I prefer the second option because I think the zero nonce variant requires a disproportionate, to its usefulness and use, discussion to define the "right" semantics.
On May 11, 2019 7:49:31 AM UTC, nisse@lysator.liu.se wrote:
Nikos Mavrogiannopoulos n.mavrogiannopoulos@gmail.com writes:
Thanks. If you added the zero-nonce method, maybe it would be better to add test vectors for it as well. I'm copying from my last patch with it:
I was about to add the miscreant.js examples (and with nettle's output, which is different), to illustrate the interop issue. Unfortunately, the RFC 5297 test vectors appear useless if one wants to test the RFC 5116 mode of operation.
And on second thought, maybe it makes more sense to change nettle to be interoperable with miscreant here? I think that's how you did it originally, and I found it confusing. RFC 5297 (SIV mode) says that for use according to RFC 5116 (AEAD interface), N_MIN = 1.
Another option, which you've also tried, is to require non-empty nonce, i.e., add back the assert (nlength > 0), and define SIV_MIN_NONCE_SIZE as one, not zero. That's perhaps the most conservative approach: support for empty nonce, however that should behave, can be added later.
Opinions?
Regards, /Niels