I am using EAX AEAD with an 8-byte message header which carries a 32-bit sequence number, a message length, and some other bits that I don't mind exposing. Assuming the sequence number never repeats for the same key, is there any security difference between treating that as a 4-byte nonce with 4 bytes of "associated data" or just calling it an 8-byte nonce and skipping any MAC calculations on the header?
1 Answer
The following picture shows EAX:

As you can see, there is an OMAC calculation (or CMAC, as it is usually called) over both $N$ (the nonce) and $H$ (the header / associated data). With regards to security it doesn't matter where you place the nonce and the other data in the header.
I'll not go into the security of XOR'ing the calculated OMAC values for nonce, header and ciphertext. EAX has a security proof; as long as that holds, the cipher should be secure.
It would be best to treat the nonce and the rest of the header separately, as that would be the expected way of treating the input data. It also allows you to pre-calculate the header's OMAC value if it remains static. Note that you could remove the size of the plaintext from the OMAC calculation. You could calculate the size of ciphertext + tag, and verify that.
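An added worked example, not part of the question or the answer above: the EAX composition tag = OMAC^0(N) xor OMAC^1(H) xor OMAC^2(C) written out in Python, with both header layouts from the question exercised (all 8 header bytes as the nonce with an empty $H$, versus a 4-byte nonce with the remaining 4 bytes as $H$), plus the pre-computed static-header OMAC the answer mentions. Assumptions: the block cipher is a stand-in (a 4-round Feistel network over HMAC-SHA256, chosen so the block runs offline with only the standard library); it is not AES, and the key, header values and plaintexts are constructed for the demo. Everything else (CMAC subkey derivation, the [t] tweak block, CTR from OMAC^0(N)) follows the EAX paper.

```python
import hmac
import hashlib

BLOCK = 16  # EAX as specified here uses a 128-bit block cipher


def _round(key, i, half):
    # Round function of the stand-in cipher: HMAC-SHA256 truncated to 64 bits.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key, block):
    """Stand-in 128-bit block cipher (4-round Feistel). NOT AES; demo only.
    EAX only ever calls the forward direction, so no inverse is needed."""
    assert len(block) == BLOCK
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, bytes(a ^ b for a, b in zip(l, _round(key, i, r)))
    return l + r


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _dbl(b):
    # Doubling in GF(2^128) with Rb = 0x87 (CMAC subkey derivation).
    n = int.from_bytes(b, "big") << 1
    if n >> 128:
        n ^= 0x87
    return (n & ((1 << 128) - 1)).to_bytes(BLOCK, "big")


def cmac(key, msg):
    """OMAC1 / CMAC over block_encrypt (NIST SP 800-38B padding rules)."""
    k1 = _dbl(block_encrypt(key, bytes(BLOCK)))
    k2 = _dbl(k1)
    if msg and len(msg) % BLOCK == 0:
        body, last = msg[:-BLOCK], _xor(msg[-BLOCK:], k1)
    else:
        padded = msg + b"\x80" + bytes(BLOCK - 1 - len(msg) % BLOCK)
        body, last = padded[:-BLOCK], _xor(padded[-BLOCK:], k2)
    x = bytes(BLOCK)
    for i in range(0, len(body), BLOCK):
        x = block_encrypt(key, _xor(x, body[i:i + BLOCK]))
    return block_encrypt(key, _xor(x, last))


def omac_t(key, t, msg):
    """EAX's tweaked OMAC: OMAC over the n-bit encoding of t followed by msg."""
    return cmac(key, bytes(BLOCK - 1) + bytes([t]) + msg)


def _ctr(key, iv, data):
    out, ctr = bytearray(), int.from_bytes(iv, "big")
    for i in range(0, len(data), BLOCK):
        ks = block_encrypt(key, (ctr % (1 << 128)).to_bytes(BLOCK, "big"))
        out += _xor(data[i:i + BLOCK], ks)
        ctr += 1
    return bytes(out)


def eax_encrypt(key, nonce, header, plaintext, header_mac=None):
    """header_mac lets a caller reuse OMAC^1(H) for a static header."""
    n = omac_t(key, 0, nonce)
    h = header_mac if header_mac is not None else omac_t(key, 1, header)
    c = _ctr(key, n, plaintext)
    return c, _xor(_xor(n, h), omac_t(key, 2, c))


def eax_decrypt(key, nonce, header, ciphertext, tag, header_mac=None):
    n = omac_t(key, 0, nonce)
    h = header_mac if header_mac is not None else omac_t(key, 1, header)
    if not hmac.compare_digest(_xor(_xor(n, h), omac_t(key, 2, ciphertext)), tag):
        return None  # tag mismatch: reject, release no plaintext
    return _ctr(key, n, ciphertext)


KEY = bytes(range(16))  # constructed demo key


def seal(key, header8, plaintext, split):
    """split=False: all 8 bytes are the nonce, H empty. split=True: 4-byte nonce + 4-byte H."""
    if split:
        return eax_encrypt(key, header8[:4], header8[4:], plaintext)
    return eax_encrypt(key, header8, b"", plaintext)


def unseal(key, header8, ciphertext, tag, split):
    if split:
        return eax_decrypt(key, header8[:4], header8[4:], ciphertext, tag)
    return eax_decrypt(key, header8, b"", ciphertext, tag)


def header_tamper_detected(split):
    """Flip a bit in the non-sequence part of the header; both layouts must reject."""
    header = (7).to_bytes(4, "big") + (12).to_bytes(2, "big") + b"\x01\x02"
    pt = b"twelve bytes"
    c, tag = seal(KEY, header, pt, split)
    assert unseal(KEY, header, c, tag, split) == pt
    bad = header[:7] + bytes([header[7] ^ 0x80])
    return unseal(KEY, bad, c, tag, split) is None


def precomputed_header_mac_matches():
    """Static H: OMAC^1(H) computed once and reused must give identical output."""
    static_h, h_mac = b"\x00\x0c\x01\x02", omac_t(KEY, 1, b"\x00\x0c\x01\x02")
    return all(
        eax_encrypt(KEY, s.to_bytes(4, "big"), static_h, b"twelve bytes")
        == eax_encrypt(KEY, s.to_bytes(4, "big"), static_h, b"twelve bytes", header_mac=h_mac)
        for s in range(3)
    )
```

Whichever layout is used, every one of the 8 header bytes ends up inside a tweaked OMAC that feeds the tag, which is why modifying any of them is rejected in both cases; the only practical difference is that the split layout lets the receiver keep OMAC^1(H) cached when those 4 bytes do not change.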