What is Authenticated Encryption (AE) and what does AES-GCM provide?
Authenticated Encryption combines encryption and integrity protection in a single algorithm, and AES-GCM is the most widely used AE mode — providing confidentiality, integrity, and authenticity in one pass.
* AES-GCM fuses CTR-mode encryption with a GHASH tag in one authenticated pass (confidentiality + integrity + authenticity). *
AE exists because hand-combining "encrypt, then bolt on a MAC" is precisely where most real-world protocol breaks happened (wrong order, reused keys, verifying too late). Folding both jobs into one analysed construction removes those dangerous degrees of freedom, which is why modern advice is to reach for an AE mode rather than assemble your own.
Authenticated Encryption provides:
- Confidentiality (data is encrypted)
- Integrity (data hasn't been modified)
- Authenticity (data came from the key holder)
AES-GCM (Galois/Counter Mode):
- Combines CTR mode encryption with GHASH (a polynomial MAC over GF(2^128))
- Single pass: encrypts and computes the authentication tag simultaneously
- Very fast — benefits from both AES-NI and pipelining
- Used in TLS 1.3 (the mandatory cipher suite), IPsec, SSH
AEAD (Authenticated Encryption with Associated Data):
- Extension that also authenticates unencrypted header data (e.g., packet headers)
- The "AD" part is authenticated but not encrypted
- GCM supports AEAD natively
Other AE modes: CCM (Counter with CBC-MAC), ChaCha20-Poly1305
Tip: In modern crypto, always use authenticated encryption (AES-GCM or ChaCha20-Poly1305). Never "roll your own" encrypt + MAC combination.
Go deeper:
Galois/Counter Mode (Wikipedia) — how GCM combines CTR with a GF(2¹²⁸) polynomial MAC.
NIST SP 800-38D — GCM and GMAC — the authoritative GCM specification.