[null,null,["อัปเดตล่าสุด 2025-07-25 UTC"],[[["\u003cp\u003eDeterministic Authenticated Encryption with Associated Data (AEAD) encrypts the same data into the same ciphertext, useful for key wrapping or searchable encryption but revealing repeated messages.\u003c/p\u003e\n"],["\u003cp\u003eIt offers secrecy (except for length and repetition), authenticity, symmetry, and determinism in encryption.\u003c/p\u003e\n"],["\u003cp\u003eWhile associated data is authenticated, it is not encrypted, allowing ciphertext binding to specific contexts like user IDs.\u003c/p\u003e\n"],["\u003cp\u003eThe recommended key type is AES256_SIV, providing strong security guarantees including 128-bit security level and the capacity to encrypt numerous messages safely.\u003c/p\u003e\n"],["\u003cp\u003eDeterministic AEAD is suitable for scenarios where deterministic encryption and context binding are prioritized, such as preventing unauthorized data transfer in databases.\u003c/p\u003e\n"]]],["Deterministic AEAD encrypts data deterministically, producing the same ciphertext for identical data. It offers secrecy (except for repeated plaintexts), authenticity, symmetry, and determinism. A key use is binding ciphertext to associated data for integrity. While offering strong security, repeated messages can reveal equality. Associated data is authenticated but not encrypted. The AES256_SIV key type is recommended, ensuring at least 80-bit authentication and 128-bit security against key recovery. It supports large messages and numerous encryptions.\n"],null,["# Deterministic Authenticated Encryption with Associated Data (Deterministic AEAD)\n\nThe Deterministic Authenticated Encryption with Associated Data (Deterministic\nAEAD) primitive provides encryption with a *deterministic* property: encrypting\nthe same data always yields the same ciphertext. This type of encryption is\nuseful for key wrapping or for some schemes for searching on encrypted data (see\n[RFC 5297, Section\n1.3](https://tools.ietf.org/html/rfc5297#section-1.3)\nfor more info). Because of its deterministic property, implementations of this\nprimitive can lead to loss of secrecy because an attacker only needs to find out\nthe ciphertext for a given message to identify other instances of that message.\n\nDeterministic AEAD has the following properties:\n\n- **Secrecy**: Nothing about the plaintext is known, except its length and the equality of repeated plaintexts.\n- **Authenticity**: It is impossible to change the encrypted plaintext underlying the ciphertext without being detected.\n- **Symmetric**: Encrypting the plaintext and decrypting the ciphertext is done with the same key.\n- **Deterministic**: As long as the primary key is not changed, encrypting a plaintext twice with the same parameters results in the same ciphertext.\n\n| **Note:** Deterministic AEAD protects data almost as well as the normal AEAD primitive. However, if you send the same message twice, an attacker can notice that the two messages are equal. If this is not the intended behaviour, see [AEAD](/tink/aead).\n\n### Associated data\n\n| **Caution:** Associated data is authenticated but *NOT* encrypted.\n\nDeterministic AEAD can also be used to [tie ciphertext to specific associated\ndata](/tink/bind-ciphertext). For example, if you have a database with the fields\n`user-id` and `encrypted-medical-history`: In this scenario, `user-id` can be\nused as associated data when encrypting `encrypted-medical-history`. This\nprevents an attacker from moving medical history from one user to another.\n\n### Choose a key type\n\nWe recommend the **AES256_SIV** key type for all use cases.\n| **Note:** Tink doesn't offer AES128_SIV because it doesn't provide 128-bit security in multi-user scenarios.\n\n### Security guarantees\n\n- At least 80-bit authentication strength.\n- The plaintext and associated data can have arbitrary lengths (within the range 0..2^32^ bytes).\n- 128-bit security level against key recovery attacks, and also in multi-user attacks with up to 2^32^ keys --- that means if an adversary obtains 2^32^ ciphertexts of the same message encrypted under 2^32^ keys, they need to do 2^128^ computations to obtain a single key.\n- The ability to safely encrypt 2^38^ messages, provided each is less than 1MB in length.\n\n| **Caution:** **Deterministic AEAD offers no secrecy guarantees for associated\n| data.**\n\n### Example use case\n\nSee I want to [encrypt data deterministically](/tink/deterministic-encryption) and\nI want to [bind ciphertext to its context](/tink/bind-ciphertext)."]]
