In addition to protecting message integrity and confidentiality, authenticated encryption can provide security against chosen ciphertext attack. In these attacks, an adversary attempts to gain an advantage against a cryptosystem (e.g., information about the secret decryption key) by submitting carefully chosen ciphertexts to some "decryption oracle" and analyzing the decrypted results. Authenticated encryption schemes can recognize improperly-constructed ciphertexts and refuse to decrypt them. This, in turn, prevents the attacker from requesting the decryption of any ciphertext unless it was generated correctly using the encryption algorithm, thus implying that the plaintext is already known. Implemented correctly, authenticated encryption removes the usefulness of the decryption oracle, by preventing an attacker from gaining useful information that the attacker does not already possess.
Many specialized authenticated encryption modes have been developed for use with symmetric block ciphers. However, authenticated encryption can be generically constructed by combining an encryption scheme and a message authentication code (MAC), provided that:
- The encryption scheme is semantically secure under a chosen plaintext attack.
- The MAC function is unforgeable under a chosen message attack.
A typical programming interface for an AE implementation provides the following functions:
- Input: plaintext, key, and optionally a header in plaintext that will not be encrypted, but will be covered by authenticity protection.
- Output: ciphertext and authentication tag (message authentication code).
- Input: ciphertext, key, authentication tag, and optionally a header (if used during the encryption).
- Output: plaintext, or an error if the authentication tag does not match the supplied ciphertext or header.
The header part is intended to provide authenticity and integrity protection for networking or storage metadata for which confidentiality is unnecessary, but authenticity is desired.
The need for authenticated encryption emerged from the observation that securely combining separate confidentiality and authentication block cipher operation modes could be error prone and difficult. This was confirmed by a number of practical attacks introduced into production protocols and applications by incorrect implementation, or lack of authentication (including SSL/TLS).
Around the year 2000, a number of efforts evolved around the notion of standardizing modes that ensured correct implementation. In particular, strong interest in possibly secure modes was sparked by the publication of Charanjit Jutla's integrity-aware CBC and integrity-aware parallelizable, IAPM, modes in 2000 (see OCB and chronology). Six different authenticated encryption modes (namely offset codebook mode 2.0, OCB 2.0; Key Wrap; counter with CBC-MAC, CCM; encrypt then authenticate then translate, EAX; encrypt-then-MAC, EtM; and Galois/counter mode, GCM) have been standardized in ISO/IEC 19772:2009. More authenticated encryption methods were developed in response to NIST solicitation. Sponge functions can be used in duplex mode to provide authenticated encryption.
Bellare and Namprempre (2000) analyzed three compositions of encryption and MAC primitives, and demonstrated that encrypting a message and subsequently applying a MAC to the ciphertext (the Encrypt-then-MAC approach) implies security against an adaptive chosen ciphertext attack, provided that both functions meet minimum required properties. Katz and Yung investigated the notion under the name "unforgeable encryption" and proved it implies security against chosen ciphertext attacks.
In 2013, a competition was announced to encourage design of authenticated encryption modes.
Authenticated encryption with associated data (AEAD)
AEAD is a variant of AE that allows a recipient to check the integrity of both the encrypted and unencrypted information in a message. AEAD binds associated data (AD) to the ciphertext and to the context where it is supposed to appear so that attempts to "cut-and-paste" a valid ciphertext into a different context are detected and rejected.
Approaches to authenticated encryption
Encrypt-then-MAC (EtM) 
The plaintext is first encrypted, then a MAC is produced based on the resulting ciphertext. The ciphertext and its MAC are sent together. Used in, e.g., IPsec. The standard method according to ISO/IEC 19772:2009. This is the only method which can reach the highest definition of security in AE, but this can only be achieved when the MAC used is "strongly unforgeable". In November 2014, TLS and DTLS extension for EtM has been published as RFC 7366. Various EtM ciphersuites exist for SSHv2 as well (e.g., firstname.lastname@example.org).
Note that key separation is mandatory (distinct keys must be used for encryption and for the keyed hash), otherwise it is potentially insecure depending on the specific encryption method and hash function used.
Encrypt-and-MAC (E&M) 
A MAC is produced based on the plaintext, and the plaintext is encrypted without the MAC. The plaintext's MAC and the ciphertext are sent together. Used in, e.g., SSH. Even though the E&M approach has not been proved to be strongly unforgeable in itself, it is possible to apply some minor modifications to SSH to make it strongly unforgeable despite the approach.
MAC-then-Encrypt (MtE) 
A MAC is produced based on the plaintext, then the plaintext and MAC are together encrypted to produce a ciphertext based on both. The ciphertext (containing an encrypted MAC) is sent. Used in, e.g., SSL/TLS. Even though the MtE approach has not been proven to be strongly unforgeable in itself, the SSL/TLS implementation has been proven to be strongly unforgeable by Krawczyk who showed that SSL/TLS was, in fact, secure because of the encoding used alongside the MtE mechanism.[dubious ] Despite the theoretical security, deeper analysis of SSL/TLS modeled the protection as MAC-then-pad-then-encrypt, i.e. the plaintext is first padded to the block size of the encryption function. Padding errors often result in the detectable errors on the recipient's side, which in turn lead to padding oracle attacks, such as Lucky Thirteen.
- Block cipher mode of operation
- CCM mode
- CWC mode
- OCB mode
- EAX mode
- M. Bellare; P. Rogaway; D. Wagner. "A Conventional Authenticated-Encryption Mode" (PDF). NIST. Retrieved March 12, 2013.
people had been doing rather poorly when they tried to glue together a traditional (privacy-only) encryption scheme and a message authentication code (MAC)
- T. Kohno; J. Viega & D. Whiting. "The CWC Authenticated Encryption (Associated Data) Mode" (PDF). NIST. Retrieved March 12, 2013.
it is very easy to accidentally combine secure encryption schemes with secure MACs and still get insecure authenticated encryption schemes
- "Failures of secret-key cryptography" (PDF). Daniel J. Bernstein. Archived from the original (PDF) on April 18, 2013. Retrieved March 12, 2013.
- Jutl, Charanjit S. (2000-08-01). "Encryption Modes with Almost Free Message Integrity". Cryptology ePrint Archive: Report 2000/039. Proceedings IACR EUROCRYPT 2001. IACR. Retrieved 2013-03-16.
- T. Krovetz; P. Rogaway (2011-03-01). "The Software Performance of Authenticated-Encryption Modes" (PDF). Fast Software Encryption 2011 (FSE 2011). IACR.
- "Information technology -- Security techniques -- Authenticated encryption". 19772:2009. ISO/IEC. Retrieved March 12, 2013.
- "Encryption modes development". NIST. Retrieved April 17, 2013.
- The Keccak Team. "Duplexing The Sponge" (PDF).
- Katz, J.; Yung, M. (2001). B. Schneier (ed.). Unforgeable Encryption and Chosen Ciphertext Secure Modes of Operation. Fast Software Encryption (FSE): 2000 Proceedings. Lecture Notes in Computer Science. 1978. pp. 284–299. doi:10.1007/3-540-44706-7_20. ISBN 978-3-540-41728-6.
- "CAESAR: Competition for Authenticated Encryption: Security, Applicability, and Robustness". Retrieved March 12, 2013.
- "NIST Issues First Call for 'Lightweight Cryptography' to Protect Small Electronics". 2018-04-18. Retrieved 2019-09-04.
- "Separate Confidentiality and Integrity Algorithms". RFC 4303. Internet Engineering Task Force (IETF). Retrieved 2018-09-12.
- "Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm". M. Bellare and C. Namprempre. Retrieved April 13, 2013.
- Menezes, A.; van Oorschot, P.; Vanstone, S. (1996). Handbook of Applied Cryptography (Chapter 9, Example 9.88). ISBN 0-8493-8523-7.
- "Data Integrity". RFC 4253. Internet Engineering Task Force (IETF). Retrieved 2018-09-12.
- Bellare, Mihir; Kohno, Tadayoshi; Namprempre, Chanathip. "Breaking and Provably Repairing the SSH Authenticated Encryption Scheme: A Case Study of the Encode-then-Encrypt-and-MAC Paradigm" (PDF). ACM Transactions on Information and System Security. Retrieved 30 August 2021.
- "Record Payload Protection". RFC 5246. Internet Engineering Task Force (IETF). Retrieved 2018-09-12.
- "The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)" (PDF). H. Krawczyk. Retrieved April 13, 2013.
- Bellare, M.; Namprempre, C. (2000), T. Okamoto (ed.), "Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm", Extended Abstract in Advances in Cryptology: Asiacrypt 2000 Proceedings, Lecture Notes in Computer Science, Springer-Verlag, 1976: 531, doi:10.1007/3-540-44448-3_41, ISBN 978-3-540-41404-9
- NIST: Modes Development
- How to choose an Authenticated Encryption mode