cipher/ascon: go routine safe?

[enj]

A quick peak at the ascon implementation suggests that the cipher is unsafe to use across go routines:

circl/cipher/ascon/ascon.go

Line 178 in 278354d

a.s[0] = ((kS * 8) << 56) | ((bcs * 8) << 48) | (permA << 40) | (pB << 32) | a.key[0]

I believe the general intent is for a cipher.AEAD to be safely reusable across go routines to avoid the setup cost.

Either way, it would be good to at least document.

[bwesterb]

In general AEADs don't have to be thread safe, cf golang/go#41689