Another AD example: Ben Toews, in our Vault replacement secret storage system Pet Semetary, uses the AD on SQLite ciphertexts to bind them to a particular row (and/or a particular key path).<p>I wrote a local file encryption tool, around the same time Filippo was doing `age`, and used the AD on Chapoly to authenticate the chunk offset into the file. (The only thing interesting my tool did was that it could pull keys from AWS KMS).<p>So one use for AD is to authenticate headers; another is contextual binding.<p>If it helps (because 'stavros asked across the thread why bother having AD at all rather than just including it in the ciphertext), authenticated data can include data that <i>doesn't even appear in the message</i>, but rather is derived from the context at the time the message is encrypted and decrypted. A message only meant to be decrypted on a particular host (or whatever), for instance, could include the host in its AD, but never record that in the actual bits of the message.