49 min read

The AEAD Decision Matrix: Seven Ciphers, Three Edges, One Choice

AES-GCM, ChaCha20-Poly1305, CCM, OCB3, GCM-SIV, AEGIS, and Ascon, compared by the three sharp edges that decide every deployment: nonce, hardware, commitment.

Permalink

1. Two Failures That Should Have Been Impossible

In 2018, a team of cryptographers handed Facebook a single encrypted file that decrypted to two completely different, perfectly meaningful images, and whose authentication tag verified correctly for both, under two different keys [1]. The cipher was AES-GCM, the internet's default authenticated encryption. Nothing about it was broken. That is the unsettling part: AES-GCM did exactly what it promised. It had just never promised the thing everyone assumed it did.

The result defeated Facebook Messenger's abuse-reporting scheme, which relied on the encrypted attachment being bound to the key that produced it. The authors called their construction "invisible salamanders" [1]. Your reflex on reading this -- "but it is authenticated, so how did the tag pass?" -- is the entire subject of this article. The word "authenticated" carries less than you think.

Now the second failure, because one break only shows one edge. In 2016, researchers scanning the live internet found 184 HTTPS servers reusing a (key, nonce) pair under AES-GCM [2]. A repeated nonce in GCM is not a hygiene slip that costs you a little margin. It instantly leaks the XOR of the two plaintexts, and -- via an attack Antoine Joux had described to NIST a decade earlier, in 2006 -- it lets an attacker forge arbitrary messages [3]. The confidentiality half of that failure is easy to see for yourself.

JavaScript Why one repeated GCM nonce is catastrophic: the keystream cancels
// A stream-cipher-style AEAD (GCM, ChaCha20-Poly1305) turns the key+nonce
// into a keystream, then XORs it with the plaintext. Reuse the nonce and
// you reuse the keystream -- so it cancels out of the XOR of two ciphertexts.
const keystream = [0x9e, 0x37, 0xb1, 0xf2, 0x4a];   // same (key, nonce) => same keystream
const xor = (a, b) => a.map((x, i) => x ^ b[i]);

const p1 = [...'HELLO'].map(c => c.charCodeAt(0));
const p2 = [...'WORLD'].map(c => c.charCodeAt(0));

const c1 = xor(p1, keystream);   // ciphertext 1
const c2 = xor(p2, keystream);   // ciphertext 2, SAME nonce

// Attacker sees only c1 and c2, never the key or keystream:
const leaked = xor(c1, c2);      // == p1 XOR p2, the keystream is gone
const recovered = xor(leaked, p2);  // and if p2 is ever guessed, p1 falls out
console.log('c1 XOR c2 leaks P1 XOR P2:', leaked.join(','));
console.log('recovered P1:', String.fromCharCode(...recovered));

Press Run to execute.

Neither of these was a broken cipher. AES-GCM met its specification in both cases. The salamander bound nothing to a key because AES-GCM was never designed to; the TLS servers leaked plaintext because they violated the one contract GCM cannot survive. Both failures were the same shape: a deployment reached for an AEAD and then stepped on the one sharp edge its designers had moved somewhere the deployment could not avoid.

That is the thesis of this field guide. Authenticated encryption with associated data (AEAD) fused confidentiality and integrity so completely that composing them by hand became a solved problem. The remaining hard problem is choosing among AEADs, and that choice turns on three edges: the nonce contract, the performance and hardware profile, and the commitment axis.

Part 1 of this series defined an AEAD's guarantees as IND-CPA plus INT-CTXT; commitment is a robustness property beyond both. Part 6 showed the padding-oracle cost of the botched integrity AEAD was built to remove. The nonce-reuse breaks are widely mis-cited to CVE-2016-0270. That CVE actually names IBM Domino, and the NVD entry itself warns it has been "incorrectly used for GCM nonce reuse issues in other products" [4].

"Which AEAD should I use?" is not a ranking. It is a function over three edges: pick the construction whose failure mode your deployment can guarantee it will never trigger. The salamander triggered the commitment edge; the TLS servers triggered the nonce edge. Same lesson, two edges.

If "authenticated" does not mean "bound to one key," and "encrypted" does not survive a repeated nonce, then what exactly does an AEAD promise, and where does each promise stop? To answer that, we have to go back to the moment when "encrypt" and "authenticate" were still two separate calls.

2. From Two Calls to One

Here is a question that sounds trivial and is not: you have a cipher and you have a message authentication code (MAC). In which order do you apply them? Most engineers guess. The wrong guess shipped in SSL, IPsec, and SSH, and it took the field a decade of theory to sort out which guess was which.

There are three orderings. Encrypt-and-MAC authenticates the plaintext and appends the tag beside the ciphertext (SSH). MAC-then-Encrypt authenticates the plaintext, then encrypts plaintext and tag together (SSL and, for years, TLS). Encrypt-then-MAC encrypts, then authenticates the ciphertext (IPsec).

In 2000, Mihir Bellare and Chanathip Namprempre proved these are not interchangeable: only Encrypt-then-MAC generically preserves both privacy and integrity for any secure cipher and any secure MAC [5]. A year later, Hugo Krawczyk showed the authenticate-then-encrypt method used in SSL is not generically secure while Encrypt-then-MAC is [6]. Part 6 is the sequel: MAC-then-encrypt is exactly the door a padding oracle walks through.

Authenticated Encryption with Associated Data (AEAD)

One keyed call that provides confidentiality of the plaintext, integrity of the plaintext, and integrity (but not secrecy) of an extra header called the associated data. The uniform interface was standardized in RFC 5116 [7].

The lesson cut deeper than "pick Encrypt-then-MAC." If two correct primitives can combine into an insecure whole, hand-composition is a footgun no matter how good the parts are. The fix was to make a single primitive own both goals, so no protocol designer could botch the join.

Charanjit Jutla showed the way in 2001 with IAPM and IACBC, modes that delivered message integrity in essentially one pass, almost for free [8]. The same year, Phillip Rogaway and coauthors published OCB, a one-pass block-cipher mode built for exactly this [9]. Then, in 2002, Rogaway named the primitive: real messages carry a header -- routing bytes, version numbers, sequence counters -- that must be authenticated but not encrypted, because intermediaries need to read it. His "Authenticated-Encryption with Associated-Data" formalized that extra input [10].

Associated Data (AD)

The header bytes an AEAD authenticates but does not encrypt: routing information, protocol versions, sequence numbers. Tampering with the associated data makes tag verification fail, but the associated data itself travels in the clear [10].

By 2008, David McGrew closed the loop with RFC 5116, which defined the universal interface every construction in this article implements: AEAD-Encrypt(key, nonce, associated_data, plaintext) returns ciphertext || tag, and the matching decrypt either returns the plaintext or a single, uninformative failure [7]. One call in, one call out, no way to reverse the order of two primitives because there is only one primitive.

Nonce (number used once)

A value that must be unique for every encryption under a given key. The mode, not the label, sets the exact requirement: some AEADs tolerate only uniqueness, others tolerate randomness, and a few tolerate repetition. Nonce generation is the subject of Part 2 of this series.

Ctrl + scroll to zoom
Twenty-five years of authenticated encryption, from composition theorems to the modern portfolio

The interface was settled by 2008. But an interface is a promise about shape, not about sharp edges. Two constructions that satisfy AEAD-Encrypt to the letter can fail in completely different ways, and the very first AEADs to ship proved it. The one that reached the most devices did not even win on technical merit. It won because of a patent.

3. The Welded Modes: CCM and GCM

The first AEAD to reach a billion devices was not chosen by a cryptographer. It was chosen, in effect, by a patent lawyer. When IEEE 802.11i (the security amendment that became WPA2) needed an authenticated mode, the elegant candidate was OCB -- but OCB was patent-encumbered, and the working group would not build a wireless standard on it. So 802.11i standardized the plodding, unpatented alternative: AES-CCM. By device count, that decision made CCM one of the most widely deployed AEADs in the world.

AES-CCM = Counter mode + CBC-MAC. Doug Whiting, Russ Housley, and Niels Ferguson specified it in RFC 3610 in 2003, and NIST blessed it as SP 800-38C the next year [11][12]. It runs the message through CBC-MAC for the tag, then encrypts with counter (CTR) mode: two passes, a strictly serial MAC, and the message length needed up front, which makes streaming awkward. What that price buys is frugality -- nothing but AES, a tiny code footprint, no second primitive to implement.

That profile is why CCM owns the constrained niche -- Bluetooth Low Energy [13], Zigbee [14], and the TLS CCM_8 ciphersuites. IEEE 802.11i also made CCMP the mandatory data-confidentiality protocol for WPA2 [15], and CCM rode WPA2/CCMP into the overwhelming majority of Wi-Fi hardware over the following decade. Zigbee and 802.15.4 use a variant called CCM*, which additionally permits integrity-only or encryption-only operation, unlike the strict RFC 3610 CCM that always does both. So the same plodding, all-AES mode anchors two very different worlds: the smallest constrained devices and the Wi-Fi layer that WPA2 secures. These are the building blocks from Part 5, welded to a MAC.

AES-GCM = Counter mode + GHASH. David McGrew and John Viega published Galois/Counter Mode in 2004, and NIST standardized it as SP 800-38D in 2007 [16][17]. GCM is everything CCM is not: one pass, fully parallelizable, and, on any CPU with AES-NI and CLMUL, blisteringly fast. It is the internet default, and AES-128-GCM is the single mandatory-to-implement (MUST) AEAD cipher suite in TLS 1.3, per RFC 8446 Section 9.1 -- a status the spec grants to no other AEAD [18]. To understand every later failure, you need one fact about how its tag works.

Wegman-Carter one-time MAC

An authenticator of the form tag=Hk(message)+s\text{tag} = H_k(\text{message}) + s, where HkH_k is a fast keyed universal hash and ss is a one-time secret mask. It is unforgeable only if ss is never reused. Repeat the mask and the algebraic structure of HkH_k leaks. This is the shared root of both GHASH (AES-GCM) and Poly1305 (ChaCha20-Poly1305) [19].

GCM's tag is a one-time Wegman-Carter MAC. GHASH evaluates a polynomial over the finite field GF(2128)\mathrm{GF}(2^{128}), with the ciphertext and associated-data blocks as coefficients, at a single secret point H=AESk(0128)H = \operatorname{AES}_k(0^{128}). It then masks the result with a per-nonce keystream block:

T=GHASHH(A,C)AESk(J0),H=AESk(0128)T = \operatorname{GHASH}_H(A, C) \oplus \operatorname{AES}_k(J_0), \qquad H = \operatorname{AES}_k(0^{128})

where J0J_0 is the initial counter block derived from the nonce. The mask AESk(J0)\operatorname{AES}_k(J_0) is the one-time secret ss. It is one-time only because the nonce is unique. Repeat the nonce and you repeat J0J_0, so you repeat the mask, and now two tags share it -- which turns GHASH's linear structure into a system of polynomial equations an attacker can solve.

GHASH

The universal hash inside AES-GCM: a polynomial in the secret point H=AESk(0128)H = \operatorname{AES}_k(0^{128}) evaluated over GF(2128)\mathrm{GF}(2^{128}). Because the polynomial is linear in its coefficients, recovering HH lets an attacker forge tags for chosen messages [3].

Ctrl + scroll to zoom
AES-GCM in one picture: a counter-mode keystream for confidentiality, a one-time Wegman-Carter GHASH tag for integrity, both keyed from the same AES

That single design choice hands GCM two sharp edges the rest of this article pays for. The first is the nonce contract: reuse is not a weakness, it is a detonator.

The second edge is quieter and just as dangerous, because it is two different numbers people constantly merge into one.

GCM gave the internet a one-pass, hardware-fast AEAD, and in the same stroke handed it a mode where one repeated nonce is not a bug but a catastrophe. This is the same GCM negotiated inside shipping Windows protocols such as Schannel TLS and SMB 3 encryption [21][22]. Antoine Joux saw the danger in 2006 [3]. It took the rest of the world ten years, and a scan of the live internet, to believe him.

4. A Trunk With Branches

The family tree of AEAD is not a ladder from worst to best. Draw it that way and none of the modern constructions make sense, because none of them strictly dominates GCM. Draw it correctly and the whole field snaps into focus: it is a trunk with branches. The trunk is linear -- generic composition, then single-pass native AE, then the welded deployed modes CCM and GCM. Then, at GCM, the tree splits, because GCM's edges each forced a separate successor. No later generation wins. That is the entire point.

Ctrl + scroll to zoom
The AEAD family tree: a linear trunk up to GCM, then a fan-out where each of GCM's edges forces its own successor

The hardware edge: ChaCha20-Poly1305

GHASH is hard to make constant-time without the CLMUL instruction, and table-based AES is both slow and timing-leaky without AES-NI. Around 2013, that was the reality on most phones and ARM chips: no AES hardware, so GCM was either slow or a cache-timing side channel. Daniel Bernstein's answer kept GCM's exact nonce-respecting contract but threw out the parts that needed special silicon.

ChaCha20 is an ARX cipher -- addition, rotation, XOR -- with no S-box tables to leak timing, so it is constant-time by construction [23]. Poly1305 is a one-time Wegman-Carter MAC over a prime field rather than GF(2128)\mathrm{GF}(2^{128}), and its one-time key is derived from a ChaCha keystream block [19]. Poly1305's one-time key comes from a ChaCha-derived block, not from AES. ChaCha20-Poly1305 never calls AES at all -- a common misconception, since GCM's mask does use AES.

The IETF standardized the pair as an AEAD in RFC 8439 [24], and it now protects TLS 1.3, WireGuard, OpenSSH, and the age file-encryption tool [25][26][27]. Its normative status is widely overstated: in TLS 1.3, ChaCha20-Poly1305 is a recommended (SHOULD) cipher suite, not mandatory-to-implement, per RFC 8446 Section 9.1 -- a default by adoption, not by requirement [18]. It is not weaker than GCM; it is the same nonce contract on a different, table-free engine. XChaCha20-Poly1305 extends the nonce to 192 bits, large enough that random nonces essentially never collide. That is a mitigation of nonce-collision anxiety, not misuse-resistance -- reuse the full 192-bit nonce and it fails exactly like GCM.

The nonce edge: misuse-resistance and SIV

Every mode so far detonates on a repeated nonce, and reuse keeps happening in the real world: cloned virtual machines that resume with identical RNG state, counters reset by a crash, embedded devices with weak entropy at first boot. If the operator cannot guarantee uniqueness, the fix is a mode that survives the operator's mistake. In 2006, Phillip Rogaway and Thomas Shrimpton formalized exactly that goal and built the first construction for it [28].

Nonce-misuse-resistant AE (MRAE)

An AEAD whose failure under a repeated nonce is graceful, not catastrophic. Repeating a (key, nonce, associated_data, plaintext) tuple leaks only whether two encryptions were of the same message -- message equality -- and nothing else. It never leaks a plaintext XOR and never hands over the authentication subkey [28][29].

The mechanism is a single clean idea: derive the initialization vector synthetically, as a pseudorandom function of the entire message, rather than accepting it from the caller. The tag is the IV.

Synthetic IV (SIV)

A construction in which the initialization vector is computed as a MAC over the associated data and the full plaintext, then reused as the authentication tag. Two different messages under a repeated nonce produce different synthetic IVs, so their keystreams differ and nothing leaks [28].

Ctrl + scroll to zoom
The SIV construction: the IV is a MAC of the whole message, so identical nonces on different messages still produce different keystreams

That picture also explains the price, which returns as a theorem in Section 8: to compute the IV you must read the whole message first, so SIV cannot emit its first ciphertext byte until it has seen the last plaintext byte. It is inherently two-pass.

Two deployable forms exist. AES-SIV, standardized by Dan Harkins in RFC 5297, targets deterministic authenticated encryption and key wrapping [30]. AES-GCM-SIV, from Shay Gueron, Adam Langley, and Yehuda Lindell in RFC 8452, keeps AES-NI and CLMUL speed while adding misuse-resistance, building on the Gueron-Lindell GCM-SIV design [29][31]. AES-GCM-SIV hashes with POLYVAL, a little-endian sibling of GHASH, and derives a fresh message-authentication and encryption key per nonce -- a structure whose tight multi-user bounds were later established by Bose, Hoang, and Tessaro [32].

"...two authenticated encryption algorithms that are nonce misuse resistant -- that is, they do not fail catastrophically if a nonce is repeated." -- RFC 8452 [29]

Read that phrasing carefully, because it is the most misquoted sentence about SIV. "Do not fail catastrophically" is not "do not fail." A repeated nonce in AES-GCM-SIV still leaks message equality: an attacker learns that two ciphertexts encrypt the same plaintext, which is a real and sometimes serious leak. SIV makes reuse survivable, never free.

The elegance detour: OCB3 and the patent that chose a standard

Two edges now had answers, each on its own branch. A third construction sits off to the side -- not because it is worse, but because history was unkind to it. OCB3, finalized by Ted Krovetz and Phillip Rogaway in 2011 and standardized as RFC 7253, is arguably the most elegant AEAD ever standardized: one block-cipher key, one pass, fully parallel, roughly one cipher call per block [33][34].

Its mechanism is where the elegance lives. Each block is masked by a key-derived offset -- Offseti=Offseti1Lntz(i)\text{Offset}_i = \text{Offset}_{i-1} \oplus L_{\text{ntz}(i)}, a Gray-code walk over precomputed LL values -- and wrapped as Ci=OffsetiENCIPHER(K,PiOffseti)C_i = \text{Offset}_i \oplus \operatorname{ENCIPHER}(K, P_i \oplus \text{Offset}_i), while a single running plaintext checksum, Checksum=P1P2\text{Checksum} = P_1 \oplus P_2 \oplus \cdots, produces the tag in the same pass [34]. No second key, no separate MAC. It matches or beats GCM in software. And it lost anyway -- not for a technical reason. A widely repeated claim is that OCB3 is inverse-free. It is not. OCB-DECRYPT recovers each block as Pi=OffsetiDECIPHER(K,CiOffseti)P_i = \text{Offset}_i \oplus \operatorname{DECIPHER}(K, C_i \oplus \text{Offset}_i), calling the block-cipher inverse EK1E_K^{-1} (RFC 7253 Section 4.3), so a hardware implementation needs both the AES encrypt and decrypt circuits [34]. Inverse-free is the property of the CTR, stream, and sponge modes -- AES-GCM, AES-CCM, ChaCha20-Poly1305, AEGIS, and Ascon -- and OCB is precisely the lineage that trades it away for single-primitive elegance.

The dead end: OCB2 and the limits of "provably secure"

There is one more branch, and it is a warning. Between OCB1 and OCB3 sat OCB2, an ISO-standardized refinement with a security proof. In 2019, Akiko Inoue, Tetsu Iwata, Kazuhiko Minematsu, and Bertram Poettering broke it outright: universal forgery and full plaintext recovery, because OCB2 used the XEX* tweakable cipher outside the regime its proof actually covered [36].

Two of GCM's three edges now had dedicated successors, and the family tree looked complete. But every construction so far -- GCM, ChaCha20-Poly1305, even the misuse-resistant SIV family -- quietly shared a third assumption nobody had thought to check: that "authenticated" meant "bound to one key." In 2018, that assumption broke in production, on the desk of a Facebook security engineer holding a single file with two faces.

5. The Commitment Reckoning and the CAESAR Crucible

Now we can explain the salamanders. Recall the mechanism from Section 3: a GCM tag is a one-time Wegman-Carter value, GHASHH(A,C)AESk(J0)\operatorname{GHASH}_H(A,C) \oplus \operatorname{AES}_k(J_0), and GHASH is linear in its coefficients. An attacker who gets to pick two keys, k1k_1 and k2k_2, can treat "make the tag verify under both" as a system of linear equations over GF(2128)\mathrm{GF}(2^{128}) and simply solve it, producing one ciphertext that decrypts to two chosen, meaningful plaintexts and passes verification under each key [1].

Nothing is broken. GCM guarantees confidentiality and integrity; it never promised that a ciphertext binds to a single key. That promise has a name, and until 2018 almost nobody was asking for it.

Key commitment (CMT-1 through CMT-4)

A graded robustness property beyond confidentiality and integrity. CMT-1 means a ciphertext binds to exactly one key; CMT-4 means it binds to the full context -- key, nonce, associated data, and message. Bellare and Hoang proved that CMT-1 does not imply CMT-4: committing to the key is strictly weaker than committing to everything [37]. RFC 9771 standardized the vocabulary [38].

"Authenticated" never meant "committed." An AEAD's guarantees -- IND-CPA plus INT-CTXT -- say nothing about binding a ciphertext to one key. Commitment is a third, orthogonal axis. That is why every default AEAD was non-committing and nobody noticed for fifteen years: the property was simply outside the definition everyone was proving.

Two ideas define the modern state of the art, and both come from refusing to treat "cipher plus separate hash" as the end of the design space.

The first is robustness as an explicit goal -- against the operator and against the adversary who supplies the key. The operator side is MRAE from Section 4, elevated from a mode into a principle. The adversary side is committing AEAD, and its timeline is a tidy example of a theoretical curiosity becoming an operational threat.

Invisible salamanders (2018) showed a non-committing AEAD could defeat message franking [1]. Then, in 2021, Julia Len, Paul Grubbs, and Thomas Ristenpart turned it into a weapon: partitioning oracle attacks use the missing commitment to recover passwords and other low-entropy keys, crafting one ciphertext that decrypts under many candidate keys and using each success or failure to bisect the key space [39].

Mihir Bellare and Viet Tung Hoang then built the graded CMT-1 through CMT-4 theory and cheap transforms that add full commitment with no ciphertext-size increase [37]; Ange Albertini and coauthors independently catalogued the abuses and a padding-based fix [40], with further theory from John Chan and Phillip Rogaway [41]. Sanketh Menda and coauthors then showed the gap is portfolio-wide, with context-discovery attacks against CCM, EAX, SIV, GCM, and OCB3 [42]. RFC 9771 (2025) finally fixed the vocabulary the field had been improvising [38].

A vetted AEAD gives you confidentiality and integrity and stops there. Commitment is a third axis nobody put in the definition -- which is exactly why one ciphertext could wear two faces.

The second idea is native co-design: stop bolting a cipher to a hash and instead build the AEAD around the hardware or footprint you actually have. Hongjun Wu and Bart Preneel's AEGIS (2013) is the AES-hardware extreme [43].

It keeps a large internal state -- eight 128-bit words in AEGIS-128L -- seeded directly from the key and nonce; the AES round function updates that state as it absorbs associated data and plaintext, encryption squeezes a keystream out of the state, and the tag comes from the finalized state. One primitive, one pass, no separate hash, and the IETF draft records that all variants are inverse-free and built from the AES encryption round [44].

That structure is why AEGIS outruns GCM on AES silicon, and why nonce reuse is catastrophic: the whole state is a function of (key, nonce), so a repeat lets an attacker unwind it. Its commitment story is a nuance, not a headline -- a 128-bit AEGIS tag delivers only about 64-bit committing security, while a 256-bit tag pushes cross-key collisions out of reach, so AEGIS is partially committing by tag length, neither fully committing nor flatly broken [44].

At the other extreme, Ascon -- by Christoph Dobraunig, Maria Eichlseder, Florian Mendel, and Martin Schläffer -- uses a single lightweight permutation in a sponge, giving a tiny gate count and a side-channel-friendly structure for constrained hardware [45].

Ctrl + scroll to zoom
AEGIS in one picture: a large state seeded from key and nonce, updated by the AES round function as it absorbs data, squeezed for keystream, and finalized into the tag
Sponge construction

A mode built from one public permutation whose state is split into a "rate" (absorbs input and is squeezed for output) and a "capacity" (the hidden security margin). A single permutation absorbs the key, nonce, associated data, and plaintext, then squeezes keystream and a tag -- no separate cipher and hash. Ascon is a sponge [45].

What forced this whole portfolio into existence was a contest. The CAESAR competition (2013-2019), organized by Daniel Bernstein, was a public, multi-year, break-it-in-the-open bake-off [46]. Its most important decision was structural: rather than crown a single winner, it selected a portfolio across three use cases -- itself the thesis of this article. The winners were Ascon and ACORN for lightweight use, AEGIS-128 and OCB for high-performance use, and Deoxys-II (first choice) and COLM for defense in depth [47]. Deoxys-II is built on the TWEAKEY framework for tweakable block ciphers, by Jérémy Jean, Ivica Nikolić, Thomas Peyrin, and Yannick Seurin [47].

Note carefully: Deoxys-II is a CAESAR winner, not an also-ran -- it simply was never deployed at scale. The real also-rans are the candidates eliminated during the competition, including MORUS, which took a certificational break from Tomer Ashur, Maria Eichlseder, and coauthors and did not make the final portfolio [48].

The competition ended in 2019 with no single champion, on purpose. So where does that leave a working engineer in 2026, staring at seven names in a crypto library's documentation? To choose well, you need the current map: exactly what each construction is, where it wins, and where it bites.

6. The 2026 Portfolio, Precisely

The current portfolio has a stable shape: two defaults and five specialists. By deployment, the two internet defaults are AES-GCM and ChaCha20-Poly1305 -- but normatively they are not equals. In TLS 1.3 only AES-128-GCM is mandatory-to-implement (MUST); AES-256-GCM and ChaCha20-Poly1305 are both recommended (SHOULD), the same normative level as each other, per RFC 8446 Section 9.1 [18]. Everything else is a deliberate escalation. Here is each construction on its edges.

AES-GCM. Counter mode plus a one-time GHASH tag; one pass, parallel, O(1) online state [16]. Excels on any CPU with AES-NI and CLMUL, which is every server and most modern clients. Struggles on hardware without those instructions and, above all, on nonce discipline: reuse is fatal and the two ceilings are easy to breach [17]. Adoption: the internet default.

ChaCha20-Poly1305. ARX stream cipher plus a prime-field one-time MAC; constant-time in pure software with no lookup tables [24]. Excels precisely where GCM struggles -- phones, embedded ARM, any target without AES hardware. Same nonce contract as GCM, so it struggles on the exact same reuse cliff. Adoption: TLS 1.3, WireGuard, OpenSSH [25][26].

AES-CCM. Counter mode plus CBC-MAC; two passes, serial, needs the length up front, but all-AES and tiny [11]. Excels in constrained stacks (BLE [13], Zigbee [14]) and inside WPA2 [15]. Struggles on throughput and streaming, and the truncated CCM_8 tag trades a real forgery budget for eight bytes [11]. Adoption: enormous by device count.

AES-GCM-SIV and AES-SIV. Synthetic-IV misuse-resistant modes; two-pass by necessity [29][30]. Excel when nonce uniqueness cannot be guaranteed: reuse degrades to leaking message equality rather than catastrophe. Struggle on streaming (they must buffer) and still leak equality, so they are survivable, not free. AES-GCM-SIV runs near AES-GCM speed on server hardware, around 0.92 cycles per byte on Broadwell in the original design [31]. Adoption: growing where reuse risk is real.

OCB3. One block-cipher key, one pass, fully parallel, roughly one cipher call per block -- technically superb [33][34]. Excels on elegance and software speed. Struggles on adoption, for the patent reasons in Section 4; it is nonce-respecting like GCM; and, unlike the CTR and stream modes, it is not inverse-free -- decryption calls the AES inverse circuit (RFC 7253 Section 4.3), a genuine hardware cost [34]. Adoption: minimal, despite standardization.

AEGIS. Keystream and authentication driven straight from the AES round function over a large nonce-seeded state; the throughput frontier, around 0.48 cycles per byte for AEGIS-128L on 4 KB messages, faster than CCM, GCM, and OCB [43][49]. Excels on raw speed when you control both endpoints. Struggles on maturity and contract: nonce-respecting (catastrophic on reuse, since its whole state is nonce-seeded) and only partially committing -- about 64-bit committing security at a 128-bit tag, stronger at a 256-bit tag [44].

Critically, AEGIS is still an active Internet-Draft, draft-irtf-cfrg-aegis-aead-18 from October 2025, not an RFC -- it states plainly that it "is not an IETF product and is not a standard," and it expires on 8 April 2026 [44].

Ascon-AEAD128. A single 320-bit lightweight permutation in a sponge; tiny state, side-channel-friendly [45]. Excels on constrained hardware and gate count. Struggles on server throughput, where AEGIS and GCM win. It is nonce-respecting, but -- unlike the CTR and stream modes -- it commits to its inputs without any added transform: the tag is squeezed from the sponge's large hidden capacity after that capacity has already absorbed the key, so one ciphertext binds natively to the key it was produced under. RFC 9771 lists Ascon-AEAD128 as both key-committing and full-committing as-is, not merely as a candidate for a bolt-on fix [38]. The currency fact matters here: NIST SP 800-232 is final (August 2025) and standardizes Ascon-AEAD128, a tweaked variant of CAESAR Ascon-128 using a larger data-absorption rate -- widely reported as 128-bit, up from the CAESAR design's 64-bit, with the exact parameter in the SP 800-232 body [50][51]. It is not byte-identical to CAESAR Ascon [52].

A profile only helps if you can actually call the construction, so here is where each one ships as of mid-2026, with each cell cited to that project's official documentation.

ConstructionWhere it ships (libraries and frameworks)
AES-GCMOpenSSL/BoringSSL [53][54], Go crypto/cipher [55], Java JCA [56], .NET CNG [57], WebCrypto (the only AEAD in the browser) [58], libsodium (hardware-gated) [59]
ChaCha20-Poly1305 / XChaCha20OpenSSL/BoringSSL [60][54], libsodium (default for random-nonce APIs) [59], Go x/crypto [61], WireGuard [25], OpenSSH [26], age [27]
AES-CCMmbedTLS [62], wolfSSL [63], Wi-Fi [15] / BLE [13] / Zigbee [14] firmware
AES-GCM-SIVBoringSSL/OpenSSL [54][53] and several bindings; less universal than the defaults
AES-SIVmiscreant-lineage (deterministic / key-wrap) libraries [64]
OCB3some libraries (public domain since 2021 [35]); rarely a default
AEGISlibsodium (crypto_aead_aegis128l / aegis256) [59] and a growing set of high-performance libraries; not a TLS suite
Ascon-AEAD128reference and third-party implementations [52]; adoption ramping since SP 800-232 [50]

Two entries on that map decide real architectures. In the browser, AES-GCM is the only AEAD you can call. WebCrypto's SubtleCrypto.encrypt recognizes RSA-OAEP, AES-CTR, AES-CBC, and AES-GCM, and AES-GCM is the only one of those that authenticates. Browser JavaScript that needs an AEAD without bundling a crypto library therefore has exactly one option [58]. And AEGIS, still pre-RFC, is nonetheless callable in production today through libsodium's crypto_aead_aegis128l and crypto_aead_aegis256 APIs -- deployability and standardization are not the same axis [59].

Two more items complete the 2026 map. The CAESAR defense-in-depth winners, Deoxys-II and COLM, remain excellent and essentially undeployed [47]. And committing transforms -- the fix for the commitment edge -- exist and are cheap, but as of mid-2026 none is mandated in a shipping standard; RFC 9771 supplies vocabulary, not a required construction [38][37].

Laid side by side, those eight look interchangeable. They are not, and the tool that makes the difference legible is a single table built on the three edges.

7. The Decision Matrix

This is the one screen to memorize. Everything in the previous six sections collapses into two tables and a flowchart, all built on the same three edges.

The first table answers the only question that matters at selection time: for each construction, what happens on the first repeated nonce, what hardware does it want, and does one ciphertext bind to one key?

ConstructionFirst repeated nonceHardware profileCommitment
AES-GCMCatastrophic: leaks P1 XOR P2, enables forgeryAES-NI + CLMUL fastNot committing
ChaCha20-Poly1305Catastrophic: same one-time-MAC cliffConstant-time in softwareNot committing
AES-CCMCatastrophicAll-AES, tiny footprintNot committing
AES-GCM-SIVGraceful: leaks message equality onlyAES-NI + CLMULNot committing
AES-SIVGraceful: leaks message equality onlyAll-AES, two-passNot committing
OCB3CatastrophicFast one-pass softwareNot committing
AEGISCatastrophicAES round function, fastestNot fully committing
Ascon-AEAD128CatastrophicA few thousand gatesCommitting from the sponge, no transform

Read down the commitment column and the reckoning of Section 5 gets sharper than a flat "nobody commits." Every deployed CTR, stream, and welded construction -- AES-GCM, ChaCha20-Poly1305, AES-CCM, the SIV family, and OCB3 -- is non-committing by default, which is exactly what the salamander and the portfolio-wide context-discovery attacks exploit [1][42]. Two constructions break the pattern, and it is no accident that both fuse the tag with the cipher state instead of bolting on a separate hash: AEGIS partially commits through tag length, and Ascon commits natively from its sponge [44][38]. So commitment is not a uniform failure across the portfolio -- the commitment edge is a real axis of variation, with Ascon at the strong end, AEGIS in between, and the CTR, stream, and welded modes needing a bolt-on transform. Read the nonce column and only the SIV family survives a repeat, and only by leaking equality [29]. The second table adds the structural and performance facts you need once the edges are settled.

ConstructionPasses / parallelOnline stateNonceTagReported speedInverse-free?Best suited for
AES-GCM1 pass, parallelO(1)96-bit128-bit~1 cpb with AES-NIYesThe default, server and client
ChaCha20-Poly13051 passO(1)96-bit128-bitFast in pure softwareYesTargets without AES hardware
AES-CCM2 pass, serialO(1)7 to 13 byte128-bit (CCM_8: 64)ModestYesConstrained stacks, WPA2
AES-GCM-SIV2 passO(n) buffered96-bit128-bit~0.92 cpb on BroadwellYesNonce-reuse risk
AES-SIV2 passO(n) bufferedNone or supplied128-bitModestYesKey wrap, deterministic AE
OCB31 pass, parallelO(1)up to 120-bitup to 128-bitFast in softwareNo (needs AES decrypt)Elegance (now patent-clear)
AEGIS1 pass, parallelO(1)128 or 256-bit128 or 256-bit~0.48 cpb (AEGIS-128L)YesMaximum throughput, both endpoints
Ascon-AEAD1281 passO(1)128-bit128-bitSmall, not server-fastYesNew constrained designs

Reported speeds are platform-dependent and should be read against live cross-platform benchmarks rather than a single headline number; the AEGIS and GCM-SIV figures come from their design papers, and the ECRYPT benchmarking project tracks the rest across many CPUs [43][31][65]. One column earns a second look: OCB3 is the only full-treatment construction that is not inverse-free, so it alone needs the AES decrypt circuit in hardware -- the honest cost behind its elegance [34].

The tables classify. To choose, turn them into a procedure. The flowchart below is the thesis rendered as a decision tree: branch on the nonce guarantee first (it is the edge that fails hardest), then on hardware, and treat commitment as an orthogonal final step because no default provides it.

Ctrl + scroll to zoom
The which-AEAD decision procedure: branch on the nonce guarantee, then hardware, then handle commitment as a separate add-on

The argument is now explicit and testable. "Which AEAD?" reduces to "which edge can your deployment guarantee it never triggers?" If you cannot guarantee nonce uniqueness, move right on the nonce edge to the SIV family. If you have no AES hardware, move on the hardware edge to ChaCha20-Poly1305 or, for a constrained device, Ascon. If a ciphertext must bind to exactly one key, you must add something on the commitment edge, because none of the defaults gives it to you. You can even write the function down.

JavaScript The thesis as code: three edges in, one AEAD out
// "Which AEAD?" is a function of three edges, not a ranking.
function chooseAEAD({ nonceUnique, hasAesHardware, constrained, mustCommitToKey }) {
let pick;
if (!nonceUnique) {
  pick = 'AES-GCM-SIV';        // edge 1: cannot guarantee unique nonces
} else if (hasAesHardware) {
  pick = 'AES-GCM';            // the internet default when AES-NI + CLMUL are present
} else if (constrained) {
  pick = 'Ascon-AEAD128';      // edge 2: no AES hardware, only a few thousand gates
} else {
  pick = 'ChaCha20-Poly1305';  // edge 2: no AES hardware, constant-time in software
}
// edge 3 is orthogonal: most picks do not commit, so you must ADD a transform --
// except Ascon, which already commits natively from its sponge (RFC 9771).
const alreadyCommits = pick === 'Ascon-AEAD128';
return (mustCommitToKey && !alreadyCommits)
  ? pick + ' + key-commitment transform (this construction does not bind to one key)'
  : pick;
}

console.log(chooseAEAD({ nonceUnique: true,  hasAesHardware: true,  constrained: false, mustCommitToKey: false }));
console.log(chooseAEAD({ nonceUnique: false, hasAesHardware: true,  constrained: false, mustCommitToKey: false }));
console.log(chooseAEAD({ nonceUnique: true,  hasAesHardware: false, constrained: false, mustCommitToKey: false }));
console.log(chooseAEAD({ nonceUnique: true,  hasAesHardware: true,  constrained: false, mustCommitToKey: true  }));

Press Run to execute.

"Which AEAD should I use?" is not a ranking from worst to best. It is a function: pick the one whose failure mode your deployment can guarantee it will never trigger.

The table tells you which edge to move. It does not tell you why you sometimes cannot move all of them at once -- why there is no row that is graceful on reuse and single-pass and fully committing and fastest. That absence is not a gap in the engineering. It is a theorem.

8. The Limits Are Theorems

Everything so far has been a design choice: move an edge here, pay for it there. Now the hard walls -- the places where no cleverness helps, because a proof says so. There are four, and each maps to an edge; the standard graduate references develop these bounds in full [66][67].

GCM's two ceilings, correctly attributed (the nonce edge). GCM's two limits from SP 800-38D are not conservative engineering guesses; they are where the security proof runs out -- and they come from two different mechanisms people constantly merge into one.

The per-message limit of 2392562^{39}-256 bits (about 64 GiB) is 32-bit counter-mode block-space exhaustion, not a GHASH property: with a 96-bit nonce GCM forms the initial counter block J0=IV0311J_0 = \mathrm{IV} \parallel 0^{31} \parallel 1, the increment function advances only the low 32 bits, so counter mode emits at most 23222^{32}-2 keystream blocks, and (2322)×128(2^{32}-2)\times 128 bits =239256= 2^{39}-256 bits; exceed it and the counter wraps, repeating a keystream block -- a two-time pad (SP 800-38D Section 5.2.1.1) [17].

The per-key cap of roughly 2322^{32} messages under random 96-bit nonces is a different quantity entirely: the birthday bound on nonce collision, where with qq messages the probability of a repeat scales as q2/296q^2 / 2^{96}, so q232q \approx 2^{32} keeps it negligible (SP 800-38D Section 8.3) [17]. Hoang, Tessaro, and Thiruvengadam proved these multi-user bounds tight, validating the nonce-randomization mechanism TLS 1.3 uses [20].

Tag length obeys its own bound: for a one-time Wegman-Carter MAC, forgery probability grows with the number of attempts and shrinks with tag length -- exactly why a 64-bit CCM_8 tag is a genuine, quantifiable forgery budget rather than a free optimization [11].

Misuse-resistance cannot be online (the nonce edge, again). This is the deepest limit in the article, and it explains a design decision that otherwise looks like laziness. Rogaway and Shrimpton proved that a deterministic, nonce-misuse-resistant AEAD cannot be online or single-pass [28]. The reason is forced by the definition: to be misuse-resistant, the ciphertext must depend on the entire plaintext (otherwise two messages sharing a prefix under a repeated nonce would leak that prefix), so the encryptor cannot emit even the first ciphertext byte until it has read the last plaintext byte. There is no implementation trick around it.

You cannot have both streaming and misuse-resistance. It is a theorem, not a missing feature: a misuse-resistant AEAD must read the whole message before it can output any ciphertext. That single impossibility is why AES-GCM-SIV is two-pass, and why "just make GCM misuse-resistant without slowing it down" is a request for something that provably does not exist [28].

Commitment is an orthogonal axis (the commitment edge). A conventional CTR-based AEAD like GCM is provably not key-committing -- the property is simply absent from IND-CPA and INT-CTXT, so no amount of using GCM "correctly" produces it. Worse, commitment is not one property but a lattice: Bellare and Hoang proved CMT-1 (bind to the key) does not imply CMT-4 (bind to the full context), a separation RFC 9771 later codified [37][38].

And the attacks are cheaper than the naive birthday intuition suggests: Menda and coauthors found context-discovery attacks against CCM, EAX, SIV, GCM, and OCB3, including an O(2n/3)O(2^{n/3}) attack on SIV using Wagner's k-tree algorithm -- well below the 2n/22^{n/2} a birthday bound would suggest [42].

Releasing plaintext early is a strictly weaker world (all edges). The fourth limit is about what your decrypt function is allowed to do before it finishes.

Release of Unverified Plaintext (RUP)

What an implementation exposes if it emits decrypted plaintext before checking the authentication tag. The formal integrity notion for this setting, INT-RUP, is codified in RFC 9771 Section 4.3.10; security that survives releasing unverified plaintext is strictly stronger than standard AEAD security, and most fast one-pass modes satisfy it only weakly -- which is why the safe API contract is verify-then-release: never act on plaintext until the tag checks out [38].

Now assemble the thought experiment. Imagine the ideal AEAD: graceful on nonce reuse and fully committing and online/single-pass and fastest at both the server and constrained extremes. The second limit rules out "misuse-resistant and online" together. The third makes commitment an add-on that the CTR, stream, and welded defaults lack -- Ascon, uniquely, commits natively. The performance extremes pull in opposite directions -- AES round function for servers, a few thousand gates for sensors. You cannot have all of it in one construction, and this is not because nobody has been clever enough. It is because the properties provably conflict.

So that is settled, provably. Which turns the interesting question inside out. Not "which mode wins?" but "can we make the robustness the default instead of the expert's opt-in?" That is exactly where the field is fighting right now.

9. Where AEAD Still Bites

The classical problem is closed. For confidentiality and integrity, the bounds are tight and the constructions are vetted. The entire live frontier is about robustness: turning the properties nobody used to ask for into defaults nobody has to remember. Six problems are open, and every one of them has the same shape.

Committing AEAD by default. Salamanders and partitioning oracles still bite wherever a committing transform is omitted, which today means almost everywhere [1][39]. The frustrating part is that the fix is cheap: Bellare and Hoang give transforms that add full commitment with no ciphertext-size increase, and Albertini and coauthors give a padding-based alternative [37][40]. Yet as of mid-2026, none is mandated by a shipping standard. RFC 9771 gives the field a shared vocabulary for the property but does not require any construction to have it [38]. The open question is not "how?" but "why is it still opt-in?"

Misuse-resistance by default. If nonce reuse is a recurring operational reality, why is the misuse-resistant mode the escalation rather than the default? The answer is the theorem from Section 8: defaulting to SIV means defaulting to two-pass, non-streaming encryption, and a great deal of infrastructure assumes it can encrypt a stream as it arrives [28]. Whether that trade is worth making by default is an active argument, not a settled one.

The release-of-unverified-plaintext trade space. Between "buffer everything and verify first" and "stream plaintext out immediately" is a design space that streaming media, large-file transfer, and constrained receivers all care about, and the security definitions there -- INT-RUP and its relatives -- are still maturing [38].

Hardware co-design versus conservative margin. AEGIS already beats AES-GCM on AES-NI hardware, and the appetite for line-rate encryption keeps growing [43]. Newer AES-round designs push the throughput frontier even higher, but they trade cryptanalytic maturity for speed, and their standardization status is unsettled -- AEGIS itself is still only an Internet-Draft, not an RFC [44]. How much margin to spend for how much throughput is an open judgment call.

Post-quantum reality, minus the myth. This one is mostly a matter of correcting a widespread misconception.

Constant-time without special hardware. GHASH is hard to implement in constant time without CLMUL, and table-based AES leaks timing without AES-NI -- the exact side-channel pressure that motivated both ChaCha20-Poly1305 and Ascon [23][45]. On the smallest devices, where neither special instruction exists and power analysis is a live threat, side-channel-resistant AEAD is still an open engineering problem, and it is much of the reason NIST ran a lightweight competition at all.

None of these has a finished answer. But notice the shape of every one: they are all attempts to move an edge to a place where the deployer cannot step on it by mistake -- misuse-resistance you do not have to remember, commitment you do not have to add, side-channel safety you do not have to hand-tune. Which brings us back to the only rule that actually travels.

10. The Field Guide: Rules and Parameters

Everything above collapses into one default and a short list of deliberate escalations. Follow the ladder and you will never again pick an AEAD by folklore.

The escalation ladder, each rung mapped to the edge it moves:

  • Cannot guarantee a unique nonce? Escalate on the nonce edge to AES-GCM-SIV [29]. Cloned VMs, counters that reset on crash, weak first-boot entropy -- if any of these is in your threat model, the graceful failure is worth the second pass.
  • A stack mandates it, or the device is tiny? Use AES-CCM where WPA2, BLE, or Zigbee require it [11], and Ascon-AEAD128 for new constrained designs, now that it is a NIST standard [50].
  • Deterministic encryption or key wrapping? Use AES-SIV, which needs no nonce at all and is built for exactly this [30].
  • You want one-pass, single-primitive elegance? OCB3 is now patent-clear, though rarely the right call given how entrenched the defaults are [34][35].
  • You control both endpoints and need maximum throughput? AEGIS is the fastest option, if you can accept a pre-RFC specification [44][43].
  • Must a ciphertext bind to exactly one key? Add a key-commitment transform -- for password-based encryption, key rotation, message franking, or multi-recipient encryption -- because no default provides it [37].

Nonce generation itself is the subject of Part 2 of this series; do not re-derive it here, but do treat "unique per key" as a hard contract, not a hope. On Windows, the CNG architecture post in this collection shows AES-GCM exposed through the BCryptEncrypt API with an authenticated-cipher-mode information structure -- a concrete example of the parameters below appearing in a real API.

Pair the ladder with the support map from Section 6 when you check feasibility: browser JavaScript means AES-GCM through WebCrypto, and a target with no AES hardware means ChaCha20-Poly1305 or, if it is also tiny, Ascon-AEAD128 [58].

The exact operational contract, per construction:

ConstructionNonceTagPer-key limitPer-message limitOn nonce reuse
AES-GCM96-bit, unique128-bit~2^32 msgs (random nonce)2^39 - 256 bits, ~64 GiBCatastrophic
ChaCha20-Poly130596-bit, unique128-bit~2^32 msgs (random nonce)~256 GiBCatastrophic
AES-CCM7 to 13 byteup to 128-bit (CCM_8: 64)Set by nonce lengthSet by length fieldCatastrophic
AES-GCM-SIV96-bit128-bitImproved (per-nonce derived keys)~64 GiBGraceful: message equality
AES-SIVNone or supplied128-bitLargeLargeGraceful: message equality
OCB3up to 120-bitup to 128-bitLargeLargeCatastrophic
AEGIS128 or 256-bit128 or 256-bitLarge (wide nonce)LargeCatastrophic
Ascon-AEAD128128-bit128-bitPer SP 800-232Per SP 800-232Catastrophic

The only two numeric limits you must hard-code are GCM's, because they are the ones people breach silently: cap messages per key well under 2322^{32} and messages under 64 GiB each [17]. ChaCha20-Poly1305's own ~256 GiB per-message ceiling comes the same way, from its 32-bit block counter over 64-byte blocks (232×642^{32}\times 64 bytes =238= 2^{38} bytes), per RFC 8439 [24]. AES-GCM-SIV's per-nonce key derivation buys better multi-user bounds, which is the whole reason RFC 8452 derives fresh keys rather than reusing one [32][29].

Every rung of that ladder has a mirror image: a misuse pattern that punishes the deployment for stepping on the edge it ignored. Each row below maps a real-code mistake to the named break that catches it.

Misuse seen in real codeEdge it triggersNamed break
Reusing a (key, nonce) in GCM or AEGISNonceNonce-Disrespecting Adversaries, 2016
Assuming an AEAD binds a ciphertext to one keyCommitmentInvisible salamanders; partitioning oracles
Truncating the tag to save bytes (CCM_8)Integrity budgetWegman-Carter forgery bound
Treating AES-GCM-SIV reuse as "free"NonceSIV leaks message equality
Hand-rolling Encrypt-and-MACCompositionBellare-Namprempre; Krawczyk
Conflating GCM's two ceilingsNonceThe two SP 800-38D limits

The evidence for each is in the sections above: nonce reuse on live servers [2], the salamander and its weaponization [1][39], the tag-length forgery budget [11], the SIV equality leak [29], the composition theorems [5][6], and the two ceilings [17]. One extra caution on attribution: the live-TLS nonce-reuse break is repeatedly mis-cited to CVE-2016-0270, which actually names IBM Domino and which the NVD itself flags as commonly misapplied to other products [4].

A five-minute self-audit for the commitment edge

Search your codebase for any AEAD decryption that runs under an attacker-influenced key: password-based encryption, key wrapping, token decryption, or multi-recipient envelopes. If a decrypt path lets the caller supply or guess the key and then branches on whether decryption succeeded, you are exposed to a partitioning oracle and need a key-commitment transform on top of the AEAD [39][37].

That ladder is your inoculation against folklore. But folklore is sticky, so let us take the most common misconceptions head-on.

11. Seven Beliefs That Get Deployments Broken

Frequently asked questions about choosing an AEAD

Reusing a nonce just weakens things a bit, right?

No. For every nonce-respecting mode -- AES-GCM, ChaCha20-Poly1305, AES-CCM, OCB3, AEGIS, and Ascon -- a single repeated (key, nonce) is an immediate, total break: it leaks the XOR of the two plaintexts, and a second collision hands over the authentication subkey for universal forgery [3][2]. Only the SIV family degrades gracefully, and only to leaking message equality [29].

Does AES-GCM-SIV make nonce reuse totally safe?

No. It makes reuse survivable, not free. A repeated nonce still leaks message equality -- an attacker learns that two ciphertexts encrypt the same plaintext -- which can matter a great deal in the right context. Use it as a safety net, not a license to stop managing nonces [29][28].

Isn't ChaCha20-Poly1305 weaker than AES-GCM, or a mandatory TLS 1.3 cipher?

No to both misreadings. It is a different trade-off on the hardware edge, not a weaker cipher: constant-time in pure software with no lookup tables, which makes it the stronger choice on hardware without AES-NI, where table-based AES leaks timing. And it is not mandatory-to-implement in TLS 1.3 -- it is a recommended (SHOULD) cipher suite, while only AES-128-GCM is the MUST, per RFC 8446 Section 9.1 [18]. Recommended, not weaker, not mandatory.

Are random 96-bit GCM nonces safe forever?

No. Random 96-bit nonces are collision-safe only up to roughly 2322^{32} messages per key, by the birthday bound. That per-key invocation cap is a different number from the per-message limit of about 64 GiB; enforce both, and prefer a counter over a random nonce when you can [17][20].

Doesn't authenticated mean a ciphertext decrypts only one way?

No. Most AEADs are not key-committing. One AES-GCM ciphertext can be built to decrypt to two different meaningful plaintexts under two different keys, with the tag valid both times -- the invisible-salamanders result. If a ciphertext must bind to one key, add a commitment transform [1][37].

Is AEGIS the best because it is the newest and fastest?

No. AEGIS leads on raw throughput, but it is nonce-respecting (catastrophic on reuse), not fully key-committing, and still an active Internet-Draft rather than an RFC -- it states plainly that it "is not a standard" and expires on 8 April 2026. Fastest is not the same as best for your deployment [44][43].

Do I need to replace my AEAD for post-quantum security?

No. Symmetric authenticated encryption survives the quantum transition. Grover's algorithm only halves effective key length [68], so prefer 256-bit keys and size tags with margin. The post-quantum upheaval is in key exchange and signatures, not the AEAD record layer. Separately, note that NIST's Ascon-AEAD128 is a tweaked variant of the CAESAR Ascon-128, not byte-identical [50].

The Function, Not the Ranking

Seven ciphers, one interface, three edges. Every break here was a deployment triggering an edge its designers deliberately moved elsewhere. The invisible salamanders triggered the commitment edge that AEAD never promised to close [1]. The 184 TLS servers triggered the nonce edge that GHASH cannot survive [2]. The CCM_8 forgery budget is the tag-length edge priced in bits [11]. The SIV equality leak is the residue of the one edge SIV does close -- even the fix has a seam [29]. And OCB3's near-total absence is the patent grave, an edge that was never technical at all [35].

Put them together and the thesis is earned rather than asserted. "Which AEAD should I use?" is not a ranking from worst to best, because Section 8 proved there is no best -- no single construction can be misuse-resistant and single-pass and fully committing and fastest at once. It is a function: pick the construction whose failure mode your deployment can guarantee it will never trigger.

Master the three edges and you can place any construction on the map, predict any misuse before it ships, and evaluate whatever the next competition invents -- key-derivation-bound AEADs, the TLS record layer's next mode, or a lightweight winner that does not exist yet. The names will change. The edges will not.

Study guide

Key terms

AEAD
One keyed call giving confidentiality, plaintext integrity, and associated-data integrity
Associated Data
Header bytes authenticated but not encrypted, travelling in the clear
Nonce
A value that must be unique per key for a nonce-respecting mode
MRAE
Misuse-resistant AE, where nonce reuse leaks only message equality
Wegman-Carter one-time MAC
A tag of the form keyed-hash plus one-time mask, the shared root of GHASH and Poly1305
GHASH
GCM's linear universal hash at a secret point, recovering which forges tags
Synthetic IV (SIV)
An IV derived as a MAC of the whole message, so the tag is the IV
Key commitment
Binding a ciphertext to one key (CMT-1) up to the full context (CMT-4)
Sponge
One permutation that absorbs input and squeezes keystream and tag, as in Ascon
Inverse-free
A decryption path that never calls the block-cipher inverse, true of the CTR, stream, and sponge modes but not OCB3
RUP
Release of Unverified Plaintext, emitting plaintext before the tag is checked

Comprehension questions

  1. What are the three edges that decide an AEAD choice?

    The nonce contract, the performance and hardware profile, and commitment.

  2. Why is a repeated nonce catastrophic in AES-GCM?

    It reuses the one-time Wegman-Carter mask, leaking the plaintext XOR and, with a second collision, the GHASH subkey for forgery.

  3. Why can a misuse-resistant AEAD not be single-pass?

    Its ciphertext must depend on the whole message, so it must read the last plaintext byte before emitting any ciphertext, a Rogaway-Shrimpton theorem.

  4. Does authenticated mean a ciphertext binds to one key?

    No. Commitment is an orthogonal axis, and most AEADs are not key-committing by default.

References

  1. Yevgeniy Dodis, Paul Grubbs, Thomas Ristenpart, & Joanne Woodage (2018). Fast Message Franking: From Invisible Salamanders to Encryptment. https://eprint.iacr.org/2019/016
  2. Hanno Böck, Aaron Zauner, Sean Devlin, Juraj Somorovsky, & Philipp Jovanovic (2016). Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS. https://www.usenix.org/system/files/conference/woot16/woot16-paper-bock.pdf
  3. Antoine Joux (2006). Authentication Failures in NIST Version of GCM. https://csrc.nist.gov/csrc/media/projects/block-cipher-techniques/documents/bcm/comments/800-38-series-drafts/gcm/joux_comments.pdf
  4. National Vulnerability Database (2016). CVE-2016-0270 (IBM Domino AES-GCM nonce generation). https://nvd.nist.gov/vuln/detail/CVE-2016-0270
  5. Mihir Bellare & Chanathip Namprempre (2000). Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition. https://eprint.iacr.org/2000/025
  6. Hugo Krawczyk (2001). The Order of Encryption and Authentication for Protecting Communications (or: How Secure Is SSL?). https://eprint.iacr.org/2001/045
  7. David McGrew (2008). RFC 5116: An Interface and Algorithms for Authenticated Encryption. https://www.rfc-editor.org/rfc/rfc5116
  8. Charanjit S. Jutla (2001). Encryption Modes with Almost Free Message Integrity. https://link.springer.com/chapter/10.1007/3-540-44987-6_32
  9. Phillip Rogaway, Mihir Bellare, John Black, & Ted Krovetz (2001). OCB: A Block-Cipher Mode of Operation for Efficient Authenticated Encryption. https://web.cs.ucdavis.edu/~rogaway/papers/ocb.pdf
  10. Phillip Rogaway (2002). Authenticated-Encryption with Associated-Data. https://web.cs.ucdavis.edu/~rogaway/papers/ad.pdf
  11. Doug Whiting, Russ Housley, & Niels Ferguson (2003). RFC 3610: Counter with CBC-MAC (CCM). https://www.rfc-editor.org/rfc/rfc3610
  12. Morris Dworkin (2004). NIST SP 800-38C: Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality. https://csrc.nist.gov/pubs/sp/800/38/c/final
  13. Bluetooth SIG (2023). Bluetooth Core Specification (Security Manager, AES-CCM). https://www.bluetooth.com/specifications/specs/core-specification/
  14. IEEE (2020). IEEE Std 802.15.4: Low-Rate Wireless Networks (AES-CCM* security). https://standards.ieee.org/ieee/802.15.4/7029/
  15. IEEE (2004). IEEE Std 802.11i-2004: Medium Access Control (MAC) Security Enhancements (Amendment 6). https://standards.ieee.org/ieee/802.11i/3127/
  16. David McGrew & John Viega (2004). The Security and Performance of the Galois/Counter Mode (GCM) of Operation. https://eprint.iacr.org/2004/193
  17. Morris Dworkin (2007). NIST SP 800-38D: Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC. https://csrc.nist.gov/pubs/sp/800/38/d/final
  18. Eric Rescorla (2018). RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3. https://www.rfc-editor.org/rfc/rfc8446
  19. Daniel J. Bernstein (2005). Poly1305-AES: A State-of-the-Art Message-Authentication Code. https://cr.yp.to/mac.html
  20. Viet Tung Hoang, Stefano Tessaro, & Aishwarya Thiruvengadam (2018). The Multi-user Security of GCM, Revisited: Tight Bounds for Nonce Randomization. https://eprint.iacr.org/2018/993
  21. Microsoft (2024). TLS Cipher Suites in Windows 11. https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-cipher-suites-in-windows-11
  22. Microsoft (2025). SMB Security Enhancements. https://learn.microsoft.com/en-us/windows-server/storage/file-server/smb-security
  23. Daniel J. Bernstein (2008). ChaCha, a variant of Salsa20. https://cr.yp.to/chacha.html
  24. Yoav Nir & Adam Langley (2018). RFC 8439: ChaCha20 and Poly1305 for IETF Protocols. https://www.rfc-editor.org/rfc/rfc8439
  25. Jason A. Donenfeld (2024). WireGuard: Protocol & Cryptography. https://www.wireguard.com/protocol/
  26. OpenSSH (2024). OpenSSH PROTOCOL: chacha20-poly1305@openssh.com authenticated encryption. https://github.com/openssh/openssh-portable/blob/master/PROTOCOL
  27. Filippo Valsorda (2024). The age Encryption Format, Version 1. https://age-encryption.org/v1
  28. Phillip Rogaway & Thomas Shrimpton (2006). A Provable-Security Treatment of the Key-Wrap Problem (SIV / Misuse-Resistant AE). https://eprint.iacr.org/2006/221
  29. Shay Gueron, Adam Langley, & Yehuda Lindell (2019). RFC 8452: AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption. https://www.rfc-editor.org/rfc/rfc8452
  30. Dan Harkins (2008). RFC 5297: Synthetic Initialization Vector (SIV) Authenticated Encryption Using AES. https://www.rfc-editor.org/rfc/rfc5297
  31. Shay Gueron & Yehuda Lindell (2015). GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle per Byte. https://eprint.iacr.org/2015/102
  32. Priyanka Bose, Viet Tung Hoang, & Stefano Tessaro (2018). Revisiting AES-GCM-SIV: Multi-user Security, Faster Key Derivation, and Better Bounds. https://eprint.iacr.org/2018/136
  33. Ted Krovetz & Phillip Rogaway (2011). The Software Performance of Authenticated-Encryption Modes. https://web.cs.ucdavis.edu/~rogaway/papers/ae.pdf
  34. Ted Krovetz & Phillip Rogaway (2014). RFC 7253: The OCB Authenticated-Encryption Algorithm. https://www.rfc-editor.org/rfc/rfc7253
  35. Ted Krovetz & Phillip Rogaway (2021). The Design and Evolution of OCB (Journal of Cryptology 34:36). https://link.springer.com/content/pdf/10.1007/s00145-021-09399-8.pdf
  36. Akiko Inoue, Tetsu Iwata, Kazuhiko Minematsu, & Bertram Poettering (2019). Cryptanalysis of OCB2: Attacks on Authenticity and Confidentiality. https://eprint.iacr.org/2019/311
  37. Mihir Bellare & Viet Tung Hoang (2022). Efficient Schemes for Committing Authenticated Encryption. https://eprint.iacr.org/2022/268
  38. IETF CFRG (2025). RFC 9771: Properties of AEAD Algorithms. https://www.rfc-editor.org/rfc/rfc9771
  39. Julia Len, Paul Grubbs, & Thomas Ristenpart (2021). Partitioning Oracle Attacks. https://www.usenix.org/conference/usenixsecurity21/presentation/len
  40. Ange Albertini, Thai Duong, Shay Gueron, Stefan Kölbl, Atul Luykx, & Sophie Schmieg (2022). How to Abuse and Fix Authenticated Encryption Without Key Commitment. https://www.usenix.org/conference/usenixsecurity22/presentation/albertini
  41. John Chan & Phillip Rogaway (2022). On Committing Authenticated Encryption. https://par.nsf.gov/servlets/purl/10391723
  42. Sanketh Menda, Julia Len, Paul Grubbs, & Thomas Ristenpart (2023). Context Discovery and Commitment Attacks: How to Break CCM, EAX, SIV, and More. https://eprint.iacr.org/2023/526
  43. Hongjun Wu & Bart Preneel (2013). AEGIS: A Fast Authenticated Encryption Algorithm. https://eprint.iacr.org/2013/695
  44. Frank Denis & Samuel Lucas (2025). The AEGIS Family of Authenticated Encryption Algorithms (draft-irtf-cfrg-aegis-aead-18). https://datatracker.ietf.org/doc/draft-irtf-cfrg-aegis-aead/
  45. Christoph Dobraunig, Maria Eichlseder, Florian Mendel, & Martin Schläffer (2021). Ascon v1.2: Lightweight Authenticated Encryption and Hashing (Journal of Cryptology 34:33). https://link.springer.com/article/10.1007/s00145-021-09398-9
  46. Daniel J. Bernstein (2019). CAESAR: Competition for Authenticated Encryption: Security, Applicability, and Robustness. https://competitions.cr.yp.to/caesar.html
  47. Daniel J. Bernstein (2019). CAESAR Submissions and Final Portfolio. https://competitions.cr.yp.to/caesar-submissions.html
  48. Tomer Ashur, Maria Eichlseder, Martin M. Lauridsen, Gaëtan Leurent, Brice Minaud, Yann Rotella, Yu Sasaki, & Benoît Viguier (2018). Cryptanalysis of MORUS. https://eprint.iacr.org/2018/464
  49. Hongjun Wu & Bart Preneel (2016). AEGIS v1.1 (CAESAR submission). https://competitions.cr.yp.to/round3/aegisv11.pdf
  50. National Institute of Standards and Technology (2025). NIST SP 800-232: Ascon-Based Lightweight Cryptography Standards for Constrained Devices. https://csrc.nist.gov/pubs/sp/800/232/final
  51. National Institute of Standards and Technology (2023). Lightweight Cryptography: NIST Selects Ascon. https://csrc.nist.gov/news/2023/lightweight-cryptography-nist-selects-ascon
  52. Ascon Team (2025). Ascon: Lightweight Authenticated Encryption and Hashing. https://ascon.isec.tugraz.at/
  53. OpenSSL Project (2023). EVP_CIPHER-AES: the AES EVP_CIPHER implementations (AES-GCM, AES-CCM, AES-GCM-SIV, AES-SIV). https://docs.openssl.org/master/man7/EVP_CIPHER-AES/
  54. BoringSSL Authors (2025). BoringSSL aead.h: AEAD interfaces (AES-GCM, ChaCha20-Poly1305, XChaCha20-Poly1305, AES-GCM-SIV, AES-CCM). https://commondatastorage.googleapis.com/chromium-boringssl-docs/aead.h.html
  55. The Go Authors (2025). Go crypto/cipher: NewGCM (AES-GCM AEAD). https://pkg.go.dev/crypto/cipher#NewGCM
  56. Oracle (2023). Java Security Standard Algorithm Names (Cipher AES/GCM/NoPadding, ChaCha20-Poly1305). https://docs.oracle.com/en/java/javase/21/docs/specs/security/standard-names.html
  57. Microsoft (2025). AesGcm Class (System.Security.Cryptography). https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.aesgcm
  58. W3C (2017). Web Cryptography API. https://www.w3.org/TR/webcrypto/
  59. Frank Denis (2025). libsodium Documentation. https://doc.libsodium.org/
  60. OpenSSL Project (2021). EVP_CIPHER-CHACHA: the ChaCha EVP_CIPHER implementations (ChaCha20-Poly1305). https://docs.openssl.org/master/man7/EVP_CIPHER-CHACHA/
  61. The Go Authors (2025). Go golang.org/x/crypto/chacha20poly1305 (ChaCha20-Poly1305 and XChaCha20-Poly1305). https://pkg.go.dev/golang.org/x/crypto/chacha20poly1305
  62. Mbed TLS Project (2024). Mbed TLS ccm.h: CCM authenticated encryption API. https://raw.githubusercontent.com/Mbed-TLS/mbedtls/v3.6.2/include/mbedtls/ccm.h
  63. wolfSSL (2025). wolfCrypt AES API: wc_AesCcmEncrypt (AES-CCM). https://www.wolfssl.com/documentation/manuals/wolfssl/group__AES.html
  64. The Miscreant Developers (2018). Miscreant: misuse-resistant symmetric encryption (AES-SIV, RFC 5297). https://github.com/miscreant/meta
  65. Daniel J. Bernstein & Tanja Lange (2026). eBAEAD: ECRYPT Benchmarking of Authenticated Ciphers. https://bench.cr.yp.to/results-aead.html
  66. Dan Boneh & Victor Shoup (2023). A Graduate Course in Applied Cryptography. https://toc.cryptobook.us/
  67. Jonathan Katz & Yehuda Lindell (2020). Introduction to Modern Cryptography, 3rd Edition. ISBN 978-0815354369.
  68. Lov K. Grover (1996). A Fast Quantum Mechanical Algorithm for Database Search. https://arxiv.org/abs/quant-ph/9605043