Clarification needed on AEAD robustness documentation. #1525

GPUex · 2026-03-19T09:16:34Z

GPUex
Mar 19, 2026

In AEAD documentation, there is proposed fix for AEAD robustness: H(key, nonce || ciphertext_tag || ad).
1st question: ciphertext_tag here means entire ciphertext and its tag or the tag alone?
2nd question: does key has to be exactly the same as used in AEAD, or can it be derived from the same keying material as AEAD key?
3rd question on H function - can it be BLAKE2b or BLAKE3 in keyed mode?

Answered by jedisct1

Mar 19, 2026

1st question: ciphertext_tag here means entire ciphertext and its tag or the tag alone?

The tag alone is enough.

2nd question: does key has to be exactly the same as used in AEAD, or can it be derived from the same keying material as AEAD key?

A derived key is fine, and actually cleaner than reusing the key.

3rd question on H function - can it be BLAKE2b or BLAKE3 in keyed mode?

Yes, just use crypto_generichash.

View full answer

jedisct1 · 2026-03-19T10:29:50Z

jedisct1
Mar 19, 2026
Maintainer

1st question: ciphertext_tag here means entire ciphertext and its tag or the tag alone?

The tag alone is enough.

2nd question: does key has to be exactly the same as used in AEAD, or can it be derived from the same keying material as AEAD key?

A derived key is fine, and actually cleaner than reusing the key.

3rd question on H function - can it be BLAKE2b or BLAKE3 in keyed mode?

Yes, just use crypto_generichash.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Clarification needed on AEAD robustness documentation. #1525

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

Clarification needed on AEAD robustness documentation. #1525

Uh oh!

GPUex Mar 19, 2026

Replies: 1 comment

Uh oh!

jedisct1 Mar 19, 2026 Maintainer

GPUex
Mar 19, 2026

jedisct1
Mar 19, 2026
Maintainer