++++++++++++++++++++++++++

New features
---------------
* Added support for the Counter Mode KDF defined in SP 800-108 Rev 1.
* Reduced the minimum tag length for the EAX cipher to 2 bytes.
* An RSA object has 4 new properties for the CRT coefficients:
  ``dp``, ``dq``, ``invp`` and ``invq`` (``invp`` is the same value
  as the existing ``u``).

Resolved issues
---------------
* GH526: improved typing for ``RSA.construct``.
* GH534: reduced memory consumption when using a large number
  of cipher objects.
* GH598: fixed missing error handling for ``Util.number.inverse``.
* GH629: improved typing for ``AES.new`` and the various
  mode-specific types it returns. Thanks to Greg Werbin.
* GH653: added workaround for an alleged GCC compiler bug
  that affected Ed25519 code compiled for AVX2.
* GH658: attribute ``curve`` of an ECC key was not always
  the preferred curve name, as it used to be in v3.15.0
  (independently of the curve name specified when generating
  the key).
* GH637: fixed typing for legacy modules ``PKCS1_v1_5`` and ``PKCS1_PSS``,
  as their ``verify()`` returned a boolean.
* GH664: with OCB mode, nonces of maximum length (15 bytes)
  were actually used as 14-byte nonces.
  After this fix, data that was encrypted in the past using the
  (default) nonce length of 15 bytes can still be decrypted
  by reducing the nonce to its first 14 bytes.
* GH705: improved typing for ``nonce``, ``iv``, and ``IV`` parameters
  of cipher objects.

Other changes
-------------
* Build PyPy wheels only for versions 3.8 and 3.9, and not for 3.7 anymore.