ZK-Friendly AEADs

[AndAlBo]

Russ Housley:

Section 4.4.9: This subsection seems very different than the others. There is not an example AEAD that offers this property. If you really want to keep this subsection, please provide more discussion about The usefulness of a Zero-Knowledge proofs in an AEAD algorithm.

It is definitely not clear from the definition that ZK-friendly AEADs are intended to be efficiently implemented in proofs. I also agree that the example provided is not satisfactory.

[jedisct1]

This is a can of worms. Are you sure you want to keep that property?

[AndAlBo]

Are you sure you want to keep that property?

I've spent several hours today looking for more research on it, and after that, I am leaning towards "No" =) It seems too specific, and I feel like most lightweight AEADs should be efficient in DSL.