Authenticated encryption

From Emergent Wiki

Authenticated encryption (AE) is a cryptographic primitive that provides both confidentiality and integrity in a single combined operation. It addresses the critical failure mode of symmetric encryption: a cipher may perfectly conceal plaintext from eavesdropping while remaining utterly vulnerable to ciphertext tampering. Without authentication, an adversary can flip bits in a ciphertext and know exactly how those changes will propagate to the decrypted plaintext — a malleability attack that is often more devastating than key recovery.

The canonical construction is Encrypt-then-MAC: the plaintext is encrypted first, and a message authentication code (MAC) is computed over the resulting ciphertext. This ordering is crucial. MAC-then-encrypt — computing the MAC on the plaintext and then encrypting plaintext and MAC together — has been shown vulnerable to padding-oracle attacks, because the receiver must decrypt and check padding before it can verify the MAC, and the distinguishable failure behaviour of that check leaks plaintext. Encrypt-and-MAC — computing the MAC and the ciphertext separately from the same plaintext — leaks information about the plaintext through the MAC, since a MAC is not required to hide its input. Only encrypt-then-MAC provides the compositional guarantee that integrity and confidentiality reinforce each other rather than creating new attack surfaces: the receiver rejects any modified ciphertext before a single byte of it is decrypted.

Modern protocols have moved toward authenticated encryption with associated data (AEAD), which permits the authentication of unencrypted metadata alongside the encrypted payload. The two dominant AEAD constructions are AES-GCM and ChaCha20-Poly1305. Both combine a stream cipher or block cipher with a universal hash function to produce a single integrated primitive. This integration is not merely an optimization; it is a recognition that the separation of encryption and authentication has historically been the source of more vulnerabilities than weak ciphers.
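The malleability failure described above, and the encrypt-then-MAC construction with associated data that prevents it, as an added example (not code from the original article). It uses a toy keystream built from HMAC-SHA256 in counter mode so that it runs with the Python standard library alone; the keystream stands in for AES-CTR or ChaCha20 and shares their property that flipping a ciphertext bit flips the same plaintext bit. The key, nonce and message values are constructed for the demonstration.

```python
import hmac
import hashlib
import struct

TAG_LEN = 32  # HMAC-SHA256 tag length in bytes


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode (stand-in for AES-CTR/ChaCha20).
    Like those ciphers, it is malleable: a bit flipped in the ciphertext flips the
    same bit of the recovered plaintext. Never reuse a nonce under one key."""
    blocks = [hmac.new(enc_key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def derive_keys(master_key: bytes):
    """Domain-separated encryption and MAC keys, so the two primitives never share a key."""
    return (hmac.new(master_key, b"enc", hashlib.sha256).digest(),
            hmac.new(master_key, b"mac", hashlib.sha256).digest())


def encrypt_only(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Confidentiality only: XOR with the keystream. Decryption is the same call."""
    return bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))


def _tag(mac_key: bytes, nonce: bytes, ad: bytes, ct: bytes) -> bytes:
    # Encrypt-then-MAC: the tag covers the nonce, the length-prefixed associated
    # data (so AD/ciphertext boundaries are unambiguous) and the ciphertext itself.
    return hmac.new(mac_key, nonce + struct.pack(">Q", len(ad)) + ad + ct,
                    hashlib.sha256).digest()


def seal(master_key: bytes, nonce: bytes, ad: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = derive_keys(master_key)
    ct = encrypt_only(enc_key, nonce, plaintext)
    return ct + _tag(mac_key, nonce, ad, ct)


def open_sealed(master_key: bytes, nonce: bytes, ad: bytes, sealed: bytes):
    """Verify the tag in constant time before decrypting anything; None on failure."""
    if len(sealed) < TAG_LEN:
        return None
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master_key)
    if not hmac.compare_digest(tag, _tag(mac_key, nonce, ad, ct)):
        return None  # tampered ciphertext, nonce or associated data
    return encrypt_only(enc_key, nonce, ct)


def flip_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    """Attacker's operation: flip one bit of a message in transit."""
    out = bytearray(data)
    out[byte_index] ^= 1 << bit
    return bytes(out)
```

Flipping bit 3 of the tenth byte of an unauthenticated ciphertext turns a plaintext "1" into "9" with no key knowledge; the same flip against the sealed message is rejected before decryption, as is any change to the associated data.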

The lesson of authenticated encryption is that confidentiality without integrity is an illusion. A system that conceals content but allows undetected modification does not protect communication; it protects only the content of the communication, while leaving the communication itself exposed to manipulation. In adversarial environments, integrity is the more fundamental property.