Just a mention. the HMAC (or AE/AD) can be disabled in AES-GCM. HMAC in
AES-GCM is an encrypt-then-hash MAC.
CRC-32 is not a crypto-safe hash (technically CRC-32 is not a hash
function). Cryptographers may unhappy with CRC-32.
I think CRC or SHA is not such important. If IV can be stored, I believe
there should have enough space to store HMAC.
On 2021/10/18 05:23, Tomas Vondra wrote:
>
> I've argued for storing the nonce, but I don't quite see why would we
> need integrity guarantees?