0Pricing
Cryptology Academy · Lesson

Selecting AEAD for Production Systems

Apply a decision framework to choose the right AEAD scheme based on threat model and performance requirements.

AES-GCM: The Default Choice

AES-GCM is the correct default AEAD for most production systems. It is hardware-accelerated via AES-NI on virtually all modern x86 and ARM64 processors, widely supported across TLS stacks and cryptographic libraries, and benefits from extensive cryptanalysis and real-world deployment experience.

AES-GCM Nonce Limits

AES-GCM uses a 96-bit nonce. With randomly generated nonces, the birthday bound is reached after approximately 2^32 messages under the same key, at which point nonce collision probability becomes non-negligible. For high-volume systems, nonce management via a counter or key rotation after 2^32 messages is essential.

All lessons in this course

  1. Why Encrypt-Then-MAC Beats MAC-Then-Encrypt
  2. SIV Mode: Nonce-Misuse Resistant AEAD
  3. AEGIS: High-Speed Authenticated Encryption
  4. Selecting AEAD for Production Systems
← Back to Cryptology Academy