AEAD (Authenticated Encryption with Associated Data)
What is AEAD (Authenticated Encryption with Associated Data)?
AEAD (Authenticated Encryption with Associated Data)A symmetric encryption primitive that provides confidentiality, integrity, and authenticity in one operation, with the ability to bind unencrypted 'associated data' (headers, routing info) to the ciphertext's authentication tag.
Authenticated Encryption with Associated Data (AEAD) is the modern building block of symmetric cryptography. An AEAD scheme takes a key, a nonce, a plaintext, and arbitrary associated data (AD) and produces a ciphertext plus an authentication tag; on decryption it returns the plaintext only if the tag verifies, otherwise refusing. The associated data is authenticated but not encrypted, letting protocols bind unencrypted context such as packet headers, sequence numbers, or version metadata to the ciphertext without ever sending them encrypted. Compared to encrypt-then-MAC or MAC-then-encrypt compositions, AEAD eliminates whole classes of bugs (padding oracles, key reuse across MAC and cipher, ordering mistakes) and is what every modern protocol — TLS 1.3, QUIC, IPsec ESP-GCM, Signal, Noise, WireGuard, JWE — uses. The dominant AEAD schemes are AES-GCM and ChaCha20-Poly1305; nonce-misuse-resistant variants (AES-GCM-SIV) exist for use cases where the caller cannot guarantee unique nonces. Always prefer an AEAD over a homebrew encrypt-and-MAC composition.
● Examples
- 01
TLS 1.3 encrypts each record with AES-128-GCM or ChaCha20-Poly1305, using the record header bytes as associated data.
- 02
A protocol stores per-document encrypted blobs in a database; the document ID is passed as AD so an attacker cannot swap ciphertexts between documents without breaking the tag.
● Frequently asked questions
What is AEAD (Authenticated Encryption with Associated Data)?
A symmetric encryption primitive that provides confidentiality, integrity, and authenticity in one operation, with the ability to bind unencrypted 'associated data' (headers, routing info) to the ciphertext's authentication tag. It belongs to the Cryptography category of cybersecurity.
What does AEAD (Authenticated Encryption with Associated Data) mean?
A symmetric encryption primitive that provides confidentiality, integrity, and authenticity in one operation, with the ability to bind unencrypted 'associated data' (headers, routing info) to the ciphertext's authentication tag.
How does AEAD (Authenticated Encryption with Associated Data) work?
Authenticated Encryption with Associated Data (AEAD) is the modern building block of symmetric cryptography. An AEAD scheme takes a key, a nonce, a plaintext, and arbitrary associated data (AD) and produces a ciphertext plus an authentication tag; on decryption it returns the plaintext only if the tag verifies, otherwise refusing. The associated data is authenticated but not encrypted, letting protocols bind unencrypted context such as packet headers, sequence numbers, or version metadata to the ciphertext without ever sending them encrypted. Compared to encrypt-then-MAC or MAC-then-encrypt compositions, AEAD eliminates whole classes of bugs (padding oracles, key reuse across MAC and cipher, ordering mistakes) and is what every modern protocol — TLS 1.3, QUIC, IPsec ESP-GCM, Signal, Noise, WireGuard, JWE — uses. The dominant AEAD schemes are AES-GCM and ChaCha20-Poly1305; nonce-misuse-resistant variants (AES-GCM-SIV) exist for use cases where the caller cannot guarantee unique nonces. Always prefer an AEAD over a homebrew encrypt-and-MAC composition.
How do you defend against AEAD (Authenticated Encryption with Associated Data)?
Defences for AEAD (Authenticated Encryption with Associated Data) typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for AEAD (Authenticated Encryption with Associated Data)?
Common alternative names include: Authenticated encryption, AEAD scheme.
● Related terms
- cryptography№ 025
AES-GCM
An authenticated encryption mode that combines AES in counter mode with a GHASH-based authentication tag for confidentiality and integrity in a single pass.
- cryptography№ 179
ChaCha20-Poly1305
An AEAD construction pairing the ChaCha20 stream cipher with the Poly1305 one-time authenticator, standardised in RFC 8439 for TLS 1.3 and WireGuard.
- cryptography№ 022
AES (Advanced Encryption Standard)
A NIST-standardized 128-bit block cipher with 128-, 192- or 256-bit keys, designed by Daemen and Rijmen and used as the dominant symmetric cipher worldwide.
- cryptography№ 189
Cipher
Algorithm that transforms plaintext into ciphertext (encryption) and back (decryption), parameterized by one or more cryptographic keys.
- cryptography№ 121
Block Cipher
A symmetric cipher that encrypts fixed-size blocks of plaintext with a secret key, usually combined with a mode of operation to handle data of arbitrary length.
- cryptography№ 1227
Stream Cipher
A symmetric cipher that encrypts data one bit or byte at a time by XORing it with a pseudorandom keystream derived from a key and nonce.
● See also
- № 1386XChaCha20-Poly1305
- № 829Noise Protocol Framework