AES-SIV-CMAC nonce sizes #496

Open
davidv1992 opened this issue Dec 23, 2022 · 5 comments
Comments

@davidv1992

RFC 5297 specifies AES-SIV-CMAC as being able to accept any nonce size >= 1. However, the implementation here only supports 16 byte nonces. Would it be possible to support the other nonce sizes? I guess this would require a more general change to move closer to the aead interface specified in RFC 5116?

I am specifically asking for this as it would be required for me to support those different nonce sizes if I want to build an RFC 8915-compliant NTS server.

@tarcieri
Member

It could potentially use a similar technique to the aes-gcm crate, which is generic around nonce sizes:

https://docs.rs/aes-gcm/latest/aes_gcm/struct.AesGcm.html

@tarcieri
Member

Re: RFC 5116, it was the original design impetus for the aead crate

@davidv1992
Author

Hmm, that design is distinctly non-optimal for my use case, as nonce length is really only known at runtime and is technically allowed to vary between 1 and infinity, and as such this would require a lot of instantiations of the types.

@tarcieri
Member

If you really need a nonce whose length varies at runtime, I’d suggest building on top of the core Siv type:

https://docs.rs/aes-siv/latest/aes_siv/siv/struct.Siv.html

See the SivAead type for how the AEAD construction is built on top of it.

You can open an issue on the upstream traits repo to discuss traits for runtime-variable nonce lengths, though it’s obscure enough of a use case and effectively an antipattern to the point that I’m not sure the additional complexity is worth it.

@tarcieri
Member

Whoops, should probably leave this open to track potential support for type-level nonce size control
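To make concrete why RFC 5297 accepts a nonce of any length, and what "building on top of the core Siv type" with a runtime-length nonce amounts to, here is an added example (not code from the aes-siv crate or from either participant) that implements the S2V step of AES-SIV-CMAC in Go using only the standard library; the nonce is passed as one more byte string in the header vector, so its length is decided at runtime. Only S2V is shown: the V it returns is the tag that SIV prepends to the ciphertext and, with two bits cleared, the CTR IV (RFC 5297 section 2.6). The key and data values in the usage are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
)

func xor(d, s []byte) { for i := range d { d[i] ^= s[i] } }
// dbl doubles a 128-bit block in GF(2^128) (RFC 5297 section 2.3).
func dbl(b [16]byte) (o [16]byte) {
	for i := 0; i < 15; i++ { o[i] = b[i]<<1 | b[i+1]>>7 }
	o[15] = b[15] << 1
	if b[0]&0x80 != 0 { o[15] ^= 0x87 }
	return
}

// cmac is AES-CMAC (RFC 4493), the PRF that S2V chains over its inputs.
func cmac(c cipher.Block, m []byte) (x [16]byte) {
	var l, last [16]byte
	c.Encrypt(l[:], l[:]) // L = E_K(0); subkeys K1 = dbl(L), K2 = dbl(K1)
	k1, k2 := dbl(l), dbl(dbl(l))
	n := (len(m) + 15) / 16 // block count; an empty message still has one
	if n == 0 { n = 1 }
	r := copy(last[:], m[(n-1)*16:]) // bytes in the final block
	if r < 16 { last[r] = 0x80; xor(last[:], k2[:]) } else { xor(last[:], k1[:]) }
	for i := 0; i < n-1; i++ { xor(x[:], m[i*16:]); c.Encrypt(x[:], x[:]) }
	xor(x[:], last[:])
	c.Encrypt(x[:], x[:])
	return
}

// s2v folds any number of strings, each of any length, into one 128-bit
// synthetic IV (section 2.4): headers first, nonce next, plaintext last, which
// is why the RFC accepts any nonce length >= 1. macKey is the first half of K1||K2.
func s2v(macKey []byte, ss ...[]byte) ([16]byte, error) {
	c, err := aes.NewCipher(macKey)
	if err != nil { return [16]byte{}, err }
	d := cmac(c, make([]byte, 16))
	for _, s := range ss[:len(ss)-1] { m := cmac(c, s); d = dbl(d); xor(d[:], m[:]) }
	last := ss[len(ss)-1]
	if len(last) >= 16 { // xorend: fold D into the final 16 bytes of the plaintext
		t := append([]byte(nil), last...)
		xor(t[len(t)-16:], d[:])
		return cmac(c, t), nil
	}
	var pad [16]byte // short plaintext: 10* padding xored with dbl(D)
	pad[copy(pad[:], last)] = 0x80
	d = dbl(d); xor(d[:], pad[:])
	return cmac(c, d[:]), nil
}
```

The output can be checked against the deterministic test vector in RFC 5297 appendix A.1, whose first 16 output bytes are V.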
