I just looked over our encryption for device sync again out of interest because of #764864.
We use AES-GCM because AES-CBC—a very popular mode of operation for block ciphers—has no authentication and it's usually a very bad idea to attempt decryption of stuff you can't be sure where it came from1:
It's strongly recommended to use authenticated encryption, which includes checks that the ciphertext has not been modified by an attacker. Authentication helps protect against chosen-ciphertext attacks, in which an attacker can ask the system to decrypt arbitrary messages, and use the result to deduce information about the secret key. While it's possible to add authentication to CTR and CBC modes, they do not provide it by default and when implementing it manually one can easily make minor, but serious mistakes. GCM does provide built-in authentication, and for this reason it's often recommended over the other two AES modes.
Thanks to this article, I found out that Signal also uses AES-GCM to store encrypted keys on your devices. That has a nice ring to it.
However, AES-GCM isn't perfect and this is what this blog post is about.