What drivers are causing an increase in authenticated encryption modes?

So I'm currently working through this cryptography question and so far I have the answer of an increase of hackers due to increase in computational power. But apart from that I don't know what else. Number spoofing? Weaker security mechanisms in organisations? Not really sure apart from the computational power increase point.

A lot of things could be contributing to an increase. I would tie most of them to advancements in the TLS protocol over time.

• The sunsetting of TLS 1.1 and older SSL protocols, which did not include any support for AE cipher modes
• The introduction of easy-to-use and efficient AE cipher modes, such as GCM, in TLS 1.2
• AE cipher modes are the only cipher suites allowed in TLS 1.3

Encryption without authentication does not always protect confidentiality against active attackers. An active attacker can often conduct an oracle attack: take some ciphertext that the attacker wants to decrypt, tweak it, and send it to a server that will decrypt it and act on it. The attacker doesn't know either the original plaintext or the plaintext for the modified ciphertext, but the server's response might give some indication. Repeat again with a different tweak, and again, and so on. Depending on how the encryption is done, this can eventually give the attacker enough information to decrypt the plaintext.

A well-documented example is the Lucky Thirteen attack against earlier versions of the TLS protocol (which implements the S in HTTPS). TLS originally used CBC with MAC-then-encrypt, in a way that is vulnerable to a padding oracle attack. It is possible to defend against the attack, but this is difficult and costly.

Authenticated encryption completely defeats this class of attacks. If the attacker sends a tweaked ciphertext, it will always have an incorrect tag (because you can't forge a tag without the secret key), so the server's response will be uniformly “invalid message”, and the attacker can't learn anything about the plaintext. TLS 1.2 introduced the possibility of using authenticated encryption instead of CBC, and TLS 1.3 removes the possibility of using CBC. As of 2022, most of the TLS traffic on the web thus uses authenticated encryption.

What has driven the move towards authenticated encryption is a combination of factors: the increased awareness that non-authenticated encryption is not enough, the increased ubiquity of authenticated encryption in cryptography libraries, the gradual renewal of old software and systems.

Computational power is completely irrelevant. Modern authenticated encryption modes are typically slightly faster than traditional do-it-yourself combinations of encryption and MAC, but slower than traditional encryption without authentication. The difference is negligible compared to Moore's law.