Score:0

AES256-GCM: Is it safe to both add the IV to the AAD and use it in the encryption?

I'm looking at a protocol which adds the IV (used for the encryption) into the AAD.

If the IV (which is part of the message) was incorrect, decryption would fail anyway.

Why is it useful to add the IV to AES256-GCM's AAD?

Is it actively harmful?

kelalaka
The IV is generally prepended to the ciphertext. Did they omit this? Is the IV only in the AAD, or are there already two IVs around? Any link to the paper/source? Please, not a senior undergraduate paper.
SAI Peregrinus
Maybe they're thinking of Authenticated Hedged Encryption with Associated Data (AHEAD): using an AEAD like AES-GCM, use a MAC of the message as the IV (with the encryption key as the MAC key), then stick a random nonce in the AAD. That makes it key-committing, authenticated, non-deterministic encryption. It takes 2 passes, and there are better constructs for AHEAD than using AES-GCM, but it's safe enough. (If you want AES, it's possible to use AES-GCM-SIV with a random 256-bit nonce in the AAD followed by a key check value, but that takes more design.)
SAI Peregrinus
This question needs some clarity to properly answer. Why do you think the IV is part of the message? What's the context of the protocol? It's possible to have the IV in the AAD and everything will be fine; the IV is not secret data, so adding the IV to the AAD isn't harmful on its own. But AES256-GCM doesn't specify how to pick the IV, and putting it in the AAD is weird, so it's possible wherever you saw this is doing something wildly unsafe! Without a link to the source we can't really answer whether this case is harmful.
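
Added example (not part of the original question or comments): a Node.js check that GCM's tag already depends on the IV, so an altered IV fails authentication whether or not the IV is also placed in the AAD. The function names, header and message are constructed for illustration.

```javascript
// Added example, not from the thread. Key, IV, header and message are constructed.
const crypto = require("node:crypto");

function seal(key, iv, aad, plaintext) {
  const c = crypto.createCipheriv("aes-256-gcm", key, iv);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { ct, tag: c.getAuthTag() };
}

// Returns true if the tag verifies, false if authentication fails.
function opens(key, iv, aad, { ct, tag }) {
  const d = crypto.createDecipheriv("aes-256-gcm", key, iv);
  d.setAAD(aad);
  d.setAuthTag(tag);
  try {
    d.update(ct);
    d.final(); // throws when the tag does not match
    return true;
  } catch {
    return false;
  }
}

function demo() {
  const key = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12); // 96-bit IV, sent in the clear with the message
  const header = Buffer.from("constructed-header");
  const msg = Buffer.from("constructed sample message");
  const badIv = Buffer.from(iv); // copy of the IV
  badIv[0] ^= 0x01;              // one bit altered in transit

  const a = seal(key, iv, header, msg);                      // AAD = header
  const b = seal(key, iv, Buffer.concat([iv, header]), msg); // AAD = IV || header

  return {
    aGood: opens(key, iv, header, a),
    aBadIv: opens(key, badIv, header, a), // IV not in AAD, still rejected
    bGood: opens(key, iv, Buffer.concat([iv, header]), b),
    bBadIvEverywhere: opens(key, badIv, Buffer.concat([badIv, header]), b),
    bBadIvInAadOnly: opens(key, iv, Buffer.concat([badIv, header]), b),
    sameCiphertext: a.ct.equals(b.ct), // AAD does not affect the ciphertext
    sameTag: a.tag.equals(b.tag),      // only the tag changes
  };
}

console.log(demo());
```

Both variants reject the altered IV; including the IV in the AAD changes only the tag value, so it is redundant for IV integrity rather than harmful by itself.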