Wow, QUIC Retry Packets use AES-GCM with a fixed key/nonce, empty plaintext, and associated data prefixed with a secret as a sort of MAC.

Wow, QUIC Retry Packets use AES-GCM with a fixed key/nonce, empty plaintext, and associated data prefixed with a secret as a sort of MAC. That's... terrifying?

They essentially do MAC(K, v) = AES-GCM(key=const, nonce=const, plaintext=empty, aad=K||v). Does that actually hold?

RFC 9001: Using TLS to Secure QUIC

This document describes how Transport Layer Security (TLS) is used to secure QUIC.

(quicwg.org)