overlap of dst and additionalData in AEAD.Seal

[Eric Grosse]

I'm puzzled why crypto/cipher type AEAD has the comment

      dst and additionalData may not overlap.

Just as it is idiomatic to provide a dst that already contains a nonce prefix,

I find it useful to include an additionalData prefix. This seems to work

and does not trigger a warning even after the fixes from issue #21624.

For concreteness, consider

  dst := make([]byte, 0, len(ad)+len(nonce)+len(plaintext)+aead.Overhead())

  dst = append(dst, ad)

  dst = append(dst, nonce)

  dst = aead.Seal(dst, nonce, plaintext, ad)

in preparation for writing dst to a network connection.

In the language of crypto internal function sliceForAppend, I understand

that ad may not overlap tail, but why not allow it to be part of head?

Is there some subtle timing side-channel that I'm overlooking?

Is the comment just poorly worded and should be improved?

[Jason E. Aten]

In your example, you are passing a dst slice that starts _after_ ad and nonce,

so you are satisfying the API. I don't think the API is trying to require anything

about an earlier portion of the backing array that is not pointed to by dst;

the dst slice in your example does not include the ad or the nonce.

Does that help?

[Eric Grosse]

It would help if the comment were changed to say something like
"On input, dst[len(dst):cap(dst)] may not overlap additionalData."

(Sorry to be pedantic, but there have been library changes in the past that
changed what I considered "obviously implicit" but was not explicitly in
the spec, hence not covered under the Go1 guarantee.)

p.s. to fix a transcription error: should have written "dst =
append(dst, ad...)" etc.

> --
> You received this message because you are subscribed to a topic in the Google Groups "golang-nuts" group.
> To unsubscribe from this topic, visit https://groups.google.com/d/topic/golang-nuts/gWHiAc2oIqs/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to golang-nuts...@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/golang-nuts/a0dc539d-0fc4-44ec-b2d5-a39c5ca90debn%40googlegroups.com.

[Jason E. Aten]

I don't think there is any way to read https://go.dev/ref/spec#Slice_types 

and come away mixing up the slice and the backing array it refers to. They

are distinct, and the API is talking about dst, which is a slice.

That said, this is just a group of users -- I'm just a user -- and if you

want to suggest different API description, you would want to write up an 

issue: https://github.com/golang/go/issues

[Eric Grosse]

filed issue #75968

> --
> You received this message because you are subscribed to a topic in the Google Groups "golang-nuts" group.
> To unsubscribe from this topic, visit https://groups.google.com/d/topic/golang-nuts/gWHiAc2oIqs/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to golang-nuts...@googlegroups.com.

> To view this discussion visit https://groups.google.com/d/msgid/golang-nuts/cdcbb5bf-de93-4114-938f-5b49db2e3c21n%40googlegroups.com.

[Jason E. Aten]

Thanks. The new example on the ticket makes it much clearer to me what you were getting at. 

Seems like a valid point to clarify.

On Saturday, October 18, 2025 at 7:19:20 PM UTC+1 Eric Grosse wrote:

filed issue #75968