I prefer the second option because I think the zero nonce variant requires a disproportionate, to its usefullness and use, discussion to define the "right" semantics.
On May 11, 2019 7:49:31 AM UTC, [email protected] wrote: >Nikos Mavrogiannopoulos <[email protected]> writes: > >> Thanks. If you added the zero-nonce method, maybe it would be better >> to add test vectors for it as well. I'm copying from my last patch >> with it: > >I was about to add the miscreant.js examples (and with nettle's output, >which is different), to illustrate interop issue. Unfortunately, the >RFC >5297 testvectors appear useless if one wants to test the RFC 5116 mode >of operation. > >And on second thought, maybe it makes more sense to change nettle to be >interoperable with miscreant here? I think that's how you did it >originally, and I found it confusing. RFC 5297 (SIV mode) says that for >use according to RFC5116 (AEAD interface), N_MIN = 1. > >Another option, which you've also tried, is to to require non-empty >nonce, i.e., add back the assert (nlength > 0), and define >SIV_MIN_NONCE_SIZE as one, not zero. That's perhaps the most >conservative approach: support for empty nonce, however that should >behave, can be added later. > >Opinions? > >Regards, >/Niels -- Sent from my mobile. Please excuse my brevity. _______________________________________________ nettle-bugs mailing list [email protected] http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
