As @mulmarta noted in a review, there's some ambiguity in the spec right now because we say AES-CTR takes a 12-byte nonce, when in fact an AES-CTR IV is 16 bytes wide. We should clarify that the IV is the nonce plus four zero bytes, something like:
def AEAD.Encrypt(key, nonce, aad, pt):
enc_key, auth_key = derive_subkeys(key)
- ct = AES-CTR.Encrypt(enc_key, nonce, pt)
+ iv = nonce + 0x00000000 /* append four zero bytes */
+ ct = AES-CTR.Encrypt(enc_key, iv, pt)
tag = compute_tag(auth_key, nonce, aad, ct)
return ct + tag
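Review bot: The added line `iv = nonce + 0x00000000` overloads `+`: next to a hex literal it can be read as integer addition, which would leave the IV at 12 bytes. State the concatenation and the resulting width explicitly, for example `iv = nonce || 0x00000000 /* 16 bytes: 12-byte nonce, then four zero bytes */`. Only AEAD.Encrypt is shown here, so any matching Decrypt definition in the spec needs the same IV construction in the same change, otherwise the two sides stay ambiguous in different ways. Since the four appended bytes are the only part of the IV not fixed by the nonce, the text should also say how AES-CTR increments the counter block (which bytes, and in what byte order) so that implementations agree past the first block.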