The algorithms AES with Galois/Counter Mode (AES-GCM) and ChaCha20Poly1305 provide both authenticated encryption (confidentiality and authentication) and the ability to check the integrity and authentication of additional authenticated data (AAD) that is sent in the clear. AES-GCM is specified in NIST Special Publication 800-38D [SP800-38D] and ChaCha20Poly1305 in [RFC8439].
There are four inputs for authenticated encryption: the secret key, the initialization vector (IV) (sometimes called a nonce†), the plaintext itself, and optional additional authenticated data (AAD). The nonce and AAD are passed in the clear. There are two outputs: the ciphertext, which is exactly the same length as the plaintext, and an authentication tag (the "tag"). The tag is sometimes called the message authentication code (MAC) or integrity check value (ICV).
This Toolkit provides authenticated encryption using AES-GCM according to "RFC 5116 An Interface and Algorithms for Authenticated Encryption" [RFC 5116], and [New in v22.0] using ChaCha20Poly1305 as in [RFC8439]. We also add support for the AES-192-GCM algorithm (RFC 5116 only has AES-128-GCM and AES-256-GCM).
We add the further restriction that AES-GCM must have a fixed-length nonce (IV) of exactly 12 bytes (96 bits) and it can only create a fixed-length tag of exactly 16 bytes (128 bits). There is no option to use different lengths for the IV or tag. The tag is automatically appended to the output of the encryption operation. The IV may optionally be prepended to the output in accordance with section 5.2.4 of "XML Encryption Syntax and Processing Version 1.1" [XMLENC].
† Note that the term "IV" is used here to mean exactly the same as "nonce".
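The inputs, outputs and output layout described above (12-byte IV optionally prepended, 16-byte tag appended), as an added example that is not the Toolkit's own code. It uses Node.js's built-in `crypto` module for AES-GCM only; the function names, the `null` IV convention and the sample values are assumptions made for illustration.

```javascript
// Added example: uses Node.js built-in crypto, not the Toolkit's own API.
const crypto = require('node:crypto');

const IV_LEN = 12;  // fixed 96-bit IV/nonce
const TAG_LEN = 16; // fixed 128-bit tag

function gcmName(key) {
  if (![16, 24, 32].includes(key.length)) throw new RangeError('key must be 16, 24 or 32 bytes');
  return `aes-${key.length * 8}-gcm`; // AES-128/192/256-GCM
}

// Returns ciphertext||tag, or IV||ciphertext||tag when prependIv is true.
function aeadEncrypt(key, iv, plaintext, aad, prependIv) {
  if (iv.length !== IV_LEN) throw new RangeError('IV must be exactly 12 bytes');
  const c = crypto.createCipheriv(gcmName(key), key, iv, { authTagLength: TAG_LEN });
  c.setAAD(aad); // AAD is authenticated but not encrypted
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  const out = [ct, c.getAuthTag()];
  if (prependIv) out.unshift(iv);
  return Buffer.concat(out);
}

// Pass iv = null when the IV is prepended to the input. Throws if the tag does not verify.
function aeadDecrypt(key, iv, input, aad) {
  let body = input;
  if (iv === null) {
    iv = input.subarray(0, IV_LEN);
    body = input.subarray(IV_LEN);
  }
  if (iv.length !== IV_LEN || body.length < TAG_LEN) throw new RangeError('input too short');
  const split = body.length - TAG_LEN;
  const d = crypto.createDecipheriv(gcmName(key), key, iv, { authTagLength: TAG_LEN });
  d.setAAD(aad);
  d.setAuthTag(body.subarray(split));
  // final() throws when key, IV, AAD, ciphertext or tag does not match
  return Buffer.concat([d.update(body.subarray(0, split)), d.final()]);
}

// Constructed sample inputs (random key and IV, made-up header and message).
function demo() {
  const key = crypto.randomBytes(24); // AES-192-GCM
  const iv = crypto.randomBytes(IV_LEN);
  const aad = Buffer.from('hdr:v1;to=alice');
  const msg = Buffer.from('constructed sample message');
  const out = aeadEncrypt(key, iv, msg, aad, true);
  const back = aeadDecrypt(key, null, out, aad);
  let rejected = false;
  try { aeadDecrypt(key, null, out, Buffer.from('hdr:v1;to=mallory')); } catch (e) { rejected = true; }
  return { overhead: out.length - msg.length, roundTrip: back.equals(msg), rejected };
}
```

The receiver must supply the same AAD the sender used; a changed AAD, ciphertext byte or tag makes decryption fail rather than return altered plaintext.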