Authenticated Encryption with Associated Data (AEAD) Questions
Comprehensive understanding of AEAD modes (AES-GCM, ChaCha20-Poly1305, AES-SIV) and why authenticated encryption is essential rather than separate encryption and MAC. Common implementation pitfalls and how they compromise security. When different AEAD schemes are appropriate.
MediumTechnical
35 practiced
Explain why Poly1305 requires a one-time key per message. Describe how ChaCha20-Poly1305 ensures a fresh one-time key for each message, what happens if the one-time key (r or nonce-derived key) is reused across messages, and how that enables forgery or key-recovery attacks.
EasyTechnical
30 practiced
Compare AEAD modes with the classical approach of separate encryption and MAC. Describe the recommended composition (encrypt-then-MAC), why naive combinations (MAC-then-encrypt, encrypt-and-MAC) can be dangerous, and provide a concrete example attack that breaks a wrong composition. As a cryptographer, also discuss API and misuse-resistance trade-offs.
EasyTechnical
32 practiced
Explain in technical detail why nonce reuse in AES-GCM is catastrophic. Describe the algebraic reasons including keystream reuse from CTR and GHASH linearity, what an attacker can learn (plaintext XORs, forgery capability, possible leakage of the GHASH key H), and outline concrete steps an attacker uses after observing two ciphertexts with the same nonce.
MediumTechnical
35 practiced
You are reviewing C code using OpenSSL EVP APIs that attempts to construct a 64-bit random prefix and a 64-bit counter to form a 128-bit IV but then passes that 16-byte IV to AES-GCM as though it were a correct nonce. Here is the snippet:Identify the issues with this approach (including RFC guidance about IV length for GCM), possible attacks or inefficiencies, and propose a correct and robust IV derivation and management strategy compliant with standards.
c
uint8_t iv[16];
memcpy(iv, random_prefix, 8);
memcpy(iv+8, &counter, 8); // counter is uint64_t
EVP_EncryptInit_ex(ctx, EVP_aes_128_gcm(), NULL, key, iv);HardTechnical
31 practiced
You are evaluating a hardware AES-GCM accelerator. Describe the cryptanalytic tests, functional unit tests, and microarchitectural security evaluations you would require before approving it for production. Include tests for IV handling, concurrent session isolation, side-channel leakage (power, EM), fault injection resilience, and integration with HSM key management.
Unlock Full Question Bank
Get access to hundreds of Authenticated Encryption with Associated Data (AEAD) interview questions and detailed answers.
Sign in to ContinueJoin thousands of developers preparing for their dream job.