Consider situations where AAD is non-negligible in length compared to the plaintext

[chris-wood]

From Dan Harkins in the call. This could affect the presented limits.

[chris-wood]

See https://tools.ietf.org/html/draft-ietf-ntp-using-nts-for-ntp-28 as another use case. From Hal Murray on the list:

NTP (Network Time Protocol) uses UDP which is easy to forge. It's getting a
layer of authentication which uses AEAD.

The basic NTP packet is 48 bytes. NTS bumps that up to roughly 200. The
client-to-server has no encryption. The server-to-client encrypts roughly 100
bytes.

That 100 bytes is a cookie which also uses AEAD. The cookie contains a
client-to-server and a server-to-client key for the above AEAD so the server
doesn't have to maintain any per-client state. The cookie key is maintained
by the server.

[chris-wood]

Closing as WONTFIX, since (a) not all published analyses make this distinction between AAD and plaintext length inputs, and (b) assuming AAD is part of the plaintext in practice likely does not have any substantial impact on key update or rotation logic.