertext's authentication tag.

How do you defend against AEAD (Authenticated Encryption with Associated Data)?

Defences for AEAD (Authenticated Encryption with Associated Data) typically combine technical controls and operational practices, as detailed in the full definition above.

What are other names for AEAD (Authenticated Encryption with Associated Data)?

Common alternative names include: Authenticated encryption, AEAD scheme.

Related terms

See also