1 files changed, 22 insertions, 2 deletions

diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 78e8e63..59c03db 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -38,6 +38,25 @@ ref
     - lane 6: M_R^3 (unchanged)
   (multiplications.h, tweakey.c)
 
+[break]
+- Make byte string concatenation more consistent in AE modes:
+
+    - v1 mixed two interpretations of concatenation:
+        1. M_0 || M_1 was interpreted as { M[0], ... M[15] } || { M[16], ... M[31] },
+        2. pad(10*) and tweak-building functions interpreted X||Y as { Y[0], ... Y[ylen-1] } || { X[0], ... X[xlen-1] }.
+
+      This was potentially confusing, and also led to inefficient hardware implementations. E.g. a message M of length 34 bytes was padded as follows:
+
+                  M_0                     M_1                     pad10*(M_*)
+          { M[0], ... M[15] } || { M[16], ... M[31] } || { 0, ... 0, 0x80, M[32], M[33] }
+
+    - v1.1 sticks to the first interpretation. The same message M is now padded as follows:
+
+                  M_0                     M_1                     pad10*(M_*)
+          { M[0], ... M[15] } || { M[16], ... M[31] } || { M[32], M[33], 0x80, 0, ... 0 }
+
+  (lilliput-ae-utils.h, lilliput-i.c, lilliput-ii.c)
+
 add_felicsref
 -------------
 
@@ -102,7 +121,8 @@ See [spec] and [break] changes in reference implementation. Further changes:
   - Isolate input and output from critical path.
   (roundexe_lilliput.vhd, machine_etat_chiffrement.vhd)
 
-v1.0
-====
+
+v1
+==
 
 Initial release to round 1 of the LWC standardization process.