jedisct1 / libsodium-doc

Gitbook documentation for libsodium
https://libsodium.org
ISC License

Clarifying the new AEAD robustness solution #131

Closed samuel-lucas6 closed 3 years ago

samuel-lucas6 commented 3 years ago

In the AEAD Robustness section, the interactive protocol explanation is a lot better now, but the new non-interactive protocol solution isn't very clear. In this commit you wrote H(k, nonce || ciphertext_tag) and mentioned using HMAC. However, I saw that you then changed the example to H(key || nonce || ciphertext_tag) and now mention BLAKE2. This raises two questions:

  1. Is this meant to be a MAC? I presume the answer is yes considering that HMAC is still listed, but that format suggests that it's just an unkeyed hash.
  2. If so, where does the key for the MAC come from? Unless the suggestion is to use the same key for the MAC and the AEAD, but then why would the key have to be concatenated with the nonce and ciphertext_tag as well? Plus implementing it in that way would probably get some criticism due to the key reuse.

I believe it would be beneficial to answer these questions in the documentation. There's a lot of confusion about this topic, and that's not surprising when it seems to be underdocumented and not explained in layman's terms anywhere, which seems to be a common problem in the field of cryptography. This page has to be the best summary currently available, but there's still some room for improvement.

Finally, just out of curiosity, what was the reasoning behind removing the padding fix suggestion? Was it due to potential timing attacks? It seems to be the most discussed fix in papers on the topic, and it's also easy to implement.
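Added example, not from the libsodium documentation or from either commenter: a small Python script that shows the two commitment forms discussed above side by side, with the commitment key derived from the AEAD key rather than reused directly. Everything here is an assumption for illustration: the derivation of a separate commitment key via keyed BLAKE2b with a fixed domain-separation label, the sample key, nonce and ciphertext_tag values (constructed, not real protocol data), and the function names. The point for a verifier is that the commitment tag must be compared in constant time and that a different key, nonce or ciphertext must make verification fail.

```python
import hashlib
import hmac

# Constructed sample inputs (not from the issue): an AEAD key, a nonce and
# the bytes an AEAD would return as ciphertext || tag.
KEY = bytes(range(32))
NONCE = bytes(range(24))
CIPHERTEXT_TAG = bytes.fromhex("deadbeef") * 8 + bytes(16)


def commitment_key(key: bytes) -> bytes:
    """Derive a separate key for the commitment MAC from the AEAD key.

    Assumption for this example: keyed BLAKE2b over a fixed domain label, so
    the AEAD key itself is never used as a MAC key (the key-reuse concern
    raised in the issue).
    """
    return hashlib.blake2b(b"aead-commitment-key-v1", key=key, digest_size=32).digest()


def commitment_keyed(key: bytes, nonce: bytes, ciphertext_tag: bytes) -> bytes:
    """The H(k, nonce || ciphertext_tag) form: a keyed hash (BLAKE2b keyed mode)."""
    return hashlib.blake2b(nonce + ciphertext_tag,
                           key=commitment_key(key), digest_size=32).digest()


def commitment_concat(key: bytes, nonce: bytes, ciphertext_tag: bytes) -> bytes:
    """The H(key || nonce || ciphertext_tag) form: the key is a hash prefix.

    With BLAKE2b this is safe against length extension, which is why the
    prefix form is usable at all; with a Merkle-Damgard hash such as SHA-256
    you would use HMAC instead. The derived key is used here as well.
    """
    return hashlib.blake2b(commitment_key(key) + nonce + ciphertext_tag,
                           digest_size=32).digest()


def verify_commitment(key: bytes, nonce: bytes, ciphertext_tag: bytes,
                      tag: bytes) -> bool:
    """Recompute the keyed commitment and compare in constant time."""
    expected = commitment_keyed(key, nonce, ciphertext_tag)
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    tag = commitment_keyed(KEY, NONCE, CIPHERTEXT_TAG)
    print("keyed form  :", tag.hex())
    print("concat form :", commitment_concat(KEY, NONCE, CIPHERTEXT_TAG).hex())
    print("verify ok   :", verify_commitment(KEY, NONCE, CIPHERTEXT_TAG, tag))
    other_key = bytes(32)
    print("other key   :", verify_commitment(other_key, NONCE, CIPHERTEXT_TAG, tag))
```

The receiver checks the commitment before (or alongside) the AEAD tag; a message that decrypts under two different keys will still produce two different commitment values, which is what the non-interactive case needs.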

jedisct1 commented 3 years ago

Sorry, I don't do free support.