AEAD robustness implementation examples #125

Closed
samuel-lucas6 opened this issue Jan 25, 2021 · 2 comments
Comments

@samuel-lucas6
Collaborator

From the Robustness section for AEAD constructions:

If that turns out to be a concern, this can be solved in different ways:

  • By incorporating a key identifier in the nonce
  • By including a key identifier in the additional data
  • By including a 128-bit fixed string in the message and verifying it during the decryption process

The third bullet point is very clear. However, it's less clear how to create a key identifier for the first and second bullet points. The papers on the subject are rather confusing if you're not used to the notation. Please could you explain a suitable method of generating a key identifier in the documentation. Thank you.

@jedisct1
Owner

A key identifier is anything that can let your application uniquely identify a key, in a protocol handling key rotation.

This information doesn't have to be secret or unpredictable. It can be a serial number (even a simple counter) or a random value, although padding it to at least 128 bits wouldn't be a bad idea.

If this is confusing, I'd rather remove this from the documentation, especially since papers have been published on that subject.

@samuel-lucas6
Collaborator Author

That makes sense. I assumed it was referring to deriving some sort of subkey before.
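The layout the maintainer describes above, worked through as an added example (this is not libsodium code and not a snippet from either participant): Go's standard-library AES-256-GCM stands in for libsodium's AEAD, since the construction is the same for any AEAD that is not key-committing. The 128-bit key identifier is built from a rotation serial number and prepended to the additional data (second bullet), and a 16-byte fixed string is prepended to the plaintext and verified after the tag check (third bullet). The function names, the string `AEAD-ROBUSTNESS!`, the demo key and the all-zero nonce are constructed for this example only.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constants chosen for this example only (they are not libsodium's).
const (
	keyIDSize    = 16                 // key identifier padded to 128 bits, as suggested above
	commitString = "AEAD-ROBUSTNESS!" // 16-byte fixed string prefixed to every plaintext
)

var (
	errAuthFailed   = errors.New("decryption failed: tag did not verify")
	errNotCommitted = errors.New("decryption failed: fixed string absent, ciphertext was not made for this key")
)

// keyID turns a key-rotation serial number into a 128-bit identifier.
// It is public and predictable; it only has to be unique per key.
func keyID(serial uint64) []byte {
	id := make([]byte, keyIDSize)
	binary.BigEndian.PutUint64(id[keyIDSize-8:], serial)
	return id
}

// newAEAD wraps AES-GCM; key must be 16, 24 or 32 bytes.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRobust prepends the key identifier to the additional data and the
// fixed string to the plaintext before calling the AEAD.
func sealRobust(key []byte, serial uint64, nonce, ad, msg []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(nonce) != aead.NonceSize() { // GCM panics on a wrong-length nonce
		return nil, fmt.Errorf("nonce must be %d bytes", aead.NonceSize())
	}
	fullAD := append(keyID(serial), ad...)
	pt := append([]byte(commitString), msg...)
	return aead.Seal(nil, nonce, pt, fullAD), nil
}

// checkCommitString verifies and strips the fixed prefix in constant time.
// This is the step that rejects a plaintext the tag accepted under a key
// other than the one the sender used.
func checkCommitString(pt []byte) ([]byte, error) {
	n := len(commitString)
	if len(pt) < n || subtle.ConstantTimeCompare(pt[:n], []byte(commitString)) != 1 {
		return nil, errNotCommitted
	}
	return pt[n:], nil
}

// openRobust rebuilds the same additional data from the receiver's own view
// of which key is current, opens, then checks the fixed string.
func openRobust(key []byte, serial uint64, nonce, ad, ct []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(nonce) != aead.NonceSize() {
		return nil, fmt.Errorf("nonce must be %d bytes", aead.NonceSize())
	}
	fullAD := append(keyID(serial), ad...)
	pt, err := aead.Open(nil, nonce, ct, fullAD)
	if err != nil {
		return nil, errAuthFailed
	}
	return checkCommitString(pt)
}

func main() {
	key := make([]byte, 32) // constructed demo key; generate real keys with crypto/rand
	for i := range key {
		key[i] = byte(i)
	}
	nonce := make([]byte, 12) // constructed; a real nonce must never repeat under one key
	ct, err := sealRobust(key, 1, nonce, []byte("header"), []byte("hello"))
	if err != nil {
		panic(err)
	}
	msg, err := openRobust(key, 1, nonce, []byte("header"), ct)
	fmt.Printf("serial 1: %q, err=%v\n", msg, err)
	_, err = openRobust(key, 2, nonce, []byte("header"), ct) // receiver believes key 2 is current
	fmt.Println("serial 2:", err)
}
```

For the first bullet (identifier in the nonce) the same `keyID` value would be laid into the nonce instead of the additional data, which needs a nonce long enough to hold it: a 128-bit identifier plus a 64-bit counter fits XChaCha20-Poly1305's 192-bit nonce but not AES-GCM's 96-bit one, so with GCM a shorter identifier (for example 32 bits) would have to do. Either way the receiver recomputes the identifier from its own key table rather than trusting one sent in the clear, so a ciphertext made under a different key fails the tag check before the fixed-string check is ever reached.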
