Closed jsalowey closed 3 years ago
The length of any authentication tag (if such an item exists) is an internal detail of an AEAD cipher. In RFC5116 "Authenticated Encryption" tag length is deliberately not a separate external parameter to specify along with an AEAD cipher. Any tag is part of the ciphertext.
Each AEAD algorithm MUST provide a description relating the length of the plaintext to that of the ciphertext. This relation MUST NOT depend on external parameters, such as an authentication strength parameter (e.g., authentication tag length). That sort of dependence would complicate the use of the algorithm by creating a situation in which the information from the AEAD registry was not sufficient to ensure interoperability.
I suggest using the labels from the IANA AEAD Algorithms list, e.g. "AEAD_AES_128_GCM" instead of "AES-128-GCM", to have a precise reference to the algorithm, which includes all its parameters and details.
I guess listing Nk, Nn, and even Nt is okay. They are a convenient summary of aspects of the AEAD alg without having to follow the references. But defining Nt (tag length) encourages bad APIs that have separate fields for tag & the rest of the ciphertext, instead of just 1 field for the ciphertext.
Just drop the sentence saying "The AEAD cipher is initialized with an authentication tag length".
I see your point. Using the IANA AEAD algorithms list would be ideal; it may have already been discussed. I think the draft should say something about tag length even if it does fix the reference to point to RFC 5116 for the definition of AES-GCM (it currently points to the NIST doc, which parameterizes the tag length). I fixed the sentence to say:
The AEAD cipher produces an authentication tag length, Nt, which is equal to 16 bytes for the AEAD ciphers defined in this document.
Even better would be:
The AEAD cipher produces ciphertext that is Nt bytes longer than the plaintext, which is 16 bytes longer for the AEAD ciphers defined in this document.
Added Nt as authentication tag length for AEAD ciphers. This should resolve issue #238
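The single-ciphertext-field interface argued for in this thread, as an added example (not code from the draft or from anyone in the thread): Go's standard `crypto/cipher` AEAD with AES-128-GCM, where the output length is the plaintext length plus a fixed per-algorithm overhead and the tag is never handled as a separate value. The `Sealed` type, the helper names, and the all-zero key and nonce are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Sealed is what travels on the wire: one ciphertext field, no tag field.
type Sealed struct {
	Nonce      []byte
	Ciphertext []byte // RFC 5116 ciphertext C; the AEAD decides where any tag lives
}

// newAEAD builds AES-GCM; a 16-byte key selects AES-128.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// CiphertextLen is the plaintext-to-ciphertext length relation. It depends
// only on the algorithm, never on a caller-chosen tag length.
func CiphertextLen(a cipher.AEAD, ptLen int) int { return ptLen + a.Overhead() }

// Seal encrypts and authenticates pt and aad into a single blob.
func Seal(a cipher.AEAD, nonce, pt, aad []byte) Sealed {
	return Sealed{Nonce: nonce, Ciphertext: a.Seal(nil, nonce, pt, aad)}
}

// Open hands the whole blob back to the AEAD, which verifies and decrypts it.
func Open(a cipher.AEAD, s Sealed, aad []byte) ([]byte, error) {
	return a.Open(nil, s.Nonce, s.Ciphertext, aad)
}

func main() {
	a, err := newAEAD(make([]byte, 16)) // constructed all-zero demo key
	if err != nil {
		panic(err)
	}
	nonce := make([]byte, a.NonceSize()) // constructed; must be unique per key in real use
	pt, aad := []byte("hello"), []byte("hdr")
	s := Seal(a, nonce, pt, aad)
	fmt.Println(len(pt), len(s.Ciphertext), CiphertextLen(a, len(pt)))
	s.Ciphertext[len(s.Ciphertext)-1] ^= 1 // flip one bit anywhere in the blob
	_, err = Open(a, s, aad)
	fmt.Println("rejected after modification:", err != nil)
}
```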