Should the spec include some guidance (not sure how detailed or for what audience) on when to use the info parameter to Setup* and when to use aad to Seal and Open? In particular, for protocols that only need the single-shot mode, both seem to serve roughly the same purpose. (Though they do work very differently internally...)
One difference I can see is you're better off sticking your label string into info since other protocols might not be single-shot. (Is it worth a suggestion to incorporate a label string into info?) @chris-wood also points out that processing aad with your AEAD's universal hash function is likely faster than processing info with your KDF. So there's probably some benefit to keeping bulk data in the aad side of things. But I also expect this is negligible compared to the KEM. :-)
Beyond that, I'm not sure. aad is per-encryption and info is per-context, but what "feels" per-encryption vs per-context is a little hazy for single-shot uses.
(CC @csharrison)
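
An added example, not part of the original post or of the spec: a small Python model of the distinction raised above, where `info` is bound once into every key of a context and `aad` is authenticated on each call. `Context`, the HKDF labels, `SECRET` and the HMAC-based stand-in for an AEAD are assumptions made for illustration; this is not the spec's key schedule.

```python
import hashlib
import hmac

def extract(salt, ikm):                       # HKDF-Extract (RFC 5869)
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def expand(prk, info, length):                # HKDF-Expand (RFC 5869)
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

class Context:
    """Hypothetical model of a Setup* result; not the spec's key schedule."""
    def __init__(self, shared_secret, info):
        # info is consumed once, by the KDF: every key in the context depends on it.
        prk = extract(b"", shared_secret)
        info_hash = hashlib.sha256(info).digest()
        self.enc_key = expand(prk, b"enc" + info_hash, 32)
        self.mac_key = expand(prk, b"mac" + info_hash, 32)
        self.seq = 0

    def _tag(self, nonce, aad, ct):
        # aad is authenticated per call and never touches key derivation.
        msg = nonce + len(aad).to_bytes(8, "big") + aad + ct
        return hmac.new(self.mac_key, msg, hashlib.sha256).digest()[:16]

    def _xor(self, nonce, data):
        # Toy stream cipher standing in for the AEAD's encryption.
        return bytes(d ^ s for d, s in zip(data, expand(self.enc_key, nonce, len(data))))

    def seal(self, aad, pt):
        nonce = self.seq.to_bytes(12, "big")
        ct = self._xor(nonce, pt)
        self.seq += 1
        return ct + self._tag(nonce, aad, ct)

    def open(self, aad, sealed):
        nonce = self.seq.to_bytes(12, "big")
        ct, tag = sealed[:-16], sealed[-16:]
        if not hmac.compare_digest(tag, self._tag(nonce, aad, ct)):
            return None                       # authentication failure, seq unchanged
        self.seq += 1
        return self._xor(nonce, ct)

SECRET = b"\x01" * 32                         # constructed stand-in for the KEM output
```

A receiver built with a different `info` rejects every message in the context, while a wrong `aad` rejects only the one call it was passed to.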