
Authenticated Encryption with Associated Data (AEAD), such as AES-GCM, is a form of encryption that has a "built-in" integrity verification. This means that if the encrypted message is modified in any way, then this will be detected (with very high probability) in the decryption process and the decryption is going to fail with an error. Additionally, we have so-called "associated data" that is not encrypted, but that still is protected by the integrity verification.

Now, I wonder: What if we leave the confidential message empty and use only "associated data"? Doesn't this come down to a MAC over the "associated data", similar to a keyed hash (e.g. HMAC)? And, if so, is this a valid application of AEAD, such as the AES-GCM function?

There is one thing that is concerning me: HMAC produces a MAC of length 256 bits or even 512 bits when used with SHA-256 or SHA-512, which seems to be a common choice these days. Using SHA-1 with 160 bits is not considered secure anymore. But AES-GCM produces an "auth tag" of only 128 bits in size! This seems rather small compared to the state-of-the-art secure hash functions. So, does AES-GCM as a MAC provide security comparable to HMAC (with SHA-2)?

If we use AES-GCM as a MAC function, we have to provide a secret key (just like HMAC) plus a random/unique IV for each message. HMAC doesn't have this random per-message IV. I assume that with AES-GCM we would have to return the random IV as part of the computed MAC, so that verification will later be possible. How does this affect the security of AES-GCM as a MAC?
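The empty-plaintext construction asked about above (AES-GCM with associated data only, i.e. GMAC), as an added example that is not part of the original post. It uses Go's standard-library GCM and a constructed key, nonce and associated-data string; with no plaintext, `Seal` emits nothing but the 128-bit tag, and the verifier needs the nonce alongside that tag.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newGCM wraps the AES key in GCM mode with the standard 96-bit nonce size.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gmacTag authenticates aad with AES-GCM over an empty plaintext.
// With no plaintext, Seal produces no ciphertext, only the 16-byte tag.
func gmacTag(key, nonce, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(nonce) != gcm.NonceSize() {
		return nil, fmt.Errorf("nonce must be %d bytes, got %d", gcm.NonceSize(), len(nonce))
	}
	return gcm.Seal(nil, nonce, nil, aad), nil
}

// gmacVerify checks tag against aad under the same key and nonce, so the nonce
// must travel with the tag. A different nonce, a modified aad or a modified
// tag all make Open fail.
func gmacVerify(key, nonce, aad, tag []byte) bool {
	gcm, err := newGCM(key)
	if err != nil || len(nonce) != gcm.NonceSize() {
		return false
	}
	_, err = gcm.Open(nil, nonce, tag, aad)
	return err == nil
}

func main() {
	key, nonce := make([]byte, 32), make([]byte, 12) // AES-256 key, 96-bit nonce (constructed)
	rand.Read(key)
	rand.Read(nonce) // a nonce reused under the same key breaks GCM authentication entirely
	aad := []byte("constructed associated data: order=42")
	tag, _ := gmacTag(key, nonce, aad)
	fmt.Printf("%d-byte tag; transmit nonce||tag = %x||%x\n", len(tag), nonce, tag)
	fmt.Println("genuine:", gmacVerify(key, nonce, aad, tag))
	fmt.Println("tampered:", gmacVerify(key, nonce, []byte("constructed associated data: order=43"), tag))
}
```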
