Nikos Mavrogiannopoulos <[email protected]> writes: > Thanks. If you added the zero-nonce method, maybe it would be better > to add test vectors for it as well. I'm copying from my last patch > with it:
I was about to add the miscreant.js examples (and with nettle's output, which is different), to illustrate interop issue. Unfortunately, the RFC 5297 testvectors appear useless if one wants to test the RFC 5116 mode of operation. And on second thought, maybe it makes more sense to change nettle to be interoperable with miscreant here? I think that's how you did it originally, and I found it confusing. RFC 5297 (SIV mode) says that for use according to RFC5116 (AEAD interface), N_MIN = 1. Another option, which you've also tried, is to to require non-empty nonce, i.e., add back the assert (nlength > 0), and define SIV_MIN_NONCE_SIZE as one, not zero. That's perhaps the most conservative approach: support for empty nonce, however that should behave, can be added later. Opinions? Regards, /Niels -- Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677. Internet email is subject to wholesale government surveillance. _______________________________________________ nettle-bugs mailing list [email protected] http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
