Authenticated encryption is the cryptographer’s front-line defense against attackers. It is the
protective shield applied to every network packet. It is the foundation of security for medical
devices, connected vehicles, the financial sector, the smart grid, and the Internet of Things.
But is this shield actually being used? Is it actually working? Is it doing what the users
actually need? Are industry practitioners listening to researchers? Are researchers listening
to industry practitioners?
This white paper identifies critical ongoing problems whose solutions will need concerted
community effort stretching years into the future. The challenges described in this white
paper are classified into four categories:
• Chapter 1: The security target is wrong.
• Chapter 2: The interface is wrong.
• Chapter 3: The performance target is wrong.
• Chapter 4: Mistakes and malice.
This white paper does not mean to suggest that authenticated ciphers are always aiming at
the wrong target. It is important to understand that, for many environments today, using
an existing standard such as AES-128-GCM  is simple, safe, and efficient. However, it is
equally important to understand that the existing standards fail to meet the needs of many
other environments. The AES cipher  and the AES-GCM authenticated cipher are used
as examples throughout this document to illustrate what can and does go wrong.