by tptacek 3216 days ago
No, that's not accurate. EtM is an implementation technique. AEAD is a cryptographic primitive service model. The concepts aren't directly comparable.

In particular: you can easily end up with AE w/o AD by doing DIY ETM, and end up with serious exploitable bugs.


Can you go into more detail? What are the common gotchas when implementing ETM yourself?
The classic example is not MAC'ing the IV.
Wait a minute, there are cases where this is required? Chacha20/Poly1305 is not one of them, right?

---

Another I have personally seen was using the session key for a Wegman-Carter hash (such as Poly1305). I received an email suggesting I do just that in Monocypher, to avoid using up the beginning of the key stream. Didn't realise why this would lead to instant key recovery.

I have since littered my manual with scary tales of total annihilation of security.
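An added illustration of the "not MAC'ing the IV" gotcha raised earlier in the thread; this is example code written for this page, not from tptacek or the Monocypher project. The keystream function is a constructed stand-in for a real CTR-mode cipher, and the keys and IV are constructed values; the only point is which bytes the MAC covers.

```python
import hashlib
import hmac


def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    # Constructed stand-in for a real stream/CTR cipher (demo only, not secure):
    # SHA-256 over key || iv || counter, so the keystream depends on the IV
    # the way a CTR-mode block cipher's would.
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal(enc_key, mac_key, iv, plaintext, mac_covers_iv):
    # Encrypt-then-MAC. The flag chooses whether the tag covers iv || ct
    # (correct) or only ct (the DIY mistake).
    ct = _xor(plaintext, _keystream(enc_key, iv, len(plaintext)))
    authed = iv + ct if mac_covers_iv else ct
    tag = hmac.new(mac_key, authed, hashlib.sha256).digest()
    return ct, tag


def open_(enc_key, mac_key, iv, ct, tag, mac_covers_iv):
    # Verify the tag first; only decrypt if it matches. Returns None on failure.
    authed = iv + ct if mac_covers_iv else ct
    expected = hmac.new(mac_key, authed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return _xor(ct, _keystream(enc_key, iv, len(ct)))


ENC_KEY = b"\x01" * 32  # constructed demo keys
MAC_KEY = b"\x02" * 32
IV = b"\x00" * 16


def roundtrip(mac_covers_iv: bool):
    ct, tag = seal(ENC_KEY, MAC_KEY, IV, b"hello, world", mac_covers_iv)
    return open_(ENC_KEY, MAC_KEY, IV, ct, tag, mac_covers_iv)


def iv_change_rejected(mac_covers_iv: bool) -> bool:
    # Deliver the same ct and tag with a different IV. With the IV under the
    # MAC the receiver rejects it; without, it accepts and decrypts to garbage.
    ct, tag = seal(ENC_KEY, MAC_KEY, IV, b"hello, world", mac_covers_iv)
    altered_iv = b"\xff" + IV[1:]
    return open_(ENC_KEY, MAC_KEY, altered_iv, ct, tag, mac_covers_iv) is None
```

Both variants round-trip an honest message; only the variant whose tag covers the IV notices that the IV on the wire is not the one the sender used.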