Conversation

@script3r script3r commented Dec 28, 2025

Summary:

  • Implement AESDNDKGCM (32-byte root key, 24-byte nonce, no key commitment)
  • Derive per-message AES-256-GCM key/IV per draft-gueron-cfrg-dndkgcm
  • Expose bindings and add Appendix A2 vector + basic tests

Spec: https://datatracker.ietf.org/doc/draft-gueron-cfrg-dndkgcm/

Testing: python -m pytest tests/hazmat/primitives/test_aead.py -k AESDNDKGCM

@alex alex (Member) commented Dec 28, 2025

Thanks for submitting this.

Given the draft RFC is still early days, I don't think we'll consider this for merging at this time. For us to add something we generally want there to be a degree of adoption (or sufficient benefits that we want to encourage the adoption!).

In this case there's also the benefit that this can be implemented on top of our existing AES-GCM API.

@script3r script3r (Author) commented

> Thanks for submitting this.
>
> Given the draft RFC is still early days, I don't think we'll consider this for merging at this time. For us to add something we generally want there to be a degree of adoption (or sufficient benefits that we want to encourage the adoption!).
>
> In this case there's also the benefit that this can be implemented on top of our existing AES-GCM API.

Thanks @alex! That makes sense. We were looking for extended nonce setups and between xaes-gcm, xchacha-poly1305 and aes-gcm-dndk, we ended up choosing the latter.

As you said, it's pretty simple to construct on top of existing aes-gcm setup, which is one of the reasons we chose it.

@script3r script3r closed this Dec 28, 2025
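The point made twice above, that an extended-nonce AEAD of this shape composes on top of an ordinary AES-GCM API by deriving a per-message key and 96-bit IV from a 32-byte root key and a 24-byte nonce, as an added example written for this page. It is not the PR's code, not pyca/cryptography's, and not an implementation of draft-gueron-cfrg-dndkgcm: it uses Go's standard-library AES-GCM, and the derivation step `DeriveKeyIV` is an assumed stand-in PRF (a two-block CBC-MAC over the nonce and a block index, keyed with AES-256 under the root key) chosen only because it uses nothing but AES block calls. The names `Seal`, `Open` and `DeriveKeyIV` and the sample inputs are this example's own; a real implementation substitutes the draft's Derive function and checks it against the draft's appendix vectors.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	RootKeySize = 32 // 256-bit root key, as in the PR summary
	NonceSize   = 24 // 192-bit extended nonce, as in the PR summary
	gcmKeySize  = 32 // per-message AES-256-GCM key
	gcmIVSize   = 12 // standard 96-bit GCM IV
)

// DeriveKeyIV maps (rootKey, 24-byte nonce) to a fresh 32-byte AES-256-GCM key
// and a 12-byte IV using only AES-256 block calls under the root key.
//
// ASSUMPTION: the PRF below is an illustrative stand-in, a CBC-MAC over two
// blocks (nonce[0:16], then nonce[16:24] || 64-bit block index). It is NOT the
// Derive function of draft-gueron-cfrg-dndkgcm; a real implementation must use
// the draft's derivation and verify it against the draft's test vectors.
func DeriveKeyIV(rootKey, nonce []byte) (key, iv []byte, err error) {
	if len(rootKey) != RootKeySize {
		return nil, nil, fmt.Errorf("root key must be %d bytes, got %d", RootKeySize, len(rootKey))
	}
	if len(nonce) != NonceSize {
		return nil, nil, fmt.Errorf("nonce must be %d bytes, got %d", NonceSize, len(nonce))
	}
	prf, err := aes.NewCipher(rootKey)
	if err != nil {
		return nil, nil, err
	}
	// First CBC-MAC block is shared by every output block: E_K(nonce[0:16]).
	var first [aes.BlockSize]byte
	prf.Encrypt(first[:], nonce[:16])

	// Three output blocks give 48 bytes: 32 for the key, 12 for the IV, 4 unused.
	out := make([]byte, 0, 3*aes.BlockSize)
	for i := uint64(0); i < 3; i++ {
		var second, block [aes.BlockSize]byte
		copy(second[:8], nonce[16:24])
		binary.BigEndian.PutUint64(second[8:], i)
		for j := range block {
			block[j] = first[j] ^ second[j]
		}
		prf.Encrypt(block[:], block[:])
		out = append(out, block[:]...)
	}
	return out[:gcmKeySize], out[gcmKeySize : gcmKeySize+gcmIVSize], nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // standard 96-bit IV, 128-bit tag
}

// Seal encrypts plaintext under the per-message key/IV derived from (rootKey, nonce).
func Seal(rootKey, nonce, aad, plaintext []byte) ([]byte, error) {
	key, iv, err := DeriveKeyIV(rootKey, nonce)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nil, iv, plaintext, aad), nil
}

// Open re-derives the same key/IV and verifies the GCM tag before returning plaintext.
func Open(rootKey, nonce, aad, ciphertext []byte) ([]byte, error) {
	key, iv, err := DeriveKeyIV(rootKey, nonce)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, iv, ciphertext, aad)
	if err != nil {
		return nil, errors.New("authentication failed")
	}
	return pt, nil
}

func main() {
	// Constructed sample inputs; not a vector from the draft.
	rootKey := bytes.Repeat([]byte{0x01}, RootKeySize)
	nonce := bytes.Repeat([]byte{0x02}, NonceSize)
	aad := []byte("header")
	msg := []byte("extended-nonce AEAD over plain AES-GCM")

	ct, err := Seal(rootKey, nonce, aad, msg)
	if err != nil {
		panic(err)
	}
	pt, err := Open(rootKey, nonce, aad, ct)
	if err != nil {
		panic(err)
	}
	fmt.Printf("roundtrip ok: %t\n", bytes.Equal(pt, msg))

	ct[0] ^= 0x01 // flip one ciphertext bit: the tag check must now fail
	_, err = Open(rootKey, nonce, aad, ct)
	fmt.Printf("tampered ciphertext rejected: %t\n", err != nil)
}
```

Two properties of the wrapper are worth checking rather than assuming: every 24-byte nonce, including one differing from another in a single bit, must yield a different derived key and IV, and the underlying GCM call still rejects any modification of ciphertext or associated data. Like the variant described in the PR summary, this wrapper provides no key commitment: a ciphertext that authenticates under one root key says nothing about whether it would also authenticate under another.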