Selecting AEAD for Production Systems
Apply a decision framework to choose the right AEAD scheme based on threat model and performance requirements.
AES-GCM: The Default Choice
AES-GCM is the correct default AEAD for most production systems. It is hardware-accelerated via AES-NI on virtually all modern x86 and ARM64 processors, widely supported across TLS stacks and cryptographic libraries, and benefits from extensive cryptanalysis and real-world deployment experience.
AES-GCM Nonce Limits
AES-GCM uses a 96-bit nonce. With randomly generated nonces, the birthday bound is reached after approximately 2^32 messages under the same key, at which point nonce collision probability becomes non-negligible. For high-volume systems, nonce management via a counter or key rotation after 2^32 messages is essential.
All lessons in this course
- Why Encrypt-Then-MAC Beats MAC-Then-Encrypt
- SIV Mode: Nonce-Misuse Resistant AEAD
- AEGIS: High-Speed Authenticated Encryption
- Selecting AEAD for Production Systems