While trying to improve organization of SIV-mode tests (and AEAD in general), I noticed that SIV-CMAC currently doesn't support in-place operation (src == dst). That's unlike more or less all other encryption mechanisms in Nettle.
That needs to be either fixed, or properly documented. I think adding support for in-place operation will need two new variants of ctr_crypt, one operating from the start of the message, and the other operating from the end, and neither using the destination area for storing the ctr blocks. Opinions?

It's a bit curious that siv-cmac (unlike most other AEAD schemes, including siv-gcm) stores the tag at the start of the plaintext, which means that in-place operation does not quite correspond to an in-place operation for the underlying ctr mode encryption. I guess the reason for this design choice is that decrypting (but not encrypting) a SIV-CMAC message can be done with only one sequential pass over the ciphertext data.

Regards,
/Niels

-- 
Niels Möller. PGP key CB4962D070D77D7FCB8BA36271D8F1FF368C6677.
Internet email is subject to wholesale government surveillance.
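To make the layout issue concrete, here is an added example (not part of the message above, and not nettle code): an RFC 5297 AES-SIV implementation written so that the src == dst case is explicit. It assumes the Python `cryptography` package for AES and CMAC; the function names (`siv_encrypt_inplace`, `siv_decrypt_inplace`, and so on) are my own. Because the tag is prepended, plaintext block i ends up 16 bytes further along the buffer, so an in-place encryption has to run the CTR pass from the end of the message, while an in-place decryption can run a single forward pass (reading the tag first and verifying it after the data has been moved down). The deliberately wrong `siv_encrypt_inplace_naive` shows what happens when the CTR pass runs forward with the tag written first.

```python
"""AES-SIV as in RFC 5297 (the SIV-CMAC construction), written so that in-place
operation (src == dst) is explicit. Added example, not nettle's code; assumes
the `cryptography` package for AES and CMAC. All function names are mine."""
import hmac

from cryptography.hazmat.primitives import cmac
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes


def _cmac(key, msg):
    c = cmac.CMAC(algorithms.AES(key))
    c.update(msg)
    return c.finalize()


def _dbl(b):
    """Doubling in GF(2^128) with the CMAC polynomial."""
    n = int.from_bytes(b, "big") << 1
    if n >> 128:
        n ^= (1 << 128) | 0x87
    return n.to_bytes(16, "big")


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input


def _split(key):
    return key[: len(key) // 2], key[len(key) // 2:]  # K1 for S2V, K2 for CTR


def s2v(k1, ad_list, msg):
    """RFC 5297 S2V: the synthetic IV, which is also the tag."""
    d = _cmac(k1, bytes(16))
    for ad in ad_list:
        d = _xor(_dbl(d), _cmac(k1, ad))
    if len(msg) >= 16:
        t = msg[:-16] + _xor(msg[-16:], d)  # xorend
    else:
        t = _xor(_dbl(d), msg + b"\x80" + bytes(15 - len(msg)))
    return _cmac(k1, t)


def _ks(k2, tag, i):
    """Keystream block i: the tag with bits 31 and 63 cleared is the initial
    counter, incremented as a 128-bit big-endian integer."""
    q = bytearray(tag)
    q[8] &= 0x7F
    q[12] &= 0x7F
    ctr = (int.from_bytes(q, "big") + i) % (1 << 128)
    e = Cipher(algorithms.AES(k2), modes.ECB()).encryptor()
    return e.update(ctr.to_bytes(16, "big")) + e.finalize()


def siv_encrypt(key, ad_list, msg):
    """Out-of-place reference: returns tag || C."""
    k1, k2 = _split(key)
    tag = s2v(k1, ad_list, msg)
    return tag + b"".join(_xor(msg[i:i + 16], _ks(k2, tag, i // 16))
                          for i in range(0, len(msg), 16))


def siv_encrypt_inplace(key, ad_list, buf, n):
    """buf[0:n] holds the plaintext; afterwards buf[0:n+16] holds tag || C.
    Plaintext block i lands at offset 16*(i+1), so the CTR pass runs from the
    END: writing ciphertext block i only clobbers plaintext block i+1, which
    was consumed already, and the tag goes over the consumed block 0 last."""
    k1, k2 = _split(key)
    tag = s2v(k1, ad_list, bytes(buf[:n]))
    for i in range((n + 15) // 16 - 1, -1, -1):
        blk = bytes(buf[16 * i:min(16 * i + 16, n)])
        buf[16 * i + 16:16 * i + 16 + len(blk)] = _xor(blk, _ks(k2, tag, i))
    buf[:16] = tag


def siv_encrypt_inplace_naive(key, ad_list, buf, n):
    """WRONG on purpose: same layout, forward order, tag stored first. The tag
    overwrites plaintext block 0 before it is read, and every ciphertext block
    written overwrites the next plaintext block before it is read."""
    k1, k2 = _split(key)
    buf[:16] = s2v(k1, ad_list, bytes(buf[:n]))
    tag = bytes(buf[:16])
    for i in range((n + 15) // 16):
        blk = bytes(buf[16 * i:min(16 * i + 16, n)])
        buf[16 * i + 16:16 * i + 16 + len(blk)] = _xor(blk, _ks(k2, tag, i))


def siv_decrypt_inplace(key, ad_list, buf, clen):
    """buf[0:clen] holds tag || C; afterwards buf[0:clen-16] is the plaintext.
    One forward pass: block i is read at 16*(i+1) and written at 16*i, over
    the tag (saved first) or over the block consumed just before. Returns the
    plaintext length; on tag mismatch wipes the plaintext and raises, so the
    caller never gets unauthenticated data back."""
    if clen < 16:
        raise ValueError("ciphertext shorter than the SIV tag")
    k1, k2 = _split(key)
    n = clen - 16
    tag = bytes(buf[:16])
    for i in range((n + 15) // 16):
        blk = bytes(buf[16 * i + 16:min(16 * i + 32, clen)])
        buf[16 * i:16 * i + len(blk)] = _xor(blk, _ks(k2, tag, i))
    if not hmac.compare_digest(s2v(k1, ad_list, bytes(buf[:n])), tag):
        buf[:n] = bytes(n)
        raise ValueError("SIV tag mismatch")
    return n
```

The in-place encryption's from-the-end ordering is the Python counterpart of the second ctr_crypt variant Niels asks for; the point about not using the destination area for the counter blocks has no analogue here because `_ks` builds each keystream block in its own buffer. One consequence of the single-pass decryption worth keeping in mind for a C API: the plaintext is sitting in the caller's buffer before the tag has been checked, so the failure path has to make sure it is not handed back (this example wipes it).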
